Self Assessment

Weekly Intelligence Report – 29 Sep 2023

Published On : 2023-09-29
Share :
Weekly Intelligence Report – 29 Sep 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Geography: Canada, Poland, United States.
Target Industries: Construction, Law, Media & Internet, Manufacturing, Retail, Real Estate.


CYFIRMA Research and Advisory Team has found ransomware known as CryptBB while monitoring various underground forums as part of our Threat Discovery Process.


CryptBB, a recently wild-spread ransomware variant, is possibly written in the Delphi language. After encrypting the files, original file names were appended with an extension consisting of a random character string.

Upon the conclusion of the encryption process, this ransomware alters the desktop wallpaper and generates a ransom note with the title “[random_string].README.txt.”

It can be ascertained with high confidence that the threat actors are of Russian origin, publicly announcing themselves in support of the Russian Federation.

Screenshot of a Files Encrypted by CryptBB Ransomware. (Source: Surface Web)

Screenshot of a ransom note by CryptBB Ransomware. (Dated: November 2022) (Source: Surface Web)

Researchers suggest that there is a possibility that the CryptBB ransomware may be based on or related to the LockBit 3.0 ransomware.

Screenshot of CryptBB’s desktop wallpaper. (Source: Surface Web)

Countries Targetted by CryptBB Ransomware

Industries Targeted by CryptBB Ransomware

There is a possibility that CryptBB may be separated from the LockBit group at the beginning of 2023.

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • By examining the list of victims, it is possible to infer that the primary target of this ransomware could be the United States.
  • Long sleep periods: The malware performs long sleep during execution, indicating that it may be designed to avoid detection or delay its actions on the compromised system.
  • Direct CPU clock access: The malware’s capability to directly access the CPU clock suggests that it may be able to evade traditional detection methods that rely on monitoring system behaviour.
  • Runtime modules: The ransomware has runtime modules, which means that it can download and execute additional code on the compromised system.

ETLM assessment

CYFIRMA’s assessment, relying on the available information, suggests that the CryptBB ransomware might evolve further, adopting more advanced evasion methods. It could potentially broaden its scope to target various industries and regions. The capability to download and execute runtime modules increases the threat, allowing for the incorporation of new functionalities in upcoming versions. We will continue to monitor, and provide a more comprehensive assessment when further information becomes available.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques / Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting Interpreter
T1129: Shared Modules
2 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.002: Obfuscated Files or Information: Software Packing
T1036: Masquerading
3 TA0006: Credential Access T1003: OS Credential Dumping
4 TA0007: Discovery T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1614: System Location Discovery
5 TA0009: Collection T1005: Data from Local System
T1185: Browser Session Hijacking
6 TA0040: Impact T1486: Data Encrypted for Impact


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.

Trending Malware of the Week

Type: Trojan
Objective: Stealing Financial Information
Target Technology: Windows OS
Target Industries: Banking and Financial Sector
Target Geographies: Latin America (Brazil & Mexico)

Active Malware of the Week

This week “BBTok” is trending.


Researchers have recently uncovered an ongoing campaign in Latin America that is deploying a new version of the BBTok banking Trojan. This campaign employs a combination of Living Off the Land Binaries (LOLBins) in its infection chains, resulting in low detection rates. During their analysis, researchers identified server-side resources used by the threat actors in attacks targeting users in Brazil and Mexico. These server-side components are responsible for delivering malicious payloads, likely distributed through phishing links. Multiple iterations of these server-side scripts and configuration files were observed, revealing the evolving deployment methods of the BBTok banking Trojan over time.

Evolution of BBtok

The BBTok banking Trojan, initially discovered in 2020, was deployed in Latin America through fileless attacks. The banking Trojan has a wide set of functionalities, including enumerating and killing processes, keyboard, and mouse control, and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages for a wide variety of banks operating in Mexico and Brazil. Since it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently, researchers have seen indications of banking Trojans distributed through phishing links and not as attachments to the email itself.

Attack Method

Following the fake interfaces, controlled by the BBTok banking Trojan, impersonate legitimate financial institutions. They skillfully manipulate unsuspecting users into divulging their personal and financial information. Victims are deceived into entering their security codes or token numbers, which are essential for bank account 2FA, allowing the BBTok attackers to conduct account takeovers. Moreover, in some cases, this deceptive tactic also tricks victims into providing their payment card numbers.

Fig: Fake interfaces embedded within the BBTok Banker

The BBTok banking Trojan creates fake versions of over 40 Mexican and Brazilian bank interfaces. It tricks victims into inputting their 2FA codes or payment card numbers. An analysis of the server-side code shows that the attackers continually update their methods to infect different Windows versions.

Researchers were able to identify a database of BBTok malware victims in Mexico, which contained more than 150 entries with victims’ information.

Fig: Database with victims’ information


  • BBTok, which has been active since 2020, has largely gone unnoticed due to its evolving tactics, including increased obfuscation and the use of downloaders, resulting in a low rate of detection. BBTok remains active, primarily targeting users in Brazil and Mexico and employing complex geo-fencing techniques to ensure that it infects only machines located in these specific countries. This ongoing adaptability and ability to remain stealthy highlight the persistent threat that BBTok poses to banking security in the Latin American region.
  • Over time, the cybercriminals behind BBTok have been continuously updating their infection methods for various versions of Windows, utilizing a wide range of file types such as ISO, ZIP, LNK, DOCX, JS, and XLL. BBTok is a highly sophisticated cyber threat known for its multifaceted tactics, particularly in extracting sensitive banking information. It employs counterfeit interfaces and impressive evasion techniques, highlighting the ever-growing ingenuity of cybercriminals in creating potent and elusive threats.
  • In recent years, the BBTok malware has emerged as a significant threat in the cybersecurity landscape. It capitalizes on the growing interest in stealing sensitive financial information, particularly related to online banking, and preys on individuals who may lack extensive technical expertise. As the popularity of online banking has surged, BBTok represents a darker aspect of this ecosystem where cybercriminals employ deceptive tactics to defraud unsuspecting online banking enthusiasts.


From the ETLM Perspective CYFIRMA believes that BBTok may evolve to employ even more sophisticated evasion techniques, making it increasingly challenging for organizations to detect and mitigate the malware. This could lead to longer dwell times and more extensive data breaches. While BBTok has primarily targeted the banking sector, it may diversify its targets in the future. While primarily affecting Latin American countries, BBTok might expand its geographic reach, targeting organizations in other regions, which could impact a more diverse set of businesses.

Indicators of Compromise

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.


  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Secure your organization’s internet-facing assets with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Consider the following multi-layered protection program:
    • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
    • Anti-phishing engines to prevent any type of phishing attack before it reaches users.
    • Antivirus software for emails to minimize the risk of being infected by malware through email.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –BlackCat Ransomware| Malware – BBTok
  • BlackCat Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – BBTok
  • Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

A new APT named AtlasCross launched Sophisticated Attack, using the Red Cross Blood Drive Template

  • Threat Actors: AtlasCross
  • Attack Type: Spear Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Unknown
  • Target Industries: Unknown
  • Business Impact: Operational Disruption

In a recent observation, a newly identified APT group known as ‘AtlasCross’ has emerged, targeting organizations through sophisticated phishing campaigns. This group employs deceptive emails impersonating the American Red Cross to distribute backdoor malware. Researchers have uncovered two previously unknown trojans, DangerAds and AtlasAgent, which are associated with AtlasCross’s attacks. Researchers said AtlasCross has a high level of sophistication and evasive tactics, making it challenging for researchers to pinpoint their origin. Researchers revealed that AtlasCross exhibits notable differences in execution flow, technology stack, attack tools, and objectives compared to known attackers. The attack chain begins with phishing emails, disguised as American Red Cross messages inviting recipients to participate in a “September 2023 Blood Drive.” These emails contain a macro-enabled Word document that, when activated, installs the DangerAds and AtlasAgent malware on Windows devices. DangerAds serves as a loader and system profiler, while AtlasAgent is the final payload, loaded once specific conditions are met. AtlasAgent is a custom C++ trojan with capabilities such as gathering host and process details, preventing multiple program launches, executing additional code, and downloading files from the attacker’s servers. AtlasCross maintains a narrow targeting scope, with DangerAds checking for specific strings in system usernames or domain names. Additionally, AtlasAgent communicates with its servers, receiving commands that are difficult for security tools to detect and thwart.

Relevancy & Insights:
New viruses like DangerAds and AtlasAgent can be more destructive due to their advanced evasion tactics, targeted nature, data exfiltration capabilities, persistence on compromised systems, and ability to evade security tools. Their complex payloads, exploitation of zero-day vulnerabilities, and potential to form botnets for large-scale attacks make them formidable threats.

ETLM Assessment:
Sophisticated attacks by groups like AtlasCross are becoming increasingly common due to their ability to evade traditional defenses. These attacks leverage social engineering tactics as initial access, making them easy, accessible, and effective. As cybercriminals continue refining their techniques, the frequency of such attacks is expected to go upwards as nation-state threat actors increasingly target nations with whom they have diplomatic tensions. Moreover, in modern warfare, cyberattacks are often initiated before conventional military operations, serving as the initial salvo in conflicts between nations.


  • Disable or tightly control the use of macros in Microsoft Office documents, especially in documents received from unknown or untrusted sources.
  • Implement robust email filtering and anti-phishing solutions to detect and block malicious emails before they reach users’ inboxes.
  • Conduct regular cybersecurity awareness training for employees to help them recognize phishing emails and avoid clicking on suspicious links or downloading unknown attachments.
  • Deploy endpoint protection solutions that can detect and prevent the execution of malicious code and trojans like DangerAds and AtlasAgent.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Trending Chinese Cyber-threats
In a recent report, the Chinese and North Korean government’s influence operations have been observed to have grown more effective over the past year. China-aligned social media networks have engaged directly with authentic users on social media, targeted specific candidates in content about US elections, and posed as American voters. Separately, China’s state-affiliated multilingual social media influencer initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million. Chinese cyber operations this year have been focused on countries surrounding the South China Sea, where China presses territorial claims on countries like the Philippines, Vietnam or Indonesia as well as on the United States, with which China is in conflict over primacy in the region and global affairs as a whole.

ETLM Assessment:
Besides the aforementioned regions, Chinese cyber espionage has been increasingly targeting technical assets in the US defense industrial base with a special focus on satellites, telecommunications, on US infrastructure on the island of Guam, US critical infrastructure, and nations opposing China’s territorial claims in the South China Sea. All the mentioned industries are under perpetual threat of Chinese cyber penetration as China considers them as threats from a geopolitical perspective.

A shift in Russian cyber targeting
The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) has published its observations of a distinct shift in the targets selected by Russian cyberespionage services. At least two of the major Russian intelligence services (the GRU and FSB) had previously shown a distinct preference for collecting against Ukraine’s electrical power infrastructure; however, both were observed shifting their focus on law enforcement agencies, and specifically on those units charged with collecting and analyzing evidence of Russian war crimes.

ETLM Assessment:
This activity shift is best explained as an early stage of an attempt to interfere with investigations into Russian war crimes and into preparing intelligence for future disinformation campaigns that are to be expected to attempt to discredit otherwise credible allegations, including those described by a recent UN fact-finding mission on the matter. There appears to be an ongoing wider cyber intelligence campaign by Russian security services, which also includes the recently disclosed compromise of systems at the International Criminal Court, which has charged Russian leaders including President Putin. The campaign is expected to last months and possibly years.

Rise in Malware/Ransomware and Phishing

Clarion is Impacted by BlackCat Ransomware

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: BlackCat Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]clarion[.]com), was compromised by BlackCat Ransomware. Clarion is a manufacturer of multimedia systems, marine audio systems, smart access solutions, speakers, subwoofers, amplifiers, and more. The leak site associated with the BlackCat Ransomware alleges that the compromised data includes both engineering details of the company’s clients and various other sensitive information.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • With 372 reported victimization cases in the year 2023, the group solidifies its reputation as one of the most active ransomware collectives. An examination of their attack patterns reveals a clear emphasis on targeting organizations located in the United States.
  • We have noticed that the BlackCat (ALPHV) ransomware group has incorporated stolen Microsoft accounts and the newly detected Sphynx encryptor into their tactics, utilizing these tools to encrypt the Azure cloud storage of their targets.
  • Based on the BlackCat Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Industries, most affected by BlackCat Ransomware

ETLM Assessment:
CYFIRMA’s evaluation remains steady: we expect the BlackCat Ransomware to persist in its focus on American businesses, as demonstrated in the accompanying graph, and possible continued targets to nations allied with the US. Nonetheless, recent events such as the Clarion attack underscore that even prominent manufacturing corporations are susceptible to potential targeting.

Vulnerabilities and Exploits

Vulnerability in Mitsubishi Electric GX Works3

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: System Administration Software
  • Vulnerability: CVE-2023-4088 (CVSS Base Score 9.3)
  • Vulnerability Type: Incorrect Default Permissions

The vulnerability allows a local attacker to escalate privileges on the system.

Relevancy & Insights:
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application.

Impact :
A local attacker can execute arbitrary code on the system with elevated privileges. Affected Products : https[:]//www[.]mitsubishielectric[.]com/en/psirt/vulnerability/pdf/2023-010_en.pdf

Apply Security Updates : Mitsubishi Electric or the software vendor may release security patches or updates to address this vulnerability. Ensure that these updates are applied promptly.

This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 products most affected.

Latest Cyber-Attacks, Incidents, and Breaches

Moldovan government websites are the focus of DDoS attacks.

  • Threat Actors: Unknown
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: Moldova
  • Target Industries: Government
  • Business Impact: Operational Disruption

The Government of the Republic of Moldova has reported a surge in cyber-attacks targeting multiple websites over the past week. The Chisinau International Airport, the National Energy Regulatory Agency (ANRE), and the Ministry of Foreign Affairs and European Integration (MFAIE) have all fallen victim to a series of distributed denial-of- service (DDoS) attacks over the past week. The attacks involved a very large number of requests, usually from outside the country, which were aimed at blocking a server or a web platform. The government also advises private sector stakeholders to prioritize cybersecurity within their organizations, bolster corporate network defenses, and explore industry-specific recommended measures to safeguard web servers. The clarifications come after the Information Technology and Cybersecurity Service confirmed on Monday, September 25, the recording of a cyber-attack on the information sources of service providers in the field.

Relevancy & Insights:
Over the past week, the Government of the Republic of Moldova has observed a notable surge in cyber-attacks, primarily distributed denial-of-service (DDoS) attacks. These attacks specifically targeted critical websites.

ETLM Assessment:
CYFIRMA’s assessment suggests that Moldovan government websites are likely to face ongoing DDoS attacks, with the potential for escalation due to the significant operational disruption caused by such attacks, leading to substantial business repercussions.

Data Leaks

LearningRx Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Education
  • Target Geography: The United States of America
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to LearningRx, {www[.]learningrx[.]com}. LearningRx is a brain training company with locations across the globe. LearningRx helps individuals and families sharpen their cognitive skills to help them think faster, learn easier, and perform better. The compromised data contains SQL-formatted information, including fields such as ID address, ID source, lead ID, center ID, session ID, prefix, first name, last name, suffix, age, date of birth, gender, area code, phone numbers, and other confidential information.

Source: Underground forums

Relevancy & Insights:
Opportunistic cybercriminals, motivated by financial gains, are continuously scouring the internet for exposed and vulnerable systems and software. Many of these attackers carry out their activities in secretive online communities, where they engage in discussions related to their illegal endeavors, including the trade of stolen digital assets. Unlike financially motivated groups such as ransomware or extortion gangs, who often publicize their attacks, these cybercriminals prefer to operate discreetly. They take advantage of unpatched systems or vulnerabilities in software and systems to gain unauthorized access and steal valuable data. Subsequently, the pilfered data is advertised for sale in underground forums, shared among fellow attackers, and repurposed for various illicit purposes.

ETLM Assessment:
The United States of America continues to rank among the top targets for cybercriminals worldwide. According to CYFIRMA’s assessment, U.S. institutions lacking strong security measures and infrastructure are likely to remain at a heightened risk of potential cyberattacks.

Other Observations

CYFIRMA Research team observed a potential data leak related to the ICT Billet, {www[.]ictbillet[.]com}. ICT Billet is an automotive service and collision repair provider, offering excellent bargains on a range of products, including LS and LT parts, LS engine swap kits, LT engine swap kits, LS engine components, LT engine components, and an extensive selection of premium aftermarket automotive merchandise. The data breach encompasses information in SQL format, including ID, Name, Email, Group, Phone, ZIP, Country, State/Province, Billing Address, Shipping Address, Date of Birth, Tax VAT Number, and various other sensitive details.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.