Author:
Kaustubh Jagtap, Product Marketing Director, SafeBreach
In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including NoEscape ransomware, AvosLocker ransomware, and Retch ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.
Researchers from Cyble Labs came across a new information stealer known as Atomic macOS (AMOS). This malware targets macOS systems and is being sold to cyber threat actors via private Telegram channels for a $1k monthly subscription. Subscribers receive an Apple Disk Image (DMG) file that lets them target macOS systems and steal keychain passwords, files from the local filesystem, and the passwords, cookies, and credit cards stored in browsers. Researchers have also observed threat actors using this malware to attempt to steal data from over 50 cryptocurrency extensions.
The creators of this malware also provide subscribers with a web panel for victim management, a MetaMask brute-forcer, and delivery of stolen logs via Telegram. When the DMG file is opened, it displays a phony password prompt that captures the system password in a bid to gain elevated privileges. This is followed by extraction of the Keychain password and exfiltration of the stolen data as a zip file sent to the threat actor's command and control server.
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the AMOS Infostealer.
The threat research team from Security Joes has identified a pro-Hamas hacktivist group using a new Linux-based wiper malware, known as the BiBi-Linux Wiper, to target several Israeli companies. The malware is an x64 ELF executable (written in C/C++) that lacks any obfuscation or protection capabilities. It allows threat actors to target specific folders on victim computers, which can potentially cripple those machines and even destroy the installed operating system.
The wiper is multithreaded, allowing it to corrupt several files concurrently and so execute attacks faster. It overwrites files and renames them with an extension that contains the hard-coded string “BiBi”. Another notable aspect of this wiper is its use of the “nohup” command, which allows it to keep running in the background regardless of the terminal session that launched it. Once this wiper is initiated, it performs the following actions:
The SafeBreach platform has been updated with the following new attacks to ensure our customers can validate their security controls against this wiper variant:
Researchers from Securonix have identified threat actors targeting exposed Microsoft SQL (MSSQL) services with brute force attacks to deliver ransomware and Cobalt Strike payloads. According to the researchers, the threat actors brute forced an MSSQL password and then used the database's xp_cmdshell feature to run commands on the host the database was running on.
The typical attack sequence observed for this campaign begins with brute forcing access to the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld,” named for the inclusion of the word “FreeWorld” in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, “.FreeWorldEncryption”. The attackers were also observed establishing a remote Server Message Block (SMB) share to mount a directory housing their tools, including a Cobalt Strike command-and-control agent (srv.exe), a network port scanner, and Mimikatz for credential dumping and lateral movement. Threat researchers have classified this campaign as highly sophisticated due to its use of various tools, malicious payloads, and rapid execution.
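As an added example (not SafeBreach's or Securonix's code), a small Python detector for the chain described above: a burst of failed logins from one client, a later successful login from that client, and then xp_cmdshell being enabled. The log lines and IP addresses are constructed for the example, modelled on the SQL Server errorlog format; thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in SQL Server errorlog style (not a real capture).
SAMPLE_LOG = """\
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:03.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:00:45.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 11:30:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

# timestamp, source column, message, optional trailing [CLIENT: ip]
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+(.*?)(?:\s*\[CLIENT: ([^\]]+)\])?$")
USER_RE = re.compile(r"for user '([^']+)'")

def parse(line):
    """Split an errorlog line into (timestamp, message, client_ip, user)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    user = USER_RE.search(m.group(2))
    return ts, m.group(2), m.group(3), user.group(1) if user else None

def detect(log_text, threshold=5, window_s=60):
    """Return alert strings: failed-login burst, success after it, then xp_cmdshell enabled."""
    alerts, fails, flagged, compromised = [], defaultdict(list), set(), set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg, client, user = parsed
        if "Login failed" in msg and client:
            # Sliding window: keep only failures within window_s seconds of this one.
            fails[client] = [t for t in fails[client] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(fails[client]) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(f"brute force: {threshold}+ failed logins for '{user}' from {client}")
        elif "Login succeeded" in msg and client in flagged:
            compromised.add(client)
            alerts.append(f"login succeeded after brute force: '{user}' from {client}")
        elif "'xp_cmdshell' changed from 0 to 1" in msg and compromised:
            alerts.append("xp_cmdshell enabled after brute-forced login from " + ", ".join(sorted(compromised)))
    return alerts
```

Successful-login lines only appear in the errorlog when login auditing for successful logins is enabled on the instance, so that setting is a prerequisite for the second and third alerts.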
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant:
Proofpoint Emerging Threat researchers have identified a new malware called ZenRAT that they believe is being distributed via fake installation packages for the password manager Bitwarden. Upon receiving a tip, researchers came across a Windows software installation package hosted on a website pretending to be associated with Bitwarden. This imposter website, bitwariden[.]com, only displays the fake Bitwarden download if a user accesses it from a Windows host. If a non-Windows user navigates to this domain, the page changes to something entirely different.
If Windows users click download links marked for Linux or macOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com. Clicking the Download button or the “Desktop installer for Windows” download button results in an attempt to download Bitwarden-Installer-version-2023-7-1.exe. The installer places a copy of an executable, ApplicationRuntimeMonitor.exe, into C:\Users\[username]\AppData\Roaming\Runtime Monitor\ and runs it. ZenRAT (ApplicationRuntimeMonitor.exe) uses WMI queries and other system tools to gather information about the host, which is then sent back to the C2 server, along with stolen browser data and credentials, in a zip file called Data.zip that includes the files InstalledApps.txt and SysInfo.txt. Based on analysis of the malware sample, ZenRAT appears to be designed as a modular, extensible implant that other threat actors could potentially use in future attack campaigns.
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant:
Threat researchers from Fortinet have discovered a new infostealer called ExelaStealer. It is largely open source, but can be customized by making additional payments to the threat actors. It appears to be written in Python and can pull in resources from other languages where needed. It is intended to steal sensitive data from Windows-based hosts, including passwords, credit card data, session data, and keylogs.
The attackers advertise both the open-source and the paid-for versions of the infostealer. The paid-for version offers additional capabilities that make the infostealer even more valuable to threat actors. It costs $20/month, or $45 for three months; a lifetime subscription is also available for $120.
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant:
Researchers from Deep Instinct have identified a new social engineering campaign that the Iranian threat group MuddyWater used to target two Israeli entities during the ongoing Israel-Hamas hostilities. The campaign involves known remote administration tools (previously used by MuddyWater) as well as a new file-sharing service called “Storyblok”.
Researchers believe that the campaign begins with a spear phishing email whose content lures the targeted victims into downloading an archive hosted at “a.storyblok[.]com”. The archive contains several hidden folders, including a deceptive LNK shortcut that resembles a directory called “Attachments.” When the LNK file is opened, the infection sequence is initiated, executing the “Diagnostic.exe” file, which is present in both archives observed by the Deep Instinct researchers. This file then launches “Windows.Diagnostic.Document.EXE,” a legitimate installer for “Advanced Monitoring Agent.” After infection, MuddyWater operators likely conduct reconnaissance before executing PowerShell code that causes the infected host to communicate with a custom command-and-control (C2) server.
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the threat group:
SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.