The overall level of cyber threat continues to be elevated globally and the impact is being felt across organizations of all sizes and industry sectors. Cyber-attacks persist across all industrial sectors with continued global focus on healthcare and industrial control systems (ICS). This follows the current trend where attackers are looking for 'soft' targets in industries with a history of underinvestment in cybersecurity. The impact of each attack is increasing as malicious actors focus on higher value targets.
Here are the most recent activities by threat actor groups as well as notable vulnerabilities and exploits.
FIN7 Reboot with EDR Bypass Tool
Originating from Russia and Ukraine, FIN7 has been a persistent threat since at least 2012. Initially targeting point-of-sale (PoS) terminals, the group later shifted to acting as an affiliate for now-defunct ransomware gangs like REvil and Conti. They have also launched their own ransomware-as-a-service (RaaS) programs, including DarkSide and BlackMatter.
The group, also known by names like Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest, has a history of setting up front companies to recruit unsuspecting software engineers for ransomware activities under the guise of penetration testing.
FIN7's adaptability and technical prowess are evident in their constant retooling of their malware arsenal, including tools like POWERTRASH and DICELOADER. Recent reports from Silent Push reveal that FIN7 uses shell domains in phishing campaigns to deliver ransomware and other malware. They also use these domains in redirect chains leading to spoofed login pages. These fake versions are often advertised on search engines like Google to trick users into downloading malware-infected software.
Despite arrests and sentencing of some members, FIN7 continues to evolve. SentinelOne's latest findings indicate that the group has not only promoted AvNeutralizer – a highly specialized tool developed by FIN7 to tamper with security solutions – on cybercrime forums but also enhanced its capabilities. Since January 2023, multiple ransomware groups have started using updated versions of this tool, which was initially exclusive to the Black Basta group.
SentinelLabs researcher Antonio Cocomazzi cautions against viewing the advertisement of AvNeutralizer as a new malware-as-a-service (MaaS) tactic without additional evidence. Historically, FIN7 has developed sophisticated tools for their own use, but selling such tools to other cybercriminals could be a strategic move to diversify and generate additional revenue.
The updated AvNeutralizer employs anti-analysis techniques and leverages a Windows built-in driver to tamper with security solutions, making it a valuable asset for attackers facing advanced security defenses. FIN7's ongoing development of such tools, along with their automated SQL injection attack modules, highlights their relentless pursuit of more effective and damaging cyber tactics. Their activities underscore the critical need for robust cybersecurity measures to protect against ever-evolving threats.
Eldorado
Partner programs for cybercriminals, or Ransomware-as-a-Service (RaaS), have become highly organized operations. These programs recruit affiliates to conduct ransomware attacks on companies. Selection criteria for affiliates have evolved to be more systematic over time. From 2022 to 2023, Group-IB analysts found 27 ads for RaaS on dark web forums, including well-known programs like Yanluowang and Knight. The number of such ads increased by 1.5 times in 2023, indicating a rising demand for skilled affiliates.
Recruitment for these programs typically occurs through dark web ads, directing potential affiliates to secure messaging platforms like Tox and Jabber. The RAMP ransomware forum is particularly popular, hosting about 60% of new RaaS ads between 2022 and 2023. This recruitment drive has led to a significant rise in ransomware attacks, with Group-IB identifying around 4,583 attacks published on dedicated leak sites (DLS) in 2023, a 74% increase from 2022.
A new RaaS service, advertised in March 2024 on the RAMP forum, sought penetration testers for a new locker and loader. Group-IB analysts infiltrated the Eldorado group, which targets both Windows and Linux systems using custom malware written in Golang. The Eldorado ransomware employs advanced encryption methods and customization options for affiliates. As of June 2024, Eldorado has attacked 16 companies, predominantly in the US, affecting various industries including real estate and healthcare.
Despite increased awareness and security measures, ransomware groups continue to evolve and pose significant threats. The emergence of groups like Eldorado, with their sophisticated tactics and rapid impact, underscores the persistent danger of ransomware. Organizations must remain vigilant and proactive in their cybersecurity efforts to combat these ever-evolving threats.
Novel Technique Combination Used In IDATLOADER Distribution
A recent incident in which a suspected malware exhibited strange download behavior revealed a complex infection chain involving layers of obfuscation to deploy IDATLOADER, followed by infostealers. The linchpin of this was mshta.exe, a Microsoft process, to execute malicious code buried deep inside a file presenting as a PGP Secret Key. With novel uses of established techniques and a lot of obfuscation, this is a complex and sophisticated infection chain.
As with so many chains, it starts with human error: the victim accessed a Bollywood pirate movie download site. Instead of downloading a video, the victim is sent to a page on "Bunny CDN" that provides a bit.ly link that downloads a zip file. That contains another password protected zip file with a text file containing the password. The second zip contains a 190mb .lnk (shortcut) file with a "trailer" video file. Clicking the .lnk is what starts the first element of the chain.
The .lnk leverages mshta.exe, used to execute HTML application files containing HTML scripts such as JavaScript, to execute a "PGP Secret Key" that resides on the CDN. The downloaded file contains a lot of binary data which is not normal for text-based, human-readable HTML files. This is not a PGP key, but instead an embedded HTA and EXE file surrounded by junk information for obfuscation. Even the HTA has junk information in it. The EXE is calc.exe, the Windows Calculator, present there to attempt to fool AI/ML analysis into thinking it is legitimate. As VirusTotal shows only 1/70 AV programs detecting it as malicious, all of the obfuscation works.
Mshta.exe executes the hidden HTA, giving it closer access to the OS. This runs despite all of the obfuscation-breaking HTML and proper HTA formatting. Of the four layers of obfuscation, the first three completely hide the next stage, and the fourth has some obfuscated content within. With deobfuscation complete, two .zip archives are downloaded, with the script unzipping the archive in %AppData% and trying to use the content as a command. This only works with a zip file containing only one executable.
As such, the first archive, K1.zip, has a large set of files. The second has one .exe, "jdekl.exe." This is the legitimate binary RttHlp.exe from IOBit, renamed. The file "hydrogeology" is an encrypted payload that is likely decrypted/deployed.
The file itself even contains novel techniques, importing a BPL (Borland Package Library) which is like a DLL for use with Borland's compilation tools. No MITRE sub-technique exists for BPL side-loading as opposed to DLL side-loading.
This complex infection chain does an excellent job of hiding from detection engines, however behavioral analysis can alleviate some of this. EDR and other technologies can also aid in detection even if these obfuscated files bypass perimeter scans. And of course, proper user training (such as making sure users do not and cannot visit Bollywood movie pirating sites) ends most of these infection chains at their start.
NullBuilge Hactivists
The latest research reveals a new threat actor, NullBulge, conducting financially motivated attacks under the guise of hacktivism. Emerging between April and June 2024, NullBulge targets AI-centric and gaming entities by injecting malicious code into legitimate software distribution platforms like GitHub and Hugging Face. Despite projecting an anti-AI, pro-artist activist message, SentinelLabs found evidence of financial motivations, such as selling infostealer logs and OpenAI API keys on hacker forums.
NullBulge's tactics involve "poisoning the well," where they distribute malware through mod packs used in gaming and modeling software. The group's attacks included a high-profile data theft from Disney's internal Slack channels, targeting users of AI tools and platforms with Python-based payloads exfiltrating data via Discord webhooks. NullBulge uses tools like Async RAT and Xworm before delivering customized LockBit ransomware builds, though they haven't yet received any ransom payments.
While posing as low-sophistication actors, NullBulge effectively exploits emerging sectors with commodity malware and ransomware. The group also claims to control the AppleBotzz identity, central to their malware staging and delivery process.
This research underscores the ongoing threat of low-barrier-of-entry ransomware. NullBulge's invasive targeting of AI-centric applications highlights a growing area of focus for threat actors. Organizations are advised to manage API keys securely, review third-party code rigorously, and ensure code is sourced from trusted platforms to mitigate risks posed by groups like NullBulge.
Malicious Packages Hidden in PyPI
The FortiGuard Labs team has recently discovered a malicious PyPI package named "zlibxjson" version 8.2, which poses a significant threat to individuals and institutions using PyPI packages. Published on June 29, 2024, this package includes a malicious URL that downloads an executable file packed with PyInstaller, which unpacks into multiple Python and DLL files. Among these, three files are particularly harmful: discord_token_grabber.py, get_cookies.py, and password_grabber.py.
The discord_token_grabber.py file is designed to steal sensitive information from Discord users. It extracts Discord tokens from the user's local machine by searching for token patterns in local files. These tokens are then decrypted and validated by making requests to Discord's API. Once validated, the tokens are stored and exfiltrated to an external server controlled by the attacker. The file also collects additional user information such as profile details, billing information, and guild memberships, which is then sent to the attacker's server.
The get_cookies.py file focuses on stealing cookies from various web browsers, including Chrome, Firefox, Brave, and Opera. It accesses and copies browser data directories without user consent and decrypts stored cookies using the system's master key. The decrypted cookies are saved to a file named cookies.txt, indicating an intent to gather and potentially transfer sensitive information to an attacker.
The password_grabber.py file targets saved passwords from web browsers, specifically Google Chrome and Microsoft Edge. It accesses the databases where these browsers store login data, extracts the encrypted passwords, and decrypts them using the browser's encryption key. The extracted and decrypted data, including URLs, usernames, and passwords, are stored in a dictionary that can be sent to an attacker or saved for misuse. The code also removes the copied database file to clean up traces of its activities.
The identified malicious activities in these PyPI packages highlight the importance of diligent security practices in managing software dependencies. Users and businesses alike are advised to remain vigilant and use proper cyber security tools to identify and mitigate such threats, ensuring the security and privacy of their sensitive information.
The global cyber threat level has continued to increase as a function of general global political unrest around the Middle East, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to increase. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology's Managed Security Services, can help provide this visibility in identifying potential risks to an organization.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.