
Clop Ransomware Gang: Profiling a Notorious Cybercriminal Organization

In recent years, the Clop ransomware gang has emerged as one of the most prolific and notorious cybercriminal organizations. Employing sophisticated techniques and constantly evolving their strategies, the group has successfully targeted high-profile organizations worldwide. This article aims to provide an informative profile of the Clop ransomware gang, detailing its history, operations, and recent activities.

History of Clop
Clop originated as a variant of the CryptoMix ransomware family and gained prominence in February 2019 when the threat group known as TA505 employed it in a large-scale spear-phishing email campaign. Operating as a ransomware-as-a-service (RaaS) model, Clop was used by a Russian-speaking group and disguised its malicious intent by utilizing verified and digitally signed binaries. This approach allowed the ransomware to evade security detection effectively.

In 2020, the financially motivated hacking group FIN11 started deploying Clop ransomware, leveraging zero-day vulnerabilities in the Kiteworks file transfer appliance. These attacks involved the use of a specific web shell called “DEWMODE” for exfiltrating stolen information. Clop’s operators also began implementing double extortion schemes, where they threatened to publicize and auction off stolen data if their demands were not met.

Clop’s Operations
The Clop ransomware gang exhibits a range of sophisticated techniques in its operations. Unlike other ransomware variants, Clop targets entire networks rather than individual computers, gaining access to the Active Directory (AD) server to persistently infect endpoints. Previous attacks by the group involved large-scale phishing campaigns, utilizing spam emails and malicious attachments to deliver the Clop malware. These attacks often involved various tools, such as SDBOT, FlawedAmmyy, and Cobalt Strike, which facilitated reconnaissance, lateral movement, and exfiltration of data before the deployment of the ransomware.

The group utilizes multiple tactics to coerce victims, including negotiation emails and threats of publicizing stolen information on their dedicated leak site, “Cl0p^_-Leaks.” Clop has even employed quadruple extortion techniques, targeting top executives and customers to exert additional pressure on companies to pay the ransom. By constantly evolving its tactics, Clop has set new trends in the world of cybercrime.

Recent Activities
While the arrests of six suspected Clop members in Ukraine in June 2021 dealt a significant blow to the group, its criminal activities continued throughout 2021 and 2022. However, recent data suggests a slowdown in ransomware deployments, indicating a shift towards data theft and extortion. Law enforcement and private partners managed to seize parts of Clop’s infrastructure and take down money laundering channels used for cryptocurrency payments.

In May 2023, the Clop gang exploited critical zero-day vulnerabilities in the MOVEit Transfer and MOVEit Cloud file transfer software, targeting numerous private and public organizations. These attacks focused on stealing sensitive data and extorting companies rather than encrypting systems. The group used a combination of tactics, including data leak threats and demands for negotiations, to pressure victims into complying with their demands.

The Clop ransomware gang has established itself as a formidable threat in the cybersecurity landscape. With a history of high-profile attacks and constantly evolving tactics, the group continues to pose a significant risk to organizations worldwide. Enterprises must remain vigilant and adopt proactive cybersecurity measures to mitigate the threats posed by ransomware groups like Clop. Collaborative efforts between law enforcement, private partners, and cybersecurity professionals are crucial in dismantling such criminal organizations and safeguarding sensitive data from exploitation.


The Play Ransomware Gang: Profile of a Persistent Threat

In recent years, the world has witnessed an alarming rise in cyberattacks, with ransomware being one of the most pervasive and damaging forms of malicious activity. The Play ransomware gang has emerged as a highly disruptive and notorious group among the many ransomware gangs. This article aims to provide an informative and professional profile of the Play ransomware gang, shedding light on their operations, tactics, and notable attacks.

The City of Oakland Attack

The Play ransomware gang made headlines with their cyberattack on the City of Oakland, California. Beginning in mid-February 2023, the attack targeted the city’s IT systems, causing significant disruptions. While emergency services remained operational, various other departments were severely impacted, including business taxation and parking citation services. The gang claimed responsibility for the attack and demanded a ransom, threatening to expose sensitive data stolen from the city.

Attack Methodologies

Play ransomware employs several sophisticated techniques to infiltrate and compromise targeted organizations. They exploit known vulnerabilities, such as exposed RDP servers and FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), to gain initial access. Once inside the network, they employ “lolbins” binaries and distribute executables via Group Policy Objects. Notably, the gang also engages in double extortion, exfiltrating sensitive data and threatening to release it if their ransom demands are not met.

Unique Technique: Intermittent Encryption

A distinctive characteristic of the Play ransomware gang is their use of intermittent encryption. This novel technique involves encrypting files in smaller, intermittent chunks, evading detection by security systems that rely on static analysis. By encrypting only portions of a file, often distinguished by null characters, Play ransomware can remain undetected for longer periods, exacerbating the damage caused to targeted organizations.
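To show why this technique defeats a single whole-file entropy check and what a windowed check sees instead, here is an added Python example (not code from the original post or from any vendor tool); the chunk size, thresholds and sample files are constructed assumptions.

```python
import math
import random

CHUNK_SIZE = 4096     # window size examined; a constructed choice for this example
HIGH_ENTROPY = 7.5    # bits/byte; encrypted or random data sits close to 8.0
SAMPLE_TEXT = b"The quarterly report is attached. "   # constructed low-entropy filler

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def chunk_entropies(data, chunk_size=CHUNK_SIZE):
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def classify(data, chunk_size=CHUNK_SIZE):
    """Return 'clean', 'fully_encrypted' or 'intermittent'.

    One whole-file entropy value misses intermittent encryption because the
    untouched chunks pull the average below any sensible threshold. Checking
    window by window and counting low/high transitions exposes the pattern."""
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data, chunk_size)]
    if not high or not any(high):
        return "clean"
    if all(high):
        return "fully_encrypted"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    # One high-entropy region (say an embedded compressed image) gives at most two
    # transitions; repeated alternation is what chunk-wise encryption leaves behind.
    return "intermittent" if transitions >= 3 else "clean"

def make_samples():
    """Constructed inputs: 64 KiB of text, the same size of random bytes (stand-in
    for full encryption), and a copy with every second 4 KiB chunk randomised."""
    rng = random.Random(1)                         # fixed seed: deterministic samples
    plain = (SAMPLE_TEXT * 2000)[:64 * 1024]
    full = rng.randbytes(len(plain))
    chunks = [plain[i:i + CHUNK_SIZE] for i in range(0, len(plain), CHUNK_SIZE)]
    mixed = b"".join(rng.randbytes(len(c)) if i % 2 else c for i, c in enumerate(chunks))
    return {"plain": plain, "full": full, "mixed": mixed}

if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:6s} whole-file entropy={shannon_entropy(blob):.2f} "
              f"verdict={classify(blob)}")
```

The mixed sample scores below the high-entropy threshold as a whole file yet alternates cleanly window by window, which is exactly the gap a static, whole-file check leaves open.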

Notable Attacks

Beyond the City of Oakland, the Play ransomware gang has targeted various organizations worldwide. One significant incident occurred in Switzerland, where they hacked Xplain, an IT firm that supported numerous federal and cantonal government departments. They also targeted the major Spanish bank Globalcaja, compromising client and employee documents. Additionally, the gang claimed to have stolen 600GB of data from communications firm Poly (Polycom).

Play Ransomware Tools

The Play ransomware gang has developed custom tools to enhance their attacks’ effectiveness. Grixba, a network-scanning and information-stealing tool, enables them to enumerate users and computers within a compromised network. The VSS Copying Tool allows the gang to interact with the Volume Shadow Copy Service, even copying files in use by applications. These tools provide them with critical information and increase the efficiency of their malicious activities.

Security Recommendations

Organizations should implement robust security measures to combat the evolving threat posed by ransomware groups like Play. These include multifactor authentication (MFA), least privilege principles, network segmentation, attack surface management (ASM), secure domain controllers (DC), regular patching and updates, and maintaining encrypted offline backups of critical data. Additionally, employing threat intelligence platforms and monitoring the dark web for emerging threats can enhance an organization’s security posture.

The Play ransomware gang has proven to be a persistent and highly disruptive threat to organizations worldwide. Their sophisticated attack methods, including intermittent encryption and double extortion, showcase their determination to exploit vulnerabilities for financial gain. Organizations must remain vigilant, implementing robust security measures and proactive threat mitigation strategies to protect themselves against the increasing menace of ransomware attacks.


Medusa Ransomware: The Rise of a Double-Extortion Threat

In recent years, the cybercrime landscape has witnessed the emergence of Medusa ransomware, a variant that stands out due to its double-extortion tactics. This article aims to provide an in-depth profile of the Medusa ransomware operation, shedding light on its origins, operational methods, and the threats it poses to organizations. Additionally, we will explore measures organizations can take to mitigate the risks associated with this malicious entity.

Who is Medusa?

Medusa is a human-operated eCrime group known for conducting Big Game Hunting (BGH) operations. This ransomware operation is distinct from other similarly named malware and botnets. Medusa first appeared in June 2021 and has gained prominence due to its high-profile attacks on corporate victims, including the Minneapolis Public School district.

What Does Medusa Do?

Medusa uses a layered encryption scheme to compromise systems and render files inaccessible to victims. It employs AES-256 together with RSA-2048 via the BCrypt library, which makes the encrypted data practically unrecoverable without the attackers’ key. The ransomware terminates over 280 Windows services and processes, including those related to mail servers, backup servers, database servers, and security software, to prevent interference during the encryption process.

How Does Medusa Operate?

Medusa implements a double-extortion strategy, which involves not only encrypting compromised systems but also exfiltrating sensitive data from the victim organizations. If the ransom demand is not met, the threat actors threaten to publicly release the exfiltrated data, causing significant reputational and financial damage to the victim organizations.

What are Medusa’s Motives?

The primary motivation behind Medusa is financial gain. By targeting corporate victims and employing double extortion, the eCrime group aims to extract significant ransoms from organizations. The threat actors utilize the fear of data exposure to coerce victims into paying substantial sums to regain control of their systems and prevent the public disclosure of sensitive information.

How Can Organizations Prevent Medusa Attacks?

To mitigate the risks associated with Medusa attacks, organizations should adopt comprehensive cybersecurity measures. The following steps are recommended:

  • Maintain Regular Backups: Implement a robust backup strategy to ensure that critical data is securely backed up and can be restored in the event of a ransomware attack.
  • Keep Software and Systems Updated: Regularly patch and update software and systems to address vulnerabilities that threat actors may exploit.
  • Implement Endpoint Protection: Utilize advanced endpoint protection solutions that incorporate behavior-based detection and real-time threat intelligence to identify and mitigate ransomware attacks.
  • Conduct Employee Training: Educate employees about phishing attacks and other social engineering techniques commonly used to distribute ransomware. Encourage them to exercise caution while opening email attachments or clicking on suspicious links.
  • Utilize Network Segmentation: Implement network segmentation to restrict lateral movement in the event of a successful compromise and minimize the impact of a ransomware attack.
  • Deploy Multi-Factor Authentication (MFA): Enable MFA for critical systems and accounts to provide an additional layer of security against unauthorized access attempts.

Medusa Ransomware presents a significant threat to organizations worldwide, employing double-extortion methods to extract substantial ransoms. By understanding the operational methods and motivations of this eCrime group, organizations can take proactive steps to strengthen their cybersecurity posture and prevent or mitigate the risks associated with Medusa Ransomware attacks. Implementing a combination of preventive measures, including regular backups, system updates, employee training, and advanced endpoint protection, can help organizations safeguard their valuable data and maintain business.


Lemon Group’s Cybercrime Enterprise Leverages Millions of Pre-Infected Android Phones

The Lemon Group, a large cybercrime enterprise, has installed “Guerilla” malware on approximately 9 million Android-based devices, including smartphones, watches, TVs, and TV boxes.  

Techniques such as reflashing and silent installation have become prevalent in the past decade. Reflashing involves reprogramming or replacing the firmware of a device, allowing for modifications, firmware updates, or the installation of different operating systems. Initially used for device customization, threat actors later exploited these methods for malicious activities, infecting phones with unwanted apps to profit from pay-per-install schemes.

In 2016, reports emerged of Triada malware being implanted in multiple devices. In 2019, Google confirmed cases where third-party vendors used original equipment manufacturer (OEM) images without notifying the OEM company. In 2021, researchers discovered the botnet and the criminal operations behind the SMS Phone Verified Accounts (PVA) mobile botnet, which exploited compromised mobile supply chains. They identified the malware responsible as Guerrilla and traced it back to a threat actor group known as the Lemon Group. Researchers observed an overlap between Guerrilla and Triada regarding communication and network flow, indicating a potential collaboration between the two groups.

Guerilla malware allows the threat actors to carry out various malicious activities, such as intercepting one-time passwords, setting up reverse proxies, hijacking WhatsApp sessions, and more. The Lemon Group was initially exposed in February 2022 and later rebranded as “Durian Cloud SMS,” but their tactics and infrastructure remained the same. The group’s main business involves utilizing big data for analysis and advertising purposes. It is unclear how Lemon Group infects devices, but possible methods include supply chain attacks, compromised software/firmware updates, or insider involvement. The malware consists of various plugins for specific functions, including intercepting SMS passwords, setting up proxies, hijacking sessions, displaying intrusive ads, and silently installing/uninstalling applications.

Lemon Group’s monetization strategy includes selling compromised accounts, hijacking network resources, generating fraudulent ad impressions, and offering proxy and SMS PVA services.

The impact of Lemon Group’s operations is global, with millions of infected devices spread across 180 countries, particularly in the United States, Mexico, Indonesia, Thailand, and Russia. The actual count of infected devices could be higher, as some devices have not yet communicated with the attackers’ servers. Researchers detected over 490,000 compromised mobile numbers tied to one-time password requests for various services. The extent of the Lemon Group’s operations indicates their substantial global reach. The threat actor’s activities pose a significant risk to compromised devices and legitimate users, and their malware has been spread over the past five years.

To mitigate mobile device malware risks, keep software updated, download apps from trusted sources, exercise caution with app permissions, install reputable security software, beware of phishing and malicious links, enable app verification and sandboxing, implement device encryption and strong passwords, regularly back up data, use public Wi-Fi networks cautiously or with a VPN, and stay informed about mobile threats through education and awareness. These measures help protect against known vulnerabilities, malicious apps, phishing attempts, and unauthorized access, enhancing the overall security of mobile devices and safeguarding personal information. 


Sophisticated Techniques Implemented by ViperSoftX InfoStealer to Evade Detection

A widespread cryptocurrency- and information-stealing malware called ViperSoftX has affected numerous victims across consumer and enterprise sectors throughout Australia, Japan, the U.S., and India. ViperSoftX is a JavaScript-based Remote Access Trojan (RAT) that allows remote access and control over infected machines. This evasive malware has recently adopted advanced encryption and anti-analysis techniques to avoid detection. ViperSoftX enters systems through software cracks, key generators, and seemingly non-malicious applications that act as carriers. Before deploying its main routine, the malware performs checks to evade virtual machines, monitoring, and anti-malware systems. It targets popular web browsers like Chrome, Firefox, and Edge, installing rogue extensions to extract passwords and cryptocurrency wallet data. The malware frequently changes its command-and-control servers to evade detection, and it scans infected systems for specific password managers.

The enterprise sector has been heavily targeted, comprising over 40% of the victims. The latest version also includes the ability to steal passwords from password managers like KeePass 2 and 1Password, possibly exploiting a recent security flaw (CVE-2023-24055) in KeePass. The presence of techniques targeting both cryptocurrencies and passwords suggests the involvement of multiple groups in the ViperSoftX campaign. The operators demonstrate high-level skills in executing malware seamlessly, emphasizing the importance of avoiding unofficial and free sources when downloading software.

To avoid malware like ViperSoftX, be cautious with email attachments and links, use official download channels, activate and update software from legitimate sources, install reputable security software, and regularly scan your system. Back up important files and use reputable malware removal tools if needed. Stay informed about ViperSoftX’s targeted cryptocurrency wallets and its latest developments, such as infecting browsers with the malicious extension VenomSoftX. By following these steps, you can protect yourself against this malware and other similar threats.


Enterprise Networks Under Attack by New Malware Toolkit ‘Decoy Dog’

Cybersecurity researchers have discovered a new malware toolkit named Decoy Dog after analyzing over 70 billion DNS records. Decoy Dog is a sophisticated toolkit that evades detection with techniques such as domain aging (registering a domain and leaving it unused for some time before putting it to work) and DNS query dribbling. While the malware’s usage in the wild is “very rare,” its atypical DNS characteristics allowed researchers to map additional domains that are part of the attack infrastructure. The operation was set up at least a year before its discovery, with three distinct infrastructure configurations detected so far.

The malware’s primary component is a remote access trojan (RAT) called Pupy, an open-source post-exploitation toolkit popular among state-sponsored threat actors. It executes commands remotely, elevates privileges, steals credentials, and spreads laterally through a network. Pupy is a potent and hazardous RAT that poses a significant threat due to its fileless nature and its encrypted, slow Command-and-Control (C2) communications. Pupy can evade detection by EDR solutions, making it difficult to root out once it is inside a network. Notably, Pupy is one of the few RATs that can operate across multiple platforms, including Linux and mobile devices, via an outdated version of Python.

According to the report, the Decoy Dog toolkit featuring Pupy was detected in less than 3% of all networks, and only 18 domains have been linked to the toolkit. Additionally, most of the toolkit’s C2 infrastructure was found to be hosted in Russia. Cybersecurity researchers recommend that organizations block these domains: claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com, and hsdps[.]cc. Other recommended security mitigations are keeping systems and software up to date, implementing multi-factor authentication, conducting regular security awareness training, and employing a comprehensive incident response plan. Further information regarding this discovery is anticipated to be released in the future.
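As an added example (not from the original post or the researchers’ tooling), the following Python takes the six defanged indicators above, matches DNS query logs against them, and applies a simple low-and-slow heuristic for the query dribbling the post mentions; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six domains the post says researchers recommend blocking, as published (defanged).
DEFANGED_INDICATORS = ["claudfront[.]net", "allowlisted[.]net", "atlas-upd[.]com",
                       "ads-tm-glb[.]click", "cbox4[.]ignorelist[.]com", "hsdps[.]cc"]
BLOCKLIST = {d.replace("[.]", ".").strip().lower().rstrip(".") for d in DEFANGED_INDICATORS}
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # constructed: "<ISO UTC> <client> <qtype> <qname>"

def matches_blocklist(qname):
    """Indicator that qname equals or sits under, else None; a parent zone alone never matches."""
    name = qname.strip().lower().rstrip(".")
    for ind in BLOCKLIST:
        if name == ind or name.endswith("." + ind):
            return ind
    return None

def parse_line(line):
    """(timestamp, client, qtype, qname), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4).lower().rstrip(".")

def analyze(lines, min_span_hours=24.0, max_per_hour=1.0, min_queries=3):
    """Return (hits, dribblers). hits: queries under a blocklisted indicator. dribblers:
    (client, qname, count, span_hours) for a client resolving one name at a very low rate
    over a long period, the low-and-slow pattern the post calls query dribbling (noisy by
    design: allowlist popular names before relying on it)."""
    hits, seen = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip, never crash on bad input
        ts, client, _qtype, qname = rec
        ind = matches_blocklist(qname)
        if ind:
            hits.append((client, qname, ind))
        seen[(client, qname)].append(ts)
    dribblers = []
    for (client, qname), stamps in seen.items():
        stamps.sort()
        span_h = (stamps[-1] - stamps[0]).total_seconds() / 3600
        if (len(stamps) >= min_queries and span_h >= min_span_hours
                and len(stamps) / span_h <= max_per_hour):
            dribblers.append((client, qname, len(stamps), round(span_h, 1)))
    return hits, dribblers

# Constructed sample log: 10.0.0.9 resolves a listed name every 12 hours for 36 hours.
SAMPLE_LOG = """\
2023-04-17T08:00:00Z 10.0.0.5 A www.example.com
2023-04-17T08:30:00Z 10.0.0.5 A www.example.com
2023-04-17T10:00:00Z 10.0.0.9 A ping.allowlisted.net
2023-04-17T22:00:00Z 10.0.0.9 A ping.allowlisted.net
2023-04-18T10:00:00Z 10.0.0.9 A ping.allowlisted.net
2023-04-18T22:00:00Z 10.0.0.9 TXT ping.allowlisted.net
this line is malformed and is skipped
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` reports the four blocklist hits and flags 10.0.0.9 as a dribbler for ping.allowlisted.net, while the two quick www.example.com lookups from 10.0.0.5 stay below the query minimum.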


BellaCiao Malware linked to APT Charming Kitten

DefendEdge Cyber Threat Intelligence
Michael Spoloric, Analyst

The discovery of the BellaCiao malware has once again highlighted the persistent threat posed by state-sponsored hacking groups. Charming Kitten, the group believed to be behind the malware, has a history of targeting organizations and individuals in various regions of the world, including the United States, Europe, the Middle East, and India. The group is known for its use of spear-phishing tactics, social engineering techniques, and custom-built malware to achieve its objectives.  

The BellaCiao malware is tailored to individual targets and is a dropper designed to deliver other malware payloads onto a victim’s computer. The malware is said to be highly stealthy and can evade detection by many security solutions. The discovery of this new malware highlights the need for organizations and individuals to remain vigilant and take proactive steps to safeguard their systems and data against such threats. This includes keeping software and systems up to date, being cautious when opening emails or attachments from unknown senders, and reducing the attack surface of your network. However, even with these measures, an incident can still make its way into your network. Should this occur, a security operations center (SOC) can monitor for signs of suspicious behavior and respond to mitigate any potential threats.

For Emergency Cyber Security Incident Response please email RedTeam@DefendEdge.com