This month, threat actors kept refining their attack strategies to maximize their profits.
There is a trend for threat actor groups to use sophisticated techniques built on attack kits that are clones of the kits used by their competitors. For example, the new ransomware operator Atom Silo exploits a vulnerability in Atlassian Confluence, a web-based virtual workplace for the enterprise that allows teams to communicate and collaborate on projects, to gain access to the victim's corporate environment. The ransomware kit that Atom Silo used is identical to LockFile, a ransomware family known for using a unique “intermittent encryption” method to evade detection and for adopting tactics from previous ransomware operators. Atom Silo also used several novel techniques, such as side-loading malicious dynamic-link libraries tailored to disrupt endpoint protection software and avoid detection. Once installed, Atom Silo moved across its victims' networks, compromising multiple servers, executing the backdoor binaries, and conducting additional reconnaissance. About eleven days after the initial intrusion, the ransomware and a malicious kernel driver utility payload were deployed to circumvent endpoint protection.
Another significant trend is the intermingling of various ransomware groups for profit. For instance, the threat actor group BlackMatter has ties to both the REvil and DarkSide ransomware operators. BlackMatter operates a ransomware-as-a-service (RaaS) model in which independent cybercriminals infiltrate networks and install the ransomware on servers and PCs. The RaaS providers then handle the victim notification and ransom negotiation, paying their affiliates a share of the received ransom payments. In October 2021, BlackMatter stepped up its game by informing its victims that if the ransom demands were not met, all their stolen data would be published. BlackMatter targets US critical infrastructure entities, such as farming co-ops, where an attack could result in food shortages.
Rogue nations were also stepping up their game in October 2021. The Iranian Operation GhostShell, a highly targeted cyber espionage campaign against the aerospace and telecommunications industries, launched ShellClient, a Remote Access Trojan (RAT) designed to steal sensitive information about the critical assets, infrastructure, and technologies of the victimized aerospace and telecom companies. ShellClient abuses cloud-based storage services such as Dropbox for Command and Control (C2) to remain undetected. Suspected Iranian state-sponsored threat actors using ShellClient include Chafer APT (APT39), Agrius APT, and the newcomer MalKamak. Charming Kitten (APT35) also uploaded an app to Google’s Play Store that masqueraded as a virtual private network service while collecting call logs, text messages, contacts, and location data from compromised devices.
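The paragraph above notes that ShellClient hides its C2 traffic inside a legitimate cloud-storage service. One defensive angle is that a backdoor polling Dropbox tends to do so on a fixed schedule from a non-browser client, which stands out against human browsing. The script below, an added example that is not part of the original post or any vendor product, flags (source, destination, user agent) triples that contact cloud-storage hosts with machine-like regularity. The proxy log lines and their four-field layout (timestamp, source IP, destination host, user agent), the host list, and the tuning thresholds are all constructed assumptions for this example.

```python
"""Added example: flag hosts that beacon to cloud-storage APIs with low-jitter
regularity. Log format, hosts and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <src_ip> <dest_host> <user_agent>"
# 10.1.1.20 polls the API every ~5 minutes from a scripting client (beacon-like),
# 10.1.1.31 is a person using the web UI at irregular times,
# 10.1.1.42 has too few events to judge.
SAMPLE_LOG = """\
2021-10-05T09:00:00 10.1.1.20 api.dropboxapi.com python-requests/2.25
2021-10-05T09:00:30 10.1.1.20 intranet.example.local python-requests/2.25
2021-10-05T09:05:01 10.1.1.20 api.dropboxapi.com python-requests/2.25
2021-10-05T09:10:00 10.1.1.20 api.dropboxapi.com python-requests/2.25
2021-10-05T09:15:02 10.1.1.20 api.dropboxapi.com python-requests/2.25
2021-10-05T09:20:00 10.1.1.20 api.dropboxapi.com python-requests/2.25
2021-10-05T09:01:13 10.1.1.31 www.dropbox.com Mozilla/5.0
2021-10-05T09:47:40 10.1.1.31 www.dropbox.com Mozilla/5.0
2021-10-05T11:02:05 10.1.1.31 www.dropbox.com Mozilla/5.0
2021-10-05T11:10:30 10.1.1.31 www.dropbox.com Mozilla/5.0
2021-10-05T09:03:00 10.1.1.42 api.dropboxapi.com python-requests/2.25
2021-10-05T09:08:00 10.1.1.42 api.dropboxapi.com python-requests/2.25
"""

# Assumed watch list of cloud-storage endpoints worth a closer look.
CLOUD_STORAGE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com"}
MIN_EVENTS = 4          # need enough samples before judging regularity
MAX_JITTER_RATIO = 0.1  # stdev(gap) / mean(gap); assumed tuning value


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, host, ua = line.split(maxsplit=3)  # user agent may contain spaces
        events.append((datetime.fromisoformat(ts), src, host, ua))
    return events


def beacon_candidates(events, min_events=MIN_EVENTS, max_jitter=MAX_JITTER_RATIO):
    """Return (src, host, user agent) groups whose inter-request gaps are
    suspiciously regular. Low jitter relative to the mean gap is the signal."""
    by_key = defaultdict(list)
    for ts, src, host, ua in events:
        if host in CLOUD_STORAGE_HOSTS:
            by_key[(src, host, ua)].append(ts)

    findings = []
    for (src, host, ua), stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "host": host, "user_agent": ua,
                "events": len(stamps), "mean_gap_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


def analyze_sample():
    """Run the detection over the constructed sample log."""
    return beacon_candidates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

The jitter test is a heuristic: it catches naive fixed-interval polling and would need a looser threshold, or a different feature such as the originating process or user agent, once an implant randomizes its sleep. Legitimate sync clients also talk to these hosts constantly, so allowlist them by user agent or process before alerting.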
During October 2021, financial institutions were targeted again, this time by the MirrorBlast attack campaign, which mirrors the tactics, techniques, and procedures used by the Russia-based threat group TA505. MirrorBlast uses the same attack chain, GetandGo functionality, final payload, and domain name patterns. Among REvil’s victims are the hardware company Acer, which was extorted for approximately $100M, the Apple supplier Quanta Computer, and thousands of companies using Kaseya IT management solutions.
This month, a China-associated hacking group, suspected to be IronHusky, exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new RAT dubbed MysterySnail. Variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities. The MysterySnail RAT is designed to collect and exfiltrate system information from compromised hosts before contacting its C2 server for further commands. The RAT performs various tasks on infected machines, such as creating new processes, killing already running processes, launching interactive shells, and running a proxy server that supports up to 50 simultaneous connections.
Also during October 2021, an unknown ransomware group encrypted VMware ESXi servers with a Python script. In general, the Python programming language is not commonly used in ransomware development. However, for targeting ESXi systems it is a logical choice, since these Linux-based servers come with Python installed by default. Once the attackers had gained access, they used the Python ransomware script to encrypt the victimized virtual machines running on a vulnerable ESXi hypervisor.
Multiple ransomware gangs, including Darkside, RansomExx, and Babuk Locker, have previously exploited VMware ESXi pre-auth RCE bugs to encrypt the virtual hard disks used as centralized enterprise storage.
On a positive note, the FBI, US Cyber Command, and the US Secret Service, in cooperation with several other countries, took over the Tor payment portal and data leak blog of the notorious REvil hacker group, leaving the group crippled and without a platform. In October, the Ukrainian police arrested two members of a ransomware gang, quite likely REvil. They are suspected of having attacked more than 100 foreign companies in North America and Europe and of causing $150m in damages to Western organizations. The police also confiscated $1.3m in cryptocurrencies.
To find out if your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!
Eyal is the VP of Customer Success at Cymulate. Over the last 15 years, Eyal has held a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.