[ad_1]
Situational Awareness – Cyber News
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.
Weekly Intelligence Trends/Advisory
1. Weekly Attack Type and Trends
Key Intelligence Signals:
- Attack Type: Ransomware Attacks, Spear Phishing, Vulnerabilities & Exploits, Data Leaks.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware –Sarcoma Ransomware, RansomHub Ransomware | Malware – PySilon
- Sarcoma Ransomware Ransomware – One of the ransomware groups.
- RansomHub Ransomware – One of the ransomware groups.
- Please refer to the trending malware advisory for details on the following:
- Malware – PySilon
- Behaviour –Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.
2. Threat Actor in Focus
Sophisticated Cyber Espionage Campaign Targets Asian Defense and Research Sectors with Cobalt Strike Implants
- Threat actor: Unknown
- Initial Attack Vector: Spear Phishing
- Objective: Espionage
- Target Technology: Windows
- Target Geography: China, Hong Kong and Pakistan
- Target Industries: Defense Industry, Civil Aviation, Academia and Research Institutions and Medical Science Institutions
- Business Impact: Operational Disruption, Financial Losses and Data Compromise.
Summary:
Researchers have discovered a sophisticated cyber espionage campaign by an unknown threat actor, demonstrating a highly targeted approach toward strategic sectors. The primary targets include electrotechnical researchers, defense industry stakeholders, and individuals in electronic engineering education across Hong Kong, mainland China, and Pakistan, focusing on those handling sensitive, high-value information. The threat actor employs carefully crafted social engineering tactics, embedding relevant lures in malicious RAR archives containing decoy files themed around award nominations, postdoctoral applications, and defense industry events, thereby enticing the specific professional audience.
The infection chain begins with a RAR archive containing a malicious LNK file disguised as a PDF. Upon execution, this LNK file runs a VBScript (O365.vbs), which decodes and renames the Cobalt Strike payload (cache.bak) to mimic legitimate Windows executables like sigverif.exe. This technique enables the actor to establish a persistent, covert presence on the infected machine, supported by a scheduled task for recurring execution while self-deleting to evade detection.
Analysis of the Cobalt Strike beacon configuration shows meticulous planning: the implant communicates over HTTPS on port 443, utilizing the IP address 139[.]155[.]190[.]84 with a host header resembling a Tencent API endpoint. With operational parameters such as sleep and jitter timings, the beacon’s behavior is optimized to blend into normal traffic and minimize detection. Consistent naming patterns, including “ImeBroker.exe,” across campaigns point to an organized infrastructure.
Researchers also uncovered distinct machine IDs embedded within LNK files, which provide clues about the campaign’s regional focus. Specific IDs are found in lures aimed at Pakistan’s defense sector, hinting at targeted tactics and separate configurations for different geographic areas. The breadth of this campaign reveals a well-coordinated, persistent effort by the threat actor, likely aimed at gathering sensitive intelligence across Asia’s defense, research, and academic sectors.
Relevancy & Insights:
A recent cyber espionage campaign by an unknown threat actor leverages socially engineered lures and Cobalt Strike implants to infiltrate Asian defense, research, and academic sectors, targeting high-value information. The actor’s consistent use of themed lures—such as scientific awards and defense industry events—indicates a motive focused on intelligence gathering. This activity aligns with the actor’s past attacks involving industry-specific themes and sophisticated persistence mechanisms, pointing to a well-resourced group. Researchers, defense professionals, and academic institutions in these fields should remain vigilant, as the campaign’s methods and infrastructure suggest a sustained interest in these strategic sectors.
ETLM Assessment:
An unknown threat actor engaging in cyber espionage is targeting primarily Hong Kong and Pakistan across various high-value industries, including defense, electrotechnical engineering, and academia. The actor leverages advanced techniques utilizing Cobalt Strike, deploying malicious VBScript and LNK files within RAR archives to execute payloads in memory while evading detection. Their focus on critical sectors highlights a strategic intent to gather sensitive information, making organizations within these industries particularly vulnerable. As this threat landscape evolves, entities must remain vigilant and enhance their defenses against sophisticated tactics that prioritize stealth and persistence.
Recommendations:
- Implement comprehensive training programs to educate employees about social engineering tactics and the risks associated with opening unsolicited attachments or links. Regular updates on emerging threats will help staff recognize suspicious activities.
- Employ advanced email filtering solutions that can detect and block potentially malicious attachments or links. Integrate threat intelligence feeds to stay informed about known threat actor tactics, techniques, and procedures (TTPs).
- Conduct regular vulnerability assessments to identify and remediate any weaknesses in the network or applications. Ensure that all software, especially those used for email and document handling, is kept up-to-date with the latest security patches.
- Use network segmentation to limit the lateral movement of threats within the environment. Implement the principle of least privilege for user accounts and services to minimize exposure.
- Develop and regularly update an incident response plan that includes procedures for identifying, containing, and recovering from potential breaches. Conduct tabletop exercises to ensure readiness and identify areas for improvement.
MITRE ATT&CK Tactics and Techniques | ||
Tactics | ID | Technique |
Initial Access | T1566.001 | Phishing: Spear-phishing Attachment |
Execution | T1059 | Command and Scripting Interpreter |
Persistence | T1053 | Scheduled Task/Job |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Collection | T1213 | Data from Information Repositories |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
3. Major Geopolitical Developments in Cybersecurity
Russian Trolls Create Election Chaos in the US by Posing as Reputable Media
Russian state-backed actors are spreading massive amounts of fake news masquerading as information from reliable news sources in the final days of the 2024 US election season. Their goal is to fill the American news landscape with enough nonsense to affect the outcome of the election.
The main goal of the Kremlin’s full-scale propaganda campaign, Operation Overload, is to sway the US election by overloading already thin journalistic resources. There will be fewer journalists left to disprove the nonsense if the few reliable news outlets and journalists that remain in the US are always using their limited investigative resources to find fake news.
In order to make the misinformation appear to be from a reliable US news source, the group also adds branding and logos, making it harder for customers to distinguish between the two. The Russian fake news farm has most recently been spreading false material on Tim Walz, the vice-presidential candidate.
In order to undermine public confidence in the democratic process, incite domestic anxieties in the US about political violence and “civil war,” and take advantage of preexisting social divisions, the operation aims to directly introduce influence content into the mainstream discussion on divisive political issues.
ETLM Assessment:
Operation Overload has already employed this successful strategy. Similar initiatives in France recently helped the Russian state-sponsored outfit refine its fake news tactics. The program, which previously sought to sabotage the 2024 French elections and the Paris Olympics, is now concentrating on the US presidential election. It entails the development of fake news websites, phony fact-checking tools, and artificial intelligence (AI)-generated audio that imitates mainstream media sources.
The endeavour primarily uses automated social media posts to continuously spread false information, in addition to AI-generated material, propaganda saturating media, and fake news that has been manipulated to appear like real reporting. X (formerly Twitter) is where a lot of the misinformation about Operation Overload spreads. X accounts were identified as the source of three distinct fake narratives that the Russian troll farm had been spreading against Walz in recent days.
Operation Overload will persist in spreading three different types of misinformation in the coming days with the goal of influencing the US election: inciting political violence, attacking candidates, and demonizing Ukrainians and the LGBTQIA+ community.
4. Rise in Malware/Ransomware and Phishing
The Sarcoma Ransomware Impacts Suntrust Properties
- Attack Type: Ransomware
- Target Industry: Real Estate
- Target Geography: Philippines
- Ransomware: Sarcoma Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the Philippines; Suntrust Properties (www[.]suntrust[.]com[.]ph), was compromised by Sarcoma Ransomware. Suntrust Properties, Inc. (SPI) is a leading real estate company in the Philippines, known for developing affordable residential communities, condominiums, and other properties. It is one of the largest real estate developers in the country. Suntrust focuses on offering homes for middle-income families, balancing affordability with strategic locations. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 1 TB.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
- Sarcoma ransomware first appeared in late 2023 and quickly established itself as a formidable adversary in the ransomware landscape. Its sophisticated approach and rapid victimization have drawn attention.
- The Sarcoma ransomware group employs a double extortion model, encrypting victims’ data while also exfiltrating sensitive information to leverage for ransom payments. For instance, Sarcoma threatened to publish stolen data within days if ransoms were not paid, showcasing their aggressive extortion tactics.
- The Sarcoma Ransomware group primarily targets countries like the United States of America, Spain, Australia, Canada, and the United Kingdom.
- The Sarcoma Ransomware group primarily targets industries, such as Specialized Consumer Services, Industrial Goods & Services, Computer Services, Home Improvement Retailers, and Pharmaceuticals.
- Based on the Sarcoma Ransomware victims list from 1st Jan 2024 to 29th October 2024, the top 5 Target Countries are as follows:
- The Top 10 Industries, most affected by Sarcoma Ransomware from 1st Jan 2024 to 29th October 2024 are as follows:
ETLM Assessment:
Based on recent assessments by CYFIRMA, Sarcoma ransomware is rapidly becoming a significant threat due to its aggressive tactics and increasing victim count. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate risks associated with this evolving threat landscape.
The RansomHub Ransomware Impacts the Yorozu Corporation
- Attack Type: Ransomware
- Target Industry: Automotive
- Target Geography: Japan
- Ransomware: RansomHub Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; Yorozu Corporation(www[.]yorozu-corp[.]co[.]jp), was compromised by RansomHub Ransomware. Yorozu Corporation is a Japanese company primarily operating in the automotive parts industry. The company specializes in the development, design, production, and sales of automotive parts, including suspension systems. Yorozu’s products serve major automotive manufacturers, such as Nissan, Toyota, Honda, and several global companies like Ford, General Motors, and Mercedes-Benz. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data encompasses a trove of sensitive and confidential records, originating from the organizational database. The total size of the compromised data is approximately 849 GB.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
- RansomHub operates under a Ransomware-as-a-Service (RaaS) model, attracting experienced affiliates by offering competitive terms. This model has enabled the group to grow rapidly, capitalizing on tactics that include exploiting vulnerabilities in software such as Apache ActiveMQ, and Citrix ADC.
- The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Italy, and Australia.
- The RansomHub Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Business Support Services, Software, and Health Care Providers.
- Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 29th October 2024, the top 5 Target Countries are as follows:
- The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2024 to 29th October 2024 are as follows:
ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Yorozu Corporation, a prominent Automotive company from Japan, highlighting RansomHub’s significant threat presence in the Asia Pacific region.
5. Vulnerabilities and Exploits
Vulnerability in Cisco Adaptive Security Virtual Appliance and Secure Firewall Threat Defense Virtual SSL VPN
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Server application
- Vulnerability: CVE-2024-20260
- CVSS Base Score: 8.6
- Vulnerability Type: Uncontrolled Memory Allocation
Summary:
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Relevancy & Insights:
The vulnerability exists due to a lack of proper memory management for new incoming SSL/TLS connections on the virtual platforms within the VPN and management web servers.
Impact:
A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Affected Products:
https://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftdvirtual-dos-MuenGnYR
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
Vulnerability in Cisco Secure Firewall Threat Defense Virtual can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Cisco Secure Firewall Threat Defense Virtual is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding network firewall operations, including intrusion prevention, URL filtering, and malware defense, across different geographic regions and sectors.
6. Latest Cyber-Attacks, Incidents, and Breaches
KillSec Ransomware attacked and published the data of the Rudraksha Multispeciality Hospitals
- Threat Actors: KillSec Ransomware
- Attack Type: Ransomware
- Objective: Data Leak, Financial Gains
- Target Technology: Web Applications
- Target Industry: Healthcare services
- Target Geography: India
- Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage
Summary:
Recently, we observed that KillSec Ransomware attacked and published the data of Rudraksha Multispeciality Hospitals (www[.]rudrakshahospitals[.]com) on its dark web website. Rudraksha Multispeciality Hospitals, based in India, offers a wide range of healthcare services focused on providing advanced, compassionate, and affordable treatment. The hospital specializes in neurosurgery, general surgery, orthopedics, critical care, and plastic and reconstructive surgery, among other areas. It also provides comprehensive medical services in cardiology, endocrinology, urology, and pediatric care. Rudraksha Hospitals are equipped with modern surgical facilities and a state-of-the-art critical care unit designed to handle life-threatening conditions with timely and precise interventions. The data leak, following the ransomware attack, encompasses sensitive information, including personally identifiable information (PII), financial data, and confidential business details. This includes names, addresses of businesses, customer addresses, contact numbers, invoice details, amounts due, terms of payment, late charges, customer numbers, invoice numbers, and sales representative IDs.
Source: Dark Web
Relevancy & Insights:
- Launch of KillSec RaaS: On June 25, 2024, KillSec announced the introduction of its Ransomware-as-a-Service platform via its Telegram channel. This platform is designed to provide aspiring cybercriminals with advanced tools and user-friendly features to facilitate ransomware attacks. The core component of this service is an advanced locker written in C++, which encrypts files on victims’ machines, making them inaccessible, without a decryption key provided after a ransom is paid.
- Access to the KillSec RaaS program is priced at $250, with KillSec taking a 12% commission on any ransom payments collected by users. This model aims to make sophisticated cyber tools accessible while ensuring profitability for KillSec.
- KillSec Ransomware employs various sophisticated methods to infiltrate systems, including phishing attacks, exploiting known vulnerabilities, and using custom malware to maintain persistence within compromised networks.
ETLM Assessment:
The emergence of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally.
According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.
7. Data Leaks
PT PETROLAB SERVICES Data Advertised on a Leak Site
- Attack Type: Data Leak
- Target Industry: Energy, Analytical laboratory, and industrial testing services
- Target Geography: Indonesia
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
The CYFIRMA Research team observed a potential data leak related to PT Petrolab Services(www[.]petrolab[.]co[.]id) in an underground forum.PT Petrolab Services is an Indonesian independent laboratory offering specialized testing, analysis, and consulting services across various industries. Petrolab serves over 2,500 clients across Southeast Asia, particularly within sectors like oil, mining, manufacturing, and energy. The exposed data includes details such as the Customer ID, Customer Name, Customer Abbreviation, Customer Administrative Address, Email, and other sensitive and confidential information. The data breach has been attributed to a threat actor identified as “Zenox8x”.
Source: Underground Forums
United News Data Advertised on a Leak Site
- Attack Type: Data Leak
- Target Geography: Philippines
- Target Industry: Media and Publishing
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
In a recent post on a dark web forum, a threat actor claims to have breached the database of United News Network, a Philippine news and media company. The alleged database reportedly contains usernames and email addresses.
Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
Threat actor “Zenox8x” is a relatively new threat actor that has emerged in the cybersecurity landscape, utilizing sophisticated tactics to execute attacks. Organizations are advised to enhance their cybersecurity measures, including regular updates, employee training, and incident response planning, to mitigate risks associated with such evolving threats.
Recommendations: Enhance the cybersecurity posture by
- Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
- Ensure proper database configuration to mitigate the risk of database-related attacks.
- Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.
8. Other Observations
A dark web actor claims to have leaked data from 1StopBedrooms.com, an online furniture retailer in the USA. The breach reportedly exposes details from approximately 1 million orders, including customer addresses, email addresses, and phone numbers. The compromised data raises serious concerns about customer privacy and potential misuse for fraud or phishing attacks.
The breach highlights vulnerabilities in e-commerce platforms, emphasizing the need for robust data protection strategies. Affected customers are advised to be cautious of suspicious communications and monitor their accounts for any unauthorized activity. 1StopBedrooms.com has not yet provided an official response to the incident.
Source: Underground forums
The CYFIRMA Research team observed a potential data leak related to Elife Limo(ww[.]elifelimo[.]com) in an underground forum. Elife Limo is a global private transportation service offering airport transfers, limousine rentals, bus charters, and other specialized travel services in over 150 countries. Their offerings include various vehicle types like sedans, SUVs, minibusses, and specially equipped vans for wheelchair accessibility and pet transport. Known for their punctuality and professional chauffeurs, Elife also provides added services like flight tracking, free waiting periods at airports, and flexible cancellations. The Compromised User Data contains Full names, Airport check-ins, Email Addresses, Phone numbers, Flight numbers, Flight Arrival times & drop-off locations. The data breach has been attributed to a threat actor identified as “IntelBroker”.
Source: Underground forums
ETLM Assessment:
IntelBroker acts as an “intelligence broker,” breaching organizations and selling their compromised data on underground forums. They have claimed responsibility for over 80 data leaks, affecting more than 400 organizations. Based on the available information, CYFIRMA’s assessment indicates that IntelBroker represents a significant threat in the cybercrime landscape due to its aggressive tactics and high-profile targets. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such evolving threats.
STRATEGIC RECOMMENDATION
- Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATION
- Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
- Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
- Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.
TACTICAL RECOMMENDATION
- Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
- Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
- Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
Trending Malware of the Week
Type: Remote Access Trojan (RAT)
Objective: Data Exfiltration, Stealing Sensitive Information, Remote Access, Espionage
Target Technology: Windows OS
Active Malware of the Week
This week “PySilon” is trending.
PySilon
Recently, researchers identified PySilon RAT, an open-source remote access tool initially posted on GitHub in December 2022. PySilon RAT exemplifies how threat actors increasingly turn to open-source malware for its flexibility, robust capabilities, and ease of deployment. Written in Python, this tool is readily available on GitHub and supported by communities across Telegram and other forums, offering threat actors a powerful, customizable framework for malicious activities. The emergence of PySilon highlights the concerning trend of sophisticated, adaptable open-source tools making advanced malware campaigns more accessible than ever.
Fig: PySilon RAT malware builder program
The PySilon RAT builder allows users to customize configurations by specifying details like the Server ID, bot token for Discord bot development, and installation path in the system registry. Once these custom details are added to the pre-written Python code, the builder compiles it into an executable (.exe) file using PyInstaller.
Attack Method
When the generated executable file is executed on a user’s PC, it creates a new channel on a server controlled by the threat actor. Initially, the infected system’s IP address and other relevant information are sent to the attacker through chat. Each infected PC has its own dedicated channel, enabling the threat actor to manage and control each compromised device individually.
Fig: System information sent by the initially installed bot to the threat actor
When executed, the RAT malware replicates itself in the user folder and modifies the system registry’s RUN key to ensure persistence, launching automatically each time the PC starts. The threat actor can further customize the folder name used for replication. The malware also includes anti-virtual machine (VM) logic, detecting VM environments through specific file or process names, and will not run if a virtual environment is detected. The following commands are supported by PySilon.
The threat actor can then use the commands in the newly created channel’s chat to execute further malicious actions. Listed below are the primary actions the malware enables from the threat actor’s perspective.
Screen recording and audio recording
The malware enables screen and audio recording on the infected PC through Python modules like pyautogui, numpy, imageio, and sounddevice.
Fig: Screen and audio recording files sent to the threat actor
Collecting information
The “Grab” command in the RAT malware allows the threat actor to collect extensive information from the infected system, including the user’s personal and payment details, browser history, cookies, and various passwords. The information gathered includes Discord tokens, Nitro status, MFA details, email, phone number, passwords, cookie data, and browsing history.
Fig: Collecting information
Keylogging
When the user presses “Enter,” the input content is sent to the threat actor’s server.
Fig: Keylogging
Folder encryption and additional malicious actions
The malware can encrypt files on the infected PC using the Fernet encryption algorithm, with the decryption key stored in the user folder. Encrypted files are marked with a .pysilon extension, and no ransom note is generated. Beyond encryption, the malware can modify the hosts file to control website access through a blacklist/whitelist, upload or download files, execute commands, manage processes, and even trigger a blue screen of death (BSOD) using Windows-native functions.
Fig: Encryption/decryption commands and Key file created in user folder
INSIGHTS
- The PySilon malware reveals a strategic shift by threat actors toward open-source platforms like GitHub, leveraging the accessibility and flexibility of tools coded in Python. Researchers discovered PySilon being deployed by various actors to gain complete control over infected systems, primarily using Discord as a command-and-control hub. This setup enables actors to easily manage malware features remotely, and the integration with Discord also allows for continuous communication and updates, enhancing its stealth and functionality.
- PySilon offers a broad range of malicious capabilities, from file encryption to credential theft, allowing threat actors to extract sensitive information like passwords, browsing history, and even payment details. One particularly concerning feature is its ability to persist on a user’s PC and evade detection through anti-virtual machine logic, enabling it to operate solely in genuine environments. The malware also lacks a ransom demand feature, hinting that its focus may be more on data theft and espionage than immediate financial gain.
- The PySilon malware highlights the evolving nature of malware distribution through popular platforms and the ease with which threat actors can now launch sophisticated attacks. With customizability at its core, PySilon appeals to a range of attackers, who can tailor its configurations and commands to suit specific goals, from blacklisting websites to causing system crashes. As open-source malware use grows, security professionals must remain vigilant against similar campaigns, as these tools make advanced attacks more accessible and challenging to detect.
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the rise of PySilon malware signals a future of heightened cybersecurity risks as threat actors increasingly leverage open-source tools for targeted attacks on organizations and employees. PySilon’s data extraction capabilities suggest that employee accounts will become key targets, with stolen credentials potentially granting attackers deeper access to corporate networks. This points to a shift toward stealthy, customized attacks, where malware adapts to exploit specific systems and user behaviors. PySilon’s persistent, covert nature could drive a surge in undetected breaches, intellectual property theft, and network disruptions, challenging traditional security measures. Additionally, as attackers extend their reach to employees’ personal devices, especially those used for remote work, organizations may need to adopt stronger, cross-device protections, while employees will be urged to prioritize data privacy across all platforms.
STRATEGIC RECOMMENDATION
- Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
MANAGEMENT RECOMMENDATION
- Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
- Security Awareness training should be mandated for all company employees. The training should ensure that employees:
- Avoid downloading and executing files from unverified sources.
- Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
TACTICAL RECOMMENDATION
- Enable Network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Ransomware of the Week
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.
Type: Ransomware.
Target Technologies: MS Windows.
Introduction
CYFIRMA Research and Advisory Team has found Destroy Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Destroy Ransomware.
Researchers recently discovered the Destroy ransomware, which is part of the “MedusaLocker” ransomware family.
Ransomware encrypts files and appends the “.destry30” extension to their filenames. The number in the extension may vary depending on the ransomware variant. Once the encryption process is complete, ransomware drops a ransom note titled “How_to_back_files.html.”
By the ransom note, this ransomware variant clearly targets companies rather than individuals.
Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)
The ransom note informs the victim that their company network has been compromised, resulting in the encryption of important files and the theft of confidential or personal data. The attackers demand a ransom in exchange for decryption.
The note also cautions against attempting to modify the encrypted files or using third-party decryption tools, as this could lead to permanent data loss. As a gesture, the attackers offer to decrypt up to three files for free as proof. However, if the ransom is not paid, they threaten to leak or sell the stolen data.
Appearance of Destroy ransomware’s ransom note “How_to_back_files.html” (Source: Surface Web)
Following are the TTPs based on the MITRE Attack Framework.
Sr. No | Tactics | Techniques/Sub-Techniques |
1 | TA0001: Initial Access | T1091: Replication Through Removable Media |
2 | TA0002: Execution | T1047: Windows Management Instrumentation |
T1059: Command and Scripting Interpreter | ||
T1129: Shared Modules | ||
3 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service |
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ||
T1574.002: Hijack Execution Flow: DLL Side-Loading | ||
4 | TA0004: Privilege Escalation | T1134.004: Access Token Manipulation: Parent PID Spoofing |
T1543.003: Create or Modify System Process: Windows Service | ||
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ||
T1548: Abuse Elevation Control Mechanism | ||
T1574.002: Hijack Execution Flow: DLL Side-Loading | ||
5 | TA0005: Defense Evasion | T1027.002: Obfuscated Files or Information: Software Packing |
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools | ||
T1036: Masquerading | ||
T1070.004: Indicator Removal: File Deletion | ||
T1112: Modify Registry | ||
T1134.004: Access Token Manipulation: Parent PID Spoofing | ||
T1140: Deobfuscate/Decode Files or Information | ||
T1202: Indirect Command Execution | ||
T1222: File and Directory Permissions Modification | ||
T1497: Virtualization/Sandbox Evasion | ||
T1548: Abuse Elevation Control Mechanism | ||
T1562.001: Impair Defenses: Disable or Modify Tools | ||
T1574.002: Hijack Execution Flow: DLL Side-Loading | ||
6 | TA0006: Credential Access | T1056.001: Input Capture: Keylogging |
T1003: OS Credential Dumping | ||
7 | TA0007: Discovery | T1012: Query Registry |
T1057: Process Discovery | ||
T1082: System Information Discovery | ||
T1083: File and Directory Discovery | ||
T1120: Peripheral Device Discovery | ||
T1497: Virtualization/Sandbox Evasion | ||
T1614: System Location Discovery | ||
8 | TA0008: Lateral Movement | T1091: Replication Through Removable Media |
9 | TA0009: Collection | T1005: Data from Local System |
T1056.001: Input Capture: Keylogging | ||
T1074: Data Staged | ||
10 | TA0011: Command and Control | T1071: Application Layer Protocol |
11 | TA0040: Impact | T1486: Data Encrypted for Impact |
Relevancy and Insights:
- This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
- Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
- Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
- The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
- The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
ETLM Assessment:
CYFIRMA’s analysis of available data indicates that MedusaLocker ransomware has been actively targeting a wide range of sectors, including Manufacturing, Healthcare, Finance, IT services, and much more, since 2019. Projections suggest that destroy, a more advanced variant of MedusaLocker, will likely use enhanced evasion techniques to broaden its impact, targeting both individuals and businesses. It is expected to continue affecting major industries worldwide. Therefore, maintaining vigilance and implementing robust cybersecurity measures are crucial to mitigating these evolving threats effectively.
SIGMA Rule:
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
– attack.defense-evasion
– attack.impact
– attack.t1070
– attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’
selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’
selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’
selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet
selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’
selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’
CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
– CommandLine
– ParentCommandLine
falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: SurfaceWeb)
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
STRATEGIC RECOMMENDATION
- Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
- Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.
MANAGEMENT RECOMMENDATION
- A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
- Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
- Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATION
- Update all applications/software regularly with the latest versions and security patches alike.
- Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
[ad_2]