Acronis Cyber Incident Digest #21

Dark Watchman demonstrates the evolution of fileless threats

A new remote access Trojan (RAT) called Dark Watchman relies on a fileless execution and persistence technique. Written in JavaScript, it is stealthier than most RATs because nothing it needs at run time has to exist as a file on disk.

Dark Watchman keeps its script in the Windows registry, and a scheduled task runs it every time the user logs in. The malware also includes a keylogger, which is written in C#; it is compiled on the victim machine by a PowerShell script using the legitimate .NET compiler, csc.exe, so no pre-built keylogger binary has to be delivered.

The RAT can download and execute new loaders, run arbitrary commands, upload files to a command-and-control server, and update its own code. There are also indications that it is used to download ransomware.

Effective detection of threats like this comes only from behavioral detection: since no malicious executable is ever written to disk, file scanning has nothing to inspect. What remains observable is the registry value holding the script, the scheduled task that launches it, and the PowerShell-to-csc.exe process chain, and that is where detection has to look.
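A hunt for the chain described above, added here as an example; it is not code from the original digest or from the researchers who analyzed Dark Watchman. It runs four checks over constructed Sysmon/EDR-style events (a script host whose command line reads code from the registry, a large script-looking registry value being written, a logon-triggered scheduled task that starts a script host, and csc.exe spawned by PowerShell) and raises an alert only for a host on which more than one stage appears, so a single administrator registry query does not fire. The registry path, task name, file paths and thresholds are placeholders and assumptions.

```python
"""Hunt for a Dark Watchman-style fileless persistence chain in endpoint
telemetry: a script kept in a registry value, a logon-triggered scheduled
task that runs a script host to read and execute it, and PowerShell invoking
the .NET compiler (csc.exe) to build a component on the host.

Added example. The events below are constructed to resemble Sysmon/EDR
fields (Image, ParentImage, CommandLine, TargetObject, Details); they are not
logs from the incident, and the registry path and task name are placeholders.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe"}
# A command line that pulls code out of the registry before running it.
REGISTRY_READ = re.compile(
    r"get-itemproperty|reg(?:\.exe)?\s+query|regread|\bhk(?:cu|lm)\b", re.I)
# Tokens that make a registry value look like JScript/PowerShell source.
SCRIPT_MARKERS = re.compile(
    r"function\s*\(|var\s+\w+\s*=|ActiveXObject|WScript|eval\(|"
    r"\biex\b|invoke-expression", re.I)
MIN_PAYLOAD_LEN = 512  # assumption: few legitimate values carry this much script text


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Process-creation event (Sysmon event ID 1 style)."""
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and REGISTRY_READ.search(cmd):
        return "script host reading code from the registry"
    if image == "csc.exe" and parent in {"powershell.exe", "pwsh.exe"}:
        return "csc.exe spawned by PowerShell (compile on the host)"
    return None


def check_registry(ev):
    """Registry value-set event (Sysmon event ID 13 style)."""
    data = ev.get("Details", "")
    if len(data) >= MIN_PAYLOAD_LEN and SCRIPT_MARKERS.search(data):
        return "script-like payload written to a registry value"
    return None


def check_task(ev):
    """Scheduled-task registration (Security event 4698 style, simplified:
    the action is assumed to start with the executable name or path)."""
    program = basename(ev.get("Action", "").split(" ", 1)[0])
    if ev.get("Trigger") == "logon" and program in SCRIPT_HOSTS:
        return "logon-triggered task running a script host"
    return None


CHECKS = {"process": check_process, "registry": check_registry, "task": check_task}


def hunt(events):
    """Return {host: sorted list of distinct finding kinds seen on that host}."""
    findings = defaultdict(set)
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit:
            findings[ev["host"]].add(hit)
    return {host: sorted(kinds) for host, kinds in findings.items()}


def alerts(events, min_kinds=2):
    """Hosts on which at least `min_kinds` different stages of the chain appear.
    Requiring more than one stage stops a lone admin registry query from alerting."""
    return sorted(h for h, kinds in hunt(events).items() if len(kinds) >= min_kinds)


# Constructed sample stream: one host showing the full chain, one host with
# only a benign registry lookup from an interactive PowerShell session.
TASK_CMD = "powershell.exe -w hidden -c \"iex (Get-ItemProperty 'HKCU:\\Software\\Example').p\""
FAKE_PAYLOAD = ("var sh = new ActiveXObject('WScript.Shell'); "
                "function run(c){ eval(c); } ") * 10  # JScript-looking blob, ~730 chars
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "task", "host": "WS01", "TaskName": "\\Updater", "Trigger": "logon",
     "Action": TASK_CMD},
    {"type": "registry", "host": "WS01", "TargetObject": "HKCU\\Software\\Example\\p",
     "Details": FAKE_PAYLOAD},
    {"type": "process", "host": "WS01", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": TASK_CMD},
    {"type": "process", "host": "WS01",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "ParentImage": PS,
     "CommandLine": "csc.exe /noconfig /fullpaths @\"C:\\Users\\alice\\AppData\\Local\\Temp\\x.cmdline\""},
    {"type": "process", "host": "WS02", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -c \"Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\""},
    {"type": "process", "host": "WS02", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for host, kinds in hunt(SAMPLE_EVENTS).items():
        print(host, kinds)
    print("alert:", alerts(SAMPLE_EVENTS))
```

On a real estate the three event sources map to Sysmon event ID 1 (process creation) and 13 (registry value set) and to Security event 4698 (scheduled task created), the last of which is only written when the "Audit Other Object Access Events" subcategory is enabled. Legitimate PowerShell-driven compilation does occur (some installers and management tools do it), which is why the correlation across stages, not the csc.exe check on its own, is what should page someone.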

Portuguese media giant Impresa paralyzed by ransomware attack

A ransomware attack on the Portuguese media group Impresa knocked out the websites and online services of SIC, the country's largest TV channel, and of the weekly newspaper Expresso, both owned by Impresa.

The Lapsus$ extortion group claimed responsibility for the attack and also claimed to have taken control of Impresa's Amazon Web Services account. This is the same group that compromised the Brazilian Ministry of Health in December 2021 and stole 50 TB of data.

Unsurprisingly, the volume of ransomware attacks continues to grow. Even with protection tools in place, fairly large companies regularly become victims because attackers bring new ransomware variants or new techniques that the deployed tools were not tuned for.

Night Sky – new ransomware ramps up its activity

A new ransomware operation called Night Sky was first seen at the end of 2021. The group has already claimed two victims, in Japan and Bangladesh, and the data stolen in those attacks has been published online.

Night Sky encrypts all files except applications and libraries (.exe and .dll) and appends the .NightSky extension to encrypted file names. The group uses double extortion: in addition to encrypting files and demanding a ransom, it steals sensitive data from the victim and threatens to publish it if the victim refuses to pay. It demanded $800,000 from one victim; the demand made to the second has not been published.

Because Night Sky is new, signature-based tools cannot be expected to recognize it, so it remains dangerous for machines without behavior-based anti-ransomware protection. On such machines the alarm, if it comes at all, may come only after the files have already been encrypted.
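The kind of behavioral anti-ransomware check the paragraph above refers to, as an added example that is not code from the original digest or from any product: it watches rename events per process and flags a burst in which one process appends the same new extension to many files of different types within a short window, which is the observable pattern when every file except applications and libraries gets a .NightSky suffix. The event stream is constructed, and the window and thresholds are assumptions a defender would tune.

```python
"""Behavioral detection of mass file renaming of the kind described for
Night Sky: one process appends the same new extension to many files of
different types within a short time window. Added example; the event stream
is constructed (not telemetry from a Night Sky incident) and the window and
thresholds are assumptions a defender would tune for their environment."""
import ntpath
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0    # assumption: sliding window over recent renames
MIN_RENAMES = 20         # assumption: at least this many renames...
MIN_DISTINCT_TYPES = 3   # ...spanning several original file types


def appended_extension(old_name, new_name):
    """Suffix appended to the original name, lower-cased, or None.
    'report.docx' -> 'report.docx.NightSky' gives '.nightsky'."""
    n = len(old_name)
    if new_name.startswith(old_name) and new_name[n:n + 1] == ".":
        return new_name[n:].lower()
    return None


class RenameBurstDetector:
    def __init__(self, window=WINDOW_SECONDS, min_renames=MIN_RENAMES,
                 min_types=MIN_DISTINCT_TYPES):
        self.window, self.min_renames, self.min_types = window, min_renames, min_types
        self.history = defaultdict(deque)  # pid -> deque of (ts, suffix, original ext)

    def observe(self, ev):
        """Feed one rename event {ts, pid, image, old, new}; return an alert or None."""
        suffix = appended_extension(ntpath.basename(ev["old"]), ntpath.basename(ev["new"]))
        if suffix is None:
            return None  # not an "append an extension" rename
        orig_ext = ntpath.splitext(ev["old"])[1].lower()
        q = self.history[ev["pid"]]
        q.append((ev["ts"], suffix, orig_ext))
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()  # drop renames that fell out of the window
        by_suffix = defaultdict(list)
        for _, s, ext in q:
            by_suffix[s].append(ext)
        for s, exts in by_suffix.items():
            if len(exts) >= self.min_renames and len(set(exts)) >= self.min_types:
                return {"pid": ev["pid"], "image": ev["image"], "suffix": s,
                        "count": len(exts), "ts": ev["ts"]}
        return None


def run(events):
    """Replay an event stream in time order; return the first alert per process."""
    det = RenameBurstDetector()
    first = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = det.observe(ev)
        if alert and alert["pid"] not in first:
            first[alert["pid"]] = alert
    return list(first.values())


def constructed_events():
    """Constructed sample: one process renaming a document tree the way the
    text describes (every file except .exe/.dll gets a .NightSky suffix), and a
    benign log-rotation process appending .bak to log files only."""
    names = ["report", "budget", "photo", "setup", "notes", "lib"]
    exts = [".docx", ".xlsx", ".jpg", ".exe", ".txt", ".dll"]
    events, ts = [], 1000.0
    for i in range(6):
        for base, ext in zip(names, exts):
            ts += 0.1
            if ext in (".exe", ".dll"):
                continue  # applications and libraries are left untouched
            old = f"C:\\Users\\bob\\Documents\\{base}{i}{ext}"
            events.append({"ts": ts, "pid": 4242, "image": "C:\\Users\\bob\\enc.exe",
                           "old": old, "new": old + ".NightSky"})
    for i in range(25):
        ts += 0.1
        old = f"C:\\logs\\app{i}.log"
        events.append({"ts": ts, "pid": 777, "image": "C:\\tools\\logrotate.exe",
                       "old": old, "new": old + ".bak"})
    return events


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

The distinct-type requirement is what keeps log rotation, backup tools and similar single-type renamers quiet; the trade-off is that a ransomware sample that hits only one file type would slip past this rule, which is why a real product pairs it with other signals such as entropy of written data and canary files.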

First Patch Tuesday of the year brought 96 fixes

The first Microsoft Patch Tuesday of 2022 brought fixes for 96 vulnerabilities, 89 of them rated important and the remaining 7 critical.

One of the most discussed critical patches fixes a wormable remote code execution (RCE) vulnerability in the Windows HTTP protocol stack (http.sys), tracked as CVE-2022-21907. It carries a CVSS score of 9.8 because an unauthenticated attacker can trigger it by sending specially crafted packets to a server that uses the HTTP stack, with no user interaction required.

Six of the patched vulnerabilities were zero-days in the sense that they had been publicly disclosed before the official fixes shipped, and they include further RCE-class bugs, so attackers had a head start on anyone who was slow to patch.

Another Patch Tuesday of this kind is a reminder that behavioral analysis and patch management are both critical elements of a modern cyber defense system: one covers the window before a patch exists, the other closes it.

Patchwork created such a successful trojan that they infected themselves!

An Indian threat group operating under the name Patchwork recently infected itself with its own malware. As a result, valuable data on the group's activities became public.

Patchwork (also known as Dropping Elephant) has been active since at least 2016 and has infected over 2,500 large targets worldwide in that time.

In this case the group appears to have infected one of its own machines with its RAT (remote access Trojan) while developing it, and screenshots and other information leaked from their systems as a result. Thanks to this, security researchers were able to establish that the attackers were testing a completely new version of the BADNEWS RAT, which they call Ragnatela. The new, still experimental, variant was spread through phishing campaigns and has already compromised several large organizations.

Patchwork mainly attacks organizations and individuals in China and Pakistan, but nothing in the malware's architecture stops the group from widening its target set one day. And since the group keeps fielding new versions of its Trojans, detection has to rely on behavioral and AI-based techniques rather than on signatures of known samples.

Trojanized dnSpy builds used to attack security researchers and developers

Unknown attackers recently launched a series of attacks on security tool developers and malware researchers using malicious builds of dnSpy, a popular .NET debugger and assembly editor.

Because the original dnSpy project is no longer maintained, users looking for a current build are easy to redirect. The attackers published a GitHub repository carrying a trojanized build of the tool and, with search engine optimization and a modest spend on paid ads, pushed sites promoting these builds onto the first page of search results for the relevant queries.

Unsurprisingly, a number of users were infected, since they deliberately installed what they believed to be a legitimate tool. Users whose protection included AI-based detection and URL filtering got the most out of it here, because the malicious build was promoted through illegitimate sites. The practical check is to fetch a tool only from the maintained project's release page and to compare the download against the hashes or signatures it publishes before running it.

Members of the REvil group arrested in Russia

And finally, in case you have not heard yet: Russian law enforcement raided 25 addresses and detained 14 people linked to the REvil cybercrime group. Officers found $6.8 million in cash in various currencies, a number of cryptocurrency wallets, and 20 luxury cars.

This is a significant event. REvil is responsible for many high-profile attacks that affected thousands of organizations and users, including the attacks on JBS Foods and Kaseya VSA last year.
