Cyber Intel Brief: Dec 21 – 28, 2022

Malware

Management Infrastructure Behind IcedID

Impacted Industries: All

What You Need To Know:

Cybercriminals behind the IcedID malware (a dropper that, according to open sources, operates as an initial access broker) have a roughly even chance of changing the TTPs they use to implement their proprietary command-and-control protocol (BackConnect) and management infrastructure. We base this assessment on Team Cymru discovering 11 BackConnect command and control servers (C2s) managed via two VPN nodes with an average life cycle of about four weeks. One or two are active at any given time, following a Monday-to-Friday schedule. Additionally, the operators have a roughly even chance of implementing defensive measures, because Team Cymru points out that the cybercriminals have so far taken very few steps to cover their tracks.


Malware

IcedID Abusing Google Ads

Impacted Industries: All

What You Need To Know:

Cybercriminals behind other malware families could begin using Google ads to distribute malware, given that Trend Micro observed the cybercriminals behind IcedID using malicious advertising (malvertising) via Google ads to spread the malware. In the campaign detailed by Trend Micro, victims first click on a malicious Google ad, which redirects them to a malicious site. Clicking the “Download” button on that site downloads a ZIP file. These ZIP files contain malicious Microsoft Software Installer (MSI) or Windows Installer files that, once executed, load IcedID. IcedID can deliver other payloads, including Cobalt Strike and other malware, and allows cybercriminals to conduct highly impactful follow-through attacks that have resulted in ransomware and data extortion.


Malware

Is PureLogs Infostealer an Emerging Threat?

Impacted Industries: All

What You Need To Know:

Cyble published a report on an infostealer distributed through a dedicated website and promoted on cybercrime marketplaces. A screenshot, shared by Cyble, of the website’s product page shows a “stock number” next to each offering. This number could suggest two things: the infrastructure is not robust enough to handle a large volume of users, which lowers the threat level, or it’s a marketing ploy to persuade users to purchase the malware, increasing the threat level. PureLogs is designed to steal browser data, including cookies and passwords, crypto wallets, and various extensions. The campaign was reportedly carried out by the cybercriminal “Alibaba2044”, targeting Italy. In addition to PureLogs, the cybercriminal behind the infostealer, known as PureCoder, is offering several other types of malware for sale, including cryptominers, hidden virtual network computing malware, a botnet loader, and a malware loader. A PureLogs infection can be severe for an organization, potentially resulting in the loss of sensitive data, disruption to operations, and financial losses. There is a risk that cybercriminals could sell stolen sensitive data, like passwords, on cybercrime marketplaces, increasing the risk of follow-on post-exploitation activity such as sensitive data theft, extortion, and ransomware.


Malware

DDoS Botnet ZeroBot Adds to its Capabilities

Impacted Industries: All

What You Need To Know:

The cybercriminals behind the DDoS botnet Zerobot will likely remove old vulnerabilities from, and add new ones to, the set the malware can exploit, and will likely add the ability to spread to Windows machines, now that Microsoft has published details about the latest version of the malware, including its new capabilities. The Go-based botnet primarily spreads through IoT and web application vulnerabilities and is offered as part of a Malware-as-a-Service scheme. The newest capabilities include additional DDoS attack methods (totaling 26 known attack methods) and exploits for several vulnerabilities on supported architectures.


New Techniques

North Korean APT BlueNoroff Uses New Techniques

Impacted Industries: Financial; Potentially all

What You Need To Know:

Customers who trade cryptocurrency or deal with smart contracts are the primary targets of the BlueNoroff group, known for stealing cryptocurrency. Kaspersky recently observed the group adopting new malware delivery methods. The latest techniques observed by Kaspersky included attempting to evade Microsoft Windows’ Mark-of-the-Web flag by using .iso, .vhd, and other container file types that hold various embedded files, including PowerPoint files. Kaspersky also observed a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable. However, the final payload remained essentially unchanged.


Ransomware

Vice Society Deploys Custom-Branded Ransomware

Impacted Industries: All

What You Need To Know:

SentinelOne has identified a new strain of ransomware, dubbed “PolyVice,” used in a recent Vice Society intrusion; it appends the file extension .ViceSociety to encrypted files. The codebase used to build the payload deployed by Vice Society has also been used to create custom-branded payloads for other threat groups, including Chily and SunnyDay. SentinelOne assesses that a developer or group of developers is likely selling custom-branded ransomware payloads to multiple groups through a “white label” “Locker-as-a-Service” model, allowing buyers to customize their ransomware without revealing the source code. If SentinelOne’s analysis is accurate, unknown affiliates will likely abandon, or at the very least depend less on, their relationships with RaaS providers to carry out their attacks.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
