Threat Intelligence Report November 15 - November 21 2022

Threat name:

Researchers recently detected a new version (Version 3.3.3) of famous Loader malware named IceXLoader. The IceXLoader Version 3.3.3 is written in the Nim language, compiled into C, C++, and JavaScript. IceXLoader can collect the following information about the victim and send it to the C&C server:

a.         IP address
b.         UUID
c.         Username and machine name
d.         Windows OS version
e.         Installed security products
f.          Presence of .NET Framework v2.0 and/or v4.0
g.         Loader Version – in our case is v3.3.3
h.         RAM information
i.          CPU information
j.          GPU information
​​​​​​​k.         Timestamp

Laplas Clipper is a malicious application which targets user’s cryptocurrency accounts. This malware seizes a cryptocurrency transaction by exchanging a victim’s wallet address with the wallet address owned by Threat Actors (TAs). When a user tries to make a payment from their cryptocurrency account, it redirects the transaction to TAs account instead of their original recipient. Malware performs this swap by monitoring the clipboard of the victim’s system, where copied data is stored. Whenever the user copies data, the clipper verifies if the clipboard data contains any cryptocurrency wallet addresses. The malware replaces it with the TAs wallet address, resulting in the victim’s financial loss.

Execution T1204/T1203- Persistence T1053- Privilege Escalation T1055/T1574 - Defense Evasion T1027/T1562/T1497/T1036/T1070/T1564- Discovery T1057/T1082/T1518- Command and Control  T1071/T1105/T1571

​​​​​​​A new version of the Fodcha DDoS botnet has been detected by the researcher recently which is a highly sophisticated malware capable of ransom demands injected into packets and features to evade detection measures. The Fodcha DDoS botnet was detected by 360Netlab researchers back in April 2022. According to a new report published by the researchers, the latest Fodcha version 4 has grown to an unprecedented scale, with its developers taking measures to prevent analysis after Netlab's last report. The most notable improvement in this botnet version is the delivery of ransom demands directly within DDoS packets used against victims' networks. In addition, the botnet now uses encryption to establish communication with the C2 server, making it harder for security researchers to analyse the malware and potentially take down its infrastructure.  

​​​​​​​Typhon Reborn is the new and updated version of the Typhon Stealer. Both variants are mainly used to steal crypto wallets, and log keystrokes are used in both personal and banking applications. The updated variant Typhon Reborn, however, is now capable of anti-analysis. These techniques range from checking for a debugging environment, default or VM-related user account to checking the hard disk space.

​​​​​​​RatMilad is an android malware that is sideloaded from a phone number spoofing app called Text Me which has also been updated to NumRent. The spoofing app is distributed through messaging apps like Telegram. Once a user is tricked into installing the NumRent app with significant privileges and permissions, it sideloads the RatMilad malware. The malware enables Remote Access Trojan capabilities as it collects and exfiltrates data from the victim's phone.

​​​​​​​Earth Longzhi campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longhzhi’s malware. The attacker embeds the malware in a password-protected archive or shares a link to download malware, luring the victim with information about a person. Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader. In addition, many TTPs and code spreads throughout the threat landscape in various ways; leaks that are coopted by other actors and selling of tools as a service by threat groups or rogue developers.

​​​​​​​​​​​​​​Fanxgiao uses various strategies to maintain anonymity: most of its infrastructure is protected behind CloudFlare, and domain names are changed regularly and quickly: on one day in October 2022 alone, the group used over 300 new unique domains.

Users arrive at a Fangxiao-controlled site through a link sent in a WhatsApp message, which in turn sends them to a landing domain impersonating a well-known, trusted brand: over 400 organisations are currently being imitated, with that number continuing to rise. Companies affected include Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr.

Victims are then redirected to the main survey domain. When they click the link, they are sent through a series of advertising sites to one of a set of constantly changing destinations. A click on the “Complete registration” button with an Android user agent will sometimes result in a download of the Triada malware. As victims are invested in the scam, keen to get their “reward”, and the site tells them to download the app, this has likely resulted in a significant number of infections.