Threat Intelligence Report February 7 - February 13 2023

Researchers have discovered a new variant of the Mirai botnet that can spread and download the Medusa Botnet. Upon execution, the Mirai botnet connects to its command-and-control server to retrieve the Medusa stealer file, which it then executes on Linux machines. The Medusa Botnet has the potential to launch devastating Distributed Denial of Service (DDoS) attacks at various levels of the network hierarchy, and can also carry out ransomware attacks on target systems. Additionally, it can conduct brute force attacks on Telnet services, collecting information such as system specifications, IP address, and unique identifier and sending it back to the command-and-control server.

Researchers have uncovered a new and sophisticated form of BAT loader, a type of malware used to spread various RATs and Stealer malware families. This new variant of BAT loader is distinct in its method of delivering the malicious payload to the user's system and has been seen in multiple malware families. According to our research, this BAT loader is being utilised by OneNote Attachment, which spreads through spam emails. The infection techniques of the BAT loader and its payload delivery mechanism highlight its adaptability and challenges. This loader is known for employing malspam and social engineering tactics to gain access to target networks through batch and PowerShell scripts, making it a complicated threat to detect. Its ability to evolve and adapt makes the BAT loader a persistent and dangerous type of malware.

Andariel is a threat group that is also closely attributed to APT38 and Lazarus. A campaign from the APT group has been recently discovered. The group has utilised the exploitation of the Zimbra Mail vulnerability (CVE-2022-27925 and CVE-2022-37042). Upon initial exploitation, the threat actors installed tunnelling tools to create a connection to a second server that is directly connected to their Command-and-Control server.

Rules to detect the Zimbra Mail exploit that this APT group utilised, as well as the backdoor activity attributed to this APT group are deployed in the Crystal Eye.

Fortra has released a security advisory for a remote code execution vulnerability found in their GoAnywhere file transfer solution. The vulnerability lies in the Licensing component servlet. As of writing, there is no patch available, but Fortra has released steps on how to disable the licensing service. A network access level is also required for the exploit to work.

Crystal Eye has deployed rules to detect the required parameter for this traffic.

Red Piranha regularly collects information about organisations hit by ransomware from different sources including the Dark Web. During the previous week, Red Piranha identified a total of 39 new ransomware victim organisations from 16 different countries all over the world.

One particular ransomware group named LockBit3.0 tallied the greatest number of new victims (18), the locations of which are spread across different countries. This is followed by Play group that hit 6 new victims. Victim counts these ransomware groups, and a few others are listed below. 

If we look at the victims as per the country, we can say that the USA again became the most affected country by ransomware groups, where 21 new victims were reported last week. The number of new ransomware victims per country is listed below: 

       
We conducted more research and discovered that 15 industries were affected globally by ransomware with the manufacturing and IT sectors being struck with the loss of 7 and 4 new businesses respectively just last week. The sector/industry of three new victims was not recognised. The following table lists the latest ransomware victims by sector: