New Threat Detection Added | 5 (Rhadamanthys Stealer, Hive Malware Backdoor, Zerobot Malware, Playful Taurus APT, and Kimsuky APT) |
New Threat Protections | 12 |
Overall Weekly Observables Count | 1,977,832 |
New Ransomware Victims Last Week | 30 |
Daily Submissions by Observable Type
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Threat name: | Rhadamanthys Stealer |
Researchers recently discovered a new malware variant named "Rhadamanthys Stealer". It is actively in use, and the threat actor (TA) behind it sells it under the Malware-as-a-Service (MaaS) business model. Rhadamanthys spreads by luring users to phishing websites that impersonate popular programs such as Zoom, AnyDesk, Notepad++ and Bluestacks. It can also arrive through spam emails carrying an attachment with a malicious payload. |
Threat Protected: | 01 |
Rule Set Type:
Ruleset | IDS: Action | IPS: Action
Balanced | Reject | Drop
Security | Reject | Drop
WAF | Disabled | Disabled
Connectivity | Alert | Alert
OT | Disabled | Disabled
Class Type: | Trojan-activity |
Kill Chain: | Initial Access T1566 - Execution T1204/T1059 - Privilege Escalation T1055 - Defence Evasion T1218/T1027/T1497 - Credential Access T1003/T1056/T1552 - Discovery T1082/T1518/T1083/T1087 - Collection T1005/T1114 - Command-and-Control T1071/T1095/T1105 |
Threat name: | Hive Malware Backdoor |
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite. The backdoor, named xdr33, is derived from the CIA Hive project; its main purpose is to collect sensitive information and provide a foothold for follow-on intrusions. Once running, it establishes communication with its Trigger C2 server and waits to execute the commands issued by it. |
Threat Protected: | 01 |
Rule Set Type:
Ruleset | IDS: Action | IPS: Action
Balanced | Alert | Alert
Security | Reject | Drop
WAF | Disabled | Disabled
Connectivity | Alert | Alert
OT | Disabled | Disabled
Class Type: | Trojan-activity |
Kill Chain: | Discovery TA0007 - Command-and-Control TA0011 |
Threat name: | Zerobot Malware |
The Zerobot malware infects routers, cameras, firewalls and other internet-facing devices and adds them to a distributed denial-of-service (DDoS) botnet. Using multiple modules, it can scan for further devices to infect, achieve persistence, attack a variety of protocols, and compromise vulnerable devices running a range of operating systems and architectures.
The most recent version of Zerobot adds new DDoS attack capabilities as well as the ability to exploit vulnerabilities in Apache HTTP Server and Apache Spark (CVE-2021-42013 and CVE-2022-33891, respectively). |
Threat Protected: | 01 |
Rule Set Type:
Ruleset | IDS: Action | IPS: Action
Balanced | Reject | Drop
Security | Reject | Drop
WAF | Disabled | Disabled
Connectivity | Alert | Alert
OT | Disabled | Disabled
Class Type: | Trojan-activity |
Kill Chain: | Execution T1059/T1064 - Persistence T1543.002 - Privilege Escalation T1543 - Defence Evasion T1027/T1064/T1222 - Discovery T1082/T1083 - Command-and-Control T1071/T1095/T1571/T1573 |
Threat name: | Playful Taurus |
Playful Taurus is a Chinese threat group known for conducting cyber espionage campaigns, primarily against governments in America, Africa and the Middle East. The group has been reported to operate a backdoor called Turian, and the frequency with which updated variants are discovered indicates that the malware is under continuous development. It was recently found to have infected Iranian government networks. Crystal Eye has rules deployed to detect traffic attributed to the Playful Taurus APT group. |
Threat Protected: | 07 |
Rule Set Type:
Ruleset | IDS: Action | IPS: Action
Balanced | Reject | Drop
Security | Reject | Drop
WAF | Disabled | Disabled
Connectivity | Alert | Alert
OT | Disabled | Disabled
Class Type: | Trojan-activity |
Kill Chain: | Initial Access T1566 - Execution T1059/T1106 - Persistence T1574 - Command-and-Control T1102 |
Threat name: | Kimsuky APT |
Kimsuky APT, a North Korean threat group known for government-focused cyber espionage operations, has recently been observed targeting military base maintenance providers. A common Kimsuky tactic is to lure targets with phishing emails resembling a notice from a government ministry. The email carries a malicious document disguised as a sign-up form; once opened, it immediately contacts its command-and-control server for further instructions. Red Piranha has deployed new rules that detect the initial domain requests for recently discovered Kimsuky-related sites; once this traffic is observed from an endpoint, it is rejected. |
Threat Protected: | 02 |
Rule Set Type:
Ruleset | IDS: Action | IPS: Action
Balanced | Reject | Drop
Security | Reject | Drop
WAF | Disabled | Disabled
Connectivity | Alert | Alert
OT | Disabled | Disabled
Class Type: | Trojan-activity |
Kill Chain: | Initial Access T1566 - Execution T1204 - Command-and-Control T1102 |
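As an added example (not Crystal Eye's own rules or code), the following Python shows the detection logic the Kimsuky and Playful Taurus entries describe in a runnable form: DNS query events in Suricata EVE JSON are checked against a watchlist of C2 domains, matching on label boundaries so that a subdomain of a listed domain is caught while a lookalike such as notsignup-form.example is not. The watchlist entries and the log lines are constructed placeholders under the reserved .example TLD; they are not the Kimsuky indicators Red Piranha deployed, which this bulletin does not publish.

```python
"""Watchlist-based DNS detection over Suricata EVE JSON.

Added example, not Red Piranha / Crystal Eye code. The watchlist and the
log lines below are constructed placeholders (.example TLD), not real
Kimsuky indicators.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed watchlist; stands in for "recently discovered Kimsuky-related sites".
WATCHLIST = {
    "ministry-notice.example",
    "signup-form.example",
}

# Constructed EVE 'dns' events in Suricata's JSON-per-line format.
SAMPLE_EVE_LOG = """\
{"timestamp":"2023-01-20T09:12:01.000000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":4121,"rrname":"www.ministry-notice.example","rrtype":"A"}}
{"timestamp":"2023-01-20T09:12:02.000000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":4122,"rrname":"update.microsoft.com","rrtype":"A"}}
{"timestamp":"2023-01-20T09:12:03.000000+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":9001,"rrname":"SIGNUP-FORM.EXAMPLE.","rrtype":"A"}}
{"timestamp":"2023-01-20T09:12:04.000000+0000","event_type":"dns","src_ip":"10.0.0.31","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":9002,"rrname":"notsignup-form.example","rrtype":"A"}}
{"timestamp":"2023-01-20T09:12:05.000000+0000","event_type":"alert","src_ip":"10.0.0.31","dest_ip":"203.0.113.9","alert":{"signature":"placeholder"}}
"""


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.EXAMPLE.' == 'foo.example'."""
    return name.rstrip(".").lower()


def matched_domain(rrname: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlist entry that rrname equals or is a subdomain of.

    The match is on label boundaries: 'www.signup-form.example' matches
    'signup-form.example', but 'notsignup-form.example' does not.
    """
    q = normalise(rrname)
    for d in watchlist:
        d = normalise(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def detect(eve_lines: Iterable[str], watchlist: Iterable[str]) -> List[Dict[str, str]]:
    """Scan EVE JSON lines; return one hit per DNS query to a watchlisted domain."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than stop the whole scan
        if ev.get("event_type") != "dns":
            continue  # alerts, flows, etc. are not DNS lookups
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue  # answers are logged separately; we key on the client's request
        hit = matched_domain(dns.get("rrname", ""), watchlist)
        if hit:
            hits.append({
                "timestamp": ev["timestamp"],
                "src_ip": ev["src_ip"],
                "rrname": dns["rrname"],
                "watchlist_domain": hit,
            })
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVE_LOG.splitlines(), WATCHLIST):
        print(f'{h["timestamp"]} {h["src_ip"]} -> {h["rrname"]} (matches {h["watchlist_domain"]})')
```

Run as a script, it reports the two lookups from 10.0.0.15 and 10.0.0.22 and ignores both the legitimate query and the lookalike. In a Suricata deployment the same label-boundary check is expressed with the dns.query sticky buffer, the dotprefix transform and endswith, and the rule's action keyword (alert, reject or drop) is what the Rule Set Type tables above vary per ruleset.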
New Ransomware Victims Last Week: | 30 |
Red Piranha regularly collects information about organisations hit by ransomware from different sources, including the Dark Web. During the previous week, Red Piranha identified a total of 30 new ransomware victim organisations across 12 countries. The LockBit3.0 group tallied the greatest number of new victims (8), spread across different countries, followed by the Royal group with 6 new victims. Victim counts for these and the other active groups are listed below. |
Ransomware Group | New Victims
AlphV | 3
Blackbyte | 2
Hive | 1
LockBit3.0 | 8
Mallox | 4
Play | 2
RansomHouse | 1
Royal | 6
Vice Society | 3
Looking at the victims by country, the USA is once again the most targeted country, with 11 new victims reported last week, followed by the UK with 6. The number of new ransomware victims per country is listed below:
Country | New Victims
Belgium | 1
Brazil | 1
Canada | 1
Germany | 2
Malaysia | 1
Netherlands | 1
Saudi Arabia | 2
Spain | 1
Turkey | 2
United Arab Emirates | 1
United Kingdom | 6
United States | 11