Threat Intelligence Report July 11 - July 17 2023

Playful Taurus, also known as APT15, is an advanced persistent threat group from China involved in cyber espionage. Since 2010, they have targeted government and diplomatic entities across multiple regions, including North and South America, Africa, and the Middle East. In June 2021, ESET reported that Playful Taurus upgraded their toolkit with a new backdoor called Turian. This backdoor, which is still being developed, is exclusively used by the Playful Taurus actors. We have recently observed new variants of this backdoor and identified new command-and-control infrastructure. Our analysis indicates that several Iranian government networks may have been compromised by Playful Taurus. Playful Taurus consistently evolves their tactics and tools. The recent upgrades to their Turian backdoor and the deployment of new command-and-control infrastructure indicate their continued success in cyber espionage campaigns. While Iranian government networks are likely compromised, it is important to note that Playful Taurus also targets other government and diplomatic entities across North and South America, Africa, and the Middle East using similar techniques and tactics.

Cinoshi Stealer is a freely available tool accompanied by an integration-supporting panel. Attackers can use the Developers Panel to build the binary without the need for hosting a separate server. The stealer possesses various functionalities such as gathering data (passwords, cookies, cards) from Gecko, Chromium, and Edge-based browsers, collecting data from crypto wallets and browser extensions, stealing sessions from platforms like Steam, Telegram, and Discord, extracting information about the victim's computer like capturing screenshots and webcam photos from the victim's device. The stealer build can be customised using the web panel. It allows attackers to configure features such as preventing the exfiltration of logs with limited data and blocking the execution of the malware build in countries. Additionally, the panel enables TAs to set up Telegram notifications for build-related activities.

Two malicious documents originating from Hungary were recently discovered being used to target supporters of Ukraine. Due to the NATO Summit, the threat actors are impersonating the Ukrainian World Congress organisation to distribute these malicious documents to participating supporters of Ukraine. The MS Word documents contain an OLE object which instructs the victim machine to connect to its C&C server to download a second-stage malware. The initial malware utilises the Follina vulnerability. If successful, it allows an attacker to execute code on the victim’s machine.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 137 new ransomware victims from 23 distinct industries across 33 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (56) spread across various countries. 8Base and Tormous groups follow closely with each hitting 19 and 15 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 33 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 81 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 23 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 18% and 16% of the total ransomware victims belonging to each of those sectors, respectively. The table below presents the most recent ransomware victims sorted by industry.