Threat Intelligence Report July 4 - July 10 2023

In an APT campaign discovered by researchers in April, macOS users were targeted with a sophisticated multi-stage malware, ultimately resulting in the RustBucket backdoor. This backdoor, attributed to the BlueNoroff APT group linked to Lazarus, has since evolved with additional variants, showcasing previously unseen persistence capabilities. RustBucket stands out for its diverse anti-evasion and anti-analysis measures observed throughout its stages. The attack commences with an Applet disguised as a PDF Viewer app, followed by subsequent stages that vary in payload language and architecture. The Stage 2 payloads, written in Swift or Objective-C, retrieve Stage 3 from a command-and-control server. Notably, the Stage 2 payload necessitates a specially crafted PDF to unlock the code and initiate the download of Stage 3, along with an XOR'd key for decoding the obfuscated C2 appended to the PDF's end.

Remcos RAT (Remote Control and Surveillance) has a notorious history in the world of cybercrime. Originally developed as a legitimate remote administration tool, it quickly became exploited by malicious actors for their nefarious purposes. Its capabilities are vast, allowing hackers to gain unauthorised access to compromised systems remotely. With features like keylogging, screen capturing, and file manipulation, Remcos RAT provides cybercriminals with complete control over infected machines. It has been involved in various high-profile attacks, including data breaches, financial fraud, and espionage activities. In recent years, Remcos RAT has been leveraged in sophisticated phishing campaigns, targeted attacks on businesses, and the distribution of other malware. Its evolving nature and advanced functionalities make it a constant threat, requiring vigilant cybersecurity measures to protect against its infiltration.

Zeus Gameover, a notorious malware, infiltrates computer systems with a sophisticated workflow that wreaks havoc on unsuspecting victims. Through a stealthy combination of social engineering, exploit kits, and advanced encryption techniques, Zeus Gameover establishes control over infected machines, enabling cybercriminals to remotely access sensitive information, perform fraudulent transactions, and propagate further malware infections. With its intricate workflow, Zeus Gameover poses a significant threat to cybersecurity, demanding constant vigilance and robust defences to mitigate its devastating impact.

JhoneRAT, a sophisticated Remote Access Trojan (RAT), has emerged as a significant cyber threat in recent years. Operating across multiple platforms, including Windows, Linux, and macOS, JhoneRAT demonstrates advanced capabilities for espionage and unauthorised access. Its functionalities encompass keylogging, screen capturing, file exfiltration, and remote command execution, making it a versatile tool for malicious actors seeking to infiltrate and compromise targeted systems. With its evolving nature and potential for widespread impact, defending against JhoneRAT requires proactive cybersecurity measures and continuous monitoring to safeguard sensitive data and protect against unauthorised access.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 76 new ransomware victims from 21 distinct industries across 21 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (20) spread across various countries. Lockbit3 and Play groups follow closely with each hitting 13 and 11 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 21 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 44 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 21 industries globally. Last week, the Manufacturing and IT sectors were hit particularly hard, with the loss of 13 and 10 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.