Threat Intelligence Report June 20 - June 26 2023

A new variant of the Mallox ransomware has been discovered, introducing a change in its file extension from ".mallox" to ".malox" for encrypted files. The ransomware utilises BatLoader, a tool previously associated with the distribution of RATs (Remote Access Trojans) and stealers. The Mallox ransomware group has integrated BatLoader into their operations, employing it to extract and inject the ransomware payload. This loader bears similarities to the one observed in the distribution of various malware families such as Quasar RAT, Async RAT, Redline Stealer, and DC RAT. Unlike the previous method of infection, this new technique eliminates the need for a downloader to retrieve the ransomware payload from a remote server. Instead, the ransomware payload is contained within a batch script, which is then injected into an executable file without being saved on the disk. The adoption of these novel infection techniques indicates that the threat actors responsible for Mallox ransomware are actively modifying their tactics, techniques, and procedures (TTPs), highlighting their ongoing efforts to improve evasiveness and sustain their malicious activities.

Predator, a malicious spyware designed for Android devices, emerged as a significant threat between August and October 2021. During this period, the attackers took advantage of zero-day vulnerabilities targeting Chrome and the Android operating system to implant Predator spyware on Android devices, even those that were fully updated.

Based on a high-confidence assessment, it is believed that the exploits used in these attacks were packaged by a single commercial surveillance firm named Cytrox. Subsequently, these exploits were sold to various government-backed actors who employed them in at least three distinct campaigns. The government-backed threat actors, originating from countries including Armenia, Côte d'Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain, acquired and leveraged these exploits to deploy Predator spyware on their Android targets. In all the campaigns, the targeted Android users were deceived with one-time links sent via email. These links were cleverly disguised to mimic URL shortener services, adding to the effectiveness and deceptive nature of the attacks.

WispRider malware is a highly sophisticated and insidious software that poses a grave threat to computer systems and networks. As an advanced persistent threat (APT), WispRider has gained notoriety for its ability to stealthily infiltrate and persistently operate within compromised systems. This malware is designed to gain unauthorised access to sensitive information by exploiting vulnerabilities and employing various techniques, such as social engineering and spear-phishing. Once inside a target system, WispRider establishes a backdoor, allowing the attacker to remotely control the compromised machine and carry out malicious activities undetected. With its advanced evasion capabilities, WispRider can bypass traditional security measures, making it essential for organisations to adopt comprehensive security practices to defend against this formidable threat.

SeroXen RAT is a highly potent remote access trojan (RAT) that poses a significant threat to computer systems and networks. This sophisticated malware grants unauthorised individuals the ability to gain remote control and conduct covert surveillance on compromised devices. SeroXen RAT can be deployed through various means, including phishing emails or malicious downloads, and once it infiltrates a system, it establishes a persistent foothold, allowing the attacker extensive control over the infected device. With features like keylogging, screen capturing, and file manipulation, SeroXen RAT presents a grave security concern, necessitating robust cybersecurity measures to detect, mitigate, and prevent its impact on both individuals and organisations.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 110 new ransomware victims from 20 distinct industries across 29 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (27) spread across various countries. Alphv and 8base groups follow closely with each hitting 14 and 12 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 29 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 62 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 20 industries globally. Last week, the Business Services and Manufacturing sectors were hit particularly hard, with the loss of 21 and 18 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.