Threat Intelligence Report June 6 - June 12 2023

A new variant of Android spyware has emerged, posing a threat to unsuspecting users. This malware, which has been named "HelloTeacher" based on a test service mentioned in its source code, is a fresh addition to the cyber landscape. HelloTeacher disguises itself as a popular messaging application such as Viber or Kik Messenger, enticing users to install the malicious software. However, this malware possesses advanced capabilities that go beyond its initial appearance. It can extract contact details, SMS data, photos, and a list of installed applications, and even capture screenshots and record the infected device's screen. But that is not the end of its malicious agenda. The creators behind HelloTeacher attempted to combine the functionality of a banking trojan by exploiting an Accessibility Service. Their primary focus has been on targeting three prominent banks.

Researchers have identified a newly established Ransomware-as-a-Service (RaaS) program called NoEscape. The program was actively seeking affiliates to join its operations. The NoEscape ransomware is written in C++ and affiliates to employ the triple-extortion technique, allowing for the effective extortion of victims. Support for ChaCha20 and RSA encryption algorithms, offering strong file encryption and key protection and Utilisation of asynchronous LAN scanning to identify and exploit Distributed File System (DFS) and Server Message Block (SMB) protocols for lateral movement, persistence, and evasion. Implementation of shared encryption, using a single key to encrypt all files on a network or system, enables faster encryption of large datasets but allows for decryption by victims. Compatibility with various operating systems, including Windows Desktop XP – 11, Windows Server 2003 – 2022, Linux (including Ubuntu and Debian-based distributions), and VMware ESXi.

GobRAT is a sophisticated and evolving malware that poses a significant threat to cybersecurity. First discovered in recent years, GobRAT is known for its advanced capabilities and ability to bypass traditional defence mechanisms. It primarily targets Windows operating systems, infiltrating systems through various distribution vectors such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, GobRAT establishes persistence, allowing it to execute malicious commands and exfiltrate sensitive information. GobRAT's modular design enables it to adapt and evolve, making it a formidable challenge for security professionals striving to detect and mitigate its impact.

HiatusRAT is a remote access Trojan (RAT) that presents a significant risk to computer systems and networks. Developed by cybercriminals, HiatusRAT is designed to provide unauthorised access and control over compromised machines. It typically enters systems through various social engineering techniques or via malicious downloads. Once installed, HiatusRAT allows attackers to perform a wide range of malicious activities, including keystroke logging, screen capturing, file manipulation, and remote command execution. Its modular architecture enables the deployment of additional malicious plugins, expanding its capabilities and making it harder to detect. HiatusRAT poses a serious threat to data privacy and network security, requiring robust measures to detect, prevent, and mitigate its impact.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 86 new ransomware victims from 18 distinct industries across 25 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

lockbit3, a specific ransomware, has affected the largest number of new victims (37) spread across various countries. Alphv and Snatch groups follow closely with each hitting 08 and 05 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 25 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 45 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Construction sectors were hit particularly hard, with the loss of 15 and 13 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.