 
| New Threat Detection Added | 6 (ImBetter Stealer, SYS01 Stealer, Parallax RAT, Hiatus, Blind Eagle, and MQsTTang Backdoor) | 
| New Threat Protections | 9 | 
| Overall Weekly Observables Count | 2,246,821 | 
| New Ransomware Victims Last Week | 71 | 
Daily Submissions by Observable Type
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
| Threat name: | ImBetter Stealer | ||||||||||||||||||
| ImBetter Stealer is a type of malware created specifically to extract confidential information from computer systems and internet browsers. This information includes sensitive data like Login credentials, Cookies, User profiles, and Wallet extensions. The use of this malware can be particularly risky as it can allow cybercriminals to gain unauthorized access to victims' online accounts and crypto wallets, leading to the loss of valuable digital assets or personal information. | |||||||||||||||||||
| Threat Protected: | 01 | ||||||||||||||||||
| Rule Set Type: | 
 | ||||||||||||||||||
| Class Type: | Trojan-activity | ||||||||||||||||||
| Kill Chain: | Execution T1204 - Defence Evasion T1027 - Credential Access T1528 -Discovery T1010/T1083 - Collection T1005 - Command-and-Control T1071 | ||||||||||||||||||
| Threat name: | SYS01 Stealer | ||||||||||||||||||
| SYS01 Stealer has been observed targeting critical government infrastructure employees, manufacturing companies, and other industries. The attackers behind this campaign are focusing on Facebook business accounts, utilizing Google ads and fake Facebook profiles to promote content such as games, adult material, and pirated software. These tactics are aimed at enticing victims to download a malicious file. Once downloaded, the malware is designed to steal sensitive information, including login credentials, cookies, as well as Facebook ad and business account data. | |||||||||||||||||||
| Threat Protected: | 01 | ||||||||||||||||||
| Rule Set Type: | 
 | ||||||||||||||||||
| Class Type: | Trojan-activity | ||||||||||||||||||
| Kill Chain: | Execution T1059/T1064 - Execution T1059/T1059 - Privilege Escalation T1055/T1134 -Defence Evasion T1036/T1055 - Discovery T1033/T1083 - Impact T1496/T1529 | ||||||||||||||||||
| Threat name: | Parallax RAT | |||||||||||||||||||||
| ParallaxRAT is a malware known to be distributed through spam and phishing emails. Like any other remote access trojan, it is capable of stealing credentials, keylogging, and completely taking over a victim's computer. It has been observed lately that this malware is being used to target cryptocurrency organisations. | ||||||||||||||||||||||
| Threat Protected: | 01 | |||||||||||||||||||||
| Rule Set Type: | 
 | |||||||||||||||||||||
| Class Type: | Trojan-activity | |||||||||||||||||||||
| Kill Chain: | Initial Access T1566 - Execution T1059 - Persistence T1037 - Command-and-Control T1102 | |||||||||||||||||||||
| Threat name: | Hiatus | ||||||||||||||||||
| Hiatus is a remote access trojan targeting routers and network devices. It targets enterprise routers and where it deploys its malicious binaries. Once a device is infected, the threat actor converts the device into a proxy. It also monitors traffic on ports that are associated with email and file transfer. | |||||||||||||||||||
| Threat Protected: | 01 | ||||||||||||||||||
| Rule Set Type: | 
 | ||||||||||||||||||
| Class Type: | Trojan-activity | ||||||||||||||||||
| Kill Chain: | Initial Access T1190 - Execution T1059 - Defence Evasion T1205 - Command-and-Control T1090/T1205 | ||||||||||||||||||
| Threat name: | Blind Eagle | ||||||||||||||||||
| Blind Eagle, also known as APT-C-36 has recently been observed using an advanced toolset comprising Meterpreter payloads that are being delivered by spear phishing attachments. The emails generally include a URL redirecting to a PDF file which in turn deploys malware on the targeted system, effectively launching the infection chain. A malicious RAT is installed on the targeted machine, enabling the threat actor to access and run commands on the said machine at any point in time they desire to do so. | |||||||||||||||||||
| Threat Protected: | 03 | ||||||||||||||||||
| Rule Set Type: | 
 | ||||||||||||||||||
| Class Type: | Backdoor | ||||||||||||||||||
| Kill Chain: | Initial Access T1566.001 - Execution T1204.001, T1204.002, T1059.005, T1059.001, T1059.003 - Persistence T1053.005, T1547.001 - Defence Evasion T1218.009 | ||||||||||||||||||
| Threat name: | MQsTTang Backdoor | ||||||||||||||||||
| MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families. | |||||||||||||||||||
| Threat Protected: | 01 | ||||||||||||||||||
| Rule Set Type: | 
 | ||||||||||||||||||
| Class Type: | Backdoor | ||||||||||||||||||
| Kill Chain: | Resource Development T1583.003/T1583.004/T1587.001/T1588.002/T1608.001/T1608.002 - Initial Access T1566.002 - Execution T1106/T1204.002 - Defence Evasion T1036.004 - Command-and-Control T1071/T1102.002/T1132.001/T1573.001 - Exfiltration T1041 | ||||||||||||||||||
| New Ransomware Victims Last Week: | 71 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 71 new ransomware victims from 19 distinct industries across 26 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors. Royal, a specific ransomware, has affected the largest number of new victims (17) spread across various countries. LockBit 3.0 and AlphV groups follow closely with each hitting 13 and 11 new victims respectively. Below are the victim counts in per cent for these ransomware groups and a few others. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Name of Ransomware Group | Percentage of new Victims last week | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| AlphV | 15.49% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Blackbyte | 2.82% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Clop | 9.86% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Dark Power | 14.08% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| LockBit 3.0 | 18.31% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Mallox | 4.23% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Medusa | 5.63% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Monti | 1.41% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Royal | 23.94% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vicesociety | 4.23% | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 
 
        
 
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
