Threat Intelligence Report May 30 - June 5 2023

The SharpPanda APT group comprises exceptionally sophisticated cyber threat actors who carry out targeted and prolonged attacks against specific entities, including governments, organisations, and industries. Their objectives encompass espionage, disruption, and financial gain. SharpPanda has been linked to multiple cyber espionage campaigns, employing tactics such as spear-phishing, social engineering manipulation, and exploiting zero-day vulnerabilities to illicitly access networks.

Previously, the group primarily targeted government officials, particularly in Southeast Asian countries. However, as evidenced in their recent campaign, they have shifted their focus to high-level government officials from G20 countries across Europe, North America, and South Asia. This APT group consistently adapts its techniques and incorporates new tools into its arsenal as it evolves.

We have recently encountered a new type of malware called Invicta Stealer, which has caught our attention due to the activities of its developer on social media platforms. The developer actively promotes this information-stealing malware and highlights its dangerous capabilities. In the current landscape, there is a growing trend among malware developers to create and offer various types of stealers to potential buyers and affiliates. Among these, Invicta Stealer stands out as an exceptionally formidable threat. Its unique strength lies in its ability to target a wide range of highly sensitive information found in numerous applications and web browsers. The stolen data can be exploited by attackers for financial gains or to launch further attacks on individuals and organisations by taking advantage of the compromised information. It is crucial to recognise the severity of this threat and take appropriate measures to safeguard against such malicious activities.

A fileless RAT dubbed SeroXen has become the preferred tool for cybercriminals to target gamers. It has excellent detection evasion capabilities on static and dynamic analysis. Based on a combination of different open-source projects, including r77-rootkit, Quasar RAT, and NirCmd, its capabilities get further enhanced, making it a powerful RAT. The delivery of the RAT takes place through RAT is delivered either via phishing emails or Discord channels. SeroXen RAT is a sophisticated Remote Access Trojan that boasts several powerful features. It is designed to remain undetected by antivirus software, providing fully undetectable functionality both during scanning and while running. It includes features like HVNC (Hidden Virtual Network Computing), primarily used for penetration testing, LOTL (Living Off the Land) techniques to operate in a fileless manner, and a rootkit to conceal its presence.

Fanxgiao uses various strategies to maintain anonymity: most of its infrastructure is protected behind CloudFlare, and domain names are changed regularly and quickly. Users arrive at a Fangxiao-controlled site through a link sent in a WhatsApp message, which in turn sends them to a landing domain impersonating a well-known, trusted brand. Companies affected include Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s and Knorr.

Victims are then redirected to a main survey domain. When they click the link, they are sent through a series of advertising sites to one of a set of constantly changing destinations. A click on the “Complete registration” button with an Android user-agent will sometimes result in a download of the Triada malware. As victims are invested in the scam, keen to get their “reward,” and the site tells them to download the app, this has likely resulted in a significant number of infections.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 66 new ransomware victims from 18 distinct industries across 21 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Lockbit3, a specific ransomware, has affected the largest number of new victims (16) spread across various countries. Play and Royal groups follow closely with each hitting 11 and 10 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 21 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 31 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with the loss of 14 and 09 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.