|New Threat Detection Added||2 (Lu0Bot Malware and AtlasAgent Malware)|
|New Threat Protections||7|
|New Ransomware Victims Last Week||147|
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Cybersecurity experts recently examined a Lu0Bot malware sample based on Node.js, which completely hijacks a victim's computer. This Node.js malware, initially, believed to be a basic DDOS bot, turned out to be more complex. Node.js is a runtime environment used in modern web apps. Lu0Bot first appeared in February 2021 as a GCleaner second-stage payload, acting as a bot that awaits commands from a C2 server and sends encrypted system data. While its activity is limited, its creative use of Node.js makes it stand out, potentially posing risks if its campaign expands and the server becomes active.
Rule Set Type:
|Execution 1053/T1059/T1064/T1106/T1129 - Persistence T1053 - Privilege Escalation T1053/T1134 - Defence Evasion T1006/T1064 - Discovery T1012/T1016 - Collection T1560 - Command-and-control T1071/T1095 - Impact T1529|
|Threat name:||AtlasAgent Malware|
AtlasAgent is a Trojan with a sinister agenda – it is designed to infiltrate a host system, gather sensitive data, impede the concurrent operation of multiple programs, inject specific shellcodes, and fetch files from Command-and-Control servers. This malicious software is built as a DLL application using the C++ programming language. Once inside a system, AtlasAgent becomes an information scavenger, hunting for details like the computer's Guid number, local computer name, adapter specifics, network card info, operating system version, local IP address, and process ID. It then takes action based on instructions from a control terminal, often executing shellcode to carry out various tasks. These actions can have dire consequences, including data theft, system compromise, performance issues, and privacy invasion, making AtlasAgent a significant cybersecurity menace.
Rule Set Type:
|Initial Access T1190 - Execution T1059 - Collection T1005 - Command-and-Control T1090|
Known exploited vulnerabilities (Week 1 - October 2023)
Apple Multiple Products WebKit Code Execution Vulnerability
Apple Multiple Products Kernel Privilege Escalation Vulnerability
Apple Multiple Products Improper Certificate Validation Vulnerability
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Updated Malware Signatures (Week 1 - October 2023)
A remote access trojan that enables its operator to take control of a victim machine and steal data. It is usually distributed through spam and phishing emails.
Also known as Zbot and is primarily designed to steal banking credentials.
Upatre is also a malware dropper that downloads additional malware on an infected machine. It is usually observed to drop banking trojan after the initial infection.
A banking trojan used to steal online banking credentials.
|New Ransomware Victims Last Week:||147|
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 147 new ransomware victims or updates in a few past victims from 21 distinct industries across 23 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.
LostTrust, a specific ransomware group, has affected the largest number of victims (53) updates spread across various countries. Alphv and Ransomed ransomware groups updated 16 & 12 victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.
|Name of Ransomware Group||Percentage of new Victims last week|
After conducting additional research, we found that ransomware has impacted 21 industries globally. Last week, the Business Services and Manufacturing sectors were hit particularly hard, with 14% and 13% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.