| New Threat Detection Added | 3 (Bumblebee malware, Red Wolf APT, AMOS MacOS Stealer) |
| New Threat Protections | 10 |
| New Ransomware Victims Last Week | 87 |
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
| Threat name: | Bumblebee malware |
The Bumblebee malware, designed for enterprise targeting, spreads via Google Ads and SEO manipulation, masquerading as popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Initially discovered in April 2022, it's believed to be Conti's successor to the BazarLoader backdoor, serving as an entry point for network access and ransomware attacks. In September 2022, a new variant surfaced, employing a stealthier attack approach using the PowerSploit framework for reflective DLL injection into memory. A Google Ad campaign, detected by SecureWorks, introduced this malware, leading users to a deceptive Cisco AnyConnect download page. This campaign exposed corporate users to ransomware attacks, with the threat actor deploying various tools for lateral movement, network reconnaissance, and data exfiltration, raising concerns about impending ransomware deployments.
Rule Set Type:
| Execution T1047 - Persistence T1574.002 - Privilege Escalation T1574.002 - Defence Evasion T1027/T1036 - Discovery T1018 - Command and Control T1071/T1095 |
| Threat name: | Red Wolf APT |
Red Wolf, known for corporate espionage since 2018, continues to target commercial organizations in Russia, Canada, Germany, Norway, Ukraine, and the UK. They employ phishing emails to infiltrate their targets and deliver malware through disk images, making detection challenging. Once inside a system, they send compromised data to their command-and-control server and deploy additional malware. Unlike state-sponsored espionage groups, Red Wolf focuses on commercial firms, operating stealthily within compromised IT infrastructures for up to six months. Their ability to evade traditional defences and minimize detection is notable.
Rule Set Type:
| Execution T1129 - Privilege Escalation T1055 - Defence Evasion T1027/T1055/T1497 - Discovery T1018/T1033/T1082 - Command and Control T1071/T1095/T1573 |
| Threat name: | AMOS MacOS Stealer |
A recent campaign was discovered pushing both Windows and Mac malware, particularly an updated version of Atomic Stealer (AMOS) for Mac. AMOS, introduced in April 2023, focuses on stealing crypto assets and can harvest passwords from browsers and Apple's keychain while featuring a file grabber. The developer has actively updated the software, with a new version released in June.
Cybercriminals have been distributing this toolkit primarily through cracked software downloads and by impersonating legitimate websites. They also employ ads on search engines like Google to entice victims.
Rule Set Type:
| Initial Access T1189/T1566 - Collection T1119 - Credential Access T1555 |
Known exploited vulnerabilities (Week 2 - September 2023)
Apache RocketMQ Command Execution Vulnerability
Updated Malware Signatures (Week 2 - September 2023)
A stealer designed to collect sensitive data from infected machines. It usually targets Windows-based machines and is spread through email attachments or downloads from compromised websites.
A banking trojan used to steal online banking credentials
A remote access trojan that enables its operator to take control of a victim machine and steal data. It is usually distributed through spam and phishing emails.
An information-stealer malware used to gather data from victims’ machines such as stored account credentials, banking information and other personal data.
A remote access trojan that interacts with the infected machine via a remote shell, uploads and downloads files, and records from the webcam and microphone.
| New Ransomware Victims Last Week: | 87 |
Red Piranha proactively gathers information about organizations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 87 new ransomware victims, or updates to a few past victims, from 18 distinct industries across 18 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organizations of all sizes and sectors.
LockBit3.0 accounted for the largest number of new victims or updates (22), spread across various countries. Cactus and Ransomed updated 22 and 17 victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.
| Name of Ransomware Group | Percentage of new Victims last week |
After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Retail sectors were hit particularly hard, with 16% and 14% of the total ransomware victims belonging to those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.