Cyber Intel Brief: Dec 8 – 14, 2022


CL0P & Venus Ransomware Groups Employ New Techniques

Impacted Industries: All; CL0P is targeting healthcare with a new phishing technique

What You Need To Know:

The Venus ransomware group has been using a new extortion tactic that involves trying to frame executives at public companies for insider trading due to difficulties in getting victims to pay the ransom. The CL0P group is using a new phishing technique that involves sending targets malicious files disguised as medical documents.

Analyst Note: CL0P's medical-document lure has so far been unsuccessful, and the group will likely employ other phishing lures. Venus ransomware victims are not paying, so the group will likely attempt different extortion tactics to scare companies into paying. If Venus threat actors cannot successfully extort victim organizations, there is a roughly even chance they will establish a "leak site" (Venus does not currently have one) or sell initial access on criminal marketplaces.

Threat Actors

Iranian APT Group Still Using Command & Control Server in Attacks

Impacted Industries: All

What You Need To Know:

Team Cymru has observed the Phosphorus threat group targeting organizations in the utilities, public administration, and information sectors. The group has been leveraging unpatched systems and common exploits, such as Log4J and ProxyShell, to gain access to these organizations. A common command and control server has been associated with Phosphorus activities. The group has recently been observed using hardcoded IP addresses instead of domain resolution for C2 communications.

Analyst Note: Based on the information provided, the Phosphorus group will likely continue to engage in opportunistic targeting of unpatched vulnerable systems, leveraging common exploits such as Log4J and ProxyShell. It is also likely that the group will continue to use the C2 server ( for their activities in the short term and may continue to use domain names registered with NameSilo to mask their malicious communications. Additionally, the group has a roughly even chance of continuing to use malware with hardcoded IP addresses and will likely continue masking its traffic with legitimate domains to evade domain-based detections.

Threat Actors

MuddyWater Group Launches New Campaign with Remote Administration Tool Syncro

Impacted Industries: All; Campaign observed targeting public administration and information sectors

What You Need To Know:

The MuddyWater group has been observed conducting a new campaign targeting organizations operating in middle eastern countries. This campaign differs from previous waves because it uses a new remote administration tool called Syncro and includes a new HTML attachment lure.

Analyst Note: MuddyWater is known for its ability to evolve its tactics, techniques, and procedures and has successfully targeted various sectors globally, including government organizations, telecom companies, and defense contractors. The group will likely continue to conduct successful attacks, posing a significant threat to organizations.

Exploited Vulnerabilities

CISA Adds 5 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on the evidence of active exploitation, CISA has added five CVEs to its Known Exploited Vulnerabilities Catalog. The vulnerabilities affect products from Fortinet, Microsoft, Citrix, and Veeam.

Analyst Note: Exploiting public-facing applications [T1190] is one of the most observed techniques used by cybercriminals to gain initial access to corporate networks. After gaining access, cybercriminals have routinely deployed Cobalt Strike, ransomware, and other malware and stolen sensitive data, motivated by the financial gain from extorting the victim.


Increase in Truebot Malware Infections Linked to Silence Group

Impacted Industries: All; TA505 has targeted financial institutions in the past

What You Need To Know:

Cisco Talos has observed an increase in infections of Truebot malware since August 2022. Truebot is linked to the threat actor Silence Group and assessed to be associated with TA505 (aka Evil Corp). Research by Cisco Talos has found that one of Truebot’s new follow-on payloads is Grace malware, attributed to TA505. In recent attacks, the threat actors have shifted from using phishing emails as the primary delivery method to other techniques, including exploiting vulnerabilities in IT asset management tools and spreading malware through USB drives.

Analyst Note: It is currently unclear what the threat actors will do next. In the past, they have shifted from using phishing emails as their primary delivery method to other techniques, such as exploiting a recent remote code execution vulnerability in Netwrix Auditor and leveraging Raspberry Robin malware spread through USB drives. However, they have recently started using a new, unidentified distribution mechanism, suggesting that they may continue to change their tactics.


Venom RAT Can Now Steal Passwords and Cookies

Impacted Industries: All

What You Need To Know:

The developer behind Venom RAT has added a new module to the malware. The new module is a stealer that exfiltrates sensitive information from multiple browsers. The latest version of Venom RAT still incorporates features from the old version, such as HVNC, which allows threat actors to access the infected system and perform actions such as creating hidden desktops and launching hidden browsers. The malware also can execute remote shell commands and perform reverse proxy attacks and UAC exploits.

Analyst Note: Venom RAT is a remote administration tool used by threat actors to gain remote control of victim machines. The new module can steal passwords, cookies, downloads, bookmarks, history, and autofill data. Threat actors will likely use phishing to distribute the malware. They can sell the stolen cookies and passwords on criminal marketplaces, resulting in post-exploitation activity, including data exfiltration and encryption.

New Techniques

Detection Guidance for New Kerberos Attacks: Diamond and Sapphire Ticket

Impacted Industries: All

What You Need To Know:

Palo Alto Unit 42 published detection guidance for two new Kerberos attack techniques: Diamond and Sapphire Tickets. These attacks allow a threat actor to access all services and resources within an Active Directory (AD) domain. The Diamond Ticket attack involves obtaining a TGT and decrypting it using the KRBTGT account’s key. In contrast, the Sapphire Ticket attack requires obtaining the credentials of any user in the domain.

Analyst Note: These attacks are difficult to detect as they involve manipulating a legitimate TGT issued by a Domain Controller. Threat actors can use these techniques to deploy ransomware, exfiltrate sensitive data, and gain access to criminal marketplaces. Threat actors who have used Golden or Silver Ticket attacks will likely employ these new techniques in the future to avoid detection.
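Because both techniques ride on a TGT the Domain Controller actually issued, one practical detection angle is to correlate the DC's own Kerberos audit events: a service-ticket request (Event ID 4769) should be preceded by a TGT issuance (Event ID 4768) for the same account and client address within the TGT lifetime. The following script is an added illustration of that correlation over constructed sample events; it is not Unit 42's published logic, and the field names and 10-hour default lifetime are assumptions.

```python
"""Correlate DC Kerberos audit events (4768 TGT issued, 4769 service ticket
requested) to flag service-ticket requests with no matching TGT issuance.
Constructed illustration; field names mirror the Windows event fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2022-12-12T09:00:00", "account": "jdoe", "client": "10.0.0.5"},
    {"id": 4769, "time": "2022-12-12T09:05:00", "account": "jdoe", "client": "10.0.0.5",
     "service": "cifs/fs01"},
    # Host 10.0.0.9 was issued a TGT as 'lowpriv' but then requests service
    # tickets as 'Administrator': the ticket identity no longer matches what
    # the DC issued, which is the shape a manipulated TGT leaves in the logs.
    {"id": 4768, "time": "2022-12-12T10:00:00", "account": "lowpriv", "client": "10.0.0.9"},
    {"id": 4769, "time": "2022-12-12T10:02:00", "account": "Administrator", "client": "10.0.0.9",
     "service": "ldap/dc01"},
    # Service ticket requested long after the 10-hour TGT lifetime with no new TGT.
    {"id": 4769, "time": "2022-12-13T09:30:00", "account": "jdoe", "client": "10.0.0.5",
     "service": "cifs/fs01"},
]


def find_suspicious_tgs(events, tgt_lifetime=timedelta(hours=10)):
    """Return the 4769 events for which no 4768 exists for the same account and
    client address within tgt_lifetime. Assumes the default 10-hour TGT lifetime
    and does not account for renewals (Event ID 4770), so tune before production use."""
    issued = defaultdict(list)  # (account, client) -> TGT issue timestamps
    suspicious = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["client"])
        if ev["id"] == 4768:
            issued[key].append(ts)
        elif ev["id"] == 4769:
            recent = [t for t in issued[key] if timedelta(0) <= ts - t <= tgt_lifetime]
            if not recent:
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for hit in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['client']} {hit['account']} -> {hit['service']}")
```

The heuristic flags two of the three service-ticket requests in the sample: the identity mismatch from 10.0.0.9 and the stale request from 10.0.0.5.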

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

