Cyber Intel Brief: Nov 17 – 23, 2022


CISA Releases TTPs for Hive Ransomware Affiliates

Impacted Industries: Public Administration, Information, Manufacturing, and Healthcare and Social Assistance

What You Need To Know:

The FBI, CISA, and the Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA) to disseminate known Hive TTPs and observables identified through FBI investigations as recently as November 2022. Frequently observed initial access techniques include exploiting vulnerabilities or single-factor logins via RDP, VPNs, and other remote network connection technologies.

Analyst Note: According to FBI data, as of November 2022, Hive ransomware affiliates have extorted over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments. From June 2021 through at least November 2022, affiliates targeted a wide range of businesses and critical infrastructure sectors, and there is a roughly even chance they will target all customers.


Callback Phishing Campaign Leads to Data Exfiltration and Extortion

Impacted Industries: All; Observed attacks against Professional, Technical, and Scientific Services and the Retail Sector

What You Need To Know:

Unit 42 investigated several incidents related to a data extortion group’s campaign that uses the callback phishing technique. Phishing emails contain an attached PDF masquerading as an invoice. Threat actors socially engineer targets into downloading and running a remote support tool. Once they have access, the threat actors download a remote administrative tool (if the target has admin rights) or identify files for exfiltration. Once the adversary has exfiltrated the data, they will send an extortion email demanding victims pay a fee.

Analyst Note: Unit 42 assesses the threat actors invested significantly in call centers and infrastructure unique to each victim and that callback phishing attacks will increase in popularity. The unique infrastructure makes detection solely by IoCs difficult, as it is likely that the threat actors will not use IoCs from one victim against another. The Adversary Tactics and Intelligence Team forecasts that in the last part of 2023, a threat actor will likely offer call center services to other threat actors.

Threat Actors

Threat Actor Uses BatLoader as Initial Access to Spread Ransomware

Impacted Industries: All

What You Need To Know:

Microsoft has observed recent activity that has led to the deployment of ransomware. The threat actor likely relies on BatLoader to gain initial access, delivered via phishing, malware advertising, fake forum pages, and blog comments. Microsoft observed the following adjustments in the delivery methods in the last few months: use of “contact us” forms on targeted organizations’ websites, hosting fake installer files on legitimate-looking software download sites and legitimate repositories, and Google Ads.

Analyst Note: Microsoft assesses that DEV-0569 will likely continue leveraging malware advertising and phishing for initial access. The Adversary Tactics and Intelligence Team concurs with Microsoft’s assessment and assesses that the threat actors tracked as DEV-0569 have a roughly even chance of also employing additional initial access methods, including attachments in their phishing campaigns like those used by Emotet.

Threat Actors

Yanluowang Ransomware Chats Leaked

Impacted Industries: Finance and Insurance, Manufacturing, and Professional, Scientific, and Technical Services

What You Need To Know:

After an unknown group or individual gained unauthorized access to Yanluowang’s TOR site and shared chat logs of Yanluowang’s Matrix messages on 31 October 2022 under the Twitter handle @yanluowangleaks, Trellix and DarkTrace downloaded and analyzed the internal chat logs. The leaked chat logs span mid-January to September 2022 and include around 2.7K messages.

Analyst Note: Analyzing Yanluowang’s internal chat messages provides valuable insights into who is behind the ransomware group and who works with them. This leak marks the second time a ransomware group’s private communications were leaked. The intelligence acquired from such data is vital as it sheds light on how sophisticated the ransomware ecosystem is, how agile and adaptable they are, and to what extent these groups have ties.


Undocumented RAT Variant Observed Dropping LodaRat, Redline, & Neshta

Impacted Industries: All

What You Need To Know:

Cisco Talos observed a previously undocumented commodity malware that allows threat actors to run hidden desktop environments on infected hosts, dropping a RAT, an information stealer, and a file infector. According to the commodity malware developer’s advertising, the malware can copy user profiles from the victim’s browser over to a threat actor-controlled hidden browser. Of note, the commodity malware used a language specific to Ethiopia.

Analyst Note: Cisco Talos assesses that more complex and advanced variants of the RAT will likely be observed in the wild, and the RAT will continue to be dropped alongside other malware families. Cisco Talos also assesses that the original author of the RAT may [roughly even chance] opt for a new tool altogether; as the tool becomes more popular, detection rates are likely to increase, thereby reducing the RAT’s effectiveness. The Adversary Tactics and Intelligence Team estimates that the use of the undocumented commodity malware is likely to be limited to this particular threat actor due to the use of a language used in Ethiopia.


More Teams Adopt New Information Stealer

Impacted Industries: All

What You Need To Know:

Sekoia has observed an increase in the number of teams adopting the Aurora Stealer, in the number of samples distributed in the wild, and in the number of C2 servers. Observed delivery methods include phishing pages impersonating download sites of legitimate software, including cryptocurrency wallets or remote access tools, as well as YouTube videos and SEO-poisoned fake cracked-software download websites. The infostealer can fingerprint infected hosts, collect and exfiltrate browser and extension data, and act as a second-stage malware loader.

Analyst Note: There is roughly an even chance that Aurora Stealer has gained popularity among threat actors. Without knowing the total number of teams in existence, we cannot estimate whether Aurora Stealer is emerging as a significant threat. However, threat actors will likely incorporate other lures besides fake or cracked software in future campaigns. There is roughly an even chance that threat actors will use it as an initial access vector to deploy second-stage malware, like Cobalt Strike.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

