Cyber Security Weekly Briefing, 4 – 10 March

Telefónica Tech    10 March, 2023

FBI and ICSA Launch Advisory to Combat Royal Ransomware

The FBI and ICSA launched the #StopRansomware: Royal Ransomware Cyber Security Advisory on 2 March to help combat this type of ransomware by disseminating TTPs and IOCs.

Many companies in different critical infrastructure sectors such as industry, telecommunications, healthcare, education, among others, have been breached with this ransomware variant since September 2022.

  • The FBI and CISA believe that Royal uses its own file encryption software, disabling antivirus when gaining access to a system and leaking data before finally deploying the ransomware.
  • They then demand ransoms of between one and eleven million dollars in Bitcoin and in the note they leave victims a .onion site for contact

Organisations are advised to implement the recommendations and mitigations in the advisory to prevent these attacks.

More info

* * *

Hiatus: worldwide campaign against business routers

The Lumen Black Lotus Labs team has identified an active campaign targeting business routers.

  • The campaign, which has been named “Hiatus”, has been active since July 2022, targeting end-of-life DrayTek Vigor 2960 and 3900 routers with an i386 architecture.
  • The entry vector is currently unknown, but once the router has been compromised, the threat actors implement a bash script that downloads and executes two malicious binaries: HiatusRAT and a variant of tcpdump for capturing packets.
  • According to the researchers, at least 100 victims have been detected and have become part of the botnet of the malicious actors, mostly located in Europe, North America and South America.

Lumen Black Lotus Labs estimates that the threat actors kept the campaign at low infection levels in order to evade detection by not attracting as much attention.

More info

* * *

SYS01stealer: new infostealer targeting critical infrastructures

The research team at Morphisec has published a report on a new infostealer targeting critical government infrastructures which they have named SYS01stealer.

The malicious actors behind this threat specifically try to target corporate Facebook accounts by using Google ads and fake Facebook profiles that provide download links promoting games, adult content, software, but are actually malicious.

It is worth noting that once the victim downloads the .zip file, and it is executed, the file will proceed to perform a DLL sideload inside the victim’s system.

Experts point out that SYS01stealer’s goal is to steal browser cookies and exploit authenticated Facebook sessions to exfiltrate information from the victim’s Facebook account. The malware can also upload files from the infected system to the Command & Control server and execute commands sent by it.

More info

* * *

PoC of polymorphic malware using Artificial Intelligence

Researchers at Hyas have built a proof-of-concept for polymorphic malware generation using an Artificial Intelligence language model.

  • The software created, which they have named BlackMamba, is a polymorphic keylogger with the ability to modify its code during execution, and without the use of Command & Control (C2) infrastructures.
  • BlackMamba uses a benign executable to communicate with the OpenAI API during execution, which provides it with the malicious code necessary to collect the user’s keystrokes. Whenever the malware executes, this capability is re-synthesised, allowing it to evade security solutions.
  • According to the researchers, their analysis with a well-known EDR solution yielded no detection of the malware.

The exfiltration of the data collected by the malware in this test is done via Microsoft Teams, which it accesses with the stolen credentials.

More info