Threat Intel News
27 November 2024

Weekly Summary Cyberattacks 21-27 Nov

Elpaco: The new ransomware variant that combines customization, advanced encryption and global spread

Cybersecurity researchers have detected a variant of the Mimic ransomware called ‘Elpaco’, which stands out for its high degree of customization and the danger it poses. Attackers initially gained access to vulnerable servers through brute-force attacks via RDP, then exploited the CVE-2020-1472 (Zerologon) vulnerability to elevate privileges. Elpaco uses the legitimate Everything library to search for files and a 7-Zip installer to distribute itself, hiding its malicious nature. It also incorporates a graphical interface that allows operators to configure functions such as encryption, the ransom note and the directories to exclude.
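The initial access described above, RDP brute force followed by a successful logon from the same source, leaves a recognisable trace in Windows Security logs (many 4625 failures with logon type 10, then a 4624). The following detection sketch is an added example written for this summary; it is not code from the page or from any vendor report. The log lines are constructed, the simplified field layout is assumed (real event XML would need a different parser), and the threshold and time window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). Simplified field layout, assumed:
# timestamp | event id | logon type | account | source IP
SAMPLE_LOG = """\
2024-11-21T02:14:01 4625 10 administrator 203.0.113.45
2024-11-21T02:14:03 4625 10 administrator 203.0.113.45
2024-11-21T02:14:05 4625 10 admin 203.0.113.45
2024-11-21T02:14:08 4625 10 backup 203.0.113.45
2024-11-21T02:14:10 4625 10 svc_sql 203.0.113.45
2024-11-21T02:14:12 4625 10 administrator 203.0.113.45
2024-11-21T02:14:20 4624 10 administrator 203.0.113.45
2024-11-21T09:00:00 4625 10 jdoe 198.51.100.7
2024-11-21T09:00:30 4624 10 jdoe 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse(log_text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, eid, ltype, acct, ip = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),        # 4625 = failed logon, 4624 = successful logon
            "type": int(ltype),    # logon type 10 = RemoteInteractive (RDP)
            "acct": acct,
            "ip": ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold RDP failures inside `window`, and
    record whether an RDP success from the same IP followed the burst.
    threshold and window are assumed tuning values, not vendor defaults."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == 10:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == 4625]
        hit_at = None
        # Sliding window over the sorted failures.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                hit_at = failures[j - 1]["ts"]
                break
        if hit_at is None:
            continue
        success_after = any(e["id"] == 4624 and e["ts"] >= hit_at for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "accounts": sorted({e["acct"] for e in failures}),
            "success_after": success_after,  # burst followed by a logon: likely compromise
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, f)
```

A burst followed by `success_after == True` is the case worth escalating: the same source that sprayed passwords then logged in, which is the point at which a follow-on step such as Zerologon exploitation against the domain controller would be attempted. Blocking or rate-limiting RDP at the perimeter and patching CVE-2020-1472 remove both halves of the chain.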

Pro-Russia hacktivists: the CyberVolk threat and its evolution in cyber-attacks

The hacktivist group CyberVolk, which originated in India and has pro-Russia leanings, intensified its attacks between June and October 2024, using advanced tools such as ransomware and malware. With roots in the AzzaSec collective, CyberVolk has adapted code such as AzzaSec Ransom to create ransomware of its own and collaborates with other families such as HexaLocker and Parano. Its attacks, mainly targeting public and government entities opposed to Russian interests, have included operations in Japan under the ‘#OpJP’ campaign. The group, which employs advanced encryption techniques and methods to hinder detection, shows remarkable adaptability, demonstrated by its readiness to reuse and improve open-source tools.

New analysis published on Chinese APT group Earth Estries

Since 2023, the Earth Estries advanced persistent threat (APT) group has intensified its attacks targeting key industries such as telecommunications, government and technology sectors in regions including the United States, Asia-Pacific, the Middle East and South Africa. Using advanced techniques and tools such as the GHOSTSPIDER, SNAPPYBEE and MASOL RAT backdoors, the group has compromised more than 20 organizations in various countries. It exploits known vulnerabilities in public servers to gain initial access and employs techniques such as the use of legitimate binaries (LOLBINs) to move laterally within networks. Earth Estries combines proprietary and Malware-as-a-Service tools to conduct prolonged cyber-espionage operations, stealing critical information from sectors such as telecommunications, transportation and government-linked NGOs.

Chinese APT Gelsemium targets Linux systems with the new WolfsBane backdoor

The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor called WolfsBane as part of cyberattacks likely targeting East and Southeast Asia. WolfsBane has been assessed to be a Linux version of the Gelsevirine backdoor used by the threat actor, a Windows malware employed since at least 2014. Additionally, researchers discovered another previously undocumented implant called FireWood, which is connected to another malicious toolset known as Project Wood. FireWood has been attributed to Gelsemium with low confidence, given the possibility that it could be shared by multiple China-linked hacking groups.

US charges five linked to Scattered Spider cybercrime gang

The U.S. Justice Department has charged five suspects believed to be part of the financially motivated Scattered Spider cybercrime gang with conspiracy to commit wire fraud. Between September 2021 and April 2023, they were able to steal millions from cryptocurrency wallets using victims' credentials stolen in SMS phishing attacks against dozens of victims, including both individuals and companies. Scattered Spider specializes in social engineering attacks, impersonating help desk technicians and using phishing/smishing attacks to steal credentials from targeted companies' employees. In an attack on an interactive entertainment products and software company, the threat actors sent phishing messages that warned employees their VPN was being deactivated and directed them to visit a site to reactivate it.