Weekly Summary Cyberattacks 07-13 Nov
New campaign spreading LodaRAT malware detected
A new campaign spreading LodaRAT, a malware active since 2016, has been detected recently. This remote access Trojan (RAT), initially designed to collect information, now includes capabilities to steal passwords and cookies from browsers such as Microsoft Edge and Brave. Despite having received few updates in recent years, its effectiveness remains thanks to techniques such as phishing and the use of loaders like DonutLoader. In addition, it masquerades as legitimate software, affecting victims worldwide, with 30% of samples registered in the U.S.
New Ymir ransomware partners with RustyStealer in global cyberattacks
Cybersecurity researchers have identified a new ransomware called Ymir that attacks systems previously compromised by the infostealer malware RustyStealer. This ransomware, which operates from memory to evade detection, uses ChaCha20 encryption to lock files and generates ransom notes in PDF format. Although direct data theft by Ymir has not been confirmed, it is suspected that previous tools deployed by the attackers, such as RustyStealer, facilitated the exfiltration of information. RustyStealer compromises legitimate accounts with high privileges, allowing lateral network movement using tools such as PowerShell and WinRM. Once access is secured, attackers deploy Ymir as a payload. In addition to modifying the Windows Registry to display ransom demands, Ymir employs an exclusion list to avoid damaging essential system files.
Earth Estries uses advanced tactics and malware to infiltrate and maintain persistent access in vulnerable networks
The threat group known as Earth Estries, active since 2020, has escalated its attacks through complex infection chains, using multiple techniques and tools as malware, including Cobalt Strike, Zingdoor and SnappyBee. Its campaigns focus on exploiting vulnerabilities in Microsoft Exchange servers and network adapter management systems, introducing malware through CAB files and cURL downloads. The attacks consist of two phases: the first employs PsExec and tools such as Trillclient and Crowdoor for lateral movement and credential theft; the second focuses on installing backdoors through persistence techniques and bypassing defenses.
Analysis of newly discovered ransomware group Interlock published
Cybersecurity researchers have published an analysis of Interlock, an emerging ransomware group that executes “big-game hunting” and double extortion attacks against companies in industries such as healthcare, technology and manufacturing in the U.S. and Europe. This ransomware employs a complex infection system: it infiltrates via a fake browser updater that installs remote access tools (RATs), infostealers and keyloggers. Lateral movements are performed via RDP and programs such as AnyDesk, and data exfiltration is executed via Azure Storage Explorer. Once inside, the attackers stay on the system for up to 17 days, time that allows them to install their ransomware that encrypts files and demands a ransom.
New malware called SteelFox detected stealing sensitive data
A new malware, SteelFox, has been discovered that mines cryptocurrencies and steals credit card data using a privilege escalation technique known as “bring your own vulnerable driver”. This technique, common in state-sponsored threat actors and ransomware groups, allows the malware to gain administrator privileges on Windows systems. SteelFox is distributed via forums and torrent trackers, disguised as an illegal activation tool for programs such as Foxit PDF Editor, JetBrains and AutoCAD. After gaining administrative access, the malware uses a vulnerable driver (WinRing0.sys) to gain full access to the system. It then steals information from up to 13 web browsers and extracts data such as passwords, browsing histories and cookies. In addition, it employs the cryptocurrency mining resource via XMRig to mine Monero. Researchers have blocked more than 11,000 attack attempts, mainly affecting users in Brazil, China, Russia, Mexico and other countries.