Links

https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html
https://thehackernews.com/2023/06/camaro-dragon-strikes-with-new-tinynote.html
https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34362

New Backdoor Malware for Intelligence Gathering

• Camaro Dragon
  • Chinese nation-state group
  • another backdoor application
    • intelligence-gathering
  • overlaps with a threat actor.
    • Mustang Panda
      • state-sponsored group
      • from China
      • known to be active since at least 2012.
    • TinyNote
      • Go-based malware.
      • functions as a first-stage payload
        • basic machine enumeration
        • command execution via PowerShell or Goroutines.
      • multiple persistency tasks
        • establishing redundant methods
          • retain access to the compromised host.
        • distributed using names related to foreign affairs.
          • PDF_ Contacts List Of Invitated Deplomatic Members
        • target Southeast and East Asian embassies.
        • specifically bypass an Indonesian antivirus solution called Smadav

New Ransomware Exhibit Striking Similarities with an older name

• Trend Micro
  • Researchers have discovered a new ransomware family.
    • BlackSuit
      • targets Windows and Linux users
    • similarities it shares with the notorious Royal ransomware.
  • Royal ransomware
    • first observed in early 2022
    • Dev-0569
      • gang that operates Royal
    • highly sophisticated and quickly evolving malware strain.
    • November 2022
      • 43 new victims
        • demanding between $250,000 and $2 million per compromise
      • financial gain
        • extortion
          • large enterprise
        • comparisons to other ransomware gangs
          • Conti and Ryuk
          • indicating that they may have splintered away.
        • Rather than selling Royal as a ransomware-as-a-service (RaaS)
          • purchases direct access to corporate networks from underground Initial Access Brokers (IABs)
          • manages the attack campaigns internally.
          • employs double extortion tactics.
            • extorting victims for deleting stolen data
            • threatening to make it public.
              • in addition to ransom demands for the decryption of infected files.
            • BlackSuit
              • Windows 32-bit version
              • ESXi 64-bit version
              • appends the file extension .blacksuit to encrypted files.
              • leaves a ransom note.
                • information about the attack
                • a unique ID for the victim
                • TOR Chat site link for communication
                • data leak site to post leaked data in case a victim does not pay the ransom.
                  • only one victim currently

• Similarities
  • BlackSuit supports the use of several command-line arguments.
    • like those used by Royal.
    • includes some additional arguments do not present in Royal.
  • Both malwares use comparative intermittent encryption techniques, including OpenSSL’s AES encryption algorithm and similar formulas and numbers when comparing file size.
  • When comparing the source code used in the 64-bit samples of the two malwares, there is a 98% similarity in used functions, 98.9% in BinDiff-based jump statements, and 99.5% in blocks.
  • Similarly, a comparison of the code used in 32-bit samples exhibits 99.3% resemblance in basic blocks, 93.2% in used functions, and 98.4% in jumps based on BinDiff.

Discord Admins hit with malicious Bookmark.

• Discord Communities Hit
  • Focused on Crypto discord communities.
  • Administrators Tricked
    • running malicious JavaScript code
      • disguised as a Web browser bookmark.
    • contacted by a “reporter” for interview.
      • Crypto Focused new outlet
      • Sent a link to the news orgs “official discord.”
        • complete a verification step to validate their identity.
          • involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser.
            • How does this verify?
          • instructed to go back to discord.com and then click the new bookmark to complete the verification process.
        • Bookmark
          • snippet of JavaScript
            • grabs the user’s Discord token.
            • sends it to the scammer’s website.
              • They take the token and use it.
              • after a little bit
            • Attack
              • Now as Admin
                • change the server’s access controls.
                • remove all core team members from the server.
                • posts an announcement.
                  • an exclusive “airdrop,” “NFT mint event” or some other potential money-making opportunity for the Discord members.
                • Have access if Admin doesn’t log out and back in, or else change their credentials.
              • Discord members click the link provided.
                • asked to connect their crypto wallet to the scammer’s site.
                • asks for unlimited spending approvals.
                • drains the balance of any valuable accounts.

MOVEit Transfer zero-day mass-exploited in data theft attacks.

• MOVEit Transfer
  • file transfer software
  • developed by Ipswitch.
    • subsidiary of US-based Progress Software Corporation
  • securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.
  • offered as an on-premises solution managed by the customer.
  • cloud SaaS platform managed by the developer.
• CVE-2023-34362
  • Version Impacted

• Danger
  • SQL injection vulnerability
    • could allow an unauthenticated attacker to gain access to MOVEit database.
    • an attacker may be able to infer information about the structure and contents of the database.
    • Execute SQL statements that alter or delete database elements.
      • perform mass downloading of data.
    • exploitation of unpatched systems can occur via HTTP or HTTPS.
  • Who/How Long
    • Not attributed to any group
    • Not sure how long
  • Fix?
    • developers warn admins to block external traffic to ports 80 and 443 on the MOVEit Transfer server.
      • prevent external access to the web UI.
      • prevent some MOVEit Automation tasks from working.
      • block APIs
      • prevent the Outlook MOVEit Transfer plugin from working.
    • check the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files, including backups or large file downloads.
      • indicators that the threat actors have stolen data.
      • in the process of doing so.
    • Until a patch is released for your version
      • it is strongly advised that organizations shut down any MOVEit Transfers
      • perform a thorough investigation for compromise before applying the patch.