[CyberLand News] Weekly #6 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
Contents
Dark Power, the new ransomware group in the land
RedLine malware analysis
CNMF defensive cyber operation
Stealer as Service - BlackGuard
Linux server infected by ShellBot malware
Russo-Ukrainian conflict - CommonMagic malware
Dark Power, the new ransomware group in the land
A new ransomware group known as "Dark Power" has surfaced, targeting organizations around the world and demanding a relatively small ransom of $10,000. The group's encryptor was first detected on January 29, 2023, and the attacks have already listed their first victims on a dark web data leak site. The group threatens to publish the victim's data if the ransom is not paid.
Dark Power's payload is written in Nim, a cross-platform programming language with several performance advantages, making it a suitable choice for ransomware attacks. Nim is considered a niche choice among cybercriminals, which means it can evade detection by defense tools.
Dark Power terminates specific services and processes on the victim's machine to free up files for encryption and prevent anything from blocking the file-locking process. The ransomware also stops the Volume Shadow Copy Service (VSS), data backup services, and anti-malware products in its hardcoded list. System-critical files are excluded from encryption to allow the victim to view the ransom note and contact the attackers.
Interestingly, there are two versions of Dark Power circulating in the wild, each with a different encryption key scheme. The first variant hashes the ASCII string with the SHA-256 algorithm and splits the result into two halves, using the first as the AES key and the second as the initialization vector (nonce). The second variant uses the SHA-256 digest as the AES key and a fixed 128-bit value as the encryption nonce.
The ransom note, an 8-page PDF document, is unique compared to other ransomware operations. It provides victims with 72 hours to pay the ransom in XMR (Monero) to receive a working decryptor. Dark Power has not been promoted on any hacker forums or dark web spaces, indicating that it is a private project.
According to cybersecurity firm Trellix, Dark Power is an opportunistic ransomware operation that targets organizations worldwide, demanding a relatively small ransom. Trellix did not provide details regarding Dark Power's infection point, but it could be an exploit, phishing emails, or other means.
In conclusion, Dark Power is a new ransomware group that poses a significant threat to organizations around the world. Its use of a niche programming language, evasion of detection by defense tools, and low ransom demands make it a unique and dangerous threat.
More details in “Shining Light on Dark Power: Yet Another Ransomware Gang”
RedLine malware analysis
A new trend of spreading malware through seemingly harmless programs that promise rewards like cryptocurrency or NFT-themed gifts has been on the rise in recent months. These attacks lure unsuspecting users into downloading and running an 'innocent' executable, which ultimately enrolls their device in a botnet.
One such malware campaign, called 'Redline-EDIRA', has been active since May 2022. This campaign poses several challenges to novice analysts, and the attackers have implemented various tactics to make reverse engineering difficult.
More details in “Analysis of a Redline Based Malware”
CNMF defensive cyber operation
The U.S. Cyber National Mission Force (CNMF) collaborated with the National Agency for Information Society (AKSHI) to conduct their first-ever defensive cyber operation in Albania, after the country was targeted by Iranian cyber actors in July and September 2022. The operation involved U.S. operators working closely with Albanian cyber partners over three months to identify vulnerabilities and hunt for malicious cyber activity. Hunt Forward Operations like these enable countries to understand shared threats and enhance the security of critical networks.
During the operation, U.S. operators hunted only on networks the partner identified and provided access to. By sharing information, the cybersecurity posture of partners and allies is improved, protecting networks and critical infrastructure against shared threats. Hunt Forward Operations have proven to be a successful cybersecurity defense activity, with CNMF deploying 44 times to 22 countries and conducting hunt operations on nearly 70 networks globally since 2018.
The Iranian state cyber actors who identified themselves as “HomeLand Justice” carried out a destructive cyber attack against the Government of Albania in July 2022, rendering several websites and services unavailable. The FBI investigation indicates that Iranian state cyber actors had acquired initial access to the victim’s network about 14 months before the attack. The cyber attack included a ransomware-style file encryptor and disk-wiping malware. The actors maintained continuous network access for about a year, periodically accessing and exfiltrating e-mail content.
The collaboration between the CNMF and AKSHI not only identified vulnerabilities and malicious cyber activity but also strengthened the cybersecurity posture of Albania. This partnership building with key allies and partners through Hunt Forward Operations enhances their cybersecurity posture and makes it more difficult for foreign adversaries to operate on networks globally. As Major General William J. Hartman, commander of Cyber National Mission Force, stated, “these relationships are key to protecting our networks and critical infrastructure against shared threats.”
More details in “U.S. Conducts First Defensive Cyber Operation in Albania Following Major Attack”
More details in “Iranian State Actors Conduct Cyber Operations Against the Government of Albania”
Stealer as Service - BlackGuard
The BlackGuard stealer is a type of malware sold as a service on underground forums and Telegram since 2021. The malware is capable of collecting information from various applications and browsers, and was initially offered for $700 lifetime or $200 monthly. In November 2022, the malware's developer announced an update to the BlackGuard stealer in Telegram, which included new features and free help with installing the command & control panel.
One of the key features of BlackGuard is its ability to steal crypto wallets saved on an infected machine, as well as cryptocurrency addresses that are copied to the clipboard. The malware replaces the copied address with the attacker's own address, using a matching algorithm that checks the clipboard content against regular expressions for the different cryptocurrency wallet formats. This allows the attacker to potentially receive crypto assets without the victim realizing it when they attempt to transfer or pay to other wallets.
More details in “BlackGuard stealer extends its capabilities in new variant”
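As an added illustration of the clipboard-swap behaviour described above, written from the defender's side (this is example code, not BlackGuard's own logic, which the write-up does not reproduce): clipboard contents are classified by wallet-address format, and a pair is flagged when the user copied a wallet address but a different address of the same coin came out at paste time. The regexes, the coins covered and the sample addresses are assumptions constructed for the example.

```python
import re

# Assumed address-format patterns for three common coins (constructed for this
# example; a stealer's own regex set is not reproduced here).
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text):
    """Return the coin whose address format `text` matches, or None."""
    candidate = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_swaps(events):
    """events: list of (copied, pasted) clipboard pairs observed on a host.

    A clipboard-hijacking stealer leaves the copied text alone unless it looks
    like a wallet address; then it substitutes an attacker address of the SAME
    coin so the paste still looks plausible. That is exactly the condition
    flagged here: same coin family, different address.
    """
    alerts = []
    for copied, pasted in events:
        coin = classify(copied)
        if coin and pasted != copied and classify(pasted) == coin:
            alerts.append({"coin": coin, "copied": copied, "pasted": pasted})
    return alerts


# Constructed sample events: one genuine swap, two benign pairs, one unrelated edit.
BTC_USER = "1Kx7rJ9pQm2Ws8Bd4Hn6Tv3Yc5Ze9Fg2Ah"
BTC_SWAPPED = "1Mz4qR8tPv7Yw3Xb6Nc9Hd2Jf5Kg8Lm3Qp"
ETH_USER = "0xab12cd34ef56ab78cd90ef12ab34cd56ef78ab90"
SAMPLE_EVENTS = [
    (BTC_USER, BTC_SWAPPED),        # copied one BTC address, pasted another: hijack
    (ETH_USER, ETH_USER),           # unchanged: benign
    ("meeting at 10", "meeting at 10"),  # not an address: ignored
    (BTC_USER, "see invoice"),      # user replaced clipboard themselves: not a swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap suspected for {alert['coin']}: "
              f"{alert['copied']} -> {alert['pasted']}")
```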
Linux server infected by ShellBot malware
AhnLab Security Emergency response Center (ASEC) has recently discovered that the ShellBot malware has been infecting poorly managed Linux SSH servers. This malware, also known as PerlBot, is a DDoS bot developed in Perl and typically uses the IRC protocol to communicate with its C&C server. Despite being old malware, it is still actively used today to launch attacks against Linux systems.
While desktop environments are mainly used by ordinary users, servers are responsible for providing specific services. As such, in desktop environments malware attacks are typically carried out through web browsers or email attachments. In server environments, however, threat actors use different methods, since distributing malware in the ways mentioned above has limitations. The prime targets are poorly managed services or services that are vulnerable to exploitation.
One example of a poorly managed service is one where simple account credentials are used, leaving the server vulnerable to dictionary attacks. On Windows operating systems, Remote Desktop Protocol (RDP) and the MS-SQL service are prime examples of attack vectors. On Linux servers, the Secure Shell (SSH) service is usually targeted, and in IoT environments the Telnet service is targeted for dictionary attacks.
The ShellBot malware is believed to have been installed after threat actors used account credentials obtained through the use of scanners and SSH brute-force malware on target systems. After scanning for systems with port 22 open, threat actors identify those where the SSH service is active and use a list of commonly used SSH account credentials to run their dictionary attack. The threat actors then use the valid account credentials to install ShellBot, and their goal is to use the infected servers to launch DDoS attacks.
More details in “ShellBot Malware Being Distributed to Linux SSH Servers”
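An added example, not from the ASEC report: the brute-force-then-valid-login pattern described above, detected over a few constructed OpenSSH auth.log lines. The log lines, host name, addresses and the failure threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 20 03:14:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 20 03:14:03 srv sshd[2102]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 20 03:14:05 srv sshd[2103]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 20 03:14:07 srv sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Mar 20 03:14:09 srv sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51270 ssh2
Mar 20 03:14:12 srv sshd[2106]: Accepted password for root from 203.0.113.7 port 51281 ssh2
Mar 20 03:20:44 srv sshd[2190]: Failed password for alice from 198.51.100.5 port 40011 ssh2
Mar 20 03:20:50 srv sshd[2191]: Accepted password for alice from 198.51.100.5 port 40012 ssh2
"""

# Matches the two sshd password-auth outcomes; "invalid user" marks names that
# do not exist locally, typical of a credential list being tried blindly.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def analyze(log_text, threshold=5):
    """Return (brute_force_ips, compromised_logins).

    brute_force_ips: sources with at least `threshold` failed password logins.
    compromised_logins: (ip, user) pairs where a source that already crossed the
    threshold then logged in successfully, i.e. the dictionary attack worked and
    the credentials are now being used for real, as in the ShellBot installs.
    """
    failures = defaultdict(int)
    brute_force_ips = set()
    compromised_logins = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        ip, user = match["ip"], match["user"]
        if match["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                brute_force_ips.add(ip)
        elif ip in brute_force_ips:
            compromised_logins.append((ip, user))
    return brute_force_ips, compromised_logins


if __name__ == "__main__":
    ips, logins = analyze(SAMPLE_LOG)
    print("brute-force sources:", sorted(ips))
    print("successful logins after brute force:", logins)
```

Alice's single typo followed by a success stays below the threshold and is not reported, which is the distinction a real alert rule needs to keep noise down.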
Russo-Ukrainian conflict - CommonMagic malware
Kaspersky researchers have been monitoring cyberattacks in the political and geopolitical context of the Russo-Ukrainian conflict. In October 2022, they discovered an active infection of government, agriculture, and transportation organizations in the Donetsk, Lugansk, and Crimea regions. The initial vector of compromise is unknown, but it is suspected that spear phishing or similar methods were used. The victims were directed to a URL that led to a ZIP archive hosted on a malicious web server.
Once the user opens the LNK file contained in the ZIP archive, the computer becomes infected with a new malicious framework called CommonMagic. This framework is not particularly advanced, but it is still able to infect the computer effectively. The campaign that uses this malware and its associated techniques is not known to have any direct connection with previously identified campaigns.
More details in “Bad magic: new APT found in the area of Russo-Ukrainian conflict”
More details in “Evaluation of cyber activities and the threat landscape in Ukraine”
A.I. support for text and images