Posts

Revil Ransomware Targeted Kaseya

REvil is a ransomware-as-a-service (RaaS) delivered by “affiliate” actor groups who are paid by the ransomware’s developers. The REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.

Indicators of Compromise (URLs/Domains): ...

Pro-Ocean-Cloud Malware

The China-based cybercrime group Rocke is the best-known threat actor engaged in cryptomining operations targeting the cloud. The activities of Rocke, aka the Iron Group, SystemTen, Kerberods/Khugepageds, and even ex-Rocke, were originally reported in August 2018. Rocke was initially associated with ransomware campaigns using its Linux-focused Xbash tool, a data-destruction malware similar in functionality to NotPetya. NotPetya used the EternalBlue exploit to propagate across a network; Xbash instead performed lateral movement by leveraging an organization’s unpatched vulnerabilities and weak passwords, which potentially limited its overall effectiveness. Pro-Ocean is a revised version of cloud-targeted cryptojacking malware with improved rootkit and worm capabilities. Pro-Ocean uses known vulnerabilities to target cloud applications. It contains four modules that deploy during execution: hiding, mining, infecting, and watchdog. Each module co...

Whirlpool hit by Nefilim ransomware attack

Whirlpool is one of the world's largest home appliance makers, selling appliances under its own name and the KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit, and Bauknecht brands. Whirlpool employs 77,000 people at 59 manufacturing and technology research centers worldwide and generated approximately $20 billion in revenue in 2019. The leaked data included documents related to employee benefits, accommodation requests, medical information requests, background checks, and more. Nefilim is a ransomware known to encrypt files on a compromised system, appending the file extension .NEF1LIM to the files it encrypts. A ransom note named NEF1LIM-DECRYPT.txt is dropped in the directory of every file it encrypts. The ransom note informs the victims that their data has been stolen and that, if the perpetrators are not contacted, the data will be leaked. Upon execution, the analyzed variant behaves like typical variants of the ransomware and append...

BANDOOK(RAT)

The payload in this attack is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT developed by a Lebanese individual nicknamed PrinceAli. Bandook’s execution flow starts with a loader, written in Delphi, that uses the process hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server.

Indicators of Compromise (File Hash, MD5): ...

TA416 Returns with a Golang PlugX Malware Loader

APT group TA416 reemerges with new changes to its documented toolsets so it can continue launching espionage campaigns. Chinese advanced persistent threat (APT) group TA416, whose previous activity has been attributed to "Mustang Panda" and "RedDelta," has resumed attack activity. This new activity appears to be a continuation of previously reported campaigns that have targeted entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar and groups conducting diplomacy in Africa. Based on the available information, the tool set the actor used to deliver PlugX malware payloads has been identified as a new Golang variant of TA416's PlugX malware loader, and PlugX malware is consistently used in its targeted campaigns. This signifies the group's persistence in changing its toolset to evade detection. Indicators of Compromi...

South East Asian Governments Targeted by Chinese APT Group

A sophisticated advanced persistent threat (APT) group believed to be operating out of China has been stealthily targeting Southeast Asian governments. The FunnyDream campaign has previously been linked to high-profile government entities in Malaysia, Taiwan, and the Philippines, with a majority of victims located in Vietnam. In this campaign, the group used numerous malware families and a complex and complete arsenal of droppers, including the Chinoxy backdoor, PCShare RAT, and the FunnyDream backdoor. According to the available information, not only did around 200 machines exhibit attack indicators associated with the campaign, but evidence also points to the threat actor having compromised domain controllers on the victim's network, allowing them to move laterally and potentially gain control of other systems. There are no clues as to how the infec...

Buer Loader provides malware-as-a-service

Buer is a malware-as-a-service offering used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments, and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader. Buer is “a new modular bot…written in pure C” with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers).

Indicators of Compromise (File Hashes): ...