Threat Pulse – April 2023
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
Rorschach – A New Sophisticated And Fast Ransomware
A new ransomware strain dubbed ‘Rorschach‘ has been discovered that’s both sophisticated and fast.
Rorschach employs a highly effective and fast hybrid-cryptography scheme as well as only encrypting a specific portion of the original file content. This has allowed the malware to encrypt 220,000 files within four minutes and 30 seconds on average, whereas LockBit 3.0 took approximately seven minutes.
This ransomware strain uses a rarely observed technique called DLL side-loading to load the ransomware payload.
Once a device is infected, Rorschach also terminates a predefined list of services, deletes shadow volumes and backups, clears Windows events logs, disables the Windows firewall, and even deletes itself after completing its actions.
EvilExtractor malware
Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users’ sensitive data in Europe and the U.S.
The attacks began with a phishing email posing as an account confirmation request and including an executable attachment that had been gzip-compressed. This executable is a Python programme that has been designed to look like a genuine PDF or Dropbox file.
Users are warned to be vigilant for unsolicited emails since observations in the wild show that EvilExtractor is popular among cybercriminals.
Linux version of RTM Locker ransomware targets VMware ESXi servers
RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
Over the past years, the enterprise has moved to virtual machines (VMs) as they offer improved device management and much more efficient resource handling. Due to this, an organisation’s servers are commonly spread over a mix of dedicated devices and VMware ESXi servers running multiple virtual servers.
Ransomware operations have followed this trend and created Linux encryptors dedicated to targeting ESXi servers to encrypt all data used by the enterprise properly.
VMware: Stack-based buffer-overflow vulnerability in bluetooth device-sharing functionality
VMware Workstation and Fusion contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
The Iranian threat actor group known as Charming Kitten is actively targeting multiple victims in the US, Europe, the Middle East and India with a novel malware dubbed BellaCiao.
BellaCiao is a personalised dropper that’s capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. In samples observed so far, it has been found that the malware has been tailored to the target companies which generally makes it harder to detect because it is specifically crafted to evade detection.
The initial attack vector is suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine to gain access to a vulnerable device, followed by attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.
Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack
AuKill is a previously undocumented defence evasion tool that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
The BYOVD technique relies on misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft to gain elevated privileges and turn off security mechanisms.
EDR killer malware abuses Process Explorer driver
A new tool that uses a legitimate driver to bypass the Windows Electronic Defence Protection System (EDR) is being used by multiple threat groups.
New Cylance Ransomware
New Cylance Ransomware targets Linux and Windows devices, with several ransomware attacks having been found.
Ransomware leaves a ransom note requesting to contact attacker via given email addresses. Furthermore, ransomware points out that files are encrypted and do not try to change or restore as it would destroy the private key.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.
