
Rapid TTP Development and Syndicate Adoption Ignite Q2 Ransomware Explosion

June 1, 2021


Summary of Findings

  • APT groups are using ransomware functionality to enable and mask targeted data destruction, possibly for political reasons.
  • The DarkSide group has suspended its ransomware-as-a-service (RaaS) program, possibly due to disruptions to its infrastructure following the Colonial Pipeline attack.
  • The rapid evolution of JSWorm ransomware from mass-scale operations to targeted threats showcases the investment by RaaS operators in new TTPs.
  • The use of third-party loaders is helping ransomware syndicates like Conti grab a larger share of the market.
  • Ransomware operators are adopting a new TTP to hinder incident response: deploying multiple variants with different encryption algorithms at the same target.
  • Pakistan-linked APT36 is likely behind a spear phishing campaign against defense personnel in India, possibly for espionage purposes.
  • A Brazilian banking trojan family has spread from South America to Europe, where it has been used to steal credentials from customers at dozens of banks.

Apparent Ransomware Attacks Used as Data Destruction Tools

Strategic attacks aimed at data destruction are among the greatest cyber risks. The Agrius advanced persistent threat (APT) group, possibly sponsored by Iran, has used custom ransomware-wiper variants DeadWood and Apostle to attack Israeli targets since 2020. Attacks execute from ProtonVPN egress points and exploit either SPXSpy web shells or target-owned VPN systems for initial access. Compromised Remote Desktop Protocol (RDP) credentials are used to pivot inside the network. Mimikatz and similar Red Team tooling are employed to harvest additional credentials. An exclusive backdoor, “IPsec Helper”, is used for command and control (C2) and data exfiltration. The wiper component is deployed in the final stage of the attack, with a fake ransom note, to delete files and obfuscate the attack.

Pause in DarkSide Ransomware Operations May Be Temporary

Ransomware remains lucrative for syndicates leveraging cryptocurrency to achieve payouts. State authorities alerted to recent high-profile attacks seized DarkSide public infrastructure and funds, which EclecticIQ assesses will only temporarily suspend the group’s operations. Current reports that Zeppelin RaaS (ransomware-as-a-service) is resuming operations after a brief pause suggest DarkSide could also resume attacks relatively easily. New variants of Zeppelin have been observed since March 2021 and developers have “promised” further updates to subscribers. The pledge is a strong indication of intended operation into the future. Zeppelin targets organizations in countries outside the Commonwealth of Independent States (CIS).

JSWorm Evolution Shows How RaaS Operators Develop New TTPs to Remain Effective

Since its onset in 2019, JSWorm (now titled GangBang) has continually evolved its TTPs to include the RIG exploit kit, the Trik botnet, fake payment websites, spam, Microsoft Remote Desktop Protocol (RDP), and Citrix ADC. JSWorm variants have been coded in C++ and Golang, demonstrating further expansion in the way the ransomware operates. In addition, rebranded variants began to use Big Game Hunting TTPs with custom ciphers in 2020. Taken together, these expansions have allowed JSWorm to remain a highly effective threat across time and distance. New variants are now able to perform a wide array of system process modifications on targets via command line. China was the most frequently targeted country according to statistics from Russian cybersecurity firm Kaspersky, with a share of infected systems nearly equal to those of the next three most often targeted countries (United States, Vietnam, and Mexico) combined.

Conti and Sodinokibi Use Third-party Loaders to Expand Share of Ransomware Market

The Sodinokibi and Conti ransomware families rank in the top two for ransomware market share, according to the DFIR Report. Their success is due, in part, to pairing ransomware operations with malware affiliates of popular loaders, including the IcedID trojan. Third-party loaders/trojans enable operators to gain an initial foothold inside networks so they can more easily spread ransomware. Further, they use native Windows tools extensively for lateral movement and reconnaissance after initial compromise, making them more difficult to detect.

Syndicates Impede IR Using Multiple Ransomware Families to Attack the Same Target

GlobeImposter, Netwalker, MedusaLocker, and REvil ransomware syndicates are employing multiple ransomware variants with different encryption algorithms to attack the same target. It is a highly effective method for encrypting as many systems as possible and maximizing ransom negotiations. This approach obfuscates the installation and C2 phases of the attack and confuses incident response (IR) teams. EclecticIQ analysts assess this TTP as likely to continue among prominent ransomware syndicates due to its high level of effectiveness.

APT36 Very Likely Targeting India’s Defense Personnel

According to a Cisco Talos Intelligence Group blog, several observed factors strongly suggest that APT36 is conducting a spear phishing campaign using advanced TTPs to target India’s defense personnel. The TTPs being used in the campaign are reportedly similar to those used in 2020 by APT36, a threat actor linked to Pakistan. APT36 also has a history of targeting India with RATs for espionage, and was previously observed targeting UK and Iranian defense entities in 2019-2020. An increase in controlled domains, malware variants including CrimsonRAT and ObliqueRAT, and new phishing lures indicate the targeting is part of an expanding operation. Malicious downloads execute through Microsoft Office applications.

Brazilian Banking Trojan Spreads to Europe

The Bizarro banking trojan—which previously operated in South America—has recently expanded to Europe, particularly France, Italy, Portugal, and Spain. Malware is delivered via spam and unauthorized apps. Social engineering is used in the Delivery, Exploitation, and Installation phases of the Kill Chain. The malware terminates existing browser sessions and assumes control of new, user-initiated sessions to progress to the C2 stage, where credentials are captured at legitimate login portals. From there, to maintain operations, the operators command a large infrastructure that includes AWS, Azure, and WordPress, as well as a network of money mules to cash out the stolen credentials.

