_Overview
⚠️[You can also find this in collaboration with Any.Run on their blog :)]⚠️
HawkEye, also known as PredatorPain (Predator Pain), is a malware family categorized as a keylogger, but over the years it has adopted new functionalities that bring it in line with other tools such as stealers. It emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. It gained significant popularity starting in 2013, after several spear-phishing campaigns in which this well-known malware was attached. The keylogger has been available on various dark web sites and even had dedicated websites where the tool was sold. However, it has been cracked for years and used by different actors without going through the subscription imposed by its creators, priced between $20 and $50. This has contributed to its continued notoriety: it has been used not only by criminal actors but also by script kiddies thanks to its ease of use.
Although it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence during the COVID period, when certain actors took advantage of the general hysteria to obtain company data through phishing campaigns. Additionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked the keylogger. Over its long trajectory, various actors and malware families have been involved in attacks on companies, including:
- GOLD GALLEON ( 🏴 )
- Mikroceen ( 🇨🇳 )
- iSPY crypter related to Gold Skyline ( 🇳🇬 )
- Remcos used on campaigns with HawkEye
- Pony used on campaigns with HawkEye (Hey, we’ve already analyzed Pony!)
- Get Rich or Die ( 🇳🇬 )
- Uche and Okiki ( 🇳🇬 )
_Overview
⚠️This is only a small excerpt from the original report, which can be found in the corresponding section. The report was created thanks to the collaboration of Josh Penny [@josh_penny]⚠️
Akira is a Threat Actor (TA) categorized among the criminal groups related to ransomware, whose main objective is to make money through extortion. The attack procedures of the Akira gang have varied over time since their first appearance in 2022. Since then, they have been growing their list of victims by following methodologies similar to those of other criminal groups. Akira is one of the principal TAs in terms of victims in recent years, consistently climbing the annual rankings.
The TA has used different tools, such as malware and vulnerability exploitation, during their attacks. Depending on the victim, we have observed phases aimed at avoiding detection, lateral movement, and various exfiltration methods that have evolved and adapted to their needs. The crown jewel of their operations is the ransomware that gives them their name: Akira.
The malware has also undergone significant changes over time. However, as we will see below, its core functionality has not varied greatly. It retains capabilities such as controlling disk drives, managing running processes, multi-threaded operation and, of course, encrypting files and writing ransom notes on the victim's devices.
Akira maintains a close relationship with Conti, the ransomware used by WizardSpider. In fact, parts of Akira's ransomware code are an evolution or another version of the famous ransomware used by the Russian group, so the community often considers Akira a subgroup of WizardSpider. Additionally, Akira has also been seen to have close relationships with other well-known ransomware gangs such as BlackByte, LockBit or Snatch.
_Overview
📡This is not a déjà vu: this is an update and improvement of the NanoCore analysis I did years ago, because that analysis seemed very incomplete to me, and in addition we get to see how it has evolved and which new versions of this malware have been released📡
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc. It also serves as remote control for the attacker, who will have the ability to manipulate the system, remotely execute scripts, etc.
It first appeared in 2012, and its author was sentenced to over two years in prison in 2017. The NanoCore code has been leaked on several occasions across its versions, allowing different criminal groups and APTs to use it at some point, potentially refining it or adding functionalities. And undoubtedly, it has also been used by countless script kiddies.
NanoCore has therefore been used in a multitude of ways and has notably been seen in spear-phishing, where it is embedded in a document or in a ZIP/RAR file that triggers the execution of a loader or another malware that runs it. However, it has also been observed in download links for some software, posing as a legitimate program, which ends in the same situation: the download of a script or a ZIP containing a Nancrat loader.
As mentioned earlier, NanoCore has been used by various groups which, given the functionality of the malware, would act in the intermediate phase of the attack, where they already have access to the infrastructure and want relevant information and the ability to access it freely. Although many campaigns using NanoCore in conjunction with other malware could not be attributed, there is evidence of groups that have historically been seen using NanoCore:
- APT33 | RefinedKitten (🇮🇳)
- Gorgon Group (🇵🇰)
- Vendetta (🇹🇷)
- TA2719 (🏴)
- TA2722 (🏴)
- Aggah (🏴)
_Overview
Pony (also known as Fareit or Siplog) is a malware family categorized as a loader and stealer, although it is also used as a botnet; it has been in use for more than 10 years and is still active. This infamous malware continues to receive updates and can be purchased, and has been involved in information theft or used to launch other malware during attacks on victim infrastructures.
Given that this malware has such a long history (yes, 10 years in cyber is a lot), the methods of use and execution of Pony have varied, depending on who has used it and whether they were more or less organized groups. It has typically been seen in phishing campaigns with a typical message in the language of the targeted country, simulating some kind of urgency; alternatively, compromised web pages have been seen where download links were replaced by a Fareit loader or by the direct execution of it. Pony has also been notorious in exploit kits and in fake programs, where trying to download the free version of something would gift you malware disguised as a small horse.
Pony has been used by various groups, usually related to crime, whose general objective is to obtain money, and for whom its ability to steal data, persist and also act as a bot is tremendously useful. Obviously, most cases of use of this type of tool cannot be associated with groups, and years ago the code of Pony versions was leaked, which increased its use among both organized and less organized groups. However, when incidents are observed in which an actor interacts with tools typical of a group, or with a characteristic kill chain whose methodologies have been used before, it helps us to place these tools within their use by more organized groups. The groups of this type that have been seen using Fareit are as follows:
- Cobalt Group ( 🇷🇺 )
- Gold Evergreen | TA505 | GracefulSpider ( 🇷🇺 )
- Gold Galleon ( Suspected 🇳🇬 )
- Gold Essex | TA544 | NarwhalSpider ( 🏴 )
_Overview
SystemBC, also known as Coroxy or DroxiDat, is a malware family categorized as proxy malware, a bot, a backdoor and even a RAT, as its uses can be diverse depending on the attacker, making it a versatile tool for Threat Actors. Active since 2018, it has gained significant popularity, finding a warm reception in underground markets where it can be purchased, and interest in it has not waned: incidents involving its use are recorded every year.
Coroxy achieves execution on target systems through various methods, depending on the group using it. Recorded attacks have involved reconnaissance phases, lateral movement, and the deployment of SystemBC, often complemented with CobaltStrike. In other cases, it has been employed in spear-phishing campaigns, where it is delivered and installed on the victim's system via loaders or other malware. While the malware's methodology has evolved, its core functionality remains consistent. In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a SOCKS5 connection with the Command and Control (C&C) server, transmitting basic information and waiting for commands or the launch of other malware by the attacker. This provides a backdoor for the attacker to operate from their infrastructure.
As mentioned earlier, numerous groups have been associated with the use of SystemBC over the years. These groups, with many linked to ransomware activities, include:
- ViceSociety
- Rhysida
- GoldDupont
- FIN12
- 8BASE
- PLAY
- Hive
- BlackBasta
- TropicalScorpius (CUBA)
- RiddleSpider (Avaddon)
- WizardSpider (Conti, Ryuk)
- Egregor
- DarkSide
- Maze Team (Maze & IcedID)
_Overview
LaplasClipper (Laplas Clipper, also known as Laplace Clipper) is a well-known malware family that operates as a crypto clipboard hijacker. It has been in use since 2022. This malware can be purchased from its portal for as little as $49, with payment structured as a monthly subscription. LaplasClipper has been employed by various criminal threat actors to steal cryptocurrencies.
This malware gains access to devices through various methods. It has been observed being distributed through YouTube video links or compromised websites, as well as links to files containing LaplasClipper loaders. It has also been delivered via spear-phishing campaigns. In recent versions, the malware establishes persistence in the registry and injects itself into files it creates to gain an advantageous position. From there, it monitors the clipboard, waiting for cryptocurrency wallet-related information to be copied. It modifies this information to divert the cryptocurrency to the attacker's server.
As I said, Laplas has been involved in several executions related to other malware or loaders, some of which are related to active groups, such as the following:
- VidarStealer
- SmokeLoader
- AresLoader
- RedLine Stealer
- AgentTesla
_Overview
AveMariaRAT, also known as WarZoneRAT, is one of the most famous and widely used RATs of recent years. It can be purchased with a license and monthly subscriptions ranging from $16 to $38 on its website. This tool is used and modified by various groups, ranging from disorganized or resource-limited individuals known as script kiddies to highly relevant criminal groups and APTs.
Some of the notable groups that have been observed using AveMariaRAT include:
- Tomiris ( 🏴 )
- Carbanak | Anunak ( 🇺🇦 )
- Aggah ( 🏴 )
- BlindEagle | APT-C-36 ( 🇨🇴 )
- Confucius ( 🇮🇳 )
- SideWinder ( 🇮🇳 )
- HazyTiger | Bitter ( 🇮🇳 )
- FIN7 ( 🏴 )
- SandWorm Team | Voodoo Bear ( 🇷🇺 )
- Kasablanka ( 🏴 )
This malware, used by the groups mentioned, can infiltrate the infrastructure in various ways, from spear-phishing to compromised websites from which it is downloaded. Once on our devices, the RAT has capabilities to escalate privileges, bypass UAC, evade defenses such as security software, gather sensitive information about the device and user, and inject itself into processes to maintain active communication with the C&C server operated by the attacker.
_Inside Look: Evolution of Spear-Phishing Techniques of Notorious Threat Groups
In recent years, different campaigns and threats have been developing whose entry vector has been the same: email. This initial access always seems the most absurd and unworthy of attention, because companies have properly trained their employees. However, the trend tells us the opposite: many criminal groups and APTs continue to use this technique, varying or evolving it, and continue to exploit the most vulnerable element, human error.
Phishing (T1566), a social engineering technique used as initial access (TA0001) since the mid-90s, is nothing more than a tool to deceive the victim into providing confidential information. Attackers disguise fraudulent emails with messages that appear familiar to the victim and are difficult (in most cases) to distinguish at a glance from the legitimate ones they are trying to emulate.
Along with this technique, we have spear-phishing, which has different sub-techniques (T1566.001, T1566.002, T1566.003). It uses fraudulent emails to entice the victim to click on a link, open an attachment, etc.
_Overview
AZORult is one of the best-known malware families within the stealer category. It is usually sold on Russian forums for prices of up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime, such as FIN11 or TA505 (GracefulSpider), and others that are part of a state-sponsored model, such as GorgonGroup from Pakistan.
This malware usually starts from an initial point such as documents delivered via spear-phishing or compromised web pages. It is characterized by performing several file drops that are later executed and check the connection to the C&C; after this, it steals information and creates persistence or a backdoor so that, before exfiltrating the data, it has opportunities to persist on the system, letting the actor continue obtaining information from the environment to which the affected computer belongs and sometimes pivot.
_Overview
RecordBreaker, or RaccoonStealerV2, is the new version of the Raccoon stealer, sold as malware-as-a-service on black markets for under $300. It is widely used in mass campaigns or by criminal groups that try to infect repositories or attach the malware, usually compressed in ZIP/RAR format. Its main objective is to reach the largest number of victims, and it comprises different phases including process injection, binary downloading and information theft.