Thanks for coming researcher

Latest Posts:

post @ 2023-09-04
LaplasClipper

_Overview

LaplasClipper (Laplas Clipper also known as Laplace Clipper) is a well-known malware that operates as a crypto clipboard hijacker. It has been in use since 2022. This malware can be purchased from its portal for as low as $49, with payment structured as a monthly subscription. LaplasClipper has been employed by various criminal threat actors to steal cryptocurrencies.

This malware gains access to devices through various methods. It has been observed being distributed through YouTube video links or compromised websites, as well as links to files containing LaplasClipper loaders. It has also been delivered via spear-phishing campaigns. In recent versions of the malware, it establishes persistence in the registry and injects itself into files it creates to gain an advantageous position. From there, it monitors the clipboard, waiting for cryptocurrency wallet-related information to be added. It modifies this information to hijack the cryptocurrencies to the attacker's server.

As noted above, Laplas has been involved in several executions alongside other malware or loaders; those associated with active groups include the following:

  • VidarStealer
  • SmokeLoader
  • AresLoader
  • RedLine Stealer
  • AgentTesla
post @ 2023-06-04
AveMariaRAT | WarZoneRAT

_Overview

AveMariaRAT, also known as WarZoneRAT, is one of the most famous and widely used RATs in recent years. It can be purchased with a license and monthly subscriptions ranging from $16 to $38 on its website. This tool is used and modified by various groups, ranging from disorganized or resource-limited individuals known as script kiddies to highly relevant criminal groups or APTs.

Some of the notable groups that have been observed using AveMariaRAT include:

  • Tomiris (🏴)
  • Carbanak | Anunak (🇺🇦)
  • Aggah (🏴)
  • BlindEagle | APT-C-36 (🇨🇴)
  • Confucius (🇮🇳)
  • SideWinder (🇮🇳)
  • HazyTiger | Bitter (🇮🇳)
  • FIN7 (🏴)
  • SandWorm Team | Voodoo Bear (🇷🇺)
  • Kasablanka (🏴)

This malware, used by the groups mentioned above, can infiltrate an infrastructure in various ways, from spear-phishing to compromised websites from which it is downloaded. Once on the device, the RAT has capabilities to escalate privileges, bypass UAC, evade defenses such as security software, gather sensitive information about the device and the user, and inject itself into processes to maintain active communication with the C&C server operated by the attacker.

Evolution of Spear-Phishing Techniques of Notorious Threat Groups

_Inside Look: Evolution of Spear-Phishing Techniques of Notorious Threat Groups

In recent years, different campaigns and threats have been developing whose entry vector has been the same: email. This initial access vector often seems too obvious to deserve attention, on the assumption that companies have properly trained their employees. However, the trend tells us the opposite: many criminal groups and APTs continue to use this technique, varying or evolving it, and keep exposing the most vulnerable element, human error.

Phishing (T1566), a social engineering technique used as initial access (TA0001) since the mid-90s, is nothing more than a tool to deceive the victim into providing confidential information. Attackers disguise fraudulent emails with messages that appear familiar to the victim and are difficult (in most cases) to distinguish at a glance from the legitimate ones they are trying to emulate.

Along with this technique, we have spear-phishing, which has different sub-techniques (T1566.001, T1566.002, T1566.003). It uses fraudulent emails to entice the victim to click on a link, open an attachment, etc.

post @ 2023-03-13
AZORult

_Overview

AZORult is one of the best-known malware families within the stealer category. It is usually sold on Russian forums for prices of up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime, such as FIN11 or TA505 (GracefulSpider), and others that follow a state-sponsored model, such as GorgonGroup from Pakistan.

This malware usually starts from an initial point such as documents delivered via spear-phishing or compromised web pages. It is characterized by dropping several files that are later executed and that check the connection to the C&C. After that, it steals information and establishes persistence or a backdoor so that, before exfiltrating the data, it has the opportunity to remain on the system; the actor can thus continue obtaining information from the network to which the affected computer belongs and sometimes pivot.

post @ 2022-10-03
RecordBreaker | RaccoonV2

_Overview

RecordBreaker, or RaccoonStealerV2, is the new version of the Raccoon stealer, sold as malware-as-a-service on black markets for under $300. It is widely used in mass campaigns and by criminal groups that try to infect repositories or attach the malware, usually compressed in ZIP/RAR format. Its main objective is to reach the largest possible number of victims, and it consists of several phases, including process injection, binary downloading and information theft.

post @ 2022-08-29
SmokeLoader

_Overview

SmokeLoader is a malware that generally acts as a backdoor and is commonly used as a loader for other malware. It is attributed to the criminal group Smoky Spider, which uses SmokeLoader and Sasfis as loader and downloader respectively. SmokeLoader has been used as a bot in infrastructures and contains strong evasion capabilities as well as anti-analysis, anti-VM and anti-debugging techniques.

post @ 2022-08-07
Tofsee

_Overview

Tofsee is a malware used in mass campaigns and has no associated group or actor. It has gone through different phases, but has generally been used to build botnets or spambots, as well as for mining. The starting point of Tofsee is usually a loader or an email using the spear-phishing technique that launches the malware. At every stage it has been a carefully worked malware, with code obfuscation, packed samples and anti-analysis techniques, leading to a backdoor used to mine by taking advantage of the botnet features or to send spam.

post @ 2022-06-28
Machete Weapons - Lokibot

_Machete Weapons: Lokibot

Machete is a group that currently has no associated country, but it is believed that its origin, or part of it, lies in Spanish-speaking countries. This group began operating in 2010 and this year has had a major impact in many countries; it is unusual in this respect, as it attacks a large number of them, with an emphasis on Latin America, Spain and Russia.

Its main targets are defense departments, government entities and companies dedicated to energy and telecommunications. The group gains initial access through social engineering, with a strong preference for spear-phishing emails, although it has also been seen exploiting vulnerabilities. Once access has been gained, the phases vary depending on the malware used, but the main objective is to establish persistence, open outbound connections that create a secure channel, and steal information from the victim, which is then exfiltrated through the previously created channel.

post @ 2022-04-24
SilentBuilder

_Overview

SilentBuilder is a campaign used to launch bankers such as Emotet, growing the Epoch5 botnet alongside the usual tasks of this malware. Given its similarities with other loaders that launch Emotet and that, once the banker is on the computer, try to contact the C&C, we can understand this as the typical modus operandi of the criminal group Mummy Spider (TA542).

post @ 2022-03-16
SysJoker

_Overview

SysJoker is a backdoor which appeared for the first time at the beginning of 2022 and whose strength lies in being cross-platform. Its main objective is to install itself on the computer and perform espionage and/or data theft tasks. It has not yet been attributed to any group or campaign.
