Threat actors increasingly use compromised code-signing certificates to sign their malware so that it evades detection by security software.
This trend was demonstrated this week when Microsoft disclosed that developer accounts in the Windows Hardware Developer Program had been compromised and used to sign malicious hardware drivers.
Because the drivers carried valid Microsoft signatures, Windows loaded them without complaint, giving the attackers kernel-level privileges, the highest level available on the system.
The drivers, tracked as STONESTOP and POORTRY, were part of a toolkit used to terminate security software processes and Windows services on the compromised machine.
According to Microsoft, multiple threat actors used the compromised accounts in their operations, including the Hive and Cuba ransomware operations.
Microsoft also fixed a Windows Mark of the Web zero-day vulnerability that threat actors were actively exploiting in malware distribution campaigns.
This week’s research includes:
Many cyberattacks were disclosed this week, but only a few were confirmed to be ransomware.
One of those confirmed was the LockBit attack on California's Department of Finance.
Contributors and those who provided new ransomware information and stories this week include: struppigel, VKIntel, Billtoulas, FourOctets, BleepinComputer, and DanielGallagher.
Clop ransomware uses TrueBot malware for initial access to networks
Researchers have observed a spike in the number of devices infected with TrueBot, malware that gives the Clop ransomware operation a foothold in victim networks.
Play ransomware claims attack on the Belgian city of Antwerp
The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgian city of Antwerp.
Pulling the curtains on Azov: not skidsware but a polymorphic wiper
One of the things that sets Azov apart from other ransomware is its modification of certain 64-bit executables so that they execute its own code. Before the advent of the modern-day internet, this behavior was the royal road for the proliferation of malicious software, and it is now the textbook definition of a computer virus.
New STOP ransomware variants
New STOP ransomware variants have been found that append the .maos and .manw extensions.
December 13th 2022
LockBit attacks California's Department of Finance
The California Department of Finance was hit by a cyberattack attributed to the LockBit ransomware gang.
Microsoft-signed malicious Windows drivers used in attacks
Microsoft has revoked several Windows hardware developer accounts after drivers signed through those accounts were used in cyberattacks.
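The lesson of the STONESTOP/POORTRY drivers discussed at the top of this roundup and in the entry above is that a valid Microsoft signature on a kernel driver is no longer proof that the driver is benign. The following PowerShell triage script is an added example written for this page; it is not code from the article, from Microsoft, or from any of the researchers cited here. It enumerates the kernel drivers currently running, verifies each file's Authenticode signature, records the signer and SHA-256 hash, and surfaces drivers signed through the Windows Hardware Compatibility Publisher path so they can be reconciled against a hardware inventory and vendor hashes instead of being trusted on the strength of the signature alone. The signer subject pattern and the `$KnownBadSha256` list are assumptions: the first is the subject Microsoft uses on hardware-program signed drivers, the second is left empty for you to fill from your own threat intelligence.

```powershell
# Added example for driver triage, not code from the article or from Microsoft.
# Run from an elevated PowerShell session on the host being examined.

# Assumption: subject used on third-party drivers signed through the Windows
# Hardware Compatibility Program. Adjust if your environment sees a different one.
$WhcpSubjectPattern = 'CN=Microsoft Windows Hardware Compatibility Publisher*'

# Assumption: SHA-256 hashes you already consider malicious (vendor report, IOC feed).
# Deliberately empty here; populate from your own threat intelligence.
$KnownBadSha256 = @()

function Get-DriverSignatureReport {
    # Only drivers that are actually loaded and have a file on disk
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise kernel-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name       = $d.Name
            Path       = $path
            Sha256     = $hash
            Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $subject
            WhcpSigned = ($subject -like $WhcpSubjectPattern)
            KnownBad   = ($KnownBadSha256 -contains $hash)
            LastWrite  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

$report = Get-DriverSignatureReport

# 1. Anything on the bad-hash list, however good its signature looks
$report | Where-Object KnownBad | Format-Table Name, Path, Sha256

# 2. Loaded drivers without a valid signature (normally empty on 64-bit Windows,
#    where driver signature enforcement is on)
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Path, Status

# 3. Drivers carrying the hardware-program signature, newest file first: these are
#    the ones to reconcile against your hardware inventory and vendor-published hashes
$report | Where-Object WhcpSigned | Sort-Object LastWrite -Descending |
    Format-Table Name, Path, LastWrite, Sha256
```

The third listing is where the signed-driver abuse shows up: a driver with a perfectly valid Microsoft signature, a recent file write time, and no corresponding hardware on the machine is exactly the profile of the STONESTOP/POORTRY loaders, so the hash, not the signature status, is what to compare against published indicators.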
BianLian ransomware deep dive
BianLian is ransomware written in Go that has been used against multiple industries. Its anti-analysis techniques are likely to crash some automated analysis systems, and it targets every drive it can identify on the machine.
New STOP ransomware variant
A new STOP ransomware variant appends the .matu extension.
New Dharma ransomware variant
PCrisk found a new Dharma variant that appends the .hebem extension and drops a ransom note.
New Lucknite ransomware
PCrisk found new Lucknite ransomware that appends the .lucknite extension and drops a ransom note.
New Chaos ransomware variant
A new Chaos ransomware variant appends the .xllm extension and drops a ransom note named read_it.txt.
December 14th 2022
Microsoft patches Windows zero-day exploited to bypass SmartScreen
Microsoft has fixed a security vulnerability that threat actors were exploiting to circumvent the Windows SmartScreen security feature.
Royal ransomware analysis
The Royal ransomware group has gained momentum since the middle of the year, and its attacks have hit multiple organizations across the globe. Researchers believe the group is made up of former members of other ransomware groups.
Cyber intelligence report: Masscan ransomware threat analysis
Korean companies reported many cases of ransomware damage in the second half of 2022. The attacker penetrated a database server with weak security and appended a ".masscan" string to the extension of encrypted files.
New Blocky ransomware
New Blocky ransomware appends the .Locked extension and drops a ransom note.
New HentaiLocker ransomware
New HentaiLocker ransomware appends the .HENTAI extension and drops a ransom note named UNLOCKFILES.txt.
December 16th 2022
Energy supplier EPM hit by BlackCat/ALPHV ransomware attack
Empresas Públicas de Medellín (EPM) was hit by a BlackCat/ALPHV ransomware attack on Monday, disrupting the company's operations and taking down its online services.
Agenda ransomware uses Rust to target more vital industries
This year, groups such as BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor the malware to different operating systems. Agenda is the latest group to adopt the language.
New STOP ransomware variants
New STOP ransomware variants append the .btnw, .btos, and .BTtu extensions.
That's it for this week! Hope everyone has a nice weekend!