Nov 22, 2024

NotLockBit Ransomware, Embargo Ransomware, Emennet Pasargad, and More: Hacker’s Playbook Threat Coverage Round-up: November 2024

In this version of the Hacker’s Playbook Threat Coverage round-up, we highlight attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

NotLockBit Ransomware – What you need to know

Threat researchers from SentinelOne have identified a new ransomware family known as “macOS.NotLockBit” that can potentially affect macOS machines. Until now, ransomware threats for macOS were believed to be nothing more than proofs of concept and/or incapable of achieving their goals. However, the discovery highlights that a new threat actor is leveraging the LockBit name to gain notoriety.

This ransomware is written in Go and is distributed as an x86_64 binary; it is intended to run on Intel Macs, or on Apple silicon Macs with the Rosetta emulation software installed. On execution, the ransomware gathers system information from the host. On Mac targets, it reads the property list file at /System/Library/CoreServices/SystemVersion.plist to collect the product name, version, and build, queries sysctl hw.machine for the architecture, and queries sysctl kern.boottime for the time since last boot.

The malware uses an embedded public key to encrypt a randomly generated master key used in the file encryption process; the encrypted master key is written to a README.txt file deposited in each folder containing encrypted files, which are recognizable by their .abcd file extension. Before the file-locking operation, the malware attempts to exfiltrate the user’s data to a remote server. The threat actor abuses AWS S3 cloud storage using credentials hardcoded into the binary.

It is believed that this ransomware is still under development, but the potential for threat actors to leverage it against macOS machines in the near future cannot be ignored.

SafeBreach Coverage of NotLockBit Ransomware

The following individual attacks were added to the Hacker’s Playbook and can be individually run to validate organizational controls:

  • NotLockBit Sample_1 
    • #10576 – Write NotLockBit_Sample_1 (cd67ac) ransomware to disk
    • #10577 – Transfer of NotLockBit_Sample_1 (cd67ac) ransomware over HTTP/S
    • #10578 – Transfer of NotLockBit_Sample_1 (cd67ac) ransomware over HTTP/S
    • #10579 – Email NotLockBit_Sample_1 (cd67ac) ransomware as a compressed attachment
    • #10580 – Email NotLockBit_Sample_1 (cd67ac) ransomware as a compressed attachment
  • NotLockBit Sample_3b 
    • #10581 – Write NotLockBit_Sample_3b (97d564) ransomware to disk
    • #10582 – Transfer of NotLockBit_Sample_3b (97d564) ransomware over HTTP/S
    • #10583 – Transfer of NotLockBit_Sample_3b (97d564) ransomware over HTTP/S
    • #10584 – Email NotLockBit_Sample_3b (97d564) ransomware as a compressed attachment
    • #10585 – Email NotLockBit_Sample_3b (97d564) ransomware as a compressed attachment

Embargo Ransomware and MDeployer – What you need to know

Threat researchers from ESET have discovered a new Rust-based toolkit that is being used to distribute Embargo ransomware. The toolkit also contains a malware loader named MDeployer and an EDR killer tool named MS4Killer.

The Embargo group primarily leverages MDeployer to facilitate malicious activities on the compromised network. Its main purpose is to decrypt two encrypted files a.cache and b.cache (dropped by an unknown previous stage) and execute two payloads: MS4Killer and Embargo ransomware. Initially, MS4Killer is decrypted from the file b.cache, which is then dropped into praxisbackup.exe and executed. The ransomware payload is then decrypted from the file a.cache, saved as pay.exe, and then executed. Once the ransomware completes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system.

The Embargo ransomware, also written in Rust, appends encrypted files with a random six-character extension containing letters and numbers (e.g., .b58eeb) and drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in all encrypted directories. The ransomware group has its own infrastructure with which to secretly communicate with victims, the researchers found, but also provides the option to negotiate over Tox chat.
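The two write-ups above describe file-system artifacts a responder can look for: NotLockBit leaves .abcd files with a README.txt note in each affected folder, and Embargo leaves files with a random six-character alphanumeric extension beside HOW_TO_RECOVER_FILES.txt. The following scanner is an added example, not SafeBreach, SentinelOne or ESET code; the indicator values come from the text, while the per-directory threshold (MIN_FILES_PER_DIR), the confidence labels, and the sample directory tree it builds are assumptions constructed for this example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-ups above.
NOTLOCKBIT_EXT = ".abcd"
NOTLOCKBIT_NOTE = "README.txt"
EMBARGO_NOTE = "HOW_TO_RECOVER_FILES.txt"
# Embargo appends a random six-character extension of letters and digits (e.g. .b58eeb).
EMBARGO_EXT = re.compile(r"^\.[0-9a-z]{6}$", re.IGNORECASE)

# Assumption (not from the write-ups): a directory is reported only when at least this many
# files share the suspect extension, so a single oddly named file does not trigger a finding.
MIN_FILES_PER_DIR = 3


def _finding(family, directory, ext, count, note_present):
    return {
        "family": family,
        "directory": directory,
        "extension": ext,
        "encrypted_files": count,
        "note_present": note_present,
        # The ransom note beside the renamed files is what raises confidence to "high".
        "confidence": "high" if note_present else "medium",
    }


def scan_tree(root):
    """Walk `root` and return one finding per (directory, family) that matches an indicator."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        present = set(filenames)
        ext_counts = Counter(Path(name).suffix for name in filenames)

        # NotLockBit: .abcd files, with README.txt dropped in the same folder.
        count = ext_counts.get(NOTLOCKBIT_EXT, 0)
        if count >= MIN_FILES_PER_DIR:
            findings.append(_finding("NotLockBit", dirpath, NOTLOCKBIT_EXT, count,
                                     NOTLOCKBIT_NOTE in present))

        # Embargo: many files sharing one six-character alphanumeric extension. The pattern alone
        # also matches legitimate extensions such as ".sqlite", so the note presence matters.
        for ext, count in ext_counts.items():
            if count >= MIN_FILES_PER_DIR and EMBARGO_EXT.match(ext):
                findings.append(_finding("Embargo", dirpath, ext, count, EMBARGO_NOTE in present))
    return findings


def build_sample_tree():
    """Create a constructed directory tree mimicking both infections plus one clean folder."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    layout = {
        "finance": ["q1.xlsx.abcd", "q2.xlsx.abcd", "budget.docx.abcd", "notes.pdf.abcd",
                    NOTLOCKBIT_NOTE],
        "shared": ["report.docx.b58eeb", "plan.pptx.b58eeb", "db.bak.b58eeb", EMBARGO_NOTE],
        "clean": ["cache.sqlite", "readme.md", "photo.jpeg"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"[{f['confidence']}] {f['family']}: {f['encrypted_files']} {f['extension']} files "
              f"in {f['directory']} (ransom note present: {f['note_present']})")
```

Run against a real file share, point `scan_tree` at the share root instead of the constructed tree; the threshold and the "medium" confidence tier exist precisely because a six-character extension on its own is not proof of Embargo.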

SafeBreach Coverage of Embargo Ransomware and MDeployer

The following individual attacks were added to the Hacker’s Playbook and can be individually run to validate organizational controls:

  • MDeployer loader
    • #10564 – Write MDeployer (d7f149) loader to disk
    • #10565 – Pre-execution phase of MDeployer (d7f149) loader (Windows)
    • #10566 – Transfer of MDeployer (d7f149) loader over HTTP/S
    • #10567 – Transfer of MDeployer (d7f149) loader over HTTP/S
    • #10568 – Email MDeployer (d7f149) loader as a compressed attachment
    • #10569 – Email MDeployer (d7f149) loader as a compressed attachment
  • Embargo ransomware
    • #10570 – Write Embargo (ab173c) ransomware to disk
    • #10571 – Pre-execution phase of Embargo (ab173c) ransomware (Windows)
    • #10572 – Transfer of Embargo (ab173c) ransomware over HTTP/S
    • #10573 – Transfer of Embargo (ab173c) ransomware over HTTP/S
    • #10574 – Email Embargo (ab173c) ransomware as a compressed attachment
    • #10575 – Email Embargo (ab173c) ransomware as a compressed attachment

Iranian Threat Group Emennet Pasargad (bd.exe RAT and First.exe Trojan) – What you need to know

A joint cybersecurity advisory released by the Federal Bureau of Investigation (FBI), U.S. Department of Treasury, and Israel National Cyber Directorate highlights new IOCs being leveraged by the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten. Emennet Pasargad has conducted operations that have affected multiple countries, including the United States, France, Israel, and Sweden.

According to the advisory, the threat group has undertaken a project to harvest data and content from IP cameras to further its malicious goals. Additionally, it has used fictitious resellers to provision operational server infrastructure, which it provides to its members to perform malicious activities.

In July 2024, this threat group used “VPS-agent” infrastructure to compromise a French commercial dynamic display provider, attempting to display photo montages denouncing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games. This cyberattack was coupled with disinformation maneuvers including publication of a fake news article onto a French collaborative media website and the spread of threat messages to several Israeli athletes and their entourage under the banner of a fake French far-right group ‘Regiment GUD’, impersonating the real French far-right group ‘GUD’.

SafeBreach Coverage of bd.exe RAT and First.exe Trojan

  • Bd.exe RAT
    • #10586 – Write bd (781713) RAT to disk
    • #10587 – Pre-execution phase of bd (781713) RAT (Windows)
    • #10588 – Transfer of bd (781713) RAT over HTTP/S
    • #10589 – Transfer of bd (781713) RAT over HTTP/S
    • #10590 – Email bd (781713) RAT as a compressed attachment
    • #10591 – Email bd (781713) RAT as a compressed attachment
  • First.exe Trojan
    • #10592 – Write First (d20727) trojan to disk
    • #10593 – Pre-execution phase of First (d20727) trojan (Windows)
    • #10594 – Transfer of First (d20727) trojan over HTTP/S
    • #10595 – Transfer of First (d20727) trojan over HTTP/S
    • #10596 – Email First (d20727) trojan as a compressed attachment
    • #10597 – Email First (d20727) trojan as a compressed attachment

Other Threats We Added Coverage for in November 2024

In addition to the prominent threats above, we also added coverage for the following threats to give our customers a more comprehensive level of protection.

  • HustleCon Trojan – Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. The malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server.
    • #10598 – Write hustlecon (a9d881) trojan to disk (HOST_LEVEL)
    • #10599 – Transfer of hustlecon (a9d881) trojan over HTTP/S (LATERAL_MOVEMENT)
    • #10600 – Transfer of hustlecon (a9d881) trojan over HTTP/S (INFILTRATION) 
    • #10601 – Email hustlecon (a9d881) trojan as a compressed attachment (LATERAL_MOVEMENT) 
    • #10602 – Email hustlecon (a9d881) trojan as a compressed attachment (INFILTRATION) 
  • Vaccinerende Trojan – Fortinet’s FortiGuard Labs recently noticed a phishing campaign in the wild. It is initialized with a phishing email containing a malicious Excel document. This campaign is used to spread a new variant of the Remcos RAT. Remcos is a commercial RAT (remote administration tool) sold online. It provides purchasers with a wide range of advanced features to remotely control computers belonging to the buyer. This new variant deploys Remcos in the current process’s memory (Vaccinerende.exe), making it a fileless variant of Remcos.
    • #10603 – Write Vaccinerende (b126be) trojan to disk (HOST_LEVEL)
    • #10604 – Pre-execution phase of Vaccinerende (b126be) trojan (Windows) (HOST_LEVEL)
    • #10605 – Transfer of Vaccinerende (b126be) trojan over HTTP/S (LATERAL_MOVEMENT)
    • #10606 – Transfer of Vaccinerende (b126be) trojan over HTTP/S (INFILTRATION)
    • #10607 – Email Vaccinerende (b126be) trojan as a compressed attachment (LATERAL_MOVEMENT)
    • #10608 – Email Vaccinerende (b126be) trojan as a compressed attachment (INFILTRATION)
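The HustleCon item above turns on a signed .RDP attachment whose settings map the recipient's local resources to an attacker-controlled server. The check below is an added example for a mail-gateway or triage workflow, not SafeBreach or Microsoft code: it parses the standard `name:type:value` lines of a Remote Desktop connection file and reports which resource-redirection settings are enabled. The key names are the standard .rdp settings; the risk tiers, the sample file (placeholder host, dummy signature value) and the function names are assumptions constructed for this example.

```python
# Standard .rdp connection-file keys that hand local resources to the remote host once the
# session connects. The descriptions are this example's own labels.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives mapped into the session",
    "devicestoredirect": "plug-and-play devices forwarded",
    "redirectsmartcards": "smart cards (and the credentials on them) forwarded",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers forwarded",
    "redirectcomports": "serial ports forwarded",
    "redirectwebauthn": "WebAuthn / passkey requests forwarded",
}
# Assumption for this example: drive, device and smart-card redirection to an unknown host is
# treated as high risk; any other enabled redirection as medium.
HIGH_RISK = {"drivestoredirect", "devicestoredirect", "redirectsmartcards"}

# Constructed sample attachment: the host is a placeholder and the signature value is a dummy.
SAMPLE_RDP = """\
full address:s:rdp.placeholder.invalid:3389
prompt for credentials:i:0
screen mode id:i:2
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:0
drivestoredirect:s:*
devicestoredirect:s:*
remoteapplicationmode:i:0
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""


def parse_rdp(text):
    """Parse `name:type:value` lines into {name: (type, value)}; malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, kind, value = (p.strip() for p in parts)
        settings[name.lower()] = (kind.lower(), value)
    return settings


def _enabled(kind, value):
    """Integer keys are on when non-zero; string keys (e.g. drivestoredirect:s:*) when non-empty."""
    if kind == "i":
        return value.isdigit() and int(value) != 0
    return value != ""


def assess_rdp(text):
    """Return the target host, whether the file carries a signature, and the redirections enabled."""
    settings = parse_rdp(text)
    enabled = [key for key in REDIRECTION_KEYS if key in settings and _enabled(*settings[key])]
    if any(key in HIGH_RISK for key in enabled):
        risk = "high"
    elif enabled:
        risk = "medium"
    else:
        risk = "none"
    return {
        "target": settings.get("full address", ("s", ""))[1],
        # A signature only tells you who signed the file, not that its settings are safe.
        "signed": "signature" in settings,
        "redirections": {key: REDIRECTION_KEYS[key] for key in enabled},
        "risk": risk,
    }


if __name__ == "__main__":
    result = assess_rdp(SAMPLE_RDP)
    print(f"target={result['target']} signed={result['signed']} risk={result['risk']}")
    for key, why in result["redirections"].items():
        print(f"  {key}: {why}")
```

The `signed` flag is reported separately from the risk on purpose: a valid certificate on the file says nothing about where the session will connect or what it will expose, so a signed .rdp with drive and smart-card redirection to an unfamiliar host still deserves a block or a manual review.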
