Poseidon Infostealer, DoNex Ransomware, ElDorado Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: July 2024

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats by the SafeBreach Labs team. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.

US CERT Alert AA24-207A – North Korean Cyber Espionage Activities

On July 25^th, the Federal Bureau of Investigation (FBI) along with its national and international cyber intelligence partners released an advisory highlighting cyber espionage activities being conducted by Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.

The RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

• Technical Details
  • These threat actors are known to gain initial access by weaponizing vulnerabilities to deploy a web shell and access sensitive information and applications. They use standard system discovery and enumeration techniques, establish persistence via scheduled tasks, and elevate privileges with tools like Mimikatz. They also deploy custom malware implants, RATs, and open-source tools for execution, lateral movement, and data exfiltration.
  • They depend on tunneling tools like 3Proxy, PLINK, and Stunnel, along with custom proxy tunneling utilities, to route traffic over various protocols from within a network to a C2 server. This allows them to conduct C2 operations over network configurations that would usually be restrictive.
  • To exfiltrate data, these threat actors commonly rely on cloud storage or servers separate from their primary C2. They usually log into their cloud storage accounts directly from victim networks and using tools like PuTTY and WinSCP to transfer data to North Korea-controlled servers via FTP and other protocols.

SafeBreach Coverage of US- CERT Alert AA24-207A

Coverage for several of the attack TTPs and IOCs listed in the US CERT Alert already exists in the SafeBreach playbook. Additionally, the following new attacks were added to the playbook:

• (NEW) #10420 – Pre-execution phase of MagicRAT (0c0ee6) RAT (Windows)
• (NEW) #10421 – Transfer of MagicRAT (0c0ee6) RAT over HTTP/S
• (NEW) #10422 – Transfer of MagicRAT (0c0ee6) RAT over HTTP/S
• (NEW) #10423 – Email MagicRAT (0c0ee6) RAT as a compressed attachment
• (NEW) #10424 – Email MagicRAT (0c0ee6) RAT as a compressed attachment
• (Existing) #8590 Write Maui (9b0e7c) ransomware to disk
• (Existing) #8591 Transfer of Maui (9b0e7c) ransomware over HTTP/S
• (Existing) #8592 Transfer of Maui (9b0e7c) ransomware over HTTP/S
• (Existing) #8593 Email Maui (9b0e7c) ransomware as a compressed attachment
• (Existing) #8594 Email Maui (9b0e7c) ransomware as a compressed attachment
• (Existing) #7181 Write Maui ransomware to disk
• (Existing) #7182 Transfer of Maui ransomware over HTTP/S
• (Existing) #7183 Transfer of Maui ransomware over HTTP/S
• (Existing) #7184 Email Maui ransomware as a compressed attachment
• (Existing) #7185 Email Maui ransomware as a compressed attachment
• (Existing) #7700 Pre-execution phase of NukeSped trojan

Additionally, several scenarios pertaining to North Korean threat actors exist in the platform (See images below). You can choose to run these to get an additional level of protection against other North Korean state-sponsored groups.

Fake CrowdStrike Update Trojan (CERT-IL-W-1779): What You Need to Know

Threat actors have begun leveraging the recent IT outages caused by a faulty CrowdStrike update to target gullible victims. These threat actors have been registering potentially malicious domains and naming files after ‘CrowdStrike remediation’ themes. These domains are being used by threat actors to lure in victims for a variety of extortion/scamming opportunities, including phishing and the distribution of malicious ‘fixes’ for the issue. 

We advise all current CrowdStrike users to only use the instructions offered by CrowdStrike through their official blog and support portal. We request all CrowdStrike users to be careful of any email (not from the official channels) purporting to share a “fix” for the issue. 

SafeBreach Coverage of Fake CrowdStrike Update Trojan

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this trojan variant: 

• #10407 – Write CrowdStrike fake updater (b331a3) trojan to disk
• #10408 – Pre-execution phase of CrowdStrike fake updater (b331a3) trojan (Windows)
• #10409 – Transfer of CrowdStrike fake updater (b331a3) trojan over HTTP/S
• #10410 – Transfer of CrowdStrike fake updater (b331a3) trojan over HTTP/S
• #10411 – Email CrowdStrike fake updater (b331a3) trojan as a compressed attachment
• #10412 – Email CrowdStrike fake updater (b331a3) trojan as a compressed attachment

Poseidon Infostealer: What You Need to Know

Threat researchers from Malwarebytes Labs have uncovered a new malicious campaign that is targeting Mac users via Google ads. These malicious ads, being displayed on their browser, are used to distribute an infostealer known as the Poseidon infostealer. The creator of this infostealer intended for it to be a competitor to the Atomic Stealer. 

Victims who clicked on the malicious Google ad were redirected to arc-download[.]com, a completely fake site offering the Arc browser for Mac only.  The Arc browser is marketed as a competitor to the Google Chrome browser. When downloaded, the DMG file resembles what one would expect when installing a new Mac application, with the exception of the right-click to open trick to bypass security protections. The Poseidon infostealer has been used to steal configurations from Fortinet and OpenVPN and also includes code for data exfiltration. 

Other capabilities of this infostealer are similar to that of the Atomic Stealer, including, file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.

SafeBreach’s Coverage of Poseidon Infostealer

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this infostealer variant:

• #10379 – Write Poseidon (f34a05) infostealer to disk
• #10380 – Transfer of Poseidon (f34a05) infostealer over HTTP/S
• #10381 – Transfer of Poseidon (f34a05) infostealer over HTTP/S
• #10382 – Email Poseidon (f34a05) infostealer as a compressed attachment
• #10383 – Email Poseidon (f34a05) infostealer as a compressed attachment

DoNex Ransomware: What You Need to Know

The DoNex Ransomware (which Avast Threat Research is monitoring) is the most recent rebranded version of a ransomware variant formerly known as Muse (first seen in April 2022), fake LockBit 3.0 (November 2022), and DarkRace (May 2023). The ransomware has been used in targeted attacks across the US, Italy, and the Netherlands.

Researchers have observed that during the ransomware execution, an encryption key is generated by the CryptGenRandom() function, which is then used to initialize the ChaCha20 symmetric key and encrypt files. After encrypting a file, RSA-4096 encrypts the symmetric file key and appends it to the end of the file. The files are picked by their extension, and file extensions are listed in the ransomware XML config. At the end of encryption, the symmetric key is encrypted via RSA-4096 and appended to the end of the file. Small files up to 1 MB are fully encrypted, while files larger than 1 MB are split into blocks that are encrypted separately. 

The ransomware variants can be identified by their ransom notes, with the fake LockBit 3.0 ransom note claiming to be from the real LockBit ransomware gang. No new samples of DoNex-related ransomware have been detected since April 2024 and its dark web site has also been down. 

SafeBreach’s Coverage of DoNex Ransomware

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this ransomware variant: 

• #10384 – Write DoNex (e1e3ca) ransomware to disk
• #10385 – Pre-execution phase of DoNex (e1e3ca) ransomware (Windows)
• #10386 – Transfer of DoNex (e1e3ca) ransomware over HTTP/S
• #10387 – Transfer of DoNex (e1e3ca) ransomware over HTTP/S
• #10388 – Email DoNex (e1e3ca) ransomware as a compressed attachment
• #10389 – Email DoNex (e1e3ca) ransomware as a compressed attachment

AvNeutralizer Hacktool: What You Need to Know

The threat group Fin7 is now selling a new version of their highly specialized tool, AvNeutralizer, which is intended to tamper with EDR security controls. They have priced this tool between $4,000 to $15,000. Analysis of the latest version of this tool by SentinelOne researchers has revealed a new technique that leverages the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver). The tool is delivered to buyers as a customized build targeting specific security solutions as requested by the buyer. While multiple samples of the tool exhibit the same code, the list of targeted process names may vary based on the attacker’s chosen build.

According to the information available, the unpacked AvNeutralizer payload employs more than 10 different user mode and kernel mode techniques to tamper with the security solutions installed on the system. AvNeutralizer uses a combination of drivers and operations to create a failure in some specific implementations of protected processes, ultimately leading to a denial-of-service condition. Researchers have observed multiple ransomware groups leveraging the latest version of this tool in their campaigns. 

SafeBreach Coverage of AvNeutralizer Hacktool

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this hacktool variant:

• 10413 – Write FIN7 AvNeutralizer (604b7f) hacktool to disk
• 10414 – Pre-execution phase of FIN7 AvNeutralizer (604b7f) hacktool (Windows)
• 10415 – Transfer of FIN7 AvNeutralizer (604b7f) hacktool over HTTP/S
• 10416 – Transfer of FIN7 AvNeutralizer (604b7f) hacktool over HTTP/S
• 10417 – Email FIN7 AvNeutralizer (604b7f) hacktool as a compressed attachment
• 10418 – Email FIN7 AvNeutralizer (604b7f) hacktool as a compressed attachment

Eldorado Ransomware: What You Need to Know

Group-IB researchers have uncovered a new ransomware-as-a-service (RaaS) group called Eldorado that has been observed targeting VMware ESX servers across the real estate, education, professional services, healthcare, and manufacturing sectors. This group has been attributed to 16 ransomware attacks in 2024 alone, 13 of which were in the United States. 

Eldorado uses Golang (Go) for cross-platform capabilities, and employs ChaCha20 for file encryption, as well as RSA-optimal-asymmetric-encryption-padding (RSA-OAEP) for key encryption. This ransomware comes in two versions – one each for Windows and Linux. All encrypted files will have the extension “.00000001”. During the locking process, the following logs are printed to the console. Here is an example of the output logs when we tried encrypting a single directory. A ransom note titled “HOW_RETURN_YOUR_DATA.TXT” will be written in the Documents and Desktop folder, containing instructions for contacting the TA. The filename and text for the ransom note can be customized during the building process. 

Eldorado can be configured in Windows to not affect certain kinds of files that are critical for normal operation. The Windows variant of this malware is highly configurable, allowing the attackers to create different variations in the method of attack.

SafeBreach Coverage of Eldorado Ransomware

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this ransomware variant: 

• #10390 – Write Eldorado (6174a7) ransomware to disk
• #10391 – Pre-execution phase of Eldorado (6174a7) ransomware (Windows)
• #10392 – Transfer of Eldorado (6174a7) ransomware over HTTP/S
• #10393 – Transfer of Eldorado (6174a7) ransomware over HTTP/S
• #10394 – Email Eldorado (6174a7) ransomware as a compressed attachment
• #10395 – Email Eldorado (6174a7) ransomware as a compressed attachment

LockBit 4.0 Ransomware: What You Need to Know

LockBit 4.0 is a new variant of the LockBit ransomware that was released in February 2024. LockBit 4.0 is designed to encrypt data and demand ransoms for its decryption. The previous versions of LockBit were built in C/C++, however, the latest version is written in .NET that appears to be compiled with CoreRT and packed with MPRESS. It includes a configuration file in JSON format that outlines parameters such as the execution date range, ransom note details, RSA public key, unique IDs and other operational flags.

LockBit 4.0 supports three encryption modes using AES+RSA, fast, intermittent, and full. It can also randomize the file naming to make the restoration efforts harder, and it has custom file or directory exclusions. Additional features include a self-delete mechanism.

SafeBreach Coverage of LockBit 4.0

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this new ransomware variant: 

• #10401 – Write Lockbit 4 (7b2eb1) ransomware to disk
• #10402 – Pre-execution phase of Lockbit 4 (7b2eb1) ransomware (Windows)
• #10403 – Transfer of Lockbit 4 (7b2eb1) ransomware over HTTP/S
• #10404 – Transfer of Lockbit 4 (7b2eb1) ransomware over HTTP/S
• #10405 – Email Lockbit 4 (7b2eb1) ransomware as a compressed attachment
• #10406 – Email Lockbit 4 (7b2eb1) ransomware as a compressed attachment

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.