Emerging Cyber Threats of September 2022


The cyber threat landscape is always changing, and new malware and ransomware campaigns were the top threats of September 2022. As always, Picus Labs swiftly added attack simulations to the Picus Threat Library for these new threats as they were discovered.

This blog briefly explains the top five cyber threats observed in September 2022. You can easily simulate these threats and validate and improve your security controls against them with the Picus Complete Security Validation Platform.


Top Cyber Threats of September 2022

1. BROKEYOLK Malware Downloader 

2. Gamaredon Malware Downloader

3. MagicRAT Remote Access Trojan 

4. Slam Ransomware Builder

5. FARGO Ransomware

1. BROKEYOLK Malware Downloader

In September 2022, a new type of malware downloader, BROKEYOLK, started to reveal itself in the attack cycle of an Iranian state-sponsored cyber espionage group, APT42. This threat actor has been active since 2015 and is infamous for leveraging sophisticated spearphishing attacks and surveillance activities aligned politically with the Iranian government.

Unlike other regional and/or Islamic Revolutionary Guard Corps (IRGC) related threat actors, APT42 does not limit itself to geopolitical opponents. The threat group also targets Western journalists, academics, government officials, and former Iranian government officials. In their social engineering campaigns, APT42 often takes days or even weeks to establish a trusted relationship with the victim. Using this relationship, the threat actors send malicious links or attachments to unsuspecting victims and gain initial access to their network.

Figure 1: APT42 actors pretending to be a vaccinologist from the University of Oxford [1]

After gaining initial access, APT42 establishes persistence in the victim's environment. In this stage, the actors generally rely on a set of lightweight malware, much of it based on publicly available scripts. The table below lists some of the malware primarily used in the attack lifecycle of APT42.

| Malware Families Used by APT42 | Description |
| --- | --- |
| MAGICDROP Malware Dropper | This dropper is written in C++. It decrypts files from its .data section and writes them to the system's Temp directory. |
| BROKEYOLK Malware Downloader | A .NET downloader that downloads and executes additional malware from the hardcoded addresses of the adversaries' Command and Control (C2) servers. |
| TABBYCAT Malware Dropper | A Microsoft Word VBA macro that, as the name suggests, functions as a dropper. |
| DOSTEALER Infostealer | An infostealer that collects browser login and cookie data. It can also take screenshots and log keystrokes. |
| CHAIRSMACK Backdoor Malware | Written in C++ and communicates over HTTP. Adversaries generally download a CHAIRSMACK .EXE and extend its capabilities by downloading plugins from their C2 servers. |
| GHAMBAR Remote Access Trojan (RAT) | A RAT that lets adversaries communicate between their C2 server and the victim machine using SOAP requests over HTTP. |

Since APT42 mainly runs cyber espionage campaigns, they focus on internal reconnaissance, lateral movement, privilege escalation, and maintaining persistence for as long as possible. 

Picus Labs recently added new attack simulations for malware variants used in APT42 Threat Group campaigns.

We strongly recommend that you test the effectiveness of your security controls against the malware leveraged by the APT42 Threat Group. The Picus Threat Library includes the following threats for the APT42 Threat Group:

| Threat ID | Threat Name |
| --- | --- |
| 29805 | APT42 Threat Group Campaign Malware Download Threat (Network Infiltration) |
| 45434 | APT42 Threat Group Campaign Malware Email Threat (Email Infiltration) |

2. Gamaredon Malware Downloader

Researchers from the Cisco Talos Threat Intelligence team noticed Gamaredon threat group activity, mainly targeting users in Ukraine with malicious LNK files distributed in RAR archives [2]. 

Gamaredon has been active since 2013 and has a strong affiliation with Russia. This threat group mainly targets critical infrastructures, organizations, and important entities that are affiliated with the Ukrainian government. However, the Ukrainian government is not their only target. It is known that Gamaredon targets other governmental, military-based, and even humanitarian and non-profit organizations in Europe. The group generally gains initial access to the victim's network through malicious Microsoft Office documents attached to a phishing email.

Even though Gamaredon has been active in the wild for many years, researchers have found a new type of infostealer deployed by the group. This infostealer exfiltrates files with specific extensions from the victim's endpoint, such as .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. Once deployed, the malicious binary scans all attached storage devices, including removable ones, looking for those extensions. For each file it finds, the binary sends an HTTP POST request containing the file's metadata and content.

Further analysis shows that the malware searches for files on local and remote drives, especially under C:\Users. Another feature worth mentioning is that the malware does not enumerate the following folders:

  • Program Files
  • Program Files (x86)
  • Programdata
  • Perflogs
  • Prog
  • Windows
  • Appdata
  • Local
  • Roaming

The likely motivation for this is not to fingerprint the victim's system but to exfiltrate only personal and sensitive user data. For each file the malware exfiltrates to Gamaredon's Command and Control (C2) server, it calculates the MD5 hash of the file-related information concatenated in the following form:

<file_path><File_size><File_modification_date_time>

This information gets stored in the %LocalAppData%\profiles_c.ini file. In a sense, the malicious binary keeps track of which files are exfiltrated to the C2 server. The very same process applies to the files found in the removable drives. Once the malware finds a file with the aforementioned extensions, it creates a random folder under the %TEMP% directory and copies the file from its original path to the following location.

%Temp%\<randomly_named_folder>\connect\<removable_vol_serial_number>\<original file path>

The content of these folders is also sent to the C2 server.
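The tracking mechanism described above (MD5 over path, size and modification time, stored in profiles_c.ini) can be reused by a responder to work out which files on a disk image the infostealer already recorded as exfiltrated. The following is an added example written for this post, not code from the report or the malware; the exact timestamp text the malware hashes is not documented, so the ISO-8601 format used here is an assumption and the inventory is constructed sample data.

```python
import hashlib
import os
from datetime import datetime

# Extensions and skipped folder names as reported for the Gamaredon infostealer.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".rtf", ".odt", ".txt", ".jpg", ".jpeg",
                     ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb"}
SKIPPED_FOLDERS = {"program files", "program files (x86)", "programdata", "perflogs",
                   "prog", "windows", "appdata", "local", "roaming"}

def in_scope(path: str) -> bool:
    """True if the reported collection rules would select this file."""
    parts = path.replace("\\", "/").split("/")
    if any(p.lower() in SKIPPED_FOLDERS for p in parts[:-1]):
        return False
    return os.path.splitext(parts[-1])[1].lower() in TARGET_EXTENSIONS

def tracking_hash(path: str, size: int, mtime: datetime) -> str:
    """MD5 of <file_path><File_size><File_modification_date_time>.
    The report does not give the timestamp text the malware uses;
    ISO-8601 at seconds precision is an ASSUMPTION of this example."""
    material = f"{path}{size}{mtime.strftime('%Y-%m-%dT%H:%M:%S')}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def attribute_exfiltrated(tracked_hashes, inventory):
    """Map hashes recovered from profiles_c.ini back to files in an
    inventory of (path, size, mtime) tuples taken from a disk image.
    Returns the paths whose tracking hash appears in the recovered list."""
    wanted = {h.lower() for h in tracked_hashes}
    return [path for path, size, mtime in inventory
            if in_scope(path) and tracking_hash(path, size, mtime) in wanted]

# Constructed sample inventory (not real victim data).
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\budget.xlsx", 20480, datetime(2022, 9, 1, 8, 30, 0)),
    (r"C:\Users\alice\Documents\contract.docx", 51200, datetime(2022, 9, 2, 9, 0, 0)),
    (r"C:\Users\alice\AppData\Local\notes.txt", 100, datetime(2022, 9, 3, 10, 0, 0)),
    (r"C:\Windows\System32\drivers\etc\hosts", 824, datetime(2022, 8, 1, 0, 0, 0)),
]

if __name__ == "__main__":
    # Pretend this hash was recovered from %LocalAppData%\profiles_c.ini.
    recovered = [tracking_hash(*SAMPLE_INVENTORY[1])]
    print(attribute_exfiltrated(recovered, SAMPLE_INVENTORY))
```

Note that .xlsx is not in the reported extension list (only .xls is), and anything under AppData is skipped, so only contract.docx is attributed in the sample.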

The Picus Threat Library already had simulations for the Gamaredon Threat Group's attack campaigns. Picus Labs added new attack simulations to the Picus Threat Library for the new malware the Gamaredon group uses.

The Picus Threat Library includes the following threats for the Gamaredon threat group:

| Threat ID | Threat Name |
| --- | --- |
| 25385 | Gamaredon Threat Group Campaign Dropper Download Threat (Network Infiltration) |
| 28837 | Gamaredon Threat Group Campaign Infostealer Email Threat (Email Infiltration) |
| 70257 | Gamaredon Threat Group Campaign Dropper Email Threat (Email Infiltration) |
| 74593 | Gamaredon Threat Group Campaign Downloader Download Threat |
| 78040 | Gamaredon Threat Group Campaign Downloader Email Threat |
| 79145 | Gamaredon Threat Group Campaign Infostealer Download Threat |
| 80763 | Gamaredon Threat Group Campaign Malware Email Threat |
| 83542 | Gamaredon Threat Group Campaign Malware Download Threat |

3. MagicRAT Remote Access Trojan 

Researchers discovered a new remote access trojan (RAT) called MagicRAT. It is believed with high confidence that this activity belongs to a North Korean state-sponsored threat actor, the Lazarus APT group. This threat group has been active in the wild since 2010 and is known for its self-developed malware families, including backdoors, pseudo-ransomware/wipers, DDoS botnets, and, of course, RATs.

Analysis of a compromised machine shows that the threat actors gained initial access to the system by exploiting publicly exposed VMware Horizon platforms. Even though its capabilities are mid-level, MagicRAT is built in C++ using the Qt Framework [3]. The Qt Framework is a programming library used to develop graphical user interfaces, yet MagicRAT has no graphical user interface at all. Researchers believe the authors of MagicRAT statically linked the Qt Framework into the 32-bit and 64-bit versions of the RAT solely to make human analysis harder and to evade machine learning-based automated detection by increasing the binary's complexity.

Further analysis of the malware samples reveals three hardcoded Command and Control (C2) URLs. These URLs are used to register infections and then receive commands to execute on the infected endpoint.

Once MagicRAT is deployed, it executes hard-coded commands that create scheduled tasks starting at a specific time on the victim's machine. Adversaries often use this sub-technique (T1053.005) to maintain their persistence in the compromised host. 

Figure 2: The commands that MagicRAT executes to establish persistence [3]

Once MagicRAT achieves persistence, it contacts the C2 server via an HTTP POST request.

Figure 3: MagicRAT communicating with the C2 server

After initial access, MagicRAT performs internal reconnaissance to identify the victim system and the environment in which the adversaries are operating. MagicRAT does not drop additional tools on the target's network, since those are likely to be detected by security controls; instead it relies on simple built-in commands to perform reconnaissance:

  • whoami
  • systeminfo
  • ipconfig /all

Overall, MagicRAT is a simple RAT that allows adversaries to execute arbitrary commands on the victim's machine and to move and rename files on the compromised endpoint. MagicRAT is fileless malware deployed as an implant, similar to TigerRAT, another RAT used by Lazarus that shares C2 infrastructure with MagicRAT. Because it is fileless, the threat actors can change the C2 URLs, set how long the implant sleeps, or even delete it from the infected endpoint.
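The behaviour described in this section (a scheduled-task creation followed shortly by whoami, systeminfo and ipconfig /all from the same process) is a sequence a SOC can look for in process-creation telemetry. The following detection logic is an added example written for this post, not code from the researchers; the event tuple format and the sample events are constructed, and the five-minute window and the use of the parent image as the correlation key are assumptions.

```python
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, parent image, command line).
# The schema is this example's own, not a real EDR or Sysmon format.
SAMPLE_EVENTS = [
    ("2022-09-12T10:00:01", "ws01", r"C:\ProgramData\update\svc.exe",
     "schtasks /create /tn Update /tr svc.exe /sc once /st 10:05"),
    ("2022-09-12T10:00:05", "ws01", r"C:\ProgramData\update\svc.exe", "whoami"),
    ("2022-09-12T10:00:06", "ws01", r"C:\ProgramData\update\svc.exe", "systeminfo"),
    ("2022-09-12T10:00:07", "ws01", r"C:\ProgramData\update\svc.exe", "ipconfig  /ALL"),
    ("2022-09-12T11:00:00", "ws02", r"C:\Windows\System32\cmd.exe", "whoami"),
]

# The three reconnaissance commands reported for MagicRAT.
RECON = {"whoami", "systeminfo", "ipconfig /all"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

def normalize(cmd: str) -> str:
    """Lower-case and collapse whitespace so 'ipconfig  /ALL' matches 'ipconfig /all'."""
    return " ".join(cmd.lower().split())

def is_task_creation(cmd: str) -> bool:
    """Scheduled task creation via schtasks (T1053.005)."""
    c = normalize(cmd)
    return c.startswith("schtasks") and "/create" in c

def find_magicrat_like_sequences(events, window=WINDOW):
    """Return (host, parent, task_time) for every scheduled-task creation that is
    followed, within `window` and from the same parent process, by all three
    recon commands. Partial sequences (only one or two commands) are not alerted."""
    by_key = {}
    for ts, host, parent, cmd in sorted(events):
        by_key.setdefault((host, parent), []).append((datetime.fromisoformat(ts), cmd))
    alerts = []
    for (host, parent), evs in by_key.items():
        for t0, cmd in evs:
            if not is_task_creation(cmd):
                continue
            seen = {normalize(c) for t, c in evs if t0 < t <= t0 + window}
            if RECON <= seen:
                alerts.append((host, parent, t0.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_magicrat_like_sequences(SAMPLE_EVENTS):
        print("persistence + recon sequence:", alert)
```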

The Picus Threat Library includes the following threat for the MagicRAT malware and other Lazarus malware:

| Threat ID | Threat Name |
| --- | --- |
| 23413 | Lazarus Threat Group Campaign Malware Download Threat |

4. Slam Ransomware Builder

While Ransomware as a Service (RaaS) is highly popular among cyber threat actors, there has been a dramatic increase in publicly available ransomware builder software on popular hosting platforms such as GitHub, and the Slam Ransomware Builder is one of them.

Slam Ransomware Builder was first seen in late 2021, and related payloads were observed in publicly available GitHub repositories throughout 2022. The authors of the builder published detailed guides on YouTube on how to build ransomware and malicious payloads. In September 2022, Slam Ransomware Builder was removed from GitHub by its authors.

The capabilities of the Slam Ransomware Builder are given in Figure 4. 

Figure 4: Description of the Slam Ransomware Builder [4]

Even though the builder is free to use, the payloads that the Slam Ransomware Builder generates are capable of causing severe damage. The builder allows threat actors to create fully customizable and advanced ransomware payloads with the following capabilities:

  • UAC bypass,
  • Advanced Encryption Standard (AES-256) encryption,
  • encryption passphrases,
  • shadow backup copy (VSS) deletion,
  • data exfiltration capabilities over HTTP,
  • customized ransomware notes.

In addition to these capabilities, the builder provides more advanced configuration options to its users.

Figure 5: Advanced Options Provided in the Slam Ransomware Builder [4]

The "block antivirus websites" option in the builder prevents victims from installing security software and/or uploading suspicious-looking files to public malware-scanning websites like VirusTotal. When this option is selected, the generated ransomware payload modifies the compromised device's Hosts file so that antivirus websites resolve to the loopback address "127.0.0.1". Thus, when the victim tries to visit VirusTotal to upload a suspicious file, the request loops back to the victim's own device.

Figure 6: The Modified Hosts File on the Victim's System [4]
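The Hosts file tampering described above leaves a simple artifact: security-vendor hostnames pinned to a loopback or blackhole address. The following checker is an added example written for this post, not code from the SentinelOne analysis or the builder; the sample Hosts content is constructed, only virustotal.com comes from the report, and any other domains you watch are your own addition.

```python
import ipaddress

# Addresses a payload would point a blocked domain at: loopback or blackhole.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed Hosts file content modelled on the report's description (not the real sample).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com   # added by payload
192.168.1.10 fileserver.corp.local
"""

# VirusTotal is named in the report; extend this with your own vendor/update domains.
DEFAULT_WATCHLIST = ("virustotal.com",)

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address in the first column
        for name in fields[1:]:
            yield fields[0], name.lower()

def find_sinkholed(text, watchlist=DEFAULT_WATCHLIST):
    """Return (ip, hostname) for watched domains (exact or subdomain match)
    that resolve to a loopback/blackhole address in the Hosts content."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip not in SINKHOLE_ADDRESSES:
            continue
        if any(name == d or name.endswith("." + d) for d in watchlist):
            hits.append((ip, name))
    return hits

if __name__ == "__main__":
    # On a live Windows host read C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"suspicious Hosts entry: {name} -> {ip}")
```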

The Picus Threat Library includes the following threats for the Slam Ransomware Builder:

| Threat ID | Threat Name |
| --- | --- |
| 28023 | Slam Ransomware Email Threat (Email Infiltration) |
| 73705 | Slam Ransomware Download Threat (Email Infiltration) |

5. FARGO Ransomware

The TargetCompany ransomware group, also known as Mallox, has been active in the wild since June 2021. In September 2022, TargetCompany released a new ransomware variant, FARGO, that mainly targets Microsoft MS-SQL servers and English-speaking organizations [5]. In this variant, the developers of FARGO use a hybrid encryption scheme built from the following cryptographic algorithms:

  • ChaCha20 (a stream cipher, combined with the Poly1305 message authentication code)
  • AES-128 (Advanced Encryption Standard with a 128-bit key)
  • Curve25519 (elliptic curve cryptography over Curve25519)

After encrypting the files, FARGO ransomware appends the ".FARGO3" extension to their names.

The Picus Threat Library includes the following threats for FARGO ransomware:

| Threat ID | Threat Name |
| --- | --- |
| 31567 | FARGO Ransomware Email Threat (Email Infiltration) |
| 32505 | FARGO Ransomware Download Threat (Network Infiltration) |

For further information, please visit our latest blog on FARGO ransomware. 

References

[1] "[No title]." [Online]. Available: https://www.mandiant.com/media/17826. [Accessed: Oct. 10, 2022]

[2] G. Venere, "Gamaredon APT targets Ukrainian government agencies in new campaign." [Online]. Available: http://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html. [Accessed: Oct. 11, 2022]

[3] V. Ventura, "MagicRAT: Lazarus' latest gateway into victim networks." [Online]. Available: http://blog.talosintelligence.com/2022/09/lazarus-magicrat.html. [Accessed: Oct. 11, 2022]

[4] J. Walter, "From the Front Lines," SentinelOne, Sep. 15, 2022. [Online]. Available: https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/. [Accessed: Oct. 11, 2022]

[5] "FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers," ASEC BLOG, Sep. 19, 2022. [Online]. Available: https://asec.ahnlab.com/ko/38849/. [Accessed: Oct. 11, 2022]