Emerging Cyber Threats of July 2022

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

July 2022 was another restless month for cyber attack campaigns of new cyber threat groups and malware families. Fortunately, Picus Labs swiftly added attack simulations to Picus Threat Library for these new threats as they were discovered. 

This blog provides a brief analysis of the top five cyber threats observed in July 2022. You can easily simulate these threats, and validate and improve your security controls against them with the Picus Complete Security Control Validation Platform.

Simulate Emerging Cyber Threats with 14-Day Free Trial of the Picus Platform

Top Cyber Threats of July 2022

1. Maui Ransomware

2. Green Stone Malware Dropper

3. HavanaCrypt Ransomware

4. Lilith Ransomware

5. H0lyGh0st Ransomware Group


1. Maui Ransomware

On July 06, 2022, The Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury of US, and the Federal Bureau of Investigation (FBI) released a joint advisory on a North Korean-based cyber threat actor using the Maui ransomware. Affiliated groups using the Maui ransomware are mainly known for launching state-sponsored ransomware attacks on healthcare industries. The Maui ransomware employs a single extortion method. In other words, it does not exfiltrate data or remove system backs up to cause extra stress and pressure on its victim. Moreover, the malware does not employ any lateral movement techniques and does not drop any ransom notes instructing its victims to pay the ransom.

Even though the Maui ransomware does not incorporate any lateral movement techniques, it utilizes a hybrid encryption method involving AES, RSA encryption, and XOR encoding to increase the impact. While the RSA algorithm generates a new public-private key pair, the AES algorithm encrypts each file in the CBC mode. After each file is encrypted with a unique secret key, these secret keys are encrypted with the public key that is generated in the first place.

The tactics, techniques, and procedures (TTPs) used by the Maui ransomware are given below:

Execution

  • T1059.008 Command and Scripting Interpreter: Network Device CLI

Impact

  • T1486 Data Encrypted for Impact

We strongly recommend you test the effectiveness of your security controls against the Maui ransomware. Picus Threat Library includes the following threats for the Maui ransomware:

Threat ID

Threat Name

56700

Maui Ransomware Download Threat (Network Infiltration)

64940

Maui Ransomware Email Threat (Email Infiltration (Phishing))

For more detailed information, you can check our blog post on "Maui Ransomware”.

2. Green Stone Malware Dropper

In late July 2022, many Iranian companies received an Office Open XML document containing a malicious macro. The functions within the macro unpacks and runs the executable in a temporary directory, which is a common practice employed by adversaries to avoid detection. Later analysis showed that the executable has cyber-espionage capabilities. It collects information about the operating system, takes screenshots of the screen, and sends collected data to a remote server. 


Figure 1: Executable Contained within the Malicious Office Open XML Document: Green Stone Malware Dropper

The analysis of the Green Stone malware points to an uncommon technique of exchanging commands using a Telegram bot. This technique avoids unnecessary communication to a remote server and hides the C2 server. 

Figure 2: Supported Commands via a Telegram Bot

Since many APT groups prefer to embed malicious payloads within an innocent-looking document, organizations should be aware of possible threats coming from emails and assess how effective their security controls are against the Green Stone Malware Dropper.

The tactics, techniques, and procedures (TTPs) used by the Green Stone Malware Dropper are given below:

Execution

T1204 User Execution

Persistence

T1137 Office Application Startup

Credential Access

T1056.001 Keylogging

T1056.004 Credential API Hooking

Discovery

T1012 Query Registry

T1082 System Information Discovery

Collection

T1056.001 Keylogging

T1056.004 Credential API Hooking

Picus Threat Library includes the following threats for the Green Stone malware dropper:

Threat ID

Threat Name

69096

Green Stone Malware Dropper Email Threat (Email Infiltration (Phishing))

70452

Green Stone Malware Dropper Download Threat (Network Infiltration)

3. The HavanaCrypt Ransomware 

The 2022 year was a bit busy with the distribution of malware masquerading itself under legitimate programs and software updates like Windows 10, Google Chrome, and Microsoft Exchange updates. This month, a brand-new malware family, HavanaCrypt, was found in the wild. HavanaCrypt malware disguises itself as a legitimate Google Software application and uses an IP address belonging to a Microsoft web hosting service as their C2 server to evade detection. Later analysis showed that the malware uses the QueueUserWorkItem function to implement thread pooling for its other payloads and a .NET System.Threading namespace method, which is responsible for queuing an execution method. HavanaCrypt uses the KeePass Password Safe modules, an open-source password manager, during the file encryption process.  

Further analysis shows that HavanaCrypt malware is a .NET-compiled application and secures its code in a .NET assembly by using the Obfuscar, an open source .NET obfuscator. 

Figure 3. Obfuscated HavanaCrypt Sample 

HavanaCrypt malware was designed to have multiple anti-virtualization techniques to avoid dynamic analysis in the case of being executed in a virtual machine. It even checks the services mainly used by virtual machines such as VMware Tools, VMTools, and wm mouse. To analyze this malware, researchers used deobfuscation tools like DeObfuscar and de4dot.


Figure 4. Services Checked by the HavanaCrypt Malware 

It is seen that Tor directories are one of the directories that the HavanaCrypt avoids encrypting. The adversaries may have planned to maintain communication with their victims via the Tor browser. Another strange thing that draws attention is that the adversaries do not drop any ransom notes. Considering that, researchers think HavanaCrypt is still in the process of development. Nevertheless, it is important that organizations test their system against this brand-new malware family. 

The tactics, techniques, and procedures (TTPs) used by the Havana ransomware are given below:

Credential Access

  • T1056.004 Credential API Hooking

Discovery

  • T1012 Query Registry
  • T1057 Process Discovery

Collection

  • T1056.004 Credential API Hooking

Command and Control

  • T1056.004 Credential API Hooking

Impact

  • T1486 Data Encrypted for Impact

Picus Threat Library includes the following threats for HavanaCrypt ransomware:

Threat ID

Threat Name

24728

HavanaCrypt Ransomware Email Threat (Email Infiltration (Phishing))

91290

HavanaCrypt Ransomware Download Threat (Network Infiltration)

4. Lilith Ransomware

A C/C++ console-based ransomware called Lilith is discovered in the wild. This malware is designed for the Windows x64 architecture and like many other ransomware operations, the Lilith ransomware uses the double-extortion method: It steals the sensitive data, encrypts it and drops a ransom note providing a Tor chat address on the target system. 

Figure 5: Ransom Note Dropped by the Adversaries 

Analysis shows that the Lilith malware encrypts not every file type on the target system. For instance, EXE, DLL, SYS and Program Files, web browsers, and Recycle Bin Folders are excluded from the encryption process. In addition to these files, one strange file found on the victim’s system takes attention: ecdh_pub_k.bin. This file is also excluded from the encryption process and stores the local public key of BABUK ransomware infections, indicating that these two malware families might be linked in some way. 

The malware performs the encryption using Windows cryptographic API and Windows’ CryptGenRandom function to generate the random key.  Even though the researchers say that the new Lilith family does not introduce any novelty, it is one of the latest threads that the organizations need to test their systems against.  

The tactics, techniques, and procedures (TTPs) used by the Lilith ransomware are given below:

Defense Evasion

  • T1497 Virtualization/Sandbox Evasion

Discovery

  • T1012 Query Registry
  • T1082 System Information Discovery
  • T1497 Virtualization/Sandbox Evasion

Collection

  • T1114.001 Local Email Collection

Impact

  • T1486 Data Encrypted for Impact

Picus Threat Library includes the following threats for the Lilith ransomware

Threat ID

Threat Name

35395

Lilith Ransomware Email Threat (Email Infiltration (Phishing))Lilith Ransomware Download Threat (Network Infiltration)

94407

Lilith Ransomware Download Threat (Network Infiltration)

5. H0lyGh0st Ransomware

The H0lyGh0st is a North Korea-based cyber extortion threat group known for developing malware payloads and performing ransomware attacks since June 2021. In 2018, they launched many successful attacks on small-to-midsize industries like banks, manufacturers, schools, and event and meeting planning organizations worldwide. 


Figure 6: Timeline of the Payloads Developed and Used by H0lyGh0st 

Even though H0lyGh0st has been in the wild since 2021 and tracked by the MSTIC back then, the group now strikes back with a more persistent and more improved variant of malware: BTLC.exe.

Below, you will find the tactics, techniques, and procedures (TTPs) used by the H0lyGh0st cyber threat actor group:

Initial Access

  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application

Execution

  • T1059.003 Windows Command Shell

Persistence

  • T1133 External Remote Services

Privilege Escalation

  • T1134.001 Token Impersonation/Theft

Defense Evasion

  • T1027.002 Software Packing
  • T1134.001 Token Impersonation/Theft

Credential Access

  • T1056.004 Credential API Hooking

Discovery 

  • T1012 Query Registry
  • T1033 System Owner/User Discovery
  • T1049 System Network Connections Discovery
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1135 Network Share Discovery

Collection

  • T1056.004 Credential API Hooking
  • T1114 Email Collection

Command and Control

  • T1571 Non-Standard Port
  • T1573 Encrypted Channel

Impact

  • T1486 Data Encrypted for Impact

Picus Threat Library includes the following threats for the H0lyGh0st ransomware

Threat ID

Threat Name

20076

H0lyGh0st Ransomware Malware Download Threat (Network Infiltration)

41450

H0lyGh0st Ransomware Malware Email Threat (Email Infiltration (Phishing))

97451

DEV-0530 Threat Group Campaign Malware Download Threat (Network Infiltration)

75946

DEV-0530 Threat Group Campaign Malware Email Threat (Email Infiltration (Phishing))

Please check our blog post on "H0lyGh0st" for more detailed information.