At a glance.
- Defray777/RansomExx gets a Linux port.
- Malicious news sites operated by OceanLotus.
- More information on Operation North Star.
- Ransomware gangs fail to keep promises.
Defray777/RansomExx gets a Linux port.
Palo Alto Networks' Unit 42 describes a lesser-known threat group tracked as PyXie or GOLD DUPONT, which uses the Vatet loader and the PyXie Remote Access Tool to deploy the Defray777 ransomware (also known as "RansomExx"). Unit 42 believes this criminal group developed and maintains all three of these malware strains. The group has been using these three strains in attacks since 2018, but they've managed to keep a low profile until recently.
Notably, Unit 42 says Defray777/RansomExx is now capable of targeting Linux systems:
"During the course of our research, we found that Defray777 ransomware has been ported over to Linux. Before Defray777, ransomware that impacted both Windows and Linux operating systems was limited to being written in Java or scripting languages such as Python. These ransomware variants would be considered cross-functional since they were written in a single language that must be installed and supported by both operating systems. Defray777's port to Linux ensures that the ransomware has standalone executables for each platform with no external dependencies."
Kaspersky has also published a report on Defray777/RansomExx, highlighting the malware's Linux-focused capabilities. The researchers also note that attacks involving this malware are highly targeted: "Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name." We noted in last week's Research Briefing that this ransomware operator is one of the reprehensible gangs that intentionally targets healthcare providers.
Malicious news sites operated by OceanLotus.
Volexity says the Vietnamese threat actor OceanLotus (APT32) has been using convincingly crafted phony news, activist, and anti-corruption websites for spearphishing and watering-hole attacks. The sites consisted of thousands of harmless pages scraped from legitimate news outlets, with a few malicious pages mixed in. The attackers put enough effort into designing the sites that the researchers initially thought they had compromised legitimate news sites. The malicious pages fingerprinted visitors' devices and, depending on whether the visitor was on a desktop or a mobile device, either attempted to trick them into installing malware or redirected them to a credential-harvesting page.
Volexity says the structure of the sites—mostly harmless with just a few booby-trapped articles—allowed them to act as watering holes in addition to phishing landing pages. The attackers could send links to the malicious pages via spearphishing messages, while visitors who were interested in specific topics could end up on those pages on their own.
One sidelight: a surprising fraction of OceanLotus activity may have been directed against targets in Germany, Bayerischer Rundfunk reports.
More information on Operation North Star.
McAfee offers additional insights into Operation North Star, a North Korea-linked espionage campaign targeting the aerospace and defense industries. The researchers describe a previously unobserved second-stage malware payload dubbed "Torisma," which "executes a custom shellcode, depending on specific victim profiles, to run custom actions." McAfee notes that the threat actor has taken measures to improve its operational security: the malware checks a list of intended victims so that later-stage payloads are not delivered to organizations that weren't targeted.
McAfee also found that the threat actor "launched attacks on IP-addresses belonging to internet service providers (ISPs) in Australia, Israel and Russia, and defense contractors based in Russia and India."
Ransomware gangs fail to keep promises.
Coveware's ransomware report for the third quarter of 2020 found that nearly half of ransomware attacks now involve data exfiltration and extortion. Notably, the security firm says it's identified instances of ransomware gangs leaking data after victims paid the ransom, or returning to demand additional payment:
"Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data. The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / not leaked:
- "Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
- "Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
- "Netwalker: Data posted of companies that had paid for it not to be leaked.
- "Mespinoza: Data posted of companies that had paid for it not to be leaked.
- "Conti: Fake files are shown as proof of deletion."
Coveware advises against paying the ransom, and concludes that victims should treat these incidents as data breaches from the start, regardless of whether they decide to pay. Emsisoft's Fabian Wosar agrees with this view, telling KrebsOnSecurity, "Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated."