At a glance.
- Sandworm deploys new ransomware against Ukraine.
- Chinese threat actor uses USB sticks to spread malware.
- RansomExx rewritten in Rust.
- CYBERCOM and DARPA announce new pilot program.
Sandworm deploys new ransomware against Ukraine.
ESET has observed a ransomware campaign targeting Ukrainian organizations with a new strain of ransomware dubbed "RansomBoggs." The malware is written in .NET, and its deployment bears similarities to previous attacks by the Russian threat actor Sandworm:
"As for similarities with other onslaughts by Sandworm, the PowerShell script used to distribute RansomBoggs from the domain controller is almost identical to the one used in Industroyer2 attacks against Ukraine’s energy sector in April of this year. The same script was used to deliver data-wiping malware called CaddyWiper that leveraged the ArguePatch loader and hit several dozen systems in a limited number of organizations in Ukraine in March."
Chinese threat actor uses USB sticks to spread malware.
Mandiant warns that a China-linked threat actor is using USB drives to deploy malware against organizations in Southeast Asia, particularly in the Philippines. The USB sticks deploy three stages of malware, dubbed MISTCLOAK, DARKDEW, and BLUEHAZE. Once installed, the malware will also infect any new USB drives that are plugged into the system:
"Based on available data, such as PE compile timestamps for the malware involved in the aforementioned activity, this campaign potentially extends back to September 2021. Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation.
"We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant."
RansomExx rewritten in Rust.
Researchers at IBM Security have found a version of the RansomExx ransomware that has been rewritten in Rust, a choice they believe was likely made to help the malware evade antivirus detection:
"Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission. As of the time of writing, the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform."
CYBERCOM and DARPA announce new pilot program.
US Cyber Command and DARPA have launched a pilot program dubbed "Constellation," designed to accelerate the development and delivery of new cyber capabilities for CYBERCOM. The command stated:
"In the research and development community, the “valley of death” is a metaphor commonly used to describe the most difficult phase of transitioning a prototype to an operational capability. Fostering an agile-style pipeline from research to operations becomes essential to addressing the challenges the Department of Defense faces when developing software systems, such as rapidly evolving technology and acceptance and usability for both expert and non-expert providers.
"Constellation will provide a framework and create mechanisms to provide virtual and physical infrastructure, people and contracts, sustainment of relationships required to bridge the gap between science and technology, research, development, and operational warfighting capabilities, and feedback to the S&T community regarding evolving cyber threats and mission needs."