At a glance.
- Cl0p's use of MOVEit exploits.
- RedDelta focuses on Eastern Europe.
- TOITOIN Trojan targets Latin America.
- Big Head ransomware.
Cl0p's use of MOVEit exploits.
Researchers at Huntress note that the Cl0p gang, despite compromising many entities via the MOVEit vulnerabilities, still hasn’t used the access to deploy ransomware or compromise entire organizations. The group appears to be monetizing compromises that took place in late May by posting stolen data to its leak site. The researchers believe Cl0p “overloaded itself with opportunities and is working to monetize as many of them as possible until discovery or eviction”:
“The steady drumbeat of new MOVEit victims, whether through cl0p’s leak site or through victim notifications to users, seemingly implies continued exploitation of this vulnerability. However, within Huntress telemetry and in discussions with industry partners, no significant exploitation of this vulnerability is observed after late May 2023. Presumably, a threat actor with a viable exploit for a service that is high-availability in nature (thus not easily patched) and typically exposed externally would continue to follow up on this advantage, yet instead, the broader security community observed an initial ‘burst’ of activity, followed by limited or no action as the calendar turned to June.”
RedDelta focuses on Eastern Europe.
Check Point says a Chinese threat actor is using HTML smuggling to deploy a new variant of the PlugX malware against foreign affairs ministries and embassies in Eastern Europe. The researchers say the campaign "has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent)." Check Point adds, "While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption."
TOITOIN Trojan targets Latin America.
Zscaler is tracking a new campaign that's targeting businesses in Latin America with the TOITOIN Trojan. The malware is delivered via phishing emails that pose as payment notifications:
"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage. These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks. The ultimate payload of this campaign is a new Latin American Trojan called TOITOIN, which incorporates a unique XOR decryption technique to decode its configuration file. Once decrypted, the trojan gathers crucial system information, as well as data pertaining to installed browsers and the Topaz OFD Protection Module, before sending it to the command and control server of the attackers in an encoded format."
Big Head ransomware.
Trend Micro describes a new ransomware family dubbed "Big Head" that surfaced in May. The researchers believe the malware is distributed "via malvertisement as fake Windows updates and fake Word installers."
Trend Micro states, "From a technical point of view, these malware developers left recognizable strings, used predictable encryption methods, or implemented weak or easily detectable evasion techniques, among other 'mistakes.' However, security teams should remain prepared given the malware's diverse functionalities, encompassing stealers, infectors, and ransomware samples. This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention."