
New Discord username policy raises user privacy fears

Discord, the Voice over IP (VoIP) and instant message communications tool, is changing how usernames function in a major way soon. Many users are not keen on this change at all.

What is going on over there, and why are so many people concerned about the upcoming alterations?

When Discord launched back in 2017, the developers didn’t want you to try and sign up only to be told “Username taken”. They wanted you to jump straight into the chatroom-based action. When people started wanting to talk to their friends located in other servers (essentially, another chat room) Discord introduced a friend system and a number system called “discriminators”.

This is just another way of saying “We put a four digit number at the end of your username”. If you wanted to be Steve, into the chat you’d go as Steve#3857. If another Steve signed up, they’d be Steve#3858. And so on. A drawback of this system is that if 9,999 Steves already exist, then we’re all out of Steves because this is the maximum number you can have of one particular username.

It remained like this for about 8 years, and now we’re at the point where everything is changing. Very soon, Discord will ask you to amend your username to something more specific. All of our Steves will fight to the death in order to become the one true Steve, shorn of numbers forever. If you miss out on landing the Steve handle, sorry: you’re probably going to be St3ve from now on.

This isn’t so bad, you may think. However, a lot of privacy related issues are bubbling up to the surface. Users of Discord quite enjoy the level of anonymity afforded by the numbers system. It’s a bit like having a giant online user directory, but one where the user is in full control of how that information leads back to them in the majority of situations.

With the numbers system in place, it’s as good as impossible for someone to track you down specifically inside of Discord. Where would you start? The answer, of course, is likely “From Steve#0001 all the way up to #9999”. Nobody is going to do this, and so users are afforded some degree of privacy as a result.

This is not to say using Discord keeps you 100% anonymous. Even so, someone usually has to tie a profile to something external and identifiable to run into trouble.

The new system means people have to make a choice. Secure a username that unambiguously ties to your online presence for as long as you use the service, or run the risk of impersonators grabbing your desired identifier.

Worse still, the way this is going to happen is that name availability will be done on a first come, first served basis with people who’ve been on the platform longer getting first choice. Lots of early adopters of the platform will no doubt have amassed many alternate accounts down the years. This not only gives them a distinct advantage in the “name yourself first” stakes, it also provides an opportunity for trolling or security threats. It would theoretically be straightforward to use an army of dormant accounts to “squat” usernames of famous people or business entities. From there, those accounts could be used for phishing or other scams. This isn’t a far-flung theory; you can read folks already raising this issue and thinking about the potential ramifications of Discord’s intended plan.

There are some additional wrinkles added to the new scheme. Users will be able to have a “non-unique display name” which is how your name will appear to other users. Users of social media will already be familiar with this approach. For example, your Twitter URL (here the equivalent of a Discord username) may be twitter(dot)com/Steve, but your display name might say Steven LotsOfNumbers.

The default for this display name when the changes kick in will be whatever your original Discord username happened to be. So, for a while, Steve#0001 will live on.

The sheer generic aspect of user accounts also helped relieve anxiety over phishing and compromise to some degree. Lost your account to a scammer? Assuming you haven’t spent a small fortune on premium features tied to your account, no big deal. Spin up a new one and Steve#0002 rides again.

Now that usernames will be very specific and tied to individuals, it’s not hard to imagine scammers increasing returns on stolen accounts. Streamers and other visible people in gaming circles lose their accounts all the time. What happens when Steven the Streamer, with three million YouTube subscribers, loses his account due to phishing?

Blackmail and potentially juicy returns for fraudsters, that’s what.

Discord has long been a home for entirely (and semi) anonymous folks to hang out in a stress free environment. It’s long since stopped being a hang out spot for gamers only. TV shows, films, products, and more may have a dedicated Discord space. I, myself, have used it for tech support from PC hardware suppliers.

In fact, it’s now so popular that it’s slowly tipping into the realm of unpopular where some user collectives are concerned. Old school forums, filled with search engine indexed solutions to obscure problems are being replaced by Discord, which cannot be indexed. Increasingly, more things are ending up in Discord which should be available elsewhere too. Video game mods, patch updates notes, and more are all drifting toward Discord. This is because it’s simple and easy to set up, and you don’t have to worry about maintaining a website or forum while chasing after security updates.

This tendency toward making information which would be better served existing outside of a chat room has been frustrating folks for a while now. Adding a username controversy on top of this may put some users off for good.

Tips for keeping your Discord account safe and private

If you’re a Discord user, here are some of the ways you can keep your account safe from scammers and other kinds of fraud:

  • Beware Nitro offers. Nitro is a paid service which adds more features to Discord. “Free Nitro” messages in Discord channels from bots, other users, and non-Discord websites should be treated with caution. Check the official page for genuine offers.
  • Non-Discord theft: Scammers will target gamers with phishing links aimed at gaming platforms such as Steam. As before, check official sites for word of special offers.
  • Don’t join the spam chain conga line: Bots are common in Discord channels, often there to help with admin tasks. Rogue bots will send direct messages and ask you to spam on their behalf, or invite you to a channel so they can send spam there. Don’t fall for it!
  • Compromised server peril: If the admin is hijacked, any message sent publicly or privately could be risky. Server admins should enable two-factor authentication on their accounts to minimise the risk.
  • Privacy settings: Current name policy changes aside, Discord offers several useful features including direct message filtering, explicit image filters, automatic spam filters, and granular control over who can add you as a friend.


Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020

This blog post was authored by Malwarebytes’ Roberto Santos and Fortinet’s Hossein Jazi

While the official conflict between Russia and Ukraine began in February 2022, there is a long history of physical conflict between the two nations, including the 2014 annexation of Crimea by Russia and when the regions of Donetsk and Luhansk declared themselves independent from Ukraine and came under Russia’s umbrella. Given this context, it would not be surprising that the cybersecurity landscape between these two countries has also been tense. 

While looking for activity from the usual suspects, a former coworker on the Malwarebytes Threat Intelligence team discovered an interesting new lure that targeted the eastern Ukraine region and reported the finding publicly. We then started tracking the actor behind it, which we internally codenamed Red Stinger.

This investigation remained private for a while, but Kaspersky recently published information about the same actor (who it called Bad Magic). Now that the existence of this group is public, we will also share some of our information about the actor and its tactics.

Our investigation should be helpful to the community, as we provide new, previously undisclosed data about the group. We have identified attacks from the group starting in 2020, meaning that they have remained under the radar for at least three years. Additionally, we provide insights into the latest campaigns performed by Red Stinger, in which we found that the group targeted entities in different parts of Ukraine.

Military, transportation and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums. Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.

Finally, we will reveal unknown scripts and malware run by the group in this report.

Timeline

Our investigation started in September 2022, when our former coworker Hossein Jazi discovered an interesting lure that seemed to target entities in the context of the war:

[Image: Tweet published by @hjazi in September 2022]

In fact, this is the attack that Kaspersky analyzed in its blog. However, it was not the only activity carried out by the group. Malwarebytes has identified multiple operations, the earliest dating to 2020. The next infographic shows some of the operations we recognized:

[Image: Operations performed by Red Stinger]

Because our investigation started in September 2022, information about the initial campaigns is limited. However, the actor’s tactics, techniques, and procedures (TTPs) are very distinctive, which gives us a high level of confidence in our attribution.

Notes about activity before the war

OP#1 – Late 2020

The first operation we know of happened in December 2020. Although the infection chain is similar to what was already reported, the attackers were using a slightly different process back in 2020:

[Image: OP#1 infection phase]

An MSI file is downloaded from hxxp://91.234.33.185/f8f44e5de5b4d954a83961e8990af655/update.msi. This first MSI file, when executed, will show the following error to the user:

[Image: MSI file used in OP#1]

In the background, this MSI file executes a .vbs file that runs a DLL. The content is base64-encoded:

[Image: Contents of the zip file and detail of shortcut.vbs]

Finally, cachelib.dll is executed. That file drops two files named iesync.so and iesync.vbs.

[Image: iesync.so and iesync.vbs were dropped as part of the OP#1 infection phase]

After that, the iesync.vbs file applies an XOR operation to iesync.so. Once decoded, the file turns out to be what we call DBoxShell (also called PowerMagic by Kaspersky):

[Image: DBoxShell variant used in OP#1]

OP#2 – April 2021

We believe the attack started with a zip file named ПОСТАНОВЛЕНИЕ № 583-НС.zip. How the attackers delivered this file to victims is still unknown. The lure in this case was themed around Luhansk:

[Image: Lure used in OP#2]

A valid translation of this document would be:

RESOLUTION

dated March 25, 2021 No. 584-NS

Lugansk

On consideration in the second reading of the draft law

of the Luhansk People’s Republic dated March 19, 2021 No 417-PZ / 21-3

“On Amendments to the Law of the Luhansk People’s Republic

“On physical culture and sports”

ПОСТАНОВЛЕНИЕ № 583-НС.zip contains a .lnk file as well as the PDF shown above. The .lnk file downloads an MSI file from the URL hxxp://91.234.33.108/u3/ebe9c1f5e5011f667ef8990bf22a38f7/document.msi, and from there the attack is very similar to the one performed in OP#1. There are just a few differences to note; for example, in this case the DLL used is named libsys.dll.

[Image: DLL used in the infection phase of OP#2]

Also, as the image shows, the paths used the folder winappstorepackage or WinStoreApps instead of CacheWidgets, which was used in OP#1. The PowerShell script is also slightly different in this case:

[Image: PowerShell snippet run in OP#2]

Nevertheless, the infection phase ultimately deployed DBoxShell, as before.

OP#3 – September 2021

We have very little information about this operation, but based on the TTPs, we have identified overlapping techniques with both previous and subsequent attacks.

  • The use of MSI files is a known signature of the group. Also, the MSI file was downloaded from hxxp://185.230.90.163/df07ac84fb9f6323c66036e86ad9a5f0d118734453342257f7a2d063bf69e39d/attachment.msi. Note the common pattern in the URLs.

  • 185.230.90.163 belongs to ASN 56485. All IPs used from 2020 until now belong to the same ASN.

  • VT telemetry showed common patterns with OP#2.
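The recurring URL shape across these operations (an IP-literal host, a long hex-only directory name, and a .msi filename) lends itself to a simple proxy-log heuristic. The following Python is an added example written for this page, not tooling from the report or from the actor: it scores each URL on those three traits and flags lines where all three are present. The log excerpt is constructed; the URLs in it are the defanged download locations quoted in this report for OP#1 through OP#4, the Solar.msi download, and two benign lines for contrast.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not real telemetry). The defanged hxxp:// URLs
# are the ones quoted in the report; the example.com/example.net lines are benign.
SAMPLE_PROXY_LOG = """\
2022-09-24T10:25:01Z 10.0.0.12 GET hxxp://91.234.33.185/f8f44e5de5b4d954a83961e8990af655/update.msi 200
2022-09-24T10:26:14Z 10.0.0.12 GET https://www.example.com/downloads/setup.msi 200
2022-09-24T10:27:30Z 10.0.0.31 GET hxxp://91.234.33.108/u3/ebe9c1f5e5011f667ef8990bf22a38f7/document.msi 200
2022-09-24T10:28:02Z 10.0.0.31 GET https://cdn.example.net/a1b2c3d4e5f60718293a4b5c6d7e8f90/app.js 200
2022-09-24T10:29:45Z 10.0.0.40 GET hxxp://185.230.90.163/df07ac84fb9f6323c66036e86ad9a5f0d118734453342257f7a2d063bf69e39d/attachment.msi 200
2022-09-24T10:31:09Z 10.0.0.40 GET hxxp://176.114.9.192/11535685AB69DB9E1191E9375E165/attachment.msi 200
2022-09-24T10:32:50Z 10.0.0.55 GET hxxp://185.166.217.184:2380/ApplicationSolarInstall_q3457y3487wy4t4bheors/Solar.msi 200
"""

# A directory segment made only of hex digits and at least 24 characters long.
# The 24-character floor is an assumption chosen to cover the 29-, 32- and
# 64-character segments seen in the report while skipping short names.
HEX_DIR = re.compile(r"^[0-9A-Fa-f]{24,}$")


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> dict:
    """Score one URL against the three traits shared by the OP#1-OP#4 downloads."""
    # Re-arm the defanged scheme so urlsplit parses it normally.
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    filename = segments[-1] if segments else ""
    directories = segments[:-1]
    return {
        "ip_host": is_ip_literal(host),
        "hex_dir": any(HEX_DIR.match(d) for d in directories),
        "msi": filename.lower().endswith(".msi"),
    }


def scan_proxy_log(log_text: str) -> list:
    """Return (url, matched_traits) for every log line where all traits match.

    Assumed log layout: timestamp, client IP, method, URL, status (space-separated).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        url = fields[3]
        traits = classify_url(url)
        if all(traits.values()):
            hits.append((url, [name for name, present in traits.items() if present]))
    return hits


if __name__ == "__main__":
    for url, traits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("suspicious download:", url, traits)
```

The Solar.msi line is deliberately not flagged: its directory name is not hexadecimal, so the heuristic alone misses it. Pairing the URL check with the ASN observation above (every IP seen since 2020 sits in ASN 56485) would cover that case, but that needs an external IP-to-ASN lookup and is left out of the offline example.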

Activity at the onset of war

After the war began, we collected information about two distinct operations.

OP#4 – February 2022

OP#4 is perhaps one of the most interesting attacks performed by the group. As the following paragraphs show, this attack still has characteristics that led us to attribute it to Red Stinger, while also having some unique features that make it stand out.

In this case, the group used hxxp://176.114.9.192/11535685AB69DB9E1191E9375E165/attachment.msi to download the malicious MSI file. Note once more the common pattern in all URLs used by the group. This MSI file contained a PDF, a .vbs file, and a .dat file:

[Image: Lure used in OP#4]

The group followed a similar infection chain to previous operations. Finally, a .vbs file was responsible for XORing and executing a .dat file, which contained a small loader and a variant of DBoxShell:

[Image: DBoxShell variant used in OP#4]

DBoxShell is malware that uses cloud storage services as its command and control (C&C) mechanism. This stage serves as an entry point for the attackers, enabling them to assess whether a target is interesting; if so, they move on to different tools in the next phase.

A clearer view of how Red Stinger operates can be seen in the next infographic:

[Image: Common pattern in Red Stinger operations]

After the infection phase, we are aware that actors dropped at least the following artifacts:

SolarTools

In the reconnaissance phase, we noticed the execution of two MSI files named SolarTools.msi and Solar.msi. Both contained tools named ngrok.exe and rsockstun.exe:

  • Ngrok.exe is a legitimate tool that lets web developers expose locally running applications and services to the internet. Other groups have also used ngrok for malicious purposes.

  • Rsockstun is a tool that lets attackers route connections through external proxies.

More importantly, we have seen the same version of Solar.msi (02f84533a86fd2d689e92766b1ccf613) in OP#4 and OP#5, allowing us to connect the dots between these two attacks.

vs_secpack.msi

In addition to SolarTools, at the start of the exfiltration phase we also found another file named vs_secpack.msi. This file contains two files, ntinit.exe and ntuser.dat, which are placed under c:/ProgramData/NativeApp. Ntinit.exe is built as a Windows service named ntmscm.

[Image: Service created by ntinit.exe]

The service eventually starts a thread that contains all the functionality. Its main purpose is to execute one of the binaries hidden inside ntuser.dat, after some parsing. It will also execute C:/ProgramData/user.dat, if found.

[Image: vs_secpack.msi drops the ntuser.dat and ntinit.exe files]

Ntuser.dat is an aggregation of PE files with a leading header and a final chunk. The executables are XORed, each one with a different value. The next image shows the header:

[Image: Detail of the ntuser.dat header]

This header can be seen as a C structure, defined like this:

struct head_FirstChunk {
    DWORD signature;
    DWORD osInstallDate;
    int   sizeMz1;        // sizes of the four XORed PE files that follow the header
    int   sizeMz2;
    int   sizeMz3;
    int   sizeMz4;
    int   sizeConfig;     // size of the trailing configuration chunk
    DWORD xorValsMZ1;     // XOR value used for each embedded PE file
    DWORD xorValsMZ2;
    DWORD xorValsMZ3;
    DWORD xorValsMZ4;
};

Following this header, four PE files are stored consecutively and XORed. As the previous structure shows, the size and XOR value used to decode these files can be recovered from the header.
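To make the header layout concrete, here is an added example (written for this page, not code from the report or from the actor's tooling) of a parser that splits an ntuser.dat-style container into its four XOR-decoded PE files and the trailing configuration chunk, also separating the 16-byte AES IV described later in this report from the rest of the config. Since the real file is not on the page, it builds its own constructed sample container; the little-endian packing of the struct and the use of each DWORD XOR value as a repeating 4-byte key are assumptions made for the example.

```python
import struct

# Layout of the ntuser.dat leading header, mirroring the C structure in the report:
# 11 four-byte fields = 44 bytes. Little-endian packing is an assumption.
HEADER_FMT = "<IIiiiiiIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)


def xor_with_dword(data: bytes, key: int) -> bytes:
    """XOR `data` with `key` applied as a repeating 4-byte little-endian pattern.

    The report only says each PE is XORed with its own DWORD value; cycling the
    DWORD over the buffer is an assumption made for this example.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def parse_ntuser_dat(blob: bytes) -> dict:
    """Split a container into header fields, decoded PE payloads and config chunk."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than header")
    fields = struct.unpack_from(HEADER_FMT, blob, 0)
    signature, os_install_date = fields[0], fields[1]
    sizes, size_config, xor_vals = fields[2:6], fields[6], fields[7:11]

    offset = HEADER_SIZE
    payloads = []
    for idx, (size, key) in enumerate(zip(sizes, xor_vals), start=1):
        # Bounds-check every size before slicing so a crafted header cannot
        # make the parser read past the end or wrap on a negative size.
        if size < 0 or offset + size > len(blob):
            raise ValueError(f"MZ{idx} size {size} runs past end of blob")
        decoded = xor_with_dword(blob[offset:offset + size], key)
        payloads.append({
            "index": idx,
            "size": size,
            "xor_value": key,
            "data": decoded,
            "looks_like_pe": decoded[:2] == b"MZ",  # cheap sanity check on the key
        })
        offset += size

    if size_config < 0 or offset + size_config > len(blob):
        raise ValueError("config chunk runs past end of blob")
    config = blob[offset:offset + size_config]
    # Per the report the AES IV is the first 16 bytes of the config; the key lives
    # in the fourth PE, so decryption itself is out of scope for this parser.
    return {
        "signature": signature,
        "os_install_date": os_install_date,
        "payloads": payloads,
        "config_iv": config[:16],
        "config_ciphertext": config[16:],
        "trailing_bytes": len(blob) - (offset + size_config),
    }


def build_sample_container() -> bytes:
    """Constructed sample (not a real ntuser.dat): four fake 'MZ' blobs, each XORed
    with a different value, followed by a fake 44-byte config chunk."""
    fake_pes = [b"MZ" + bytes([i]) * 30 for i in range(1, 5)]
    xor_vals = [0x11223344, 0xDEADBEEF, 0x01010101, 0xCAFEBABE]
    fake_config = b"\x00" * 16 + b"encrypted-config-placeholder"
    header = struct.pack(
        HEADER_FMT,
        0x4E545553,          # made-up signature value
        1_600_000_000,       # made-up osInstallDate (Unix epoch seconds)
        *[len(p) for p in fake_pes],
        len(fake_config),
        *xor_vals,
    )
    body = b"".join(xor_with_dword(p, k) for p, k in zip(fake_pes, xor_vals))
    return header + body + fake_config


if __name__ == "__main__":
    parsed = parse_ntuser_dat(build_sample_container())
    for p in parsed["payloads"]:
        print(f"MZ{p['index']}: {p['size']} bytes, xor=0x{p['xor_value']:08X}, "
              f"PE header ok={p['looks_like_pe']}")
    print("config IV:", parsed["config_iv"].hex())
```

On a real sample, `looks_like_pe` turning up False for one of the four slots is the quickest sign that the assumed XOR scheme is wrong for that slot, and the bounds checks mean a damaged or truncated capture fails loudly instead of silently yielding garbage.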

[Image: ntuser.dat contents]

We won’t analyze all the MZs one by one, as we want to avoid overwhelming the reader with technical details that are out of scope. For quick reference, the first MZ was a copy of ntinit.exe and the second was a DLL capable of injecting files using the Process Doppelganging technique. Curiously, the string InjectorTransactedHollow.dll was found inside the binary, so that was possibly the attackers’ original name for the file:

[Image: Process Hollowing technique used to perform injections in OP#4]

The third was also used for injection purposes. The fourth was the most interesting, because it communicates with a new Dropbox account. Some of these binaries are injected into, or used to inject other MZs into, the legitimate process mobisync.exe.

Finally, the last chunk of ntuser.dat was a configuration file. The configuration was encrypted and looked like this:

[Image: Config file forming the end of ntuser.dat]

The configuration was encrypted using AES. The IV is the first 16 bytes of the config, and the key can be recovered from the fourth MZ. In fact, that executable uses this configuration to communicate with Dropbox.

The decrypted configuration is shown next:

[Image: Decrypted config file]

This configuration is quite representative of the group’s motivation. First of all, we see a new Dropbox account being used, which gathers the exfiltrated victim data. The exfiltration phase can be considered to start here. Note that the attackers use one account for reconnaissance and a different one for exfiltration.

The object field was also revealing. It contained a Russian name (redacted for privacy) followed by the letters DNR (probably Donetskaya Narodnaya Respublika, referring to one of the cities declared independent in 2014 and a known target of the group). Victimology is discussed later.

OP#5

OP#5 is the last known activity we will cover. As Kaspersky has already revealed some technical details about this operation, we won’t repeat that analysis. A link to their analysis can be found at the beginning of this report.

What we can do here is provide some extra insight into the attack, starting with the reconnaissance phase, which begins right after DBoxShell / GraphShell is executed. This is the GraphShell version used in OP#5:

[Image: OP#5 used GraphShell instead of DBoxShell]

The way GraphShell works is quite simple and can almost be guessed from the image. A folder tree is created:

Root
└── AmazonStore
    ├── clients
    ├── tasks
    └── results

As with DBoxShell, clients holds heartbeats from infected clients, tasks stores tasks that will be executed at some point by victim systems, and results is where results are uploaded.

DETAIL – RECONNAISSANCE PHASE

As we were actively tracking the actors for a while, we managed to recover most of the actions performed by the attackers at this phase:

Support app used  | Date (UTC)          | Event
------------------+---------------------+------------------------------------------------------------
                  | 2022-09-23          | Investigation starts
                  | 2022-09-24T02:53    | Документи (Documents) folder is created in OneDrive
                  | 2022-09-24T02:53    | Програми (Programs) folder is created in OneDrive
                  | 2022-09-24T02:53    | JimmyMorrison43 folder is created under Documents, in OneDrive
                  | 2022-09-24T02:54    | Робочий стіл (Desktop) folder is created in OneDrive
ListFiles         | 2022-09-24T10:25    | Attackers sent a command to Victim #1, trying to list user files, as shown in the image
StartNgrok#1      | 2022-09-24T10:56    | Attackers sent another command to Victim #1: a 32-line PowerShell script that executes SolarTools/ngrok.exe
                  | 2022-09-25T16:09    | An additional victim was found infected (Victim #4)
                  | 2022-09-27T10:01    | An additional victim was found infected (Victim #5)
                  | 2022-09-28T05:07    | An additional victim was found infected (Victim #6)
                  | 2022-09-28T05:17    | An additional victim was found infected (Victim #7)
SysInfo           | 2022-09-28T06:14    | A new command is sent to Victim #6; it looks like basic reconnaissance
                  | 2022-09-28T06:14    | ListFiles performed on Victim #6
SysInfo           | 2022-09-28T06:15    | A new command is sent to Victim #7; it looks like basic reconnaissance
                  | 2022-09-28T06:15    | ListFiles performed on Victim #7
StartNgrok#2      | 2022-09-28T07:54    | Attackers showed interest in Victim #6 and installed an ngrok application, downloaded from hxxp://185.166.217.184:2380/ApplicationSolarInstall_q3457y3487wy4t4bheors/Solar.msi
StartNgrok#1      | 2022-09-28T07:55    | Attackers executed the ngrok PowerShell script on Victim #6
                  | 2022-09-28T08:22    | An additional victim was found infected (Victim #8)
                  | 2022-09-28T11:37    | An additional victim was found infected (Victim #9)
                  | 2022-09-28T13:21    | An additional victim was found infected (Victim #10)
ListVars          | 2022-09-28T17:38:43 | A new task is sent to Victim #8
ListVars          | 2022-09-28T17:48:12 | New task to Victim
InstallNewPZZ     | 2022-09-29T06:58    | InstallNewPZZ.ps1 was sent to Victim #6
InstallNewPZZ     | 2022-09-29T06:59:21 | InstallNewPZZ.ps1 was sent to Victim #1
InstallNewPZZ     | 2022-09-29T06:59:49 | InstallNewPZZ.ps1 was sent to Victim #4
InstallNewPZZ     | 2022-09-29T07:00:28 | InstallNewPZZ.ps1 was sent to Victim #7
InstallNewPZZ     | 2022-09-29T07:06:22 | InstallNewPZZ.ps1 was sent again to Victim #1
                  | 2022-09-29T07:11:30 | ps command was sent to Victim #6
                  | 2022-09-29T07:11:45 | ps command was sent to Victim #7
                  | 2022-09-29T07:13:13 | All.exe and ps were executed on Victim #6
                  | 2022-09-29T07:13:30 | All.exe and ps were executed on Victim #7
                  | 2022-09-29T07:20:20 | ps executed again on Victim #6
                  | 2022-09-29T07:21:45 | ls -r “C:\ProgramData\CommonCommand” executed on Victim #6
                  | [MISSED FILE]       | [MISSED FILE] – probably schtasks /query
                  | 2022-09-29T07:25:08 | schtasks /run /tn “Synchronization App” and ps executed on Victim #6
                  | 2022-09-29T07:27:11 | schtasks /run /tn “Synchronization App” and ps executed on Victim #7
                  | 2022-09-29T07:30:23 | ls -r “C:\ProgramData\CommonCommand” and schtasks /query sent to Victim #7
InstallNewPZZ     | 2022-09-29T07:33:34 | InstallNewPZZ.ps1 modification sent to Victim #7
                  | 2022-09-29T07:35:41 | ls -r “C:\ProgramData\CommonCommand”, schtasks /query and ps sent to Victim #7
InstallNewPZZ     | 2022-09-29T08:01:30 | InstallNewPZZ.ps1 modification sent to Victim #7
                  | 2022-09-29T08:03:16 | ls -r “C:\ProgramData\CommonCommand”, schtasks /query and ps sent to Victim #7
SysInfo           | 2022-09-29T08:05:27 | sysinfo.ps1 sent to Victim #1
InstallNewPZZ     | 2022-09-29T08:16:38 | InstallNewPZZ.ps1 sent to Victim #8
                  | 2022-09-29T08:17:17 | ls -r “C:\ProgramData\CommonCommand” and ps sent to Victim #7
                  | 2022-09-29T08:19:07 | sysinfo.ps1 sent to Victim #1
                  | 2022-09-29T08:27:07 | ls “C:\Program Files (x86)\Internet Explorer” sent to Victim #7
InstallNewPZZ     | 2022-09-29T08:30:17 | InstallNewPZZ.ps1 sent to Victim #7
                  | 2022-09-29T08:34:27 | ls -r “C:\ProgramData\CommonCommand” sent to Victim #7
InstallNewPZZ     | 2022-09-29T08:35:33 | InstallNewPZZ.ps1 modification sent to Victim #7
                  | 2022-09-29T08:38:13 | ls C:\ProgramData sent to Victim #1
InstallNewPZZ     | 2022-09-29T08:38:57 | InstallNewPZZ.ps1 modification sent to Victim #7
InstallNewPZZ     | 2022-09-29T08:41:12 | InstallNewPZZ.ps1 modification sent to Victim #7
InstallNewPZZ     | 2022-09-29T08:41:10 | InstallNewPZZ.ps1 modification sent to Victim #1
InstallNewPZZ     | 2022-09-29T09:53:07 | InstallNewPZZ.ps1 modification sent to Victim #2
                  | 2022-09-29T11:41:06 | ls -r “C:\ProgramData\CommonCommand” and schtasks /query sent to Victim #2
InstallNewPZZ     | 2022-09-29T11:44:52 | InstallNewPZZ.ps1 modification sent to Victim #2
                  | 2022-09-29T11:46:09 | ps sent to Victim #2
InstallNewPZZ     | 2022-09-29T12:42:48 | InstallNewPZZ.ps1 modification sent to Victim #2
                  | 2022-09-29T12:43:02 | ls -r “C:\ProgramData\CommonCommand” sent to Victim #7
                  | 2022-09-30T06:10:41 | StartNgrok.ps1
InstallNewPZZ     | 2022-09-30T06:17:40 | InstallNewPZZ.ps1 modification sent to Victim #1
                  | 2022-09-30T06:18:01 | ls -r “C:\ProgramData\CommonCommand” and schtasks /query sent to Victim #7
InstallNewPZZ     | 2022-09-30T06:22:50 | InstallNewPZZ.ps1 modification sent to Victim #7
InstallNewPZZ     | 2022-09-30T06:24:10 | InstallNewPZZ.ps1 modification sent to Victim #7
                  | 2022-10-03T07:28:08 | AppsJustForFunNoMatterWhatYouWant sent to Victim #1
Ld_dll_loader     | 2022-10-03T07:28:24 | ld_dll_loader.ps1 executed on Victim #1
                  | 2022-10-03T07:28:41 | ls “C:\ProgramData” and ps executed on Victim #1
Ld_dll_loader     | 2022-10-03T07:28:57 | ld_dll_loader.ps1 executed on Victim #2
Ld_dll_loader     | 2022-10-03T07:42:51 | ld_dll_loader.ps1 executed on Victim #2
                  | 2022-10-03T07:43:07 | ls “C:\ProgramData” and ps executed on Victim #2
StartRevSocks     | 2022-10-05T14:25:50 | StartRevSocks.ps1 was executed on Victim #3
                  | 2022-10-07T07:32:24 | New Client
                  | 2022-10-07T14:46:49 | New Client

Some of the scripts used in this phase are shown below:

[Image: ListFiles script]

[Image: StartNgrok script]

[Image: Reconnaissance script]

[Image: InstallPZZ script]

[Image: Ld_dll_loader script]

[Image: StartRevSocks script]

After that, by using some of the tooling analyzed by Kaspersky, the exfiltration phase starts.

Victimology

OP#4

As this operation happened before our investigation started, we cannot determine how many victims were infected. However, at the time we began monitoring, we still had information about two victims. Surprisingly, these two victims were located in central Ukraine. This is interesting because all the information had previously pointed to East Ukraine, where the Donbass region is located.

[Image: Map of Ukraine with the known targets in OP#4 highlighted]

One of the victims was a military target, but the activity on this target was only carried out for a few hours. We have reason to believe that the user noticed something wrong and ran an antimalware solution shortly after being infected, which likely detected and cleaned the system.

As far as we know, attackers managed to exfiltrate on this target several screenshots, microphone recordings and some office documents.

The other victim we found was located in Vinnitsya. The target was an officer working in critical infrastructure. The attackers conducted extensive, long-running surveillance of this victim, extending until January 2023. They exfiltrated screenshots, microphone recordings and office documents, and keystrokes were also uploaded.

OP#5

Based on the victimology in OP#4, one might think this was a group targeting only UA-aligned entities. However, the analysis of OP#5 revealed an interesting fact: it mainly targeted RU-aligned entities.

REFERENDUM TARGETS

OP#5 started in September 2022. At that time, Russia held referendums in Luhansk, Donetsk, Zaporizhzhia and Kherson. While that was happening, Red Stinger targeted and surveilled officers and individuals involved in those elections.

Two victims attacked in OP#5 were workers at the Yasinovataya Administration (Donetsk). Another victim was also part of the DPR administration, in Port Mariupol. All of them were performing different activities related to the elections. We also found one victim holding an advisor position at the CEC (Central Election Commission). According to Wikipedia, “The Central Election Commission of the Russian Federation (Russian: Центральная избирательная комиссия Российской Федерации, abbr. ЦИК, also Центризбирком) is the superior power body responsible for conducting federal elections and overseeing local elections in the Russian Federation”.

[Image: Central Election Commission of the Russian Federation (CIK) stamp]

Regarding the CEC, we had seen another victim codenamed CIK_03D502E0. CIK is another term that could refer to the CEC. The attackers showed great interest in this one, as this victim was one of the only ones identified by its own name (some were just identified by a drive ID). USB drives from that victim were also uploaded. The next image shows a small fraction of the filenames exfiltrated by the attackers. To clarify, TИK probably stands for TEC (Territorial Election Commission).

[Image: Detail of the exfiltrated USB drive from CIK_03D502E0]

The reconnaissance phase also revealed some useful information. DNS records obtained from another victim showed mail.gorod-donetsk.org and pop.gorod-donetsk.org, which could suggest that the victim was part of the DPR administration.

From that same victim, the DNS records revealed connections to xn--j1ab.xn--b1adbccegehv4ahbyd6o2c.xn--p1ai (лк[.]лидерывозрождения[.]рф), which translates to Revival Leaders. That website was created “on behalf of Putin” and hosts a contest to find potential leaders and fill positions in Kherson, Zaporozhye, DPR and Lugansk. It is unclear which positions will be filled this way, but winners were promised 1.000.000 rubles for a personally chosen training program in the Russian Federation.

[Image: лк[.]лидерывозрождения[.]рф webpage]

OTHER VICTIMS

In addition to the victims involved in the September referendums, we also identified two other victims that did not seem to be related to the elections. One of them appeared to be related to the transportation ministry or equivalent, codenamed by the attackers as ZhdDor, which could be translated as “railroad.” We also found additional data that suggested that the attackers could be interested in transportation.

Furthermore, we discovered that a library in Vinnitsya was infected in OP#5. Although this victim was UA-aligned, we do not understand why it was a target, especially since it was the only UA entity targeted in OP#5. However, it is worth noting that in OP#4, an entity located in Vinnitsya was also targeted.

EASTERN EGG

Finally, we have two victims named TstSCR and TstVM. It turns out that at some point the attackers infected their own machines, either to carry out some testing or by mistake.

[Image: Exfiltrated screenshot showing one of the attacker’s machines]

The first image is a good example of that. First of all, we noticed that the keyboard language was set to ENG, which is unexpected. This may suggest that the group was composed of native English speakers. However, we find it strange because of the way they named the project folder (internet_WORK). We cannot be certain, but we believe that no native speaker would use that naming convention.

[Image: Exfiltrated screenshot showing one of the attacker’s machines while debugging Overall.exe]

The second image is also worth showing. As you may notice, it is the source code of the file Overall.exe (reported by researchers) while being debugged. Some of the victim folders we named in this report also appear as part of the sources.

[Image: Exfiltrated screenshot showing one of the attacker’s machines, with some internal paths visible]

For the account TstVM we chose this screenshot. Here the attackers were developing a tool they use to tunnel victim communications. The (redacted) source code reveals the external IP addresses they use, as well as some internal ones, machine names that we have not redacted, and even passwords.

Analysis of these machines also revealed the use of the application AdvOr, which tunnels communications through Tor.

Attribution

In this case, attributing the attack to a specific country is not an easy task. Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine.

What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities. Perhaps in the future, further events or additional activity from the group can shed light on the matter.

Indicators of Compromise

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now! May 2023 Patch Tuesday tackles three zero-days

It’s that time of the month again: We’re looking at May’s Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Of the three included in this month’s update cycle, two have been found to be actively exploited and the third has been publicly disclosed.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three zero-days are listed as:

  • CVE-2023-29336: a Win32k Elevation of Privilege (EoP) vulnerability. Exploitation of this vulnerability in the Win32k Kernel driver could provide an attacker with SYSTEM privileges. The Cybersecurity & Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  • CVE-2023-24932: a Secure Boot security feature bypass vulnerability. To exploit the vulnerability, an attacker needs either physical access or administrative rights to a target device to install an affected boot policy. The vulnerability has been used to install the BlackLotus UEFI bootkit, a type of malicious infection which targets the Master Boot Record located on the physical motherboard of the computer. Attaching malicious software in this manner can allow a malicious program to be executed before the operating system loads. The primary benefit of a bootkit infection is that it cannot be detected by standard operating system processes because all of the components reside outside of the Windows file system. UEFI and Secure Boot have been very effective in reducing the number of bootkits, but this vulnerability allows an attacker to bypass those restrictions.
  • CVE-2023-29325: a Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability is present in Microsoft Outlook and Explorer and can be exploited by attackers in order to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane. This type of RCE vulnerability is bound to become very popular among malware peddlers, and knowing that it has been publicly disclosed means that it is available for them to use. Microsoft advises users that can’t install the patch immediately to read email messages in plain text format.

Another vulnerability to keep an eye on is an RCE vulnerability with a CVSS score of 9.8 out of 10. Listed as CVE-2023-24941, this is a Windows Network File System (NFS) RCE vulnerability which can be exploited over the network by sending an unauthenticated, specially crafted request. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Until you have installed the Windows update that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. More information about how to do this, and when not to, can be found under Mitigation in the Microsoft advisory about this vulnerability.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Apple released an update addressing two actively exploited zero-day flaws.

Cisco released security updates.

Google has released Android updates.

Mozilla releases security advisories for Firefox 113 and Firefox ESR 102.11.

SAP released patch day updates.

VMware fixed four vulnerabilities in virtualization software.


Navigating mobile malware trends: Crucial insights and predictions for MSPs

Whether a company gives them out or they’re owned by the employees or students, mobile devices are like honey for cybercriminals. And the kicker? Most of these devices are not protected enough.

Just check out the following stats from last year:

  • 18 percent of clicked phishing emails in 2022 came from a mobile device. (Verizon Mobile Security Index 2022)
  • 46 percent of organizations that had suffered a mobile-related security breach in 2022 said that app threats were a contributing factor. (Verizon Mobile Security Index 2022)
  • 9 percent of organizations suffered a mobile malware attack in 2022. (Check Point 2023 Cyber Security Report)

For Managed Service Providers (MSPs), these stats represent more than just figures; they underscore the need for proactive action across their customers’ mobile endpoints.

In this post, we’ll delve into mobile malware trends, gather critical insights, and anticipate future scenarios to prepare MSPs for the complex landscape of mobile malware.

Mobile devices: A new security frontier for MSPs

Understanding Android Droppers: A serious threat to mobile devices

In terms of malware, the most menacing of mobile threats MSPs need to watch out for are Android droppers.

“Mobile Droppers represent the most ‘Trojan’ of all the Trojan Horses,” said Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes. “Pretending to be an innocent app, like an app you have to pay for on Google Play found free on a third-party app store, tricks the user to allow [the malicious dropper] to enter onto their mobile device.”

Once installed, droppers secretly drop another piece of malware, often more vicious than the dropper itself. This could be any other type of malware, such as HiddenAds or Adware to generate money by ads-per-click. Or even scarier—a backdoor could be placed or a nefarious piece of spyware.

“Droppers can install copies of themselves, and because they can be used to drop software that downloads other malware, they can act as a permanent backdoor into a smartphone.”

According to our 2023 State of Malware Report, droppers accounted for 14 percent of Android detections.

Examples of recent Android malware

iOS isn’t off the hook

While it’s generally harder for malware to get a foothold on iOS, phishing attacks are still a threat. These scams trick users into visiting malicious websites that masquerade as legitimate ones, usually with the promise of a prize or with a request that users install a bogus security app.

“Another trick is a fake ‘You’re infected’ phishing site to install a fake security app,” Collier said. “Although the app you install, often from the Apple store, may be safe, the scammers still get paid-per-click for redirecting to the app.”

The number of phishing sites targeting mobile has shot up by 50 percent from 2019 to 2021. These scams come in all shapes and sizes, like email, banking, and SMS-based (smishing) threats. Some even try to con users into giving up legit two-factor authentication codes.

These scammers often pretend to be big-name companies like Apple, PayPal, or Amazon, making their scams harder to spot.

Predicting the future of mobile malware

Each year, we’re seeing more and more mobile malware, and there’s little evidence that trend will stop.

“Year over year, we have seen an increase of mobile malware since its induction,” said Collier. “As the use of mobile devices increases, so does mobile malware. This is a trend that will continue for the unforeseeable future.”

As an MSP, you need to stay one step ahead of mobile malware to help keep your clients safe. Collier is predicting an uptick in malware and potentially unwanted programs (PUPs) targeting the financial sector.

“This includes fake banking apps to steal online banking credentials, and fake credit loan apps to trick users into entering highly personal information as you would for a loan application,” Collier said. “More specifically, Android/Trojan.Bankbot and Android/PUP.Riskware.FakeCreditLoan.”

Understanding mobile malware trends and being proactive in defending against them is key, but what options are available for comprehensive combined endpoint protection?

Mobile Device Management (MDM) isn’t the solution

A common misconception that we hear when we talk about mobile endpoint security is that MDM is the solution to all of our mobile malware and phishing woes.

It’s not.

Mobile device management services only secure the use of corporate data; they are not designed to counter threats such as malware and phishing on iOS and Android devices.

MSPs should look beyond MDM platforms and toward mobile security products that use a variety of techniques, including behavioral analysis, to detect mobile threats. Some features of a robust mobile threat defense product include:

  • 24/7 real-time protection against emerging threats
  • Advanced antivirus, anti-malware, anti-spyware capabilities
  • Malicious app protection
  • App privacy audit
  • Safe web browsing
  • Block ads and ad trackers
  • Filters suspicious fraudulent texts
  • Spam call blocking

Malwarebytes makes mobile device security easy

With Malwarebytes Mobile Security for MSPs, you can monitor and protect your clients’ mobile investments from a single pane of glass.

In OneView, our cloud-hosted security platform made for MSPs, all you have to do to get started is activate the endpoint agent for your clients’ mobile devices.

From there, you set how your mobile endpoints behave by adding a new policy and selecting Web protection and Ad block for iOS and Behavior protection for ChromeOS and Android.

Once you save this policy, you’re set!

MSPs can easily begin protecting Chromebooks, Android, iPadOS, and iOS devices, guarding against the latest mobile threats such as ransomware, malicious apps, and PUPs.

With real-time protection, your customers can also prevent accidental access to harmful websites, safeguard against malicious apps, block unwanted in-app ads, and enable a secure mobile experience for their employees.

The Malwarebytes Mobile Security app on iOS (left) and Android (right)

The statistics don’t lie—phishing and malware pose a big threat to mobile endpoint security in 2023. But with a mobile threat defense solution like Malwarebytes Mobile Security, MSPs can crush threats like these and more. Get a free trial and/or quote below!

How to spot and avoid a tech support scam

Despite the occasional arrests and FTC fines for tech support scammers (TSS) and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.

According to the FBI’s IC3 Report, in 2022 Tech and Customer Support fraudsters made 32,538 victims with total reported damages amassing $806,551,993 in the US alone.

Most people associate tech support scams with technicians sitting in a crowded and buzzing boiler room somewhere offshore, and they are not wrong. The scams primarily emanate from call centers in South Asia, mainly India. In response, the Department of Justice (DOJ) and the FBI are collaborating with law enforcement in India to combat cyber-enabled financial crimes and transnational call center fraud.

At the same time, the legal case against tech support scams originating in the US has proven to be difficult over the past few years, and prosecution has been limited. Courts are not tech-savvy enough to understand the latest scam tactics, making it very easy for scammers to get away with certain technical intricacies.

Malwarebytes researchers have been actively engaged in the fight against tech support scammers overseas but also in the US. With a commitment to helping protect consumers from all dangerous cyber threats, they are working hand in hand with the Federal Trade Commission to help provide technical evidence in support of shutting tech support scammers down while simultaneously educating Internet users on how to protect against the latest TSS tactics.

How to deal with tech support scams

As a security provider with a good reputation, we do get a lot of impersonators, like in the example below.

Website of a Malwarebytes impersonator

Maybe we should be flattered, but frankly we are annoyed. So here are a few tell-tale signs that you are dealing with an impersonator:

  • The company gives you any name at all other than Malwarebytes. Malwarebytes does not outsource support. We have our own Support team. There are no third parties “authorized” to provide support. Nobody is “licensed” to use our name, logo, or any other intellectual property. 
  • The company can’t or won’t take your credit card the first time you ask. Reputable organizations don’t do this. Period. Malwarebytes has a credit card processor that takes payments for all transactions. Credit card processors do things like vet clients for risk, fraud, and abuse. So any company having trouble doing business with one, probably fits into one of those three categories. Credit cards also have reasonably robust consumer fraud protection, so if you’re being steered away from using one, that is also a red flag that the company is about to do something they probably shouldn’t.
  • The company makes outbound support calls. Malwarebytes does not do this. Tech support companies that make outbound unsolicited calls tend to do so because they bought your personal information from a data broker who classified you as a vulnerable target. How would they know you have a problem with your computer? How would they even know you own a computer? Generally speaking, if someone calls you out of the blue claiming your computer has a problem, hang up.

There are some other methods that tech support scammers use to get access to your system. Here are a few of the basics to get you up to speed:

  • Beware the lock up. If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely part of a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible, or restart your device if this doesn’t work.
  • Screenlocker issues. These are typically fake Windows Blue Screen of Death error pages, except they come with the tech support scammer’s phone number included. You may need one of our removal self-help guides to resolve this.
  • Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders. 

Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:

  • Did you already pay? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC, or contact your local law enforcement agency depending on your region.
  • If you shared your password with a scammer, change it on every account that uses this password. Consider using a password manager and enable 2FA for important accounts.
  • Scan your system. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.
  • Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank account(s) so you can revert and stop them.
  • Be wary of suspicious emails. You have been marked as a target. Having fallen for one scam, you can expect scammers to try other methods to defraud you.

For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ransomware attack on MSI led to compromised Intel Boot Guard private keys

On April 7, 2023 MSI (Micro-Star International) released a statement confirming a cyberattack on part of its information systems. While the statement does not reveal a lot of tangible information, this snippet is important:

“MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.”

As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI fell victim to ransomware gang Money Message. Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US, and from various industries, including MSI.

The Money Message gang claimed to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.

Money Message leak site showing countdown for MSI

Image courtesy of BleepingComputer

When the $4 million ransom demand was not met, Money Message began leaking the MSI data on its data leak site.

According to BleepingComputer, a Money Message operator said in a chat with an MSI agent:

“Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios.”

Researchers are now starting to unravel the significance of the stolen data.

tweets by researchers

The leaked data includes private keys, some of which appear to be Intel Boot Guard keys. Having the signing keys potentially allows an attacker to create fake firmware updates that would bypass Intel Boot Guard. Intel Boot Guard is a hardware-based technology intended to protect personal computers against executing fake UEFI (Unified Extensible Firmware Interface) firmware.

A bypass could give an attacker full access to a system, which they could use to reach secure data or for any number of other malicious purposes. Boot Guard is a key element of hardware-based boot integrity that meets the Microsoft Windows requirements for UEFI Secure Boot. Secure Boot is an option in UEFI that allows you to make sure that your PC boots using only software that is trusted by the PC manufacturer.

Binarly compiled a list of 57 MSI PC systems which have had firmware keys leaked, and 166 systems which have had Intel Boot Guard BPM/KM keys leaked. Among them are household names like Lenovo and HP.

Update from vendor websites

Although no attacks of this kind have been found in the wild and Binarly, after a lengthy and detailed analysis, states that “the leaked Boot Guard keys are intended for debug building lines and most likely we will never see such devices in the wild,” the advice to obtain firmware/BIOS updates only from official vendor’s websites is solid.

Also watch out for phishing emails claiming that you need new firmware for whatever reason. They are likely from sources that are trying to trick you into installing malware. As a PC user there is not much you can do about this incident, but be prudent. We will keep you posted here in case there are any developments or more news becomes available.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Fake system update drops Aurora stealer via Invalid Printer loader

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to ‘patch’ this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

A convincing “system update”

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.

Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The ‘Chrome update’ downloaded from the web browser

Fully Undetectable (FUD) malware

While the file name appears as ChromeUpdate.exe, it uses Cyrillic letters that look like their Latin counterparts but are different characters on disk. Its percent-encoded (hex) representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe, as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet
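To show what that name actually contains, here is an added example (a helper written for this page, not code from the campaign or from Malwarebytes) that decodes the percent-encoded name, lists the Cyrillic letters hiding among the Latin ones, and builds an ASCII skeleton a detection rule can compare against ChromeUpdate.exe. The confusables map is a constructed subset covering the letters seen in this sample, not the full Unicode confusables table.

```python
"""Detect Cyrillic homoglyphs in a downloaded file name (added example)."""
import unicodedata
from urllib.parse import unquote

# Cyrillic letters that are visually confusable with Latin ones.
# Constructed for this example; covers the letters seen in the sample
# plus a few common look-alikes, not the whole Unicode confusables table.
CYRILLIC_TO_LATIN = {
    "\u0410": "A", "\u0430": "a",
    "\u0412": "B",
    "\u0421": "C", "\u0441": "c",
    "\u0415": "E", "\u0435": "e",
    "\u041d": "H",
    "\u041a": "K",
    "\u041c": "M",
    "\u041e": "O", "\u043e": "o",
    "\u0420": "P", "\u0440": "p",
    "\u0422": "T",
    "\u0425": "X", "\u0445": "x",
    "\u0443": "y",
}

# Percent-encoded file name exactly as reported in the write-up above.
SAMPLE_ENCODED_NAME = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"


def decode_name(encoded: str) -> str:
    """Undo percent-encoding (UTF-8 bytes) and normalise to NFC."""
    return unicodedata.normalize("NFC", unquote(encoded))


def scripts_in(name: str) -> set:
    """Return the set of Unicode scripts used by the letters in name.

    unicodedata.name() yields e.g. 'CYRILLIC SMALL LETTER O'; the first
    word is the script.
    """
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(name: str) -> str:
    """Map confusable Cyrillic letters to the Latin letters they imitate."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in name)


def analyse(encoded_or_raw: str, impersonated: str = "ChromeUpdate.exe") -> dict:
    """Summarise whether a file name is a homoglyph spoof of `impersonated`.

    Accepts either a percent-encoded name (as logged by a proxy or browser)
    or a raw Unicode name (as seen on disk); unquote() leaves raw names alone.
    """
    name = decode_name(encoded_or_raw)
    scripts = scripts_in(name)
    # Every alphabetic character outside ASCII, with its position and name,
    # so an analyst can see exactly which letters were swapped.
    foreign = [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch.isalpha() and not ch.isascii()
    ]
    ascii_form = skeleton(name)
    return {
        "decoded": name,
        "mixed_script": len(scripts) > 1,
        "foreign_letters": foreign,
        "skeleton": ascii_form,
        # Looks identical to the legitimate name but is not the same string.
        "spoofs_target": ascii_form == impersonated and name != impersonated,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_ENCODED_NAME)
    print(f"decoded name : {report['decoded']!r}")
    print(f"mixed script : {report['mixed_script']}")
    for pos, ch, uname in report["foreign_letters"]:
        print(f"  position {pos}: {ch!r} is {uname}")
    print(f"skeleton     : {report['skeleton']}")
    print(f"spoofs target: {report['spoofs_target']}")
```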

When we first ran the sample in a sandbox, we could not see anything obvious, or even that it was malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).

Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator to quickly check if a file is malicious or not. For more than 2 weeks, the samples had 0 detection on VT and it wasn’t until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.

Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec’s blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service’s built-in OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page

Patching the loader

Invalid Printer performs a check on the computer’s graphics card, specifically its vendor ID, which it compares against known manufacturers such as AMD and NVIDIA. Virtual machines and sandboxes in general do not use real hardware and will fail the check.

We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138[.]218) as one mentioned in Morphisec’s blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

Campaign stats

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.

Figure 9: Panel showing browser visits and downloads

Figure 10: Browser user-agents, IP addresses and geolocation

War and Russia references

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn’t help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

Figure 12: YouTube video about Russia in 12K HDR

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.

Protection

Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.

Special thanks to Roberto Santos for help with the sample and binary patching.

Indicators of Compromise


Brightline breach hits at least 964,000 people, US records show

A pediatric behavioral health startup called Brightline informed its customers that their protected health data may have been stolen as part of a separate ransomware attack on a Brightline third-party service provider. 

“Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names,” wrote Brightline in its public notice online.

Though Brightline did not disclose the number of affected customers, recently updated records with the US Department of Health and Human Services Office for Civil Rights showed that at least 964,301 people were impacted.

The third-party service provider at the heart of the data breach is Fortra, which was recently targeted by the Cl0p ransomware gang in a string of attacks that leveraged an undisclosed vulnerability in the file transfer software called GoAnywhere MFT, which Fortra develops and which is used by businesses worldwide. Malwarebytes Labs reported on the vulnerability in February, urging users to deploy a patch.

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

Brightline was just one of the many victims on the list that Cl0p made using the same vulnerability. The day after the release of the GoAnywhere patch, the Cl0p ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies.

For many organizations, Brightline offers virtual behavioral and mental health services for the children of benefits-eligible employees. In this light, Brightline has published a list of covered entities impacted by the breach.

Interestingly, the 964,000 number released by the US government may not be complete. 

According to the online resource Databreaches.net, by the end of May 3, 2023, the subtotal number of Brightline patients affected by the GoAnywhere incident stood at 1,081,716.

Another remarkable fact Databreaches.net disclosed is that the listing for Brightline on Cl0p’s leak site has disappeared. This is usually an indicator that the victim has paid, but there might be something else going on in this case, since Brightline has been exemplary at providing public information and details about the breach.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

According to the information provided by Brightline, no Social Security numbers or financial accounts were stolen, nor did the stolen files contain anything related to medical services, conditions, diagnoses, or claims for the plan participant or their dependent.

If you are affected by this data security incident, you should have received or will receive a letter (or letters, if you have dependents) from Brightline. Each letter will have a unique code for the member and/or dependent to register for free identity theft and credit monitoring. Brightline will also have a call center available to answer questions. More information, including frequently asked questions, is available on Brightline’s website.



The rise of “Franken-ransomware,” with Allan Liska: Lock and Code S04E11

Ransomware is becoming bespoke, and that could mean trouble for businesses and law enforcement investigators. 

It wasn’t always like this. 

For a few years now, ransomware operators have congregated around a relatively new model of crime called “Ransomware-as-a-Service.” In the Ransomware-as-a-Service model, or RaaS model, ransomware itself is not delivered to victims by the same criminals that make the ransomware. Instead, it is used almost “on loan” by criminal groups called “affiliates” who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.

This model allows ransomware developers to significantly increase their reach and their illegal hauls. By essentially leasing out their malicious code to smaller groups of cybercriminals around the world, the ransomware developers can carry out more attacks, steal more money from victims, and avoid any isolated law enforcement action that would put their business in the ground, as the arrest of one affiliate group won’t stop the work of dozens of others. 

And not only do ransomware developers lean on other cybercriminals to carry out attacks, they also rely on an entire network of criminals to carry out smaller, specialized tasks. There are “Initial Access Brokers” who break into company networks and then sell that illegal method of access online. “You also have coders that you can contract out to,” Liska said. “You have pen testers that you can contract out to. You can contract negotiators if you want. You can contract translators if you want.”

But as Liska explained, as the ransomware “business” spreads out, so do new weak points: disgruntled criminals. 

“This whole underground marketplace that exists to serve ransomware means that your small group can do a lot,” Liska said. “But that also means that you are entrusting the keys to your kingdom to these random contractors that you’re paying in Bitcoin every now and then. And that, for example, is why the LockBit code got leaked—dude didn’t pay his contractor.”

With plenty of leaked code now circulating online, some smaller cybercriminal gangs have taken to making minor alterations and then sending that new variant of ransomware out into the world—no affiliate model needed.

“Most of what we see is just repurposed code and we see a lot of what I call ‘Franken-ransomware.’”

Today, on the Lock and Code podcast with host David Ruiz, Liska explains why Franken-ransomware poses unique challenges to future victims, cybersecurity companies, and law enforcement investigators. 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)



Ransomware review: May 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit’s macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 


The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit’s work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023
Known ransomware attacks by country, April 2023
Known ransomware attacks by industry sector, April 2023

Cl0p ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular print management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). After gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way.

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they’ve set their sights on PaperCut. So, if you’re using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

Vice Society, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs “living off the land” (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the Play ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, and backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims’ systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization’s defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The education sector had its highest number of attacks (21) since January. Meanwhile, the healthcare sector saw a huge surge in attacks (37) in April, the highest it’s been all year.

New players

Akira

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.
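As an added example, not part of the Malwarebytes article, the following Python sketches how a defender could flag the two Akira behaviours just described in endpoint telemetry: a command line that deletes Volume Shadow Copies, and a burst of files renamed to .akira. The event schema, hostnames, file paths and the rename threshold are constructed for the demonstration.

```python
"""Added example, not from the article: flag the two Akira behaviours the text
describes (shadow-copy deletion, files renamed to .akira) in endpoint telemetry.
Event schema, hostnames, paths and the rename threshold are constructed here."""
import re
from collections import defaultdict

# Command lines that remove Volume Shadow Copies using built-in Windows tooling.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\b(Remove-WmiObject|Delete)\b", re.I),
]
RANSOM_EXT = ".akira"   # extension the article says Akira appends
RENAME_THRESHOLD = 20   # constructed: renames to RANSOM_EXT in one window => alert
WINDOW_SECONDS = 60

def detect_shadow_deletion(events):
    """Return (ts, host, cmdline) for each process event matching a deletion pattern."""
    return [(ev["ts"], ev["host"], ev["cmdline"]) for ev in events
            if ev["type"] == "process"
            and any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS)]

def detect_extension_burst(events, ext=RANSOM_EXT, threshold=RENAME_THRESHOLD,
                           window=WINDOW_SECONDS):
    """Return {host: burst_size} for hosts where at least `threshold` files gained
    `ext` within some `window`-second span (sliding window over sorted timestamps)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "rename" and ev["new_path"].lower().endswith(ext):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts

def sample_events():
    """Constructed telemetry: ws-01 does routine work; srv-02 shows the Akira-like
    sequence of a shadow-copy wipe followed by 30 renames in 30 seconds."""
    events = [
        {"ts": 0, "host": "ws-01", "type": "process", "cmdline": "notepad.exe budget.txt"},
        {"ts": 5, "host": "ws-01", "type": "rename", "new_path": r"C:\Users\a\draft.docx"},
        {"ts": 100, "host": "srv-02", "type": "process",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    events += [{"ts": 110 + i, "host": "srv-02", "type": "rename",
                "new_path": rf"C:\Shares\finance\q{i}.xlsx.akira"} for i in range(30)]
    # Three isolated .akira renames on ws-01, far apart in time: below the threshold.
    events += [{"ts": 1000 * i, "host": "ws-01", "type": "rename",
                "new_path": rf"C:\tmp\f{i}.akira"} for i in range(3)]
    return events
```

Real deployments would read these events from an EDR or Sysmon feed and tune the threshold to the host's normal rename rate; the point is that the shadow-copy wipe alone is a high-confidence signal, while the rename burst confirms encryption is under way.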


CrossLock

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.


Trigona

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 


Dunghill Leak

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company’s data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.


Money Message

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called “money_message.log.” 


Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
