
APT41

Winnti

Spyder Loader

loading..
loading..
loading..

Operation CuckooBees: A sophisticated resurrection to Spyder Loader

Operation CuckooBees has resurfaced since its inception in May, involved in a series of attacks targeting the intellectual property (IP) of Hong Kong companies through Spyder Loader…

31-Oct-2022
9 min read

Related Articles


Discord

Ransomware

Discord servers credentials are being exploited involving newly emerged ransomwa...

Discord accounts are being compromised in a fresh wave of ransomware attacks. The campaign involves multiple newly emerged ransomware families, of which we will be deciphering the 'AXLocker' family. 'AXLocker' is found to encrypt numerous file types on targeted operating systems. In addition, the operators behind it have also started to steal Discord tokens from both the victim's machine and their servers. The ransomware operator leaves a ransom note, displayed on the victim's infected system, with instructions for obtaining the decryption tool used to recover the encrypted files.

After a user logs in to Discord with their credentials, the platform responds with a token that may be used for further authentication. Whoever holds this token can either log in as that user or send API queries to access their account details. Ransomware operators are trying to obtain this token because it can be used to gain access to accounts or, even worse, to launch further attacks. Theft of a moderator token, or that of another verified community member, could allow threat actors to conduct scams and steal funds from NFT platforms and cryptocurrency groups, as Discord has become the community of choice for these groups.

## Technical Analysis

We have thoroughly [analyzed](https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/) a sample of this new AXLocker ransomware family. On execution, the file calls the `startencryption()` function, which encrypts files with certain extensions while excluding specific folders, as shown in the image below.

![AXLocker main function.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_main_function_2b6f583926.jpg)

***AXLocker main function***

To find its targets, the `startencryption()` function uses a directory enumerator to scan the whole C:/ drive. As can be seen in the illustration below, it looks for certain file extensions to encrypt and avoids a set of specified folders.

![File extension to encrypt.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/File_extension_to_encrypt_5ab9b38322.jpg)

***File extensions to encrypt and directories to exclude from encryption***

The ransomware then runs the `ProcessFile` function, which in turn calls the `EncryptFile` function with the file name as input, thus encrypting the victim's files. Files are encrypted using the AES (Advanced Encryption Standard) algorithm; however, their original file names are maintained and no file extension is added. The code snippet in the picture below is the part of the ransomware responsible for locating and encrypting the victim's data.

![AXLocker searching & encrypting.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_searching_and_encrypting_eee0b9e1da.jpg)

***AXLocker ransomware encrypting files***

After encrypting the victim's data, the ransomware captures and transmits personally identifiable information such as the victim's computer name, username, machine IP address, system UUID, and Discord tokens.

![Exfiltrate victim stolen details.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Exfiltrate_victim_stolen_details_0cc2118677.jpg)

***Exfiltrate victim stolen details***

AXLocker scans the following directories and extracts [Discord](https://www.secureblink.com/cyber-security-news/opensea-impersonators-targeting-crypto-wallets-and-nfts-under-discord-phishing-campaign) tokens using regular expressions:

- Discord\Local Storage\leveldb
- discordcanary\Local Storage\leveldb
- discordptb\leveldb
- Opera Software\Opera Stable\Local Storage\leveldb
- Google\Chrome\User Data\Default\Local Storage\leveldb
- BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
- Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

![Function for stealing Discord tokens.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Function_for_stealing_Discord_tokens_e07e79e8f8.jpg)

***Functions to steal Discord tokens***

Once the intended files are encrypted, AXLocker displays a pop-up window with a ransom message and contact information for the operators so that the data may be restored. It is worth mentioning that the victim is given 48 hours to contact the ransomware operators with the victim ID, but the note does not specify the ransom amount.

![AXLocker Ransom Note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_Ransom_Note_597d503294.jpg)

***AXLocker ransom note***

## Indicators of Compromise

Each analysed sample is listed with its MD5, SHA-1 and SHA-256 hash:

| MD5 | SHA-1 | SHA-256 |
| --- | --- | --- |
| ab2c19f4c79bc7a2527ab4df85c69559 | 60a692c6eaf34a042717f54dbec4372848d7a3e3 | d51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0 |
| 07563c3b4988c221314fdab4b0500d2f | a5f53c9b0f7956790248607e4122db18ba2b8bd9 | 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224 |
| a18ac3bfb1be7773182e1367c53ec854 | c3d5c1f5ece8f0cf498d4812f981116ad7667286 | c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c |
| 9be47a6394a32e371869298cdf4bdd56 | ca349c0ddd6cda3a53ada634c3c1e1d6f494da8a | 9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a |
| ad1c2d9a87ebc01fa187f2f44d9a977c | 03d871509a7369f5622e9ba0e21a14a7e813536d | d9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57 |
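The analysis notes that AXLocker encrypts files with AES but keeps the original file name and adds no extension, so a scan that keys off renamed files or new extensions will miss it. The Python script below is an added example, not code from the original post or from the AXLocker sample; it flags files whose content has lost the header its extension implies and whose bytes have near-uniform entropy. The magic-byte table, the entropy threshold and the sample files are constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List

# Assumed header bytes for a few document types a file-extension-based encryptor
# would target. A whole-file AES encryption keeps the name but destroys this header.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.2) -> bool:
    """Header intact -> not whole-file encrypted. Otherwise rely on entropy."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None and data.startswith(magic):
        return False
    return shannon_entropy(data) >= threshold

def scan_files(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that look encrypted despite an unchanged name."""
    return [name for name, data in files.items() if looks_encrypted(name, data)]

def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler (constructed; stands in for AES output)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:size]

# Constructed sample "files": two intact documents, one plain text file and one
# file whose body was replaced by ciphertext-like bytes while keeping its name.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly figures and commentary.\n" * 100,
    "archive.zip": b"PK\x03\x04" + _pseudo_random(b"zip", 4096),
    "notes.txt": b"plain meeting notes\n" * 50,
    "photo.jpg": _pseudo_random(b"jpg", 4096),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} entropy={shannon_entropy(data):.2f} "
              f"flagged={looks_encrypted(name, data)}")
```

The header check keeps legitimately high-entropy formats (archives, images) out of the result set, which pure entropy scanning cannot do; formats without a listed header are judged on entropy alone, so compressed files of unknown type will surface and the output is a triage list to combine with modification times and the indicators above rather than a verdict on its own.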

21-Nov-2022
1 min read

Dropper

BOMB

Malware

BOMB, a dropper malware concealed as crack actively circulated following its do...

Dropper malware posing as a software crack is yet again in aggressive circulation. The infection caused by this malware is widespread and occurs all at once when it is run on the infected system: a "bomb" of malware, in a sense. Commercial software cracks that are really malware have been widely circulated, either as "single malware" or as dropper malware. This malware is often disseminated through compromised websites that rank highly in search engines and are therefore easily accessible to the target audience. The threat actor used a wide variety of keywords to disguise their infected websites as legitimate crack download sites. The Download button on these sites leads visitors straight to the malware's distribution website. The malware's outward appearance may change regularly, but the downloaded file is always a password-protected ZIP file.

![Malware Bombing.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malware_Bombing_c2c187d0d8.jpg)

***file compressor***

As of late June, dropper-style malware had vanished from the chain of events outlined above, giving way to an epidemic of widely spread malware. Approximately one hundred new malware hashes were discovered weekly, with CryptBot, Vidar Stealer, and Raccoon Stealer (RecordBreaker Stealer) being the most widely distributed. On other occasions, previously unreported malware distributions have been observed.

![Hashes.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Hashes_23b1d6d729.jpg)

***background programs***

Until recently, dropper-type malware was not often downloaded and run directly from distribution websites but rather via other malware. These days, though, its dissemination is even more active than in the past, and it continues to use websites that look like crack download portals to spread. The "install setup.exe" (NSIS) file is produced when the ZIP file from the distribution page is unzipped. When this file is run, a 7z SFX file named "setup installer.exe" is created in the TEMP folder and executed. This file contains a loader along with 10–15 malware programs, each of which is extracted and run independently. As a result, users must exercise caution, since their computers are exposed to many forms of malware at once.

![Configs.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Configs_03ee60f95e.jpg)

***Installer Setup***

While there have been no major changes to the malware's execution method or to the types of malware included in the file, there have been a number of rare instances where distribution resumed with only two malware files, or with duplicates of the same malware program carrying the same hash. Such distributions have been interpreted either as a mistake by the threat actor or as test samples.

![malware script.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/malware_script_735e966d61.jpg)

***Distribution Chain***

The V3 product series prevents malware infections in advance by detecting the malware files, although caution is urged: the detection log shows that the malware often disables real-time scanning or adds itself as an exception before executing.

#### Indicators of Compromise

- `7769efb6d572c0ae6e542ecd7cbc4ee4`
- `8a718060c076e93578ca8fb516991fdb`
- `c90fef418b5cc33bf216ea01897d4ad2`
- `d622d818487ce01a3c1b727a5328e80c`
- `fec3a3324d0bcdbef841072b91ae0eb4`

16-Nov-2022
1 min read

Amadey

LockBit

Phishing

LockBit 3.0 Ransomware affiliates acting as a lure with phishing emails to deplo...

Amadey Bot is being used by ransomware affiliates, as validated by our threat research team, to deploy LockBit 3.0. In 2018, a new malware called Amadey Bot was uncovered, which could follow commands from its operator to steal data and install other malware. To this day, it is utilized by numerous attackers and is sold on illegal marketplaces alongside other malware strains. In the past, it has been used by GandCrab attackers to deploy ransomware and by the notorious TA505 gang, responsible for the [Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware), to deploy FlawedAmmyy. More recently, the malware has been spreading while posing as a popular Korean messenger app.

## The Amadey Bot Pretends to Be a Well-Known Korean Instant Messenger Program So That It Can Spread

There are now two attack vectors for distributing Amadey Bot, the malware responsible for installing LockBit: infected Word documents and executables that pretend to be Word files.

### 1. Malicious Word File as a Case of Distribution

_"Sia Sim.docx"_ is a malicious Word document that contains malicious code. The file was submitted to VirusTotal. When opened, the Word file downloads another Word file from an external URL, which includes a malicious VBA macro.

![image-152.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_152_1184ba3935.jpg)

***Figure 1: Reference external URL***

The graphic in the text body prompts the user to choose _"Enable Content"_ so that the VBA macro may run.

![image-153.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_153_a6a254b939.jpg)

***Figure 2: An example of a malicious Word file that activates a macro***

After the user clicks _"Enable Content,"_ the downloaded VBA macro creates the malicious LNK file at `C:\Users\Public\skeml.lnk` and runs it with the following command:

`> rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk`

![image-154.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_154_e3d05ed75e.jpg)

***Figure 3: Saved as a VBA macro***

The LNK file is a downloader that launches PowerShell commands to download and run Amadey.

![image-155.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_155_8f55c2693a.jpg)

***Figure 4: LNK file that was made***

### 2. Executable Concealed as a Word Document

In one instance, the malicious executable was named _"Resume.exe."_ The email used in the attack has not been confirmed, but the file was reportedly named _"Resume.exe"_ when it was executed. The compression tool used to create it also gave it a harmless-looking Word file icon. Based on these features, it is likely that Amadey was spread as a malicious e-mail attachment. The executable shown below was retrieved on October 27th, 2022.

![image-151.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_151_6eb279dc91.jpg)

***Figure 5: Amadey Bot pretending to be a simple Word file icon***

## Amadey Bot

Both of the above Amadey samples were downloaded from the same URL and spoke with the same C&C server, suggesting that the attacker is using several vectors to spread the same malware. Once Amadey completes the preceding steps, it makes a copy of itself in the Temp directory, registers with the task scheduler, and thus stays active even after the computer is rebooted.

`> "c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn rovwer.exe /tr "c:\users\[username]\appdata\local\temp\0d467a63d9\rovwer.exe" /f`

Following that, it connects to the C&C server, sends the infected system's basic information, and receives instructions. The capabilities and specifics of Amadey, such as the information stolen by the malware and the data sent from infected computers, were previously disclosed in the blog post [SmokeLoader is Being Used to Disseminate the Amadey Bot](https://bit.ly/3OyFMJZ).

![image-145.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_145_538fd9fd85.jpg)

***Figure 6: C&C Communication Model Used by Amadey***

![image-146.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_146_740efbd40e.jpg)

***Figure 7: Login screen for Amadey***

Each of the three commands sent to Amadey by the C&C server downloads and runs malicious code from an external source. LockBit arrives in three different forms: "cc.ps1," "dd.ps1," and "LBB.exe," the last being the executable version of LockBit. Each one is saved in a folder whose name is given by the C&C server:

- %TEMP%\1000018041\dd.ps1
- %TEMP%\1000019041\cc.ps1
- %TEMP%\1000020001\LBB.exe

### LockBit 3.0

LockBit is executed once the download has finished. The PowerShell files are obfuscated and are decoded in memory before execution.

![image-149.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_149_e4378bb965.jpg)

***Figure 8: LockBit PowerShell malware with obfuscation***

If the file Amadey downloaded is the PowerShell form, the command below is executed:

`> "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -file "c:\users\[username]\appdata\local\temp\1000018041\dd.ps1"`

Since 2022, when Amadey was first released, LockBit has been widely spread in Korea, and the team behind it has published many studies analyzing the ransomware. LockBit 3.0, whose distribution keywords include "job application" and "copyright," has just been verified. The themes suggest that this attack is aimed at businesses. The desktop is modified as shown below by the [LockBit ransomware](https://bit.ly/3EFSu6g), which also warns the user and encrypts files in the user's environment. A ransom note is then placed in each file's directory, stating that the user's data has been encrypted and stolen and threatening to make it public unless the user pays a ransom.

![image-147.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_147_2a510f8448.jpg)

***Figure 9: LockBit 3.0 ransomware hijacked my desktop and messed things up***

![image-148.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_148_d02095f95b.jpg)

***Figure 10: LockBit 3.0 Encryption Note***

Users should exercise extreme care, since LockBit ransomware is spreading through a number of channels. Users should always keep the programs they use and V3 up to date, and should never open a document file received from an unknown source.

## File Detection

- Downloader/DOC.External (2022.10.31.02)
- Downloader/DOC.Generic (2022.10.31.02)
- Trojan/LNK.Runner (2022.10.31.02)
- Malware/Win.Generic.R531852 (2022.10.27.03)
- Trojan/Win.Delf.R452782 (2021.11.24.02)
- Ransomware/Win.LockBit.R506767 (2022.07.27.01)
- Ransomware/PowerShell.Lockbit.S1945 (2022.10.29.00)

## AMSI Detection

- Ransomware/PowerShell.Lockbit.SA1945 (2022.10.29.00)

## Behavioral Detection

- Ransom/MDP.Decoy.M1171
- Ransom/MDP.Event.M1875
- Ransom/MDP.Behavior.M1946

## Indicators of Compromise

#### MD5

- 13b12238e3a44bcdf89a7686e7179e16: Malicious Word Document (Sia_Sim.docx)
- ae59e82ddd8d9840b79bfddbe4034462: Downloaded malicious VBA macro (v5sqpe.dotm)
- bf4d4f36c34461c6605b42c456fa4492: Downloader LNK (skeml.lnk)
- 56c9c8f181803ece490087ebe053ef72: Amadey (1234.exe)
- bf331800dbb46bb32a8ac89e4543cafa: Amadey (Resume.exe)
- ad444dcdadfe5ba7901ec58be714cf57: Amadey Stealer Plugin (cred.dll)
- f9ab1c6ad6e788686509d5abedfd1001: LockBit (cc.ps1)
- 1690f558aa93267b8bcd14c1d5b9ce34: LockBit (dd.ps1)
- 5e54923e6dc9508ae25fb6148d5b2e55: LockBit (LBB.exe)

#### C&C and Download

- hxxp://188.34.187[.]110/v5sqpe.dotm: External URL
- hxxp://188.34.187[.]110/1234.exe: Amadey Download URL
- hxxp://62.204.41[.]25/3g4mn5s/index.php: Amadey C&C
- hxxp://62.204.41[.]25/3g4mn5s/Plugins/cred.dll: Amadey Stealer Plugin Download
- hxxp://188.34.187[.]110/dd.ps1: LockBit
- hxxp://188.34.187[.]110/cc.ps1: LockBit
- hxxp://188.34.187[.]110/LBB.exe: LockBit
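The commands quoted in this write-up (rundll32 launching the LNK via url.dll, schtasks registering a one-minute task whose target lives under Temp, and PowerShell executing a script from Temp) are the observable points of the Amadey-to-LockBit chain in process-creation telemetry. The Python script below is an added example, not code from the original post or from any vendor product; it runs four rules over constructed process-creation events in an assumed pipe-delimited layout (timestamp|parent image|image|command line). The layout, the rule names, the sample usernames and timestamps, and the benign look-alike lines are all assumptions made for the demonstration.

```python
import re
from typing import Callable, List, NamedTuple, Tuple

class ProcEvent(NamedTuple):
    ts: str       # event timestamp
    parent: str   # parent image name
    image: str    # created process image name
    cmd: str      # full command line

# Constructed events. The first three mirror the commands quoted in the write-up
# (with an invented user name); the last two are benign look-alikes that the
# rules must not flag.
SAMPLE_LOG = r"""
2022-10-27T09:12:01|winword.exe|rundll32.exe|rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk
2022-10-27T09:12:05|1234.exe|schtasks.exe|"c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn rovwer.exe /tr "c:\users\alice\appdata\local\temp\0d467a63d9\rovwer.exe" /f
2022-10-27T09:13:40|rovwer.exe|powershell.exe|"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy remotesigned -file "c:\users\alice\appdata\local\temp\1000018041\dd.ps1"
2022-10-27T09:15:00|explorer.exe|schtasks.exe|schtasks /create /sc daily /tn NightlyBackup /tr "C:\Program Files\Backup\run.exe"
2022-10-27T09:16:00|explorer.exe|powershell.exe|powershell.exe -executionpolicy remotesigned -file C:\Scripts\inventory.ps1
""".strip().splitlines()

# A path component under the user's local Temp directory, where both the
# scheduled-task target and the LockBit scripts were written.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

def lnk_via_rundll32(e: ProcEvent) -> bool:
    """rundll32 asked to open a .lnk through url.dll,OpenURL."""
    return e.image.lower() == "rundll32.exe" and bool(
        re.search(r"url\.dll,\s*openurl\b.*\.lnk\b", e.cmd, re.IGNORECASE))

def office_spawns_rundll32(e: ProcEvent) -> bool:
    """Word (the macro host in this chain) launching rundll32."""
    return e.parent.lower() == "winword.exe" and e.image.lower() == "rundll32.exe"

def minute_task_from_temp(e: ProcEvent) -> bool:
    """schtasks creating a minute-interval task whose target lives under Temp."""
    return e.image.lower() == "schtasks.exe" and bool(
        re.search(r"/sc\s+minute\b", e.cmd, re.IGNORECASE)) and bool(TEMP_RE.search(e.cmd))

def powershell_script_from_temp(e: ProcEvent) -> bool:
    """powershell.exe executing a script file located under Temp."""
    return e.image.lower() == "powershell.exe" and bool(
        re.search(r"-file\b", e.cmd, re.IGNORECASE)) and bool(TEMP_RE.search(e.cmd))

RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("lnk_via_rundll32", lnk_via_rundll32),
    ("office_spawns_rundll32", office_spawns_rundll32),
    ("minute_task_from_temp", minute_task_from_temp),
    ("powershell_script_from_temp", powershell_script_from_temp),
]

def parse_event(line: str) -> ProcEvent:
    """Split one pipe-delimited event; the command line may itself contain quotes."""
    ts, parent, image, cmd = line.split("|", 3)
    return ProcEvent(ts, parent, image, cmd)

def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, rule name) for every rule that matches an event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for name, rule in RULES:
            if rule(event):
                hits.append((event.ts, name))
    return hits

if __name__ == "__main__":
    for ts, name in analyze(SAMPLE_LOG):
        print(f"{ts}  {name}")
```

Each rule is deliberately narrow: a one-minute scheduled task is only flagged when its target is under Temp, and a PowerShell script is only flagged when it runs from Temp, so ordinary maintenance tasks and admin scripts in the sample pass. Correlating the hits by host within a short window (macro host spawning rundll32, then the Temp task, then the Temp script) is what turns three weak signals into the chain the write-up describes.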

09-Nov-2022
1 min read