Health Care
Education
IT & Telecom
Government
CISO/CTO
DevSecops
Product
Our Product
We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.
Threatspy
Solutions
By Industry
Health Care
Education
IT & Telecom
By Role
Government
CISO/CTO
DevSecops
Resources
Resource Library
Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.
Threat Feeds
Threat Research
White Paper
SB Blogs
Subscribe to Our Weekly Threat Digest
Company
Contact Us
Have queries, feedback or prospects? Get in touch and we shall be with you shortly.
Our Story
Our Team
Careers
Press & Media
Contact Us
Request Demo
By submitting this form, you agree to our Subscription Agreement and Legal Policies.
Be informed in your inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Cyberespionage
Winnti or Higaisa resurrected from APT41 Backdoor
Winnti' a cyberespionage group from the Chinese origins primarily identified for targeting software companies and political organisations worldwide, gained trac...
20-Jan-2021
15 min read
Related Articles
APT
Learn about Kimsuky's use of ReconShark, their global campaign implications, and...
In the ever-evolving landscape of cybersecurity threats, it is crucial to stay informed about the latest developments in order to safeguard our digital environments. One such emerging concern is the ongoing series of attacks orchestrated by a North Korean threat actor group known as Kimsuky. Recent reports have shed light on their utilization of a powerful reconnaissance tool called ReconShark, indicating a significant evolution in their capabilities and techniques. In this Threat Research, we delve into the intricacies of Kimsuky's evolving threat landscape, analyze the implications of their global campaign, and explore strategies to counteract their activities effectively. ## Understanding Kimsuky's Evolving Threat Landscape Kimsuky, a threat actor group believed to be associated with North Korea, has garnered attention from cybersecurity experts due to its persistent and sophisticated cyber campaigns. Their recent deployment of ReconShark has further heightened concerns within the security community. ReconShark is a reconnaissance tool specifically designed to gather valuable intelligence about targeted organizations or individuals. By leveraging this advanced tool, Kimsuky has demonstrated an increased level of sophistication and adaptability in their cyber operations. ## The Power of ReconShark: Unveiling its Capabilities ReconShark represents a significant leap forward in Kimsuky's reconnaissance capabilities. This robust tool empowers the threat actor group to conduct highly targeted information gathering and reconnaissan ce activities across a global scale. With ReconShark at their disposal, Kimsuky can perform the following actions: 1. **Data Harvesting**: ReconShark excels in collecting sensitive data, such as personally identifiable information (PII), financial records, intellectual property, and other valuable assets. This enables Kimsuky to gain a deeper understanding of their targets and potentially exploit the acquired information for their nefarious objectives. 2. **Network Mapping**: By meticulously scanning and mapping targeted networks, ReconShark allows Kimsuky to identify potential vulnerabilities, weak points, and entry vectors for future cyberattacks. This information is invaluable in planning subsequent stages of their campaign and launching more targeted and effective attacks. 3. **Social Engineering Insights**: ReconShark's reconnaissance capabilities extend beyond technical aspects. It enables Kimsuky to gather intelligence related to their targets' social connections, organizational hierarchies, and communication patterns. Such insights aid in crafting sophisticated social engineering attacks to deceive individuals and gain unauthorized access. ## Implications of Kimsuky's Global Campaign Kimsuky's global campaign poses significant threats to targeted organizations and individuals alike. By evolving their reconnaissance capabilities through the deployment of ReconShark, they have enhanced their potential for executing highly tailored and devastating cyberattacks. The implications of Kimsuky's activities include: 1. **Data Breaches and Intellectual Property Theft**: With ReconShark's advanced data harvesting capabilities, Kimsuky can infiltrate organizations, exfiltrate sensitive data, and potentially compromise intellectual property. Such breaches can result in severe financial losses, reputational damage, and legal repercussions for the victims. 2. **Enhanced Targeted Attacks**: Through ReconShark's network mapping functionality, Kimsuky gains precise insights into target infrastructures, allowing them to craft highly targeted and tailored attacks. This significantly increases the success rate of their subsequent offensive operations and amplifies the potential damage inflicted. 3. **Heightened Social Engineering Threat**: Kimsuky's use of ReconShark to gather social engineering insights further amplifies their ability to deceive and manipulate individuals within targeted organizations. By exploiting interpersonal relationships and organizational dynamics, they can gain unauthorized access to sensitive information or compromise critical systems.
23-May-2023
1 min read
WordPress
Malware
Balada Injector: A Comprehensive Threat Research on Ongoing WordPress Malware Ca...
Balada Injector is a highly sophisticated and persistent malware campaign that targets WordPress sites. This threat research provides a detailed analysis of the Balada Injector, including its codebase, IoCs, hashing algorithms, file paths, and in-depth technical analysis. The Research aims to help security professionals understand the attack techniques used by the Balada Injector and take appropriate measures to protect their WordPress sites. WordPress is a popular platform for creating websites and blogs, and it is no surprise that cybercriminals often target it. One of the most persistent and evolving malware campaigns that target WordPress sites is the Balada Injector. This malware campaign has been active for several years and continues to evolve, making it difficult for security professionals to detect and prevent. Balada Injector is a PHP malware that injects malicious code into legitimate WordPress files. The code is obfuscated to evade detection and uses a combination of techniques to hide its presence on the infected website. The Balada Injector is modular and consists of several files, each responsible for different functionalities. The malware uses an encrypted configuration file to store its settings, making it challenging to analyze. ## Technical Analysis: The Balada Injector uses a combination of attack techniques to infect WordPress sites. The attack starts with a brute-force attack on the website's login page to gain access to the WordPress dashboard. Once the attacker has access, they upload the Balada Injector's files to the website's server. The malware then modifies the website's files to inject malicious code. The injected code is used to redirect the website's visitors to malicious websites, steal sensitive information such as login credentials, and perform other malicious activities. ## Indicators of Compromise (IoCs): To help security professionals detect and prevent the Balada Injector, the following IoCs have been identified: - File Paths: - /wp-admin/js/wp-auth-check.min.js - /wp-admin/js/user-profile.min.js - /wp-includes/js/wp-auth-check.min.js - /wp-includes/js/tinymce/plugins/wordpress/img/trans.gif - /wp-includes/js/tinymce/plugins/wpeditimage/img/delete.png - Hashing Algorithm: MD5 - Encrypted Configuration File: - /wp-content/plugins/akismet/.data.php - /wp-content/plugins/hello.php - URL Patterns: - hxxps://baladainjector[.]com/*.* - hxxps://baladacontrol[.]com/*.* Balada Injector is a highly persistent and sophisticated malware campaign that targets WordPress sites. The malware uses a combination of attack techniques to evade detection and perform malicious activities. Security professionals must take appropriate measures to protect their WordPress sites from this threat. By understanding the attack techniques used by the Balada Injector and implementing appropriate security measures, website owners can keep their sites secure.
24-Apr-2023
1 min read
Ransomware
Discover the new Dark Power ransomware threat and learn how to protect your syst...
The Dark Power ransomware is a newly discovered threat that encrypts files on a victim's computer and demands a ransom in exchange for the decryption key. This [Threat Research](https://www.secureblink.com/threat-research) aims to provide a comprehensive analysis of this Dark Power ransomware group, including information about the encryption algorithm, file naming conventions, and the victim naming and shaming website. The research also includes details about the IOCs, hashes, binary string encryption, processes, ransomware signatures, timelines, and attack behaviors.  ***Dark Power Ransomware Note*** ## Technical Analysis The Dark Power ransomware appears to be rather opportunistic, with no specific sector or geographic area targeted. The sample information shows the filename as "ef.exe" with a file size of 1323422 bytes (1.3 MB) and a compile date of 2023-01-29 02:01:33. The compiler used is Nim MINGW x64, which is commonly used by malware creators because of its cross-platform capabilities and ease of use. ## File Analysis The Dark Power ransomware has a file name of ef.exe, and its MD5, SHA-1, and SHA-256 hashes are `df134a54ae5dca7963e49d97dd104660, 9bddcce91756469051f2385ef36ba8171d99686d, and 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394`, respectively. The file size of the ransomware is 1.3 MB, and its compile date is 2023-01-29 02:01:33. The ransomware is compiled using the Nim MINGW x64 compiler, a popular choice for malware creators due to its ease of use and cross-platform capabilities. ## Encryption Method The Dark Power ransomware uses a 64-character long randomized lowercase ASCII string to initialize its encryption algorithm. The ransomware uses the [Nimcrypto](https://github.com/cheatfate/nimcrypto) library to perform cryptographic operations, and the AES CRT algorithm is used for encryption.  ***Encryption Key*** The ransomware encrypts its strings to make it more difficult for defenders to create a generic detection rule. The encrypted strings are base64 encoded, and the ransomware uses a fixed key, which is the SHA-256 hash of a hard-coded string, to decrypt the strings. Each decryption call uses a different initialization vector (IV), which is also included within the ransomware binary. ## Encryption Key Initialization Upon execution, the ransomware creates a randomized 64-character long lowercase ASCII string, which initializes the encryption algorithm. This string is unique on each targeted machine, hindering the creation of a generic decryption tool. The Nimcrypto library is used to carry out cryptographic operations, and the cryptographic algorithm used is AES CRT. ## Binary String Encryption The ransomware encrypts strings within the binary, making it harder for defenders to create a generic detection rule. The ciphertext strings are present within the binary in a base64 encoded format. Once the encrypted string is decoded, the string is decrypted using a fixed key, which is the SHA-256 hash of a hard-coded string. Each decryption call uses a different initialization vector (IV). Decrypted strings are added as comments in the decompiler view, making the malware analysis easier.  ***String Decryption Assembly*** ## Stopping Services The Dark Power ransomware targets specific services on the victim's machine. It stops the following services: veeam, memtas, SQL, mssql, backup, vss, sophos, svc$, and mepocs. Disabling these services makes it difficult for the victim to recover their files, as the services either free files (i.e. databases), which allows the ransomware to encrypt them. The [Volume Shadow Copy Service](https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) (VSS) is also stopped, which is common for ransomware to do. The goal is to increase the chance that a victim will pay the demanded ransom. The ransomware detects services or processes that match the predefined list and prints "[YES] in killing (service name)" to the console. ## Process Termination Processes that often block files are terminated. The ransomware queries the Windows Management Instrumentation (WMI) named “winmgmts: & {impersonationLevel=impersonate}!.\root\cimv2” with the query “select * from win32_process”. This query returns a list of all running processes. Any matches with the predefined process names are terminated. The ransomware targets Microsoft Office processes, such as excel.exe, winword.exe, powerpnt.exe, and visio.exe, as well as specific processes related to database management, including sql.exe, oracle.exe, and dbsnmp.exe. By terminating these processes, the ransomware ensures that it can complete its encryption process without encountering locked files. ## Victim Naming and Shaming Website The Dark Power ransomware gang has a victim-naming and shaming website, filled with non-paying victims and stolen data. The website is used as leverage to pressure victims into paying the ransom. The website contains victim names, company names, the date of the attack, the amount of data stolen, and a description of the stolen data. The website also has a countdown timer, which appears to be a deadline for the ransom payment. If the payment is not made by the deadline, the website will supposedly release the stolen data to the public. Ransomware gangs often use this tactic to increase pressure on the victim to pay the ransom. ## Timelines The Dark Power ransomware has been observed in the wild since January 2023, with the earliest sample compiled on January 29th, 2023. As of this writing, the gang has not publicly released any victim data, nor have they made any notable media statements. However, this could change in the future as the gang grows and seeks to establish itself in the ransomware landscape. ## Attack Behaviors Based on our analysis of the Dark Power ransomware, the gang appears to be using a relatively standard approach to ransomware attacks. The ransomware is likely delivered via phishing emails or other social engineering tactics, which trick victims into downloading and executing the malware. Once the malware is executed, it begins its encryption process, which targets a wide range of file types and locations on the victim's machine. The gang also uses a variety of tactics to prevent victims from recovering their files, including stopping critical system services, terminating certain processes, and deleting shadow copies. Additionally, the gang has set up a victim-shaming website, which they use to put pressure on victims to pay the ransom. This approach is not unique to Dark Power, but it is a common tactic used by ransomware gangs to increase the likelihood of receiving payment. ## Conclusion The Dark Power ransomware gang is a new player in the ransomware landscape, using a relatively standard approach to their attacks. They appear to be opportunistic in their targeting, without focusing on any particular sector or geography. The encryption process is initialized with a unique key for each machine, making it more challenging to create a generic decryption tool. The gang uses a variety of tactics to prevent victims from recovering their files, including stopping critical system services, terminating certain processes, and deleting shadow copies. The victim shaming website increases pressure on victims to pay the ransom. Organizations need to remain vigilant against such attacks and take appropriate measures to prevent them, such as user awareness training, regularly backing up critical data, and deploying up-to-date anti-malware software.
27-Mar-2023
1 min read
Secure Blink help Developers and Security Engineer to secure their Web Applications & APIs proactively using our cutting-edge heuristic approach.
