Global Threat Intelligence Report

SmokeLoader, which was first discovered in 2011, has undergone several iterations and remains a prominent threat used to load everything from crypto miners, ransomware, Trojans, and even point-of-sale (POS) malware onto infected systems. Earlier versions of this malware were sold in underground forums under the name SmokeLdr, but since 2014, it is only being sold to Russian-based threat actors. In 2018, SmokeLoader was the first malware to use the PROPagate code injection² technique. The malware can be distributed through a wide range of attack vectors, including malicious documents related to large-scale mass phishing campaigns. In July 2022, the BlackBerry Threat Research and Intelligence team observed SmokeLoader distributing a new version of Amadey Bot. During this attack, SmokeLoader was hidden in “cracked” software (aka “cracks”) and key-generation tools (aka “keygens”) for popular software applications. The threat actor behind the campaign relied on black-hat SEO techniques³ (aka SEO poisoning) to ensure that their malware sites appeared at or near the top of related search engine results to entice people seeking cracked files to download and run the malicious executable.

Because some antivirus solutions may block cracks and keygens, some people intentionally disable their security products before downloading these files or ignore detection alerts and proceed with the download. As a result, even widely detected threats can infect systems when a victim explicitly allows the download and execution of malware.

Warzone (aka Ave Maria) RAT is available for sale on underground and above-ground forums. Warzone’s comprehensive features include keylogging, process manipulation, command execution, password scraping, webcam access, reverse proxy configuration, and support for downloading and executing additional files or malware.

Warzone offers two tiers of pricing: an initial subscription to the basic RAT builder that begins at $22.95 USD per month, and a higher-priced premium version. Designed to appeal to novice threat actors, the premium version offers advanced features such as a rootkit, hidden process capability, premium dynamic DNS (DDNS), and customer support for approximately $800 USD for a three-month subscription.

This commodity malware has no specific targets and is used by various threat actors and cyber groups. Last quarter, Warzone was deployed in a campaign solely focused on Taiwanese semiconductor manufacturers and delivered via malicious .RAR file attachments.

DarkCrystal (also known as DCRat) was first released in 2018 and is one of the cheapest .NET backdoors available, with prices ranging from around $5 USD for a two-month license, up to $40 USD for a “lifetime” license (which typically means the lifetime of the threat group). 

An embedded configuration file dictates which features are enabled on execution, which may include but are not limited to screenshots, keylogging, and stealing cookies and passwords from web browsers and clipboards. The Computer Emergency Response Team of Ukraine (CERT-UA) observed⁷ DarkCrystal targeting Ukraine during the Russian-Ukraine conflict.

BlackBasta is a relatively new ransomware group operating as a ransomware-as-a-service (RaaS) that was first spotted in April 2022. It employs a double-extortion technique, demanding ransom to decrypt company data and extorting additional fees to keep the data from being leaked to the public.

BlackBasta uses tools like Qakbot (aka Qbot) and the PrintNightmare (CVE-2021–34527¹²) exploit in its attacks, and encrypts victim data with a combination of ChaCha20 and RSA-4096. BlackBasta’s infection chain differs from target to target, and it encrypts data faster than other ransomware groups. Some of BlackBasta’s behaviors are similar to malware previously produced by the Conti group.

BlackCat ransomware, which first appeared in the wild in November 2021, was the first major ransomware family authored in the Rust programming language. (As detailed in this report, Rust delivers more flexibility for threat actors to cross-compile binaries that target all major operating systems, widening its reach of potential targets and systems.) The group has used the Emotet botnet to deliver a ransomware payload. After a foothold is established, a Cobalt Strike beacon is deployed to allow the threat actors to move deeper within the target network.

BlackCat has been prolific since its inception, targeting numerous high-profile victims and using double and even triple-extortion methods. According to a 2022 FBI advisory¹³, BlackCat ransomware affiliates are potentially linked to two older threat groups: DarkSide and BlackMatter. BlackCat made headlines in February 2023 after an attack on Munster Technological University in Ireland.

Adware is sometimes viewed as merely a nuisance, but it can be far more damaging. Displaying the unwanted ads relies on malicious behaviors, including monitoring user activity, communicating with a server, and downloading additional data or code. For example, the UpdateAgent Trojan deploys the aggressive adware AdLoad. We prevented numerous AdLoad infections among our customers who use macOS devices during this reporting period.

We also identified the continued use of Pirrit adware. This malware downloads and launches scripts and additional Mach object file format (Mach-O) executables on the compromised machine, which could be used to execute more dangerous code.

Linux’s popularity continues to grow. Up to 90 percent of public cloud services¹⁴ run on Linux, and a significant number of businesses are migrating or planning a migration to cloud services. In addition, Linux is commonly used in the Internet of Things (IoT). Because Linux is not a common desktop OS in businesses, most infections rely on techniques such as brute-force attacks or exploiting network and server vulnerabilities instead of encouraging users to open an infected attachment. For these reasons, organizations that rely on Linux infrastructure require a comprehensive vulnerability management program to protect their servers.

During this reporting period, BlackBerry telemetry uncovered multiple Linux attacks attempting to deploy crypto miners that, in addition to consuming system resources, can allow the deployment of other malware such as backdoors that allow criminals remote system access.

The reporting period also included an increase in cross-platform ransomware that can target multiple operating systems. For example, the new Royal ransomware can target Linux as well as Windows and ESXi systems.

Crypto miners use a victim’s Linux system resources to mine digital cryptocurrency for financial gain, an activity known as cryptojacking¹⁵. BlackBerry researchers previously detected an attack using the Dota3 malware family¹⁶, which attacks SSH servers that use weak passwords and installs the known crypto miner XMRig¹⁷. The Sysrv¹⁸ crypto miner botnet, which has been active since early 2021, is compiled in the Go programming language and can execute on multiple operating systems. Sysrv attempts to download the loader from a .sh file, which indicates the attack was aimed at Linux systems. This botnet has multiple exploits and mines the cryptocurrency Monero using XMRig after compromising a system.

A recent attack exploited CVE-2022-35914¹⁹, which is a vulnerability on GLPI (an open-source service management software typically used to manage helpdesks and IT assets). The attacker attempted to escalate their privileges by abusing PwnKit (CVE-2021-4034²⁰). Several instances of malware were found on the victim’s endpoint, including XMRig and a DoS tool known as BillGates.

The first reports³⁸ of a massive new ransomware outbreak targeting unpatched VMware ESXi servers began online in early February 2023. Originating in France³⁹ but rapidly spreading worldwide, some reports specified that it encrypted several thousand servers on the first day of operation alone.

The threat actor behind this new ransomware exploited a two-year-old vulnerability (CVE-2021-21974⁴⁰) in Internet-facing VMware ESXi servers to gain entry and deploy ransomware. The following ESXi versions were amongst those susceptible to the attack:

• ESXi versions 6.5.x prior to ESXi650-202102101-SG
• ESXi versions 6.7.x prior to ESXi670-202102401-SG
• ESXi versions 7.x prior to ESXi70U1c-17325551

The ransomware components included an ELF file encryptor and an encrypted.sh shell script designed to coordinate the execution chain, including execution of the encryptor.

Upon execution, the malware modified the VMX configuration file name, terminated any running VMX processes, and identified and encrypted files with extensions .vmx, .vmxf,.vmsd, .nvram and .vmdk. Then, the malware deleted the originals.

Next, the malware dropped a ransom note requesting the seemingly arbitrary amount of 2.092716 Bitcoin (BTC), which was approximately $48,000 USD at the time of the attacks. According to the note, the data would be publicly exposed if the threat actor was not paid within three days.

The vendor issued a patch for the CVE-2021-21974 vulnerability two years earlier in February 2021. This attack highlights the critical importance of up-to-date patch management programs, and demonstrates that Linux-based systems are vulnerable to attacks and becoming an increasingly attractive target for threat actors.

In mid-February, the Technion Israel Institute of Technology was attacked by a new strain of ransomware called DarkBit. The threat actor appeared to have geopolitical motivations, and the ransom note contained anti-government and anti-Israeli messaging as well as remarks about tech layoffs occurring at that time.

The ransomware was written in Golang and, using an unknown infection vector, deployed an embedded config file with specific parameters for the malware to follow including which file types to exclude from encryption, the ransom note, and instructions to split larger files for segmented encryption.

The malware could also be executed using command-line options for a customized attack flow, including optional multithreading for a speedier encryption routine. Upon execution, the malware executed the following call:

- "vssadmin.exe delete shadow /all /Quiet"

This command deleted shadow copies, impeded recovery efforts, and located targeted file types on the host machine that would then be encrypted with AES-256 and appended with the extension .Darkbit.

A ransom note titled RECOVERY_DARKBIT.txt was dropped in all affected directories with instructions on how to pay the ransom, which was set at 80 BTC, equivalent to $1,869,760 USD at the time of the attack. The note stated that a 30 percent penalty would be added if the ransom was not paid within 48 hours, and that data would be leaked if the ransom was not paid within five days.

The wording of the ransom note and similar comments on the threat actor’s social media and web site suggest that the attack was the work of a disgruntled employee, group of employees, or hacktivists.

The Blackberry Threat Research and Intelligence team recently published findings about NewsPenguin, a previously unknown threat actor targeting Pakistan-based organizations with custom phishing lures.

The lures were themed around the Pakistan International Maritime Expo & Conference held February 10–12, 2023, and contained an attached weaponized Word document that was disguised as an exhibitor manual for the conference. The document used a remote template injection technique and embedded malicious macros to retrieve the next stage of the infection chain, which ultimately led to a final payload, updates.exe.

This previously undocumented espionage tool contains a wide array of anti-analysis, anti-sandbox, and information stealing features that include:

• Checking the size of the host hard drive
• Determining whether the host has more than 10GB of RAM
• Using GetTickCount to identify uptime
• Determining whether it is operating in a sandbox or virtual machine

Upon installation, the malware checks in and registers the compromised host with a hardcoded C2 server via a 12-character string identifier. The host can then receive instructions from the attacker as a series of built-in commands. The commands include the ability to:

• Identify and list process and host information
• Identify and copy, delete, move, and/or modify files and directories on the host
• Execute portable executables
• Terminate processes (including itself)
• Upload (exfiltrate) the victim's files and download files that could include additional malware

As an additional evasive technique, the malware waits exactly five minutes between issuing commands. This may help minimize noise associated with its C2 communications and help it remain undetected by security and detection mechanisms.

Because the targeted event was organized by the Pakistan Navy and focused on marine and military technologies, this new threat actor may have been motivated by infostealing or espionage purposes rather than financial ones. We will continue to track and monitor this group’s activities.

Gamaredon (aka ACTINIUM) is a publicly attributed state-sponsored Russian APT group that has targeted Ukrainian individuals and entities for a decade.

At the turn of the new year, the BlackBerry Threat Research and Intelligence team published findings on a new Gamaredon campaign in which the group leveraged the popular messaging app Telegram as part of a multi-stage execution chain. The use of Telegram helped the campaign’s activities blend in with normal network traffic and remain undetected.

The infection vector of the campaign was a series of highly targeted phishing lures with attached weaponized documents written in Russian and Ukrainian that were designed to appear as if they originated from real Ukrainian government agencies. The documents employed remote template injection techniques such as the exploitation of CVE-2017-0199⁴¹, which allows execution of code through infected Word files. When a malicious document is opened, the next stage of the attack begins.

Geofencing was used to ensure that only targets with Ukraine IP addresses were affected. If the target was confirmed to be in Ukraine, a script was downloaded that connected to a hardcoded Telegram account that led to a new malicious IP address. Each Telegram account periodically deployed a new IP address to construct a new URL, which would serve the next stage payload. This structure allowed the group to dynamically refresh their infrastructure while remaining difficult to detect by traditional security mechanisms.

We traced campaign activity to a node operating out of Crimea and determined that it has been active since at least spring 2022.

In late February 2023, the BlackBerry Threat Research and Intelligence team witnessed a new campaign that is attributed with a moderate degree of confidence to the South American threat group Blind Eagle (APT-C-36⁴²). Blind Eagle has been active since 2019, targeting industries in Colombia, Ecuador, Chile, and Spain.

The campaign’s overall goal was to drop and deploy AsyncRAT commodity malware. The group impersonates different government organizations, notably tax agencies. The initial attack often begins when a victim falls for a creditable phishing link that begins an elaborate multipart execution chain.

During Blind Eagle’s campaigns, the content delivery network of the popular social platform Discord was abused to host malware (Discord features have been weaponized by many threat actors and cyber crime groups).

During the reporting period, LockBit was most active RaaS provider—in January alone, 50 of 165 known ransomware attacks⁴⁴ were attributable to LockBit. Notable attacks include the following:

• On December 18, 2022, the group attacked the Hospital for Sick Children (aka SickKids.) Two weeks after the attack, LockBit claimed that a member broke their rules by attacking a healthcare institution, apologized, and released a free decryptor. During those two weeks, patient lab work and imaging were delayed, phone lines were disabled, and the staff payroll system was shut down.
• On December 25, 2022, the group launched an attack against the Port of Lisbon Administration (APL), which is one of Portugal’s largest ports.
• On January 27, 2023, researchers⁴⁵ shared information about a new variant named LockBit Green. Shortly after, other researchers determined that the new variant uses Conti-based leaked source code.
• In early February, the ransomware group claimed to be behind an attack on the Royal Mail (the British multinational postal service) and stated that the data would be published on their leak site. The leak site went live on February 23, 2023, and the data was still publicly available as of late March 2023.
  

In the past, threat actors frequently distributed Microsoft^® Office documents containing infected macros that executed automatically when the victim opened the document. In mid-2022, Microsoft disabled the automatic execution of Office macros, making these attacks less successful. As a result, threat actors looked for new ways to exploit the popular workplace software.

This reporting period has seen a surge in the use of Microsoft^® OneNote attachments⁴⁶ (a digital note-taking application in the Office 365^® suite) to distribute malware and ransomware. Attackers add OneNote attachments that contain payloads such as Windows executables, batch files, Visual Basic scripts, or HTML application files to phishing and mal-spam campaigns.

When a victim opens a malicious OneNote attachment, the next stage of the infection occurs, which is frequently downloading and deploying common commodity malware. Threat actors known to abuse OneNote attachments include Agent Tesla, AsyncRAT, IcedID, FormBook, RemcosRAT, RedLine, Qakbot, and more.

Our Forecast:

A key characteristic of Russia's invasion of Ukraine has included cyberattacks against Ukrainian military and civilian infrastructure. If hostilities continue, we are likely to see this pattern of targeted cyberattacks repeated.

Outcome:

As the conflict in Ukraine continues, assaults against the region's digital and physical critical infrastructure continue as well. In a November 2022 meeting⁴⁸ with EU energy ministers, the Ukrainian Energy Minister German Galushchenko suggested that large portions of civilian infrastructure had been damaged or destroyed and that attacks have not ceased.

Our Forecast:

Ransomware operations including attacks targeting hospitals and medical organizations will continue, especially in countries that support or provide funding to Ukraine.

Outcome:

Ransomware attacks continued this quarter although motives other than financial are unclear. The prominent LockBit ransomware group was active this reporting period and may have attacked a total of more than 1,500 victims. The group has no apparent qualms about targeting health and medical organizations, and victims included U.S.-based healthcare providers.

Attacks by BlackCat ransomware operators have also increased, targeting mostly U.S.-based victims. Furthermore, ESXiArg ransomware affecting hundreds of vulnerable unpatched systems was a cause for concern during this reporting period.

Our Forecast:

Cyberattacks on critical infrastructure will continue. AI may be increasingly used not only for attack automation, but also to develop advanced deepfake attacks.

Outcome:

Critical infrastructure will always be a target for both financially and politically motivated threat actors, and the use of deepfakes in the overall threat landscape has gained significant traction. The BlackBerry Threat Research and Intelligence team has observed complex cryptocurrency scams that leverage deepfakes and similar ploys to promote cracked software that has been laced with malware.

As the conflict continues, cyberattacks against Ukraine will continue as well. The Ukrainian State Cyber Protection Center reported an almost threefold increase in cyberattacks⁴⁹ throughout 2022 over the prior year, with a significant 26 percent increase⁵⁰ in attacks originating from Russian-based IP addresses.

In January 2023, ESET documented a new malware wiper dubbed SwiftSlicer, which is attributed to the infamous Sandworm Group. This Golang-compiled malware was the latest in a long line⁵¹ of wipers and destroys data when deployed on a target network.

Because cyberattacks are a well-documented⁵² element of Russian military campaigns, attacks against Ukraine are likely to continue.

The interactive AI chatbot ChatGPT⁵³ was released worldwide in November 2022. The first reports⁵⁴ of cyber criminals testing and discussing its potential for use in fraud and creating basic malware strains began in December 2022. In January 2023, researchers⁵⁵ demonstrated that ChatGPT could help write complex malicious code with polymorphic capabilities.

As AI-powered bots like ChatGPT become more advanced and more common, their capabilities will inevitably be abused for malicious purposes. Defending against these growing threats requires prevention and detection capabilities as well as effective threat intelligence.

Commodity malware attacks on the manufacturing and healthcare industries dominated our telemetry in this reporting period. These commodity information stealers were used as a tool for data theft and for obtaining access credentials to facilitate network intrusions. This type of access is frequently sold through IAB services, and infostealer logs are often sold on underground marketplaces. In many instances, successful breaches led to follow-on attacks such as ransomware deployment that amplify the impact of the initial intrusion.

Despite increased security efforts, cyberattacks targeting supply-chain partners will remain a significant threat over the next three months. While all industries are at risk of supply chain attacks, manufacturing is a particularly attractive target for financially motivated threat actors and state-sponsored actors because of their financial assets, patents, and other intellectual property.

Recent ransomware attacks that targeted automotive industry supply chains demonstrate the potential impact of these attacks on the manufacturing industry as a whole. Supply-chain disruptions affect not only the targeted company but all other organizations and systems in the industry value chain.

We expect that supply chain attacks will continue, as will the use of IABs to facilitate ransomware deployment.