Nov 30, 2022

SafeBreach Adds/Updates Coverage for New Malware & Ransomware Variants

The SafeBreach Platform has been updated with coverage for several newly discovered threats including novel malware and ransomware variants. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threat and our coverage can be seen below.

Lockbit 3.0 Ransomware

Also known as LockBit Black, this ransomware family announced itself in July 2022, offering the data of its non-paying victims online in a freely available, easy-to-use searchable form. It also introduced a bug bounty program to find defects in its ransomware. In September 2022, the builder for the ransomware was leaked and made available for download on GitHub. This leaked source allows many new emerging groups to use the same or modified versions of LockBit 3.0 built from this builder. LockBit continues its rise to the top of the ransomware ecosystem. The group adopts a variety of tactics and tools depending on the victims involved in the attack. It mostly gains initial access via compromised servers or RDP accounts that are usually bought or obtained from the dark web. In some cases, access is obtained via spam email or by brute forcing insecure RDP or VPN credentials. After gaining initial access, the ransomware propagates through insecure Remote Desktop (RDP) connections, SMB, and the group policy of the domain controller. In some instances, PsExec or Cobalt Strike is used to move laterally within the network. It is usually executed via the command line, scheduled tasks, and PowerShell scripts. Before running the ransomware program, the threat actor exfiltrates data over the C2 channel or uploads it to cloud storage using tools like MegaSync and Stealbit. Upon execution, the ransomware encrypts all files one by one inside each folder, excluding files with certain extensions that are important to the operating system, such as .dll, .exe, .sys, .lnk, .reg, and .txt. A ransom note file is written inside each folder indicating that all files have been encrypted and that a ransom must be paid in order to restore access.

SafeBreach Coverage of Lockbit 3.0 Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant.

  • #8101 – Write LockBit3 (62db) malware to disk
  • #8102 – Transfer of LockBit3 (62db) malware over HTTP/S
  • #8103 – Transfer of LockBit3 (62db) malware over HTTP/S
  • #8104 – Email LockBit3 (62db) malware as a ZIP attachment
  • #8105 – Email LockBit3 (62db) malware as a ZIP attachment
  • #8106 – Write LockBit3 (da37) malware to disk
  • #8107 – Transfer of LockBit3 (da37) malware over HTTP/S
  • #8108 – Transfer of LockBit3 (da37) malware over HTTP/S
  • #8109 – Email LockBit3 (da37) malware as a ZIP attachment
  • #8110 – Email LockBit3 (da37) malware as a ZIP attachment
  • #8111 – Write LockBit3 (ab92) malware to disk
  • #8112 – Transfer of LockBit3 (ab92) malware over HTTP/S
  • #8113 – Transfer of LockBit3 (ab92) malware over HTTP/S
  • #8114 – Email LockBit3 (ab92) malware as a ZIP attachment
  • #8115 – Email LockBit3 (ab92) malware as a ZIP attachment
  • #8116 – Write LockBit3 (ea95) malware to disk
  • #8117 – Transfer of LockBit3 (ea95) malware over HTTP/S
  • #8118 – Transfer of LockBit3 (ea95) malware over HTTP/S
  • #8119 – Email LockBit3 (ea95) malware as a ZIP attachment
  • #8120 – Email LockBit3 (ea95) malware as a ZIP attachment
  • #8121 – Write LockBit3 (5a56) malware to disk
  • #8122 – Transfer of LockBit3 (5a56) malware over HTTP/S
  • #8123 – Transfer of LockBit3 (5a56) malware over HTTP/S
  • #8124 – Email LockBit3 (5a56) malware as a ZIP attachment
  • #8125 – Email LockBit3 (5a56) malware as a ZIP attachment
  • #8126 – Write LockBit3 (0bd7) malware to disk
  • #8127 – Transfer of LockBit3 (0bd7) malware over HTTP/S
  • #8128 – Transfer of LockBit3 (0bd7) malware over HTTP/S
  • #8129 – Email LockBit3 (0bd7) malware as a ZIP attachment
  • #8130 – Email LockBit3 (0bd7) malware as a ZIP attachment
  • #8131 – Write LockBit3 (32ce) malware to disk
  • #8132 – Transfer of LockBit3 (32ce) malware over HTTP/S
  • #8133 – Transfer of LockBit3 (32ce) malware over HTTP/S
  • #8134 – Email LockBit3 (32ce) malware as a ZIP attachment
  • #8135 – Email LockBit3 (32ce) malware as a ZIP attachment
  • #8136 – Write LockBit3 (3f6e) malware to disk
  • #8137 – Transfer of LockBit3 (3f6e) malware over HTTP/S
  • #8138 – Transfer of LockBit3 (3f6e) malware over HTTP/S
  • #8139 – Email LockBit3 (3f6e) malware as a ZIP attachment
  • #8140 – Email LockBit3 (3f6e) malware as a ZIP attachment

Venus Ransomware

This ransomware variant (also known as GOODGAME) has been active since August 2022 and has targeted victims worldwide. Threat actors leveraging Venus ransomware target publicly exposed Remote Desktop Services (RDP), including those running on non-standard TCP ports, to encrypt Windows devices. Based on the information available, Venus ransomware attempts to terminate 39 processes associated with database servers and Microsoft Office applications. The ransomware deletes event logs and Volume Shadow Copies and disables Data Execution Prevention. When encrypting files, the ransomware uses the AES and RSA algorithms and appends the ‘.venus’ extension. In each encrypted file, a ‘goodgamer’ file marker and other information are added to the end of the file. Open-source reports indicate that initial ransom demands may start around 1 BTC, or less than USD 20,000. Samples in the wild have been observed contacting IP addresses in various countries including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.

SafeBreach Coverage of Venus Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.

  • #8015 – Write Venus ransomware malware to disk (Host-Level)
  • #8026 – Transfer of Venus ransomware malware over HTTP/S (Lateral Movement)
  • #8027 – Transfer of Venus ransomware malware over HTTP/S (Infiltration)
  • #8028 – Email Venus ransomware malware as a ZIP attachment (Lateral Movement)
  • #8029 – Email Venus ransomware malware as a ZIP attachment (Infiltration)

Lorenz Ransomware

The Lorenz ransomware group has been known to target enterprises worldwide since December 2020 with ransom demands ranging in the hundreds of thousands of dollars. The Lorenz gang typically sells stolen victim data prior to encryption to pressure their victims into paying the ransom. They are also known to sell access to victim networks to other threat actors. The group stores stolen victim data in password-protected RAR archives and if the demanded ransom is not paid, Lorenz also releases the password to access the leaked archives to provide public access to the stolen files.

SafeBreach Coverage of Lorenz Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.

  • #8030 – Write Lorenz ransomware malware to disk (Host-Level)
  • #8031 – Transfer of Lorenz ransomware malware over HTTP/S (Lateral Movement)
  • #8032 – Transfer of Lorenz ransomware malware over HTTP/S (Infiltration)
  • #8033 – Email Lorenz ransomware malware as a ZIP attachment (Lateral Movement)
  • #8034 – Email Lorenz ransomware malware as a ZIP attachment (Infiltration)

QakBot Malware/ BlackBasta Ransomware

The ransomware group BlackBasta, which has been active since April 2022, has been observed targeting U.S.-based companies with the QakBot trojan to gain initial access, move laterally, and deploy BlackBasta or other ransomware in victim networks. QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware, namely ransomware.

SafeBreach Coverage of QakBot Trojan/BlackBasta Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new trojan and ransomware variants.

  • #1359 – Transfer of the QakBot Malware over HTTP/S
  • #1864 – Email the QakBot malware as part of a ZIP attachment
  • #7176 – Write Black Basta malware to disk
  • #7177 – Transfer of Black Basta malware over HTTP/S
  • #7178 – Transfer of Black Basta malware over HTTP/S
  • #7179 – Email Black Basta malware as a ZIP attachment
  • #7180 – Email Black Basta malware as a ZIP attachment
  • #8080 – Write Qakbot_zip (QBot) malware to disk
  • #8081 – Transfer of Qakbot_zip (QBot) malware over HTTP/S
  • #8082 – Transfer of Qakbot_zip (QBot) malware over HTTP/S
  • #8083 – Email Qakbot_zip (QBot) malware as a ZIP attachment
  • #8084 – Email Qakbot_zip (QBot) malware as a ZIP attachment
  • #8085 – Write Qakbot_dll (QBot) malware to disk
  • #8086 – Transfer of Qakbot_dll (QBot) malware over HTTP/S
  • #8087 – Transfer of Qakbot_dll (QBot) malware over HTTP/S
  • #8088 – Email Qakbot_dll (QBot) malware as a ZIP attachment
  • #8089 – Email Qakbot_dll (QBot) malware as a ZIP attachment

IceXLoader Malware

Researchers have discovered a new ongoing phishing campaign that has infected thousands of home and corporate users with a new version of the ‘IceXLoader’ malware. Previous versions of this malware loader have been aggressively promoted among cyber criminals, and this new variant could see a sudden uptick in its deployment. The infection begins with the arrival of a ZIP file via a phishing email containing the first-stage extractor. Then, depending on the extraction settings selected by the operator, the infected system may be rebooted, and a new registry key is added to delete the temp folder when the computer restarts. The dropped executable is a downloader that fetches a PNG file from a hardcoded URL and converts it into an obfuscated DLL file, which is the IceXLoader payload. After decrypting the payload, the dropper performs checks to ensure it is not running inside an emulator and waits 35 seconds before executing the malware loader in order to evade sandboxes. To ensure persistence between reboots, the malware loader also creates a new registry value under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”. For evasion, it uses in-memory patching of AMSI.DLL, bypassing the Microsoft Windows Antimalware Scan Interface used by Windows Defender and other security products.
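The Run-key persistence described above is visible in endpoint telemetry. The following is an added detection example, not SafeBreach's or the researchers' code: it scans constructed Sysmon-style Event ID 13 (registry value set) lines and flags per-user Run values whose launched path or writing process lives under a user profile, which is where a phishing-delivered extractor typically stages its payload. Sysmon records HKEY_CURRENT_USER as HKU\<SID>; the SID, value names and paths in the sample log are constructed.

```python
import re

# Sysmon writes HKEY_CURRENT_USER as HKU\<user SID>; capture the Run value name.
RUN_KEY_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# User-writable locations (AppData, including Local\Temp) where a first-stage
# extractor drops files; a Run value pointing there deserves a look.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# 'Key=Value Key=Value' fields whose values may themselves contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed Sysmon-style events (not real telemetry): a benign installer,
# a loader registering itself from the user's temp folder, an unrelated
# registry write, and a non-registry event.
SAMPLE_LOG = r"""
EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater Details=C:\Program Files\Vendor\updater.exe
EventID=13 Image=C:\Users\alice\AppData\Local\Temp\extract.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svcload Details=C:\Users\alice\AppData\Local\Temp\loader.exe
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c dir
"""

def parse_event(line):
    """Split one 'Key=Value ...' line into a dict (values may contain spaces)."""
    return dict(FIELD_RE.findall(line.strip()))

def flag_run_key_persistence(log_text):
    """Return one alert per Event ID 13 that sets a per-user Run value from,
    or pointing into, a user profile directory."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        match = RUN_KEY_RE.match(ev.get("TargetObject", ""))
        if not match:
            continue
        reasons = []
        if USER_WRITABLE_RE.search(ev.get("Details", "")):
            reasons.append("run value launches a file under a user profile")
        if USER_WRITABLE_RE.search(ev.get("Image", "")):
            reasons.append("value written by a process under a user profile")
        if reasons:
            alerts.append({"value": match.group("name"), "image": ev["Image"],
                           "details": ev["Details"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_run_key_persistence(SAMPLE_LOG):
        print(alert)
```

The benign vendor installer in the sample is not flagged because both its writing process and the launched path sit under Program Files; tune USER_WRITABLE_RE to the staging directories seen in your own environment.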

SafeBreach Coverage of IceXLoader Malware

  • #8090 – Pre-execution phase of IceXLoader malware
  • #8091 – Write IceXLoader malware to disk
  • #8092 – Transfer of IceXLoader malware over HTTP/S
  • #8093 – Transfer of IceXLoader malware over HTTP/S
  • #8094 – Email IceXLoader malware as a ZIP attachment
  • #8095 – Email IceXLoader malware as a ZIP attachment
  • #8096 – Write IceXLoader_dll malware to disk
  • #8097 – Transfer of IceXLoader_dll malware over HTTP/S
  • #8098 – Transfer of IceXLoader_dll malware over HTTP/S
  • #8099 – Email IceXLoader_dll malware as a ZIP attachment
  • #8100 – Email IceXLoader_dll malware as a ZIP attachment

AwfulShred Malware and ArguePatch Loader

AwfulShred malware is a malicious shell script designed to corrupt Linux systems. It has been deployed by the Sandworm APT group to target critical infrastructure in Eastern Europe. ArguePatch is a malware loader that was previously used in campaigns against Ukraine which involved CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software. This ArguePatch variant includes a feature to set up a scheduled task in order to perform a specific action at a specified time.

SafeBreach Coverage of AwfulShred Malware and ArguePatch Loader

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against these new malware families.

  • #8060 – Write AwfulShred malware to disk
  • #8061 – Transfer of AwfulShred malware over HTTP/S
  • #8062 – Transfer of AwfulShred malware over HTTP/S
  • #8063 – Email AwfulShred malware as a ZIP attachment
  • #8064 – Email AwfulShred malware as a ZIP attachment
  • #8065 – Write ArguePatch (AprilAxe) malware to disk
  • #8066 – Transfer of ArguePatch (AprilAxe) malware over HTTP/S
  • #8067 – Transfer of ArguePatch (AprilAxe) malware over HTTP/S
  • #8068 – Email ArguePatch (AprilAxe) malware as a ZIP attachment
  • #8069 – Email ArguePatch (AprilAxe) malware as a ZIP attachment

Interested In Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

  • Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
  • Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
  • Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
  • Report – Receive a custom-built report that includes simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
