AMOS Infostealer, BiBi Wiper, FreeWorld Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: November 2023

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including NoEscape ransomware, AvosLocker ransomware, and Retch ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

AMOS Infostealer: What you need to know

Researchers from Cyble Labs came across a new information stealer known as Atomic macOS(AMOS). This new malware variant targets macOS systems and is being sold to cyber threat actors via private Telegram channels for a $1k monthly subscription. Threat actors who pay this subscription get an Apple Disk Image File (DMG) that allows them to  target macOS systems and steal keychain passwords, files from the local filesystem, passwords, cookies, and credit cards stored in browsers. Researchers have also observed threat actors leveraging this malware to attempt stealing data from over 50 cryptocurrency extensions. 

The creators of this malware also provide their subscribers with a web panel for victim management, a MetaMask brute-forcer, and delivery of stolen logs via Telegram. When the “dmg” file is triggered, it enables a phony password prompt that searches for the system password in a bid to secure elevated privileges which is then followed by the extraction of the Keychain password, and exfiltration of stolen data via a zip file that is sent to the threat actor command and control server.  

SafeBreach Coverage of AMOS Infostealer

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the AMOS Infostealer. 

• #9303 – Write AMOS (fb9c7a) infostealer to disk (HOST_LEVEL) 
• #9304 – Transfer of AMOS (fb9c7a) infostealer over HTTP/S (LATERAL_MOVEMENT) 
• #9305 – Transfer of AMOS (fb9c7a) infostealer over HTTP/S (INFILTRATION) 
• #9306 – Email AMOS (fb9c7a) infostealer as a compressed attachment (LATERAL_MOVEMENT) 
• #9307 – Email AMOS (fb9c7a) infostealer as a compressed attachment (INFILTRATION) 

BiBi Wiper: What you need to know

The threat research team from Security Joes have identified a pro-Hamas hacktivist group using a new Linux-based wiper malware known as the BiBi-Linux Wiper to target several Israeli companies. This malware is an x64 ELF executable (coded in C/C++) that lacks any obfuscation or protection capabilities. This wiper malware allows threat actors to specifically target folders on victim computers that can potentially allow them to cripple victim computers and even destroy the installed operating system. 

It includes capabilities like multithreading that can be used to corrupt several files concurrently, allowing it to execute attacks with enhanced speed. It overwrites files and renames them with an extension that contains a hard-coded string “BiBi”.  Another notable aspect of this wiper is its use of the “nohup” command that allows it to run without any obstructions in the background. Once this wiper is initiated, it performs the following actions: 

• File bricking – rendering files unusable by overwriting their content
• File renaming – renaming files with a random string after corrupting them
• File type exclusions – refraining from altering files with the extensions “.out” or “.so”

SafeBreach Coverage of BiBi Wiper

The SafeBreach platform has been updated with the following new attacks to ensure our customers can validate their security controls against this wiper variant:

• #9308 – Write BiBi_Windows (747e17) wiper to disk (HOST_LEVEL) 
• #9309 – Pre-execution phase of BiBi_Windows (747e17) wiper (Windows) (HOST_LEVEL) 
• #9310 – Transfer of BiBi_Windows (747e17) wiper over HTTP/S (LATERAL_MOVEMENT
• #9311 – Transfer of BiBi_Windows (747e17) wiper over HTTP/S (INFILTRATION) 
• #9312 – Email BiBi_Windows (747e17) wiper as a compressed attachment (LATERAL_MOVEMENT)
• #9313 – Email BiBi_Windows (747e17) wiper as a compressed attachment (INFILTRATION) 
• #9314 – Write BiBi_Linux (58efad) wiper to disk (HOST_LEVEL) 
• #9315 – Transfer of BiBi_Linux (58efad) wiper over HTTP/S (LATERAL_MOVEMENT) 
• #9316 – Transfer of BiBi_Linux (58efad) wiper over HTTP/S (INFILTRATION) 
• #9317 – Email BiBi_Linux (58efad) wiper as a compressed attachment (LATERAL_MOVEMENT
• #9318 – Email BiBi_Linux (58efad) wiper as a compressed attachment (INFILTRATION) 

FreeWorld Ransomware: What you need to know

Researchers from Securonix have identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks to deliver ransomware and Cobalt Strike payloads. According to researchers, threat actors forced a MSSQL password and then used the database’s xp_cmdshell feature to run commands on the host machine the database was running on. 

The typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld,” named for the inclusion of the word “FreeWorld” in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, which is “.FreeWorldEncryption.”. The attackers were also observed establishing a remote server message block (SMB) to mount a directory housing their tools, including a Cobalt Strike command-and-control agent (srv.exe), a network port scanner, and Mimikatz for credential dumping and lateral movement. Threat researchers have classified this campaign as highly sophisticated due to its use of various tools, malicious payloads, and rapid execution. 

SafeBreach Coverage of FreeWorld Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant: 

• #9325 – Write FreeWorld (9373e4) ransomware to disk (HOST_LEVEL) 
• #9326 – Pre-execution phase of FreeWorld (9373e4) ransomware (Windows) (HOST_LEVEL)
• #9327 – Transfer of FreeWorld (9373e4) ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #9328 – Transfer of FreeWorld (9373e4) ransomware over HTTP/S (INFILTRATION) 
• #9329 – Email FreeWorld (9373e4) ransomware as a compressed attachment (LATERAL_MOVEMENT) 
• #9330 – Email FreeWorld (9373e4) ransomware as a compressed attachment (INFILTRATION) 

ZenRAT Malware: What you need to know

Proofpoint Emerging Threat researchers have identified a new malware called ZenRAT that they believe is being distributed via fake installation packages for the password manager Bitwarden. Upon receiving a tip, researchers came across a Windows software installation package that was being hosted on a website pretending to be associated with Bitwarden. This imposter website [bitwariden[.]com only displays the fake Bitwarden download if a user accesses it via a Windows host. If a non-Windows user attempts to navigate to this domain, the page changes to something entirely different. 

If Windows users click download links marked for Linux or MacOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com. Clicking the Download button or the Desktop installer for Windows download button results in an attempt to download Bitwarden-Installer-version-2023-7-1.exe. The installer places a copy of an executable, ApplicationRuntimeMonitor.exe into C:\Users\[username]\AppData\Roaming\Runtime Monitor\, and runs it.  ZenRAT (ApplicationRuntimeMonitor.exe) uses WMI queries and other system tools to gather information about the host which is then sent back to the C2 server along with stolen browser data and credentials in a zip file called Data.zip that include files InstalledApps.txt, and SysInfo.txt. Based on the analysis of the malware sample, ZenRAT appear to be designed as a modular, extendable implant that can potentially be used by other threat actors in their attack campaigns in the future. 

SafeBreach Coverage of ZenRAT Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant: 

• #9333 – Transfer of Zen (276536) rat over HTTP/S (LATERAL_MOVEMENT) 
• #9334 – Transfer of Zen (276536) rat over HTTP/S (INFILTRATION) 
• #9335 – Email Zen (276536) rat as a compressed attachment (LATERAL_MOVEMENT) 
• #9336 – Email Zen (276536) rat as a compressed attachment (INFILTRATION) – Automation

ExelaStealer: What you need to know

Threat researchers from Fortinet have discovered a new infostealer called ExelaStealer that is largely an open-source infostealer but can be customized after making additional payments to the threat actors. It appears to have been written in Python and can pull in resources from other languages where needed. It is intended to steal sensitive data from Windows-based hosts, including passwords, CC data, session data, and keylogs. 

The attackers advertise the open-source as well as paid-for versions of the infostealer. The paid-for version offers additional capabilities that can make the infostealer even more valuable to threat actors. The paid version costs $20/month or three months for $45. A lifetime subscription is also available for $120.

SafeBreach Coverage of ExelaStealer

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware variant: 

• #9348 – Write Exela (338757) infostealer to disk (HOST_LEVEL) 
• #9349 – Pre-execution phase of Exela (338757) infostealer (Windows) (HOST_LEVEL) 
• #9350 – Transfer of Exela (338757) infostealer over HTTP/S (LATERAL_MOVEMENT) 
• #9351 – Transfer of Exela (338757) infostealer over HTTP/S (INFILTRATION) 
• #9352 – Email Exela (338757) infostealer as a compressed attachment (LATERAL_MOVEMENT
• #9353 – Email Exela (338757) infostealer as a compressed attachment (INFILTRATION) 

MuddyWater Group Attacks (IL-CERT-W1649): What you need to know

Researchers from Deep Instinct have identified a new social engineering campaign that the Iranian threat group MuddyWater used to target two Israeli entities during the ongoing Israel-Hamas hostilities. This campaign from MuddyWater involves the use of known remote administration tools (previously used  by MuddyWater) as well as the use of a new file-sharing service called “Storyblok”.

Researchers believe that the campaign originates with a spear phishing email whose content lures the targeted victims into downloading an archive hosted at “a.storyblok[.]com”. The archive contains several hidden folders, including a deceptive LNK shortcut resembling a directory called “Attachments.” When the LNK file is opened, the infection sequence is initiated, executing the “Diagnostic.exe” file, present in both archives observed by the Deep Instinct researchers. This file then launches “Windows.Diagnostic.Document.EXE,” a legitimate installer for “Advanced Monitoring Agent.” After infection, MuddyWater operators likely conduct reconnaissance before executing PowerShell code, causing the infected host to communicate with a custom command-and-control (C2) server.

SafeBreach Coverage of Attacks related to IL-CERT-W1649

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the threat group: 

• #9337 – Write MuddyWater_AteraAgent (626357) trojan to disk
• #9338 – Transfer of MuddyWater_AteraAgent (626357) trojan over HTTP/S
• #9339 – Transfer of MuddyWater_AteraAgent (626357) trojan over HTTP/S
• #9340 – Email MuddyWater_AteraAgent (626357) trojan as a compressed attachment
• #9341 – Email MuddyWater_AteraAgent (626357) trojan as a compressed attachment
• #9342 – Write MuddyWater_Diagnostic (47ed75) trojan to disk
• #9343 – Pre-execution phase of MuddyWater_Diagnostic (47ed75) trojan (Windows)
• #9344 – Transfer of MuddyWater_Diagnostic (47ed75) trojan over HTTP/S
• #9345 – Transfer of MuddyWater_Diagnostic (47ed75) trojan over HTTP/S
• #9346 – Email MuddyWater_Diagnostic (47ed75) trojan as a compressed attachment
• #9347 – Email MuddyWater_Diagnostic (47ed75) trojan as a compressed attachment

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.