Feb 9, 2023

Hacker’s Playbook Threat Coverage Roundup: Feb. 9, 2023

In our first Hacker’s Playbook Threat Coverage round-up of 2023, we are highlighting newly added or updated coverage for several newly discovered ransomware and malware variants, including the ESXiArgs ransomware. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about each threat and our coverage are provided below.

ESXiArgs Ransomware

On Feb 3rd, the French Computer Emergency Response Team (CERT-FR), along with admins and several hosting providers, warned that attackers were actively targeting unpatched VMware ESXi servers to deploy a new ransomware. The attackers were exploiting a two-year-old remote code execution (RCE) vulnerability in ESXi hypervisors, CVE-2021-21974, to deploy the new ESXiArgs ransomware. By exploiting this vulnerability, attackers could gain access to ESXi servers that were either end-of-life or did not have the appropriate patch applied.

The ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
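The write-up makes two points a defender can turn into a check: only the small per-VM configuration files are encrypted, and the large -flat.vmdk data files are left alone. The following added example (not SafeBreach code and not CISA's recovery script) walks a datastore tree, flags text-format configuration files (vmdk descriptor, vmx, vmxf, vmsd) that no longer parse as ESXi's comment/key=value/extent grammar, and records whether the matching flat file is still present, which is the precondition for rebuilding a descriptor. The datastore layout, VM names and the byte blob standing in for ciphertext are constructed sample data.

```python
"""Audit a VMware datastore tree for VM configuration files that no longer parse as text."""
import re
import tempfile
from pathlib import Path

# Extensions the write-up lists as encrypted by ESXiArgs.
TARGET_EXTS = {"vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"}
# Of those, only these are plain text on a healthy host; the rest are binary by design,
# so "does it still parse as text" is not a usable signal for them.
TEXT_EXTS = {"vmdk", "vmx", "vmxf", "vmsd"}
# Binary .vmdk variants that share the extension with the text descriptor.
BINARY_VMDK_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")

# One line of a healthy descriptor/config: a comment, key = value, or an extent line
# such as: RW 8388608 VMFS "web01-flat.vmdk"
CONFIG_LINE = re.compile(
    r'^\s*(#.*|[A-Za-z0-9_.:-]+\s*=\s*.*|(RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+".*"(\s+\d+)?)\s*$'
)


def looks_like_text_config(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 and every non-blank line fits the config grammar."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(CONFIG_LINE.match(ln) for ln in lines)


def audit_vm_dir(vm_dir: Path) -> list:
    """Return one finding per text config file in vm_dir that no longer parses."""
    findings = []
    for path in sorted(vm_dir.iterdir()):
        ext = path.suffix.lstrip(".").lower()
        if ext not in TEXT_EXTS or path.name.endswith(BINARY_VMDK_SUFFIXES):
            continue
        if looks_like_text_config(path.read_bytes()):
            continue
        finding = {"file": path.name, "flat_present": None}
        if ext == "vmdk":
            # Rebuilding a descriptor needs the untouched flat file beside it.
            finding["flat_present"] = path.with_name(path.stem + "-flat.vmdk").exists()
        findings.append(finding)
    return findings


def audit_datastore(root: Path) -> dict:
    """Map each VM directory name to its findings (an empty list means nothing flagged)."""
    return {d.name: audit_vm_dir(d) for d in sorted(root.iterdir()) if d.is_dir()}


# Constructed healthy samples in the shape ESXi writes them.
HEALTHY_VMX = '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "{vm}"\nscsi0:0.fileName = "{vm}.vmdk"\n'
HEALTHY_DESCRIPTOR = (
    "# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\ncreateType=\"vmfs\"\n\n"
    "# Extent description\nRW 8388608 VMFS \"{vm}-flat.vmdk\"\n\n# The Disk Data Base\n#DDB\n"
    "ddb.adapterType = \"lsilogic\"\n"
)
# Constructed stand-in for ciphertext: contains byte sequences that are never valid UTF-8.
ENCRYPTED_BLOB = bytes(range(256)) * 2


def build_sample_datastore() -> Path:
    """Create a throwaway datastore: one healthy VM, one damaged with its flat file, one without."""
    root = Path(tempfile.mkdtemp(prefix="datastore1-"))
    for vm, encrypted, keep_flat in (("web01", False, True), ("db01", True, True), ("app01", True, False)):
        d = root / vm
        d.mkdir()
        vmx = HEALTHY_VMX.format(vm=vm).encode()
        desc = HEALTHY_DESCRIPTOR.format(vm=vm).encode()
        (d / f"{vm}.vmx").write_bytes(ENCRYPTED_BLOB if encrypted else vmx)
        (d / f"{vm}.vmdk").write_bytes(ENCRYPTED_BLOB if encrypted else desc)
        if keep_flat:
            (d / f"{vm}-flat.vmdk").write_bytes(b"\0" * 4096)  # stand-in for disk data
    return root


if __name__ == "__main__":
    for vm, findings in audit_datastore(build_sample_datastore()).items():
        print(vm, findings or "ok")
```

Run against a real datastore by passing its mount point to audit_datastore; a finding with flat_present set to False is the case the write-up warns about, where reconstruction from the flat file is not possible.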

SafeBreach Coverage of ESXiArgs Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.

  • Coverage for the shell script used to execute the encryptor
    • #8569 – Write ESXiArgs shell script malware to disk
    • #8570 – Transfer of ESXiArgs shell script malware over HTTP/S
    • #8571 – Transfer of ESXiArgs shell script malware over HTTP/S
    • #8572 – Email ESXiArgs shell script malware as a ZIP attachment
    • #8573 – Email ESXiArgs shell script malware as a ZIP attachment
  • Coverage for the ESXiArgs backdoor
    • #8574 – Write ESXiArgs Backdoor to disk
    • #8575 – Transfer of ESXiArgs Backdoor over HTTP/S
    • #8576 – Transfer of ESXiArgs Backdoor over HTTP/S
    • #8577 – Email ESXiArgs Backdoor as a ZIP attachment
    • #8578 – Email ESXiArgs Backdoor as a ZIP attachment
  • Coverage for the ESXiArgs encryptor
    • #8579 – Write ESXiArgs Ransomware to disk
    • #8580 – Pre-execution phase of ESXiArgs Ransomware (Linux)
    • #8581 – Transfer of ESXiArgs Ransomware over HTTP/S
    • #8582 – Transfer of ESXiArgs Ransomware over HTTP/S
    • #8583 – Email ESXiArgs Ransomware as a ZIP attachment
    • #8584 – Email ESXiArgs Ransomware as a ZIP attachment

According to CISA and the FBI, the threat actors have compromised over 3800 servers globally. CISA and the FBI have encouraged organizations managing VMware ESXi servers to:

  • Update servers to the latest version of VMware ESXi software.
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service.
  • Ensure the ESXi hypervisor is not exposed to the public internet.

Additionally, CISA has released an ESXiArgs recovery script here.

GammaLoad Malware

Ukraine’s State Cyber Protection Center (SCPC) has identified Russian state-sponsored threat actor Gamaredon for targeted attacks on its public authorities and critical information infrastructure using the GammaLoad and GammaSteel malware.

GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that’s capable of conducting reconnaissance and executing additional commands. The attacks are focused more on espionage and information theft rather than sabotage. SCPC also considers Gamaredon a “key cyber threat” given how often it evolves its tactics and techniques.

The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an attempt to trick visitors into downloading software that claims to detect infected computers. Launching the downloaded file, a Windows batch script named “Protector.bat”, executes a PowerShell script capable of capturing screenshots and harvesting files with 19 different extensions from the workstation.

SafeBreach Coverage of GammaLoad Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against GammaLoad malware.

  • #8564 – Write GammaLoad malware to disk
  • #8565 – Transfer of GammaLoad malware over HTTP/S
  • #8566 – Transfer of GammaLoad malware over HTTP/S
  • #8567 – Email GammaLoad malware as a ZIP attachment
  • #8568 – Email GammaLoad malware as a ZIP attachment

GraphicalNeutrino Malware

Recorded Future’s Insikt Group has observed BlueBravo, a threat group possibly associated with the Russian state-sponsored APT29, staging the GraphicalNeutrino malware within a malicious ZIP file using the malware dropper EnvyScout. BlueBravo used a compromised website containing the text “Ambassador’s schedule November 2022” as part of a lure operation targeting embassy staff and/or an ambassador.

GraphicalNeutrino acts as a loader with basic C2 functionality and implements numerous anti-analysis techniques, including API unhooking, dynamic API resolution, string encryption, and sandbox evasion. It leverages the Notion service (a US-based business automation service) for C2 communications and uses Notion’s database feature to store victim information and stage payloads for download.

SafeBreach Coverage of GraphicalNeutrino Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant.

  • #8558 – Write GraphicalNeutrino malware to disk
  • #8559 – Pre-execution phase of GraphicalNeutrino malware (Windows)
  • #8560 – Transfer of GraphicalNeutrino malware over HTTP/S
  • #8561 – Transfer of GraphicalNeutrino malware over HTTP/S
  • #8562 – Email GraphicalNeutrino malware as a ZIP attachment
  • #8563 – Email GraphicalNeutrino malware as a ZIP attachment

Titan Stealer Malware

A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors as being capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.

Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim’s machine. The malware, upon execution, employs a technique known as process hollowing to inject the malicious payload into the memory of a legitimate process known as AppLaunch.exe, which is the Microsoft .NET ClickOnce Launch Utility.

Some of the major web browsers targeted by Titan Stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.

SafeBreach Coverage of Titan Stealer Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new malware:

  • #8553 – Write Titan Stealer malware to disk
  • #8554 – Transfer of Titan Stealer malware over HTTP/S
  • #8555 – Transfer of Titan Stealer malware over HTTP/S
  • #8556 – Email Titan Stealer malware as a ZIP attachment
  • #8557 – Email Titan Stealer malware as a ZIP attachment

SwiftSlicer Wiper Malware

The Russian state-sponsored threat group Sandworm was observed deploying a new wiper malware dubbed SwiftSlicer against several industries in Ukraine. SwiftSlicer was launched using Active Directory Group Policy, which lets domain admins execute scripts and commands on every device in a Windows network. According to ESET researchers, SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.

SwiftSlicer overwrites data in 4096-byte blocks filled with randomly generated bytes. After completing the data destruction, the malware reboots the system. According to the information available, Sandworm developed SwiftSlicer in the Go programming language, which multiple threat actors have adopted for its versatility and because it can be compiled for all platforms and hardware.

SafeBreach Coverage of SwiftSlicer Wiper Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new malware:

  • #8548 – Write SwiftSlicer malware to disk
  • #8549 – Transfer of SwiftSlicer malware over HTTP/S
  • #8550 – Transfer of SwiftSlicer malware over HTTP/S
  • #8551 – Email SwiftSlicer malware as a ZIP attachment
  • #8552 – Email SwiftSlicer malware as a ZIP attachment

Play Ransomware

Play ransomware (also known as PlayCrypt) is a new ransomware known for its big game hunting tactics, such as using Cobalt Strike for post-compromise activity and the SystemBC RAT for persistence. The group has recently started exploiting the ProxyNotShell vulnerabilities in Microsoft Exchange. The group also shares tactics and techniques with the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people.

Play’s name stems from its behavior: the extension .play is appended to files after encryption. The ransom note Play leaves behind is unusually short and simple. It is created only at the root of the hard drive (C:\) and contains just the word PLAY and the group’s contact email address for victims. This kind of simplicity is not usual for ransomware operators.
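The two on-disk artifacts the write-up names, files renamed with a trailing .play extension and a very short note at the drive root containing the word PLAY and a contact e-mail address, are enough for a quick triage sweep. The following added example (not SafeBreach code) recovers the original file name behind each .play file and matches the note on content rather than name, since the write-up gives no file name for it. The directory layout, the note's file name and the e-mail address are constructed sample data.

```python
"""Triage a filesystem tree for Play ransomware artifacts: .play files and the root note."""
import re
import tempfile
from pathlib import Path

PLAY_EXT = ".play"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_NOTE_BYTES = 512  # the note is described as unusually short, so cap what we read


def is_play_note(path: Path) -> bool:
    """A small text file containing the word PLAY on its own and an e-mail address."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_bytes().decode("utf-8")
    except (OSError, UnicodeDecodeError):
        return False
    return re.search(r"\bPLAY\b", text) is not None and EMAIL_RE.search(text) is not None


def scan_for_play(root: Path) -> dict:
    """Return renamed files (with the original name recovered) and any notes at the root."""
    encrypted = []
    for p in root.rglob(f"*{PLAY_EXT}"):
        if p.is_file():
            encrypted.append({
                "path": str(p.relative_to(root)),
                "original_name": p.name[: -len(PLAY_EXT)],
            })
    # The write-up places the note only at the drive root, so do not recurse here.
    notes = [str(p.relative_to(root)) for p in root.iterdir() if p.is_file() and is_play_note(p)]
    return {
        "encrypted_files": sorted(encrypted, key=lambda e: e["path"]),
        "notes": sorted(notes),
    }


def build_sample_drive() -> Path:
    """Constructed stand-in for a C:\\ tree: one renamed file, one untouched file, one note."""
    root = Path(tempfile.mkdtemp(prefix="c-drive-"))
    (root / "Users" / "alice").mkdir(parents=True)
    (root / "Users" / "alice" / "report.docx.play").write_bytes(b"\x00" * 64)
    (root / "Users" / "alice" / "notes.txt").write_text("untouched\n")
    # Constructed note text and placeholder address; the real note's file name is not on the page.
    (root / "ReadMe.txt").write_text("PLAY\ncontact-placeholder@example.com\n")
    (root / "pagefile.sys").write_bytes(b"\x00" * 1024)  # large binary file, must not match
    return root


if __name__ == "__main__":
    result = scan_for_play(build_sample_drive())
    for entry in result["encrypted_files"]:
        print("encrypted:", entry["path"], "->", entry["original_name"])
    print("notes:", result["notes"])
```

Point scan_for_play at a mounted volume or a forensic image's root; the recovered original names give the list of affected files for the incident record without touching the encrypted data.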

SafeBreach Coverage of Play Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware:

  • #8536 – Write Play Ransomware (d3f0) malware to disk
  • #8537 – Transfer of Play Ransomware (d3f0) malware over HTTP/S
  • #8538 – Transfer of Play Ransomware (d3f0) malware over HTTP/S
  • #8539 – Email Play Ransomware (d3f0) malware as a ZIP attachment
  • #8540 – Email Play Ransomware (d3f0) malware as a ZIP attachment
  • #8541 – Write Play Ransomware (1934) malware to disk
  • #8542 – Transfer of Play Ransomware (1934) malware over HTTP/S
  • #8543 – Transfer of Play Ransomware (1934) malware over HTTP/S
  • #8544 – Email Play Ransomware (1934) malware as a ZIP attachment
  • #8545 – Email Play Ransomware (1934) malware as a ZIP attachment

Rhadamanthys Malware

Rhadamanthys is a stealer-type malware designed to extract data from infected machines. It is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, which diminishes immediate user suspicion. These sites were promoted through Google ads that appeared above the legitimate search results on the Google search engine.

Threat actors have also been observed using spam emails that send false account statements in an attempt to provoke an immediate response. The emails contain a PDF attachment called “Statement.pdf” that, when opened, displays a message with a link to download an update through Adobe Acrobat DC Updater in order to view the file. If the download is executed, the malware steals information from the victim’s system.

Rhadamanthys Stealer is capable of collecting system information, browser history and data, and account credentials, and it targets various crypto wallets, crypto-wallet browser extensions, FTP clients, email clients, file managers, password managers, VPN services, and messaging apps.

SafeBreach Coverage of Rhadamanthys Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new malware:

  • #8521 – Write Rhadamanthys malware to disk
  • #8522 – Transfer of Rhadamanthys malware over HTTP/S
  • #8523 – Transfer of Rhadamanthys malware over HTTP/S
  • #8524 – Email Rhadamanthys malware as a ZIP attachment
  • #8525 – Email Rhadamanthys malware as a ZIP attachment

Interested In Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

  • Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
  • Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
  • Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
  • Report – Receive a custom-built report that includes simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
