Mar 2, 2023

Hacker’s Playbook Threat Coverage Roundup: March 2, 2023

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added/updated coverage for several newly discovered ransomware and malware variants, including the DarkBit, MortalKombat, and H0lyGh0st ransomware strains. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about each threat and our coverage can be found below.

PureCrypter Malware Downloader

Researchers from Menlo Security have discovered threat actors targeting government entities with the PureCrypter malware downloader to deliver multiple information stealers and ransomware variants. Various campaigns targeting multiple government organizations in APAC and North America were observed delivering malware including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware.

The attack begins with an email that has a Discord app URL pointing to a PureCrypter sample in a password-protected ZIP archive. PureCrypter is a .NET-based malware downloader first seen in the wild in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware. When executed, it delivers the next-stage payload from a command-and-control server, which is the compromised server of a non-profit organization in this case. Researchers believe that the threat actors will continue using compromised infrastructure for as long as possible before being forced to find new ones.

SafeBreach Coverage of PureCrypter Malware Downloader

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this malware downloader.

  • #8647 – Write PureCrypter downloader to disk
  • #8648 – Transfer of PureCrypter downloader over HTTP/S
  • #8649 – Transfer of PureCrypter downloader over HTTP/S
  • #8650 – Email PureCrypter downloader as a ZIP attachment
  • #8651 – Email PureCrypter downloader as a ZIP attachment

MortalKombat Ransomware and Laplas Clipper Malware

Cisco’s Talos group noticed a new threat actor deploying two relatively new threats – MortalKombat ransomware and Laplas Clipper malware with the primary objective of stealing cryptocurrency from victims. These threats were first observed being deployed in December 2022.

According to the researchers, a typical infection in this campaign begins with a legitimate-looking phishing email and kicks off a multi-stage attack chain in which the actor delivers either malware or ransomware, then deletes evidence of malicious files, covering their tracks and challenging analysis.

MortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its developers and operating model. MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on remote locations mapped as logical drives on the victim’s machine. It drops a ransom note and changes the victim machine’s wallpaper once encryption completes. It corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s machine, making it inoperable.

Laplas Clipper malware is a relatively new clipboard stealer first observed by threat researchers in November 2022. The stealer belongs to the Clipper malware family, a group of malicious programs that specifically target cryptocurrency users. Laplas Clipper uses regular expressions to monitor the victim machine’s clipboard for cryptocurrency wallet addresses. Once the malware finds the victim’s wallet address, it sends it to the attacker-controlled Clipper bot, which generates a lookalike wallet address and overwrites the victim machine’s clipboard with it.
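A defender-side counterpart to the behaviour described above, added here as an example and not code from the original post or from SafeBreach: given a stream of clipboard snapshots (constructed sample below), flag cases where a wallet address is replaced by a different address of the same type with no user copy action in between. The wallet regexes and the `user_copy` signal are assumptions about what an endpoint agent could supply.

```python
import re
from dataclasses import dataclass

# Assumption: these patterns cover common BTC (legacy and bech32) and ETH address formats.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_type(text):
    """Return the wallet family the clipboard text looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float         # seconds since monitoring started
    content: str      # clipboard text after this write
    user_copy: bool   # True if a user copy action (Ctrl+C, context menu) caused this write

def detect_clipboard_swaps(events, max_gap=2.0):
    """Return (ts, original, replacement) for every write that replaced a wallet address with a
    different address of the same family, without a user copy action, within max_gap seconds.
    That is the clipper pattern: the victim copies an address and it is silently rewritten."""
    alerts, prev = [], None
    for ev in events:
        if prev is not None:
            t_prev, t_cur = wallet_type(prev.content), wallet_type(ev.content)
            if (t_prev is not None and t_prev == t_cur
                    and prev.content.strip() != ev.content.strip()
                    and not ev.user_copy
                    and ev.ts - prev.ts <= max_gap):
                alerts.append((ev.ts, prev.content.strip(), ev.content.strip()))
        prev = ev
    return alerts

# Constructed sample: addresses are synthetic, not real wallets.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes", True),
    ClipEvent(5.0, "0x" + "a" * 40, True),    # user copies an ETH address
    ClipEvent(5.2, "0x" + "b" * 40, False),   # rewritten 200 ms later with no user action
    ClipEvent(30.0, "1" + "A" * 30, True),    # user copies a BTC address; type changes, no alert
    ClipEvent(95.0, "1" + "B" * 30, True),    # user copies another one themselves; no alert
]

if __name__ == "__main__":
    for ts, original, replacement in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={ts}s clipboard swap: {original} -> {replacement}")
```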

SafeBreach Coverage of MortalKombat Ransomware and Laplas Clipper

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against MortalKombat ransomware.

  • #8612 – Write MortalKombat (3553) Ransomware to disk (Malware Drop)
  • #8613 – Transfer of MortalKombat (3553) Ransomware over HTTP/S (Malware Transfer)
  • #8614 – Transfer of MortalKombat (3553) Ransomware over HTTP/S (Malware Transfer)
  • #8615 – Email MortalKombat (3553) Ransomware as a ZIP attachment (Email Attachments)
  • #8616 – Email MortalKombat (3553) Ransomware as a ZIP attachment (Email Attachments)
  • #8617 – Write MortalKombat (db17) Ransomware to disk (Malware Drop)
  • #8618 – Transfer of MortalKombat (db17) Ransomware over HTTP/S (Malware Transfer)
  • #8619 – Transfer of MortalKombat (db17) Ransomware over HTTP/S (Malware Transfer)
  • #8620 – Email MortalKombat (db17) Ransomware as a ZIP attachment (Email Attachments)
  • #8621 – Email MortalKombat (db17) Ransomware as a ZIP attachment (Email Attachments)
  • #8285 – Write Laplas Clipper malware to disk
  • #8286 – Transfer of Laplas Clipper malware over HTTP/S (Malware Transfer)
  • #8287 – Transfer of Laplas Clipper malware over HTTP/S (Malware Transfer)
  • #8288 – Email Laplas Clipper malware as a ZIP attachment (Email Attachments)
  • #8289 – Email Laplas Clipper malware as a ZIP attachment (Email Attachments)

DarkBit Ransomware

According to threat researchers from Blackberry, one of Israel’s top research universities, Technion – Israel Institute of Technology, was targeted by a new ransomware strain known as DarkBit. The threat actors appear to have geopolitical motivations, as the ransom note is full of anti-Israeli and anti-government rhetoric. The threat actors have demanded a ransom of 80 Bitcoin (around $1.8 million).

During the attack, affected devices had various files encrypted by the ransomware, with the file extension ‘.Darkbit’ being appended to signify encryption. Additionally, a ransom note with the filename ‘RECOVERY_DARKBIT.txt’ was added to all directories compromised by the ransomware. The ransomware boasts several capabilities, including accepting command-line arguments or being run autonomously. It encrypts the victim’s device by default, employing Advanced Encryption Standard 256-bits (AES-256) during its encryption routine, and impacts a wide range of file types. Furthermore, it utilizes the technique of multi-threading for faster and more efficient encryption.

SafeBreach Coverage of DarkBit Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant.

  • #8606 – Write DarkBit Ransomware to disk
  • #8607 – Pre-execution phase of DarkBit Ransomware (Windows)
  • #8608 – Transfer of DarkBit Ransomware over HTTP/S
  • #8609 – Transfer of DarkBit Ransomware over HTTP/S
  • #8610 – Email DarkBit Ransomware as a ZIP attachment
  • #8611 – Email DarkBit Ransomware as a ZIP attachment

Stealc Information Stealer

A new information stealer called Stealc has emerged on the dark web, gaining traction due to aggressive promotion of its stealing capabilities and its similarities with malware of the same kind, such as Vidar, Raccoon, Mars, and Redline. Stealc was originally spotted by the CTI company SEKOIA in January 2023. According to their research, Stealc is a fully featured and ready-to-use information stealer whose development relied on the Vidar, Raccoon, Mars, and Redline stealers.

Stealc targets sensitive data from the most widely used web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets, and information from additional applications, including email clients and messenger software. Stealc also implements a customizable file grabber, allowing its customers to steal files matching their grabber rules. The stealer also has the loader capabilities that would usually be expected of an information stealer sold as Malware-as-a-Service (MaaS).

SafeBreach Coverage of Stealc Information Stealer

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the information stealer:

  • #8646 – Email Stealc infostealer as a ZIP attachment (INFILTRATION)
  • #8645 – Email Stealc infostealer as a ZIP attachment (LATERAL_MOVEMENT)
  • #8644 – Transfer of Stealc infostealer over HTTP/S (INFILTRATION)
  • #8643 – Transfer of Stealc infostealer over HTTP/S (LATERAL_MOVEMENT)
  • #8642 – Write Stealc infostealer to disk (HOST_LEVEL)

H0lyGh0st Ransomware

A North Korean threat group known as DEV-0530 has been targeting small and medium-sized businesses with an emerging ransomware strain called H0lyGh0st. According to security researchers at Microsoft MSTIC, the H0lyGh0st ransomware threat actors have successfully targeted and compromised a number of manufacturing organizations, banks, schools, and event-planning companies in multiple countries since June 2021.

The group encrypts all files on the target machines, appending the file extension “.h0lyenc”. It then sends a few sample files to the victim and demands a ransom in Bitcoin in exchange for restoring the files. If the victims refuse to pay the ransom, the group also threatens to release the files on social media.
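The file-system artifacts named in this post (the ‘.Darkbit’ and ‘.h0lyenc’ extensions and the ‘RECOVERY_DARKBIT.txt’ note) are what an incident responder would sweep a share for first. The following triage script is an added example, not code from the original post or from SafeBreach; it runs against a constructed directory tree, and the H0lyGh0st note filename is left empty because the post does not give one.

```python
import os
import tempfile

# Indicators taken from the report text: encrypted-file extensions and ransom-note filenames.
RANSOMWARE_ARTIFACTS = {
    "DarkBit":   {"extensions": {".darkbit"}, "notes": {"recovery_darkbit.txt"}},
    "H0lyGh0st": {"extensions": {".h0lyenc"}, "notes": set()},  # note name not given in the report
}

def scan_tree(root):
    """Walk root and count, per family, encrypted files and ransom notes found.
    Matching is case-insensitive. Returns {family: {"encrypted": n, "notes": [paths]}}
    for families with at least one hit, so an empty dict means nothing was found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            for family, ind in RANSOMWARE_ARTIFACTS.items():
                entry = hits.setdefault(family, {"encrypted": 0, "notes": []})
                if ext in ind["extensions"]:
                    entry["encrypted"] += 1
                if lower in ind["notes"]:
                    entry["notes"].append(os.path.join(dirpath, name))
    return {f: v for f, v in hits.items() if v["encrypted"] or v["notes"]}

def build_sample_tree():
    """Constructed sample tree mimicking a partially encrypted share; no real malware output."""
    root = tempfile.mkdtemp(prefix="rw_triage_")
    layout = {
        "finance/report.xlsx.Darkbit": b"",          # encrypted by DarkBit (extension appended)
        "finance/RECOVERY_DARKBIT.txt": b"constructed note",
        "finance/budget.docx": b"",                   # untouched file
        "hr/RECOVERY_DARKBIT.txt": b"constructed note",  # note dropped in every directory touched
        "legacy/contract.pdf.h0lyenc": b"",           # encrypted by H0lyGh0st
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for family, result in scan_tree(build_sample_tree()).items():
        print(f"{family}: {result['encrypted']} encrypted file(s), {len(result['notes'])} ransom note(s)")
```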

The MSTIC researchers have also noted a likely overlap between DEV-0530 and the North Korean threat group known as PLUTONIUM. The PLUTONIUM group has repeatedly targeted energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

SafeBreach Coverage of H0lyGh0st Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware:

  • #8600 – Email H0lyGh0st Ransomware as a ZIP attachment (INFILTRATION)
  • #8599 – Email H0lyGh0st Ransomware as a ZIP attachment (LATERAL_MOVEMENT)
  • #8598 – Transfer of H0lyGh0st Ransomware over HTTP/S (INFILTRATION)
  • #8597 – Transfer of H0lyGh0st Ransomware over HTTP/S (LATERAL_MOVEMENT)
  • #8596 – Pre-execution phase of H0lyGh0st Ransomware (Windows) (HOST_LEVEL)
  • #8595 – Write H0lyGh0st Ransomware to disk (HOST_LEVEL)

Newly Added Behavioral Attacks

While IOCs are useful for retrospective analysis, these indicators have a very short lifespan, and SOC analysts want to rely on more than evidence of previous attacks that expires soon after its detection. Behavioral attacks capture something closer to a signature of the attack or the attacker. These behavioral attacks map to the MITRE ATT&CK framework. The SafeBreach platform includes coverage not only for IOC-based attacks but also for behavior-based attacks. Recent additions include:

  • #7198 Implant Malicious Container Image (Azure)
    • Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. This technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.
  • #7230 Service Stop (Linux)
    • Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.
  • #7638 Scheduled Service Using Systemd Timers
    • Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
  • #8021 SSH Scanning
    • Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).
  • #8303 Pass the ticket
    • This attack combines two individual attack techniques – Credential Dumping and Use Alternate Authentication Material. Credential Dumping – Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. Use Alternate Authentication Material – Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
  • #8330 Create a shutdown entry (Linux)
    • Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services to achieve remote Execution.
  • #8358 Process Injection – KernelCallbackTable
    • Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.
  • #8359 Process Injection – Asynchronous Procedure Calls
    • Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
  • #8360 Silver ticket
    • Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).[1] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
  • #8361 Extracting Active Directory tickets using AS-REP Roasting
    • Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).[1] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
  • #8362 Dynamic API resolution
    • Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection.
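For the systemd timer persistence technique listed above (#7638), the defender’s check is to enumerate every .timer unit, resolve the service it activates, and review what that service actually executes. The audit below is an added example, not code from the original post or from SafeBreach; it parses constructed unit files in a temporary directory, and the list of suspicious launch directories is an assumption to be tuned per environment.

```python
import os
import tempfile
from pathlib import Path

def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values]}}. Repeated keys are kept as lists."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            units[section].setdefault(key.strip(), []).append(value.strip())
    return units

# Assumption: scheduled payloads launched from these locations deserve a closer look.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

def audit_timers(unit_dir):
    """For each .timer in unit_dir, resolve the activated service (Timer.Unit= or the same-name
    .service), collect its schedule and ExecStart lines, and flag suspicious launch paths."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".timer"):
            continue
        timer = parse_unit(Path(unit_dir, name).read_text()).get("Timer", {})
        service = timer.get("Unit", [name[:-len(".timer")] + ".service"])[0]
        schedule = timer.get("OnCalendar", []) + timer.get("OnBootSec", [])
        svc_path = Path(unit_dir, service)
        execs = parse_unit(svc_path.read_text()).get("Service", {}).get("ExecStart", []) if svc_path.exists() else []
        # ExecStart may carry prefixes such as "-" or "@"; strip them before checking the path
        suspicious = any(cmd.lstrip("-@:+!").startswith(SUSPICIOUS_DIRS) for cmd in execs)
        findings.append({"timer": name, "service": service, "schedule": schedule,
                         "exec": execs, "suspicious": suspicious})
    return findings

def build_sample_units():
    """Constructed unit files: one benign daily timer and one re-launching a payload from /tmp."""
    d = tempfile.mkdtemp(prefix="units_")
    files = {
        "logrotate.timer": "[Unit]\nDescription=Daily rotation\n[Timer]\nOnCalendar=daily\n",
        "logrotate.service": "[Service]\nType=oneshot\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
        "sysupdate.timer": "[Timer]\nOnBootSec=2min\nOnUnitActiveSec=15min\nUnit=sysupdate-run.service\n",
        "sysupdate-run.service": "[Service]\nExecStart=-/tmp/.cache/update\n",
    }
    for fname, body in files.items():
        Path(d, fname).write_text(body)
    return d

if __name__ == "__main__":
    for f in audit_timers(build_sample_units()):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f"{f['timer']} -> {f['service']}: {f['exec']} {f['schedule']}")
```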

Interested In Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

  • Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
  • Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
  • Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
  • Report – Receive a custom-built report that includes simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
