In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats by the SafeBreach Labs team. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

FakePenny Ransomware: What You Need to Know

Microsoft Threat Intelligence recently identified a new North Korean threat actor whom they have associated with attacks on individuals and organizations in the software and information technology, education, and defense industrial base sectors. These threat actors, known as Moonstone Sleet (formerly Storm-1789) have been observed using known TTPs (commonly used by other North Korean threat actors) and several unique techniques to achieve their malicious objectives (financial and cyberespionage). Moonstone Sleet is a North Korean state-affiliated threat actor who has been observed using unique techniques and reusing code from Diamond Sleet malware and several of their techniques to gain initial access to victim networks via social media. 

According to the researchers, these threat actors were observed setting up fake companies and job opportunities to target and engage with potential targets. They would then employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware (FakePenny Ransomware). This new custom ransomware includes a loader and an encryptor and has been primarily leveraged for intelligence collection and revenue generation. The ransom note that FakePenny left behind is eerily similar to the one that threat actor Seashell Blizzard used to distribute the NotPetya malware. 

SafeBreach’s Coverage of FakePenny Ransomware

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this ransomware variant:

• #10345 – Write FakePenny (f5fc58) ransomware to disk
• #10346 – Pre-execution phase of FakePenny (f5fc58) ransomware (Windows)
• #10347 – Transfer of FakePenny (f5fc58) ransomware over HTTP/S
• #10348 – Transfer of FakePenny (f5fc58) ransomware over HTTP/S
• #10349 – Email FakePenny (f5fc58) ransomware as a compressed attachment
• #10350 – Email FakePenny (f5fc58) ransomware as a compressed attachment

Qilin Ransomware: What You Need to Know

A ransomware attack that impacted several major hospitals in London has been formally attributed to the Russian threat group Qilin. This ransomware attack was performed against Synnovis – a partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust. Investigators believe that the Qilin ransomware gang leveraged the double extortion model to first steal and encrypt data and threaten to publish this data if ransom was not paid. This attack interrupted pathology services across the two hospitals as well as other primary care services across the boroughs of Bexley, Greenwich, Lewisham, Bramley, Southwark, and Lambeth and has been labeled as an ongoing critical incident.

Qilin is a ransomware-as-a-service (RaaS) affiliate program that uses a Rust-based ransomware to target its victims. Most of the attacks executed by Qilin are customized for each targeted victim. Qilin threat actors achieve this customization by changing the filename extensions of encrypted files and terminating specific processes and services. Qilin advertises the ransomware on the dark web and can generate samples for both Windows and ESXi versions. 

SafeBreach’s Coverage of Qilin Ransomware

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this ransomware variant: 

• #10352 – Pre-execution phase of Qilin (efbbd1) ransomware (Windows) (HOST_LEVEL)
• #10353 – Transfer of Qilin (efbbd1) ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #10354 – Transfer of Qilin (efbbd1) ransomware over HTTP/S (INFILTRATION)
• #10355 – Email Qilin (efbbd1) ransomware as a compressed attachment (LATERAL_MOVEMENT) 
• #10356 – Email Qilin (efbbd1) ransomware as a compressed attachment (INFILTRATION)
• #10351 – Write Qilin (efbbd1) ransomware to disk (HOST_LEVEL)

SophosCleanup Trojan Malware: What You Need to Know

Sophos researchers recently stumbled across a new ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying the original content of these DLL libraries and executables and replacing it with a decrypted malicious payload. Based on the initial information available, this affects version 2022.4.3 of Sophos’ Windows Endpoint product.

This was discovered when Sophos’s new C2 interceptor detected and flagged a Brute Ratel C2 connection attempt on a customer network. Further analysis highlighted that the code at the entry point was overwritten by the malicious loader code, and the encrypted payload was stored as a resource within the resources section. Similarly, when the researchers analyzed the Cobalt Strike beacon executable, they identified the TitanLdr loader, a complex multifunction shellcode. Additional details about the campaign can be found on the Sophos website. 

SafeBreach Coverage of SophosCleanup Trojan

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this trojan variant:

• #10373 – Write SophosCleanup (007e37) trojan to disk
• #10374 – Pre-execution phase of SophosCleanup (007e37) trojan (Windows)
• #10375 – Transfer of SophosCleanup (007e37) trojan over HTTP/S
• #10376 – Transfer of SophosCleanup (007e37) trojan over HTTP/S
• #10377 – Email SophosCleanup (007e37) trojan as a compressed attachment
• #10378 – Email SophosCleanup (007e37) trojan as a compressed attachment

PlugX Worm: What You Need to Know

Sygnia researchers observed a Chinese state-sponsored threat actor called Velvet Ant conducting espionage operations after successfully establishing persistence in a large organizational network for over three years. This threat actor was able to gain a foothold in the victim network by exploiting 2 legacy F5 BigIP appliances (including a load balancer) whose operating systems were not updated. 

The techniques used by Velvet Ant are similar to those used by other Chinese state-sponsored threat actors. Researchers highlighted that Velvet Ant consistently hijacked execution flow by leveraging different methods, such as DLL search order hijacking, Phantom DLL loading, and DLL side loading.  During this attack, Velvet Ant leveraged the PlugX malware, a remote access trojan (RAT) that can remain dormant on victim networks for months. PlugX is primarily used to provide remote access to infected victim systems. 

The PlugX execution chain in this network consisted of three files: ‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’. 

• ‘iviewers.exe’ is a legitimate application called ’OLE/COM Object Viewer‘, that is part of the Windows SDK.
• ‘iviewers.dll’ is the malicious PlugX DLL loader, that is loaded by ‘iviewers.exe’ via DLL search order hijacking.
• ‘iviewers.dll.ui’ contains the actual malicious payload, which is loaded by ‘iviewers.dll’.

When ‘iviewers.exe’ is executed, these three files are copied to a sub-directory with a non-fixed name under ‘C:\ProgramData’ (or ‘C:\Documents and Settings\All Users\Application Data’, on Windows Server 2003 systems), and ‘iviewers.exe’ is installed as a Windows service. Afterwards, several ‘Svchost’ processes are launched, and malicious code is injected into them.

It is important to note that the group’s ability to quickly adapt and pivot between different methods to maintain their foothold is indicative of their ability to continuously refine their techniques to evade detection.

SafeBreach Coverage of PlugX Worm

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this malware: 

• #10368 – Write PlugX (77a292) worm to disk (HOST_LEVEL) 
• #10369 – Transfer of PlugX (77a292) worm over HTTP/S (LATERAL_MOVEMENT)
• #10370 – Transfer of PlugX (77a292) worm over HTTP/S (INFILTRATION) 
• #10371 – Email PlugX (77a292) worm as a compressed attachment (LATERAL_MOVEMENT) 
• #10372 – Email PlugX (77a292) worm as a compressed attachment (INFILTRATION)

PHP Vulnerability CVE-2024-4577 : What You Need to Know

Threat researchers from Imperva have identified threat actors leveraging CVE-2024-4577, a PHP vulnerability to deliver malware, including the “TellYouThePass” ransomware. Threat actors used a known exploit for CVE-2024-3577 to execute arbitrary PHP code on the victim network. They did so by leveraging the “system” function to run an HTML application file that was hosted on an attacker-controlled web server via the mshta.exe binary. The use of the “mshta.exe” binary highlights the attackers’ sophistication and their use of “living off the land” techniques.

Upon initial execution, the sample sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection. The callback masquerades as a request to retrieve CSS resources, likely designed to evade detection. The binary then enumerates directories, kills processes, generates encryption keys and encrypts files within each enumerated directory that has a defined file extension. Finally, the malware then publishes a ReadMe message in the web root directory as “READ_ME10.html”, containing the details required to “TellYouThePass”.

SafeBreach Coverage of CVE-2024-4577

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this vulnerability: 

• #10357 – Remote exploitation of CVE-2024-4577 (WAF) (INFILTRATION) 

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.