Researchers Observed New Capability in ALPHV Ransomware Involving Malicious Windows Kernel Drivers
The ALPHV (aka BlackCat) ransomware was observed in February 2023 using a new capability that correlates with activity detailed in three (3) reports published in late 2022. Those reports described "malicious kernel drivers being signed through Microsoft hardware developer accounts" in a range of cyberattacks, including ransomware incidents. Researchers noted that the capability, a malware dubbed "POORTRY," was used during the defense-evasion phase of the attack and was an updated version that "inherited the main functionality from the samples disclosed in previous research"; the threat actor first attempted to deploy a kernel driver that had already been identified in December 2022. The updated POORTRY driver supports the following commands: activating and deactivating the driver, killing any user-mode process, deleting specific file paths, copying files, force-deleting files, force-copying files, registering and unregistering process and thread notification callbacks, and rebooting the system. The process and thread notification callback commands were still in development and not working as of May 22, 2023. Because the driver runs in the kernel, it can terminate user-mode security processes that ordinary user-mode malware cannot touch, and because it carries a valid signature, a code-signing check by itself will not flag it; defenders need to look at where a driver was loaded from and whether it is new to the host. The same driver was previously used by UNC3944 (aka 0ktapus and Scattered Spider) to bypass detection, so a loose link between the two (2) threat groups is suspected. Researchers emphasized that ALPHV affiliates have "a high level of interest in gaining privileged-level access for the ransomware payloads they use in their attacks" and that kernel-based threats are most commonly observed in advanced persistent threat (APT) espionage malware and ransomware. CTIX analysts will continue to monitor ALPHV's activity and advancements as it evolves. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the reports linked below.
- Bleeping Computer: ALPHV Ransomware's New Capability Article
- Trend Micro: ALPHV Ransomware's New Capability Report
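The checks a defender would run against this kind of driver abuse, as an added example that is not code from the report or from Trend Micro: a small Python triage over constructed records in the text form Sysmon writes for Event ID 6 (DriverLoad). The file names, hashes and timestamps are made up, and the per-host baseline is a hypothetical allowlist of known-good driver hashes. It illustrates the point above: a driver signed through a hardware developer account shows "Signed: true" and "SignatureStatus: Valid", so the signature check passes it, and only the load-path and baseline checks flag it.

```python
"""Triage of Windows driver-load telemetry for kernel drivers that do not
belong on a host.  Added example, not code from the Ankura or Trend Micro
reports; the events, file names and hashes below are constructed to mimic
the text form of Sysmon Event ID 6 (DriverLoad) records."""
import re
from dataclasses import dataclass

# Constructed sample telemetry.  The second record is the case the report
# warns about: a driver outside the driver store whose signature verifies
# (WHCP-signed drivers carry the "Microsoft Windows Hardware Compatibility
# Publisher" signer), so a signature check alone passes it.
SAMPLE_EVENTS = """\
Driver loaded:
RuleName: -
UtcTime: 2023-05-22 09:14:01.120
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256={h1}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2023-05-22 09:15:44.903
ImageLoaded: C:\\Users\\Public\\upd.sys
Hashes: SHA256={h2}
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2023-05-22 09:16:02.001
ImageLoaded: C:\\Windows\\Temp\\mon.sys
Hashes: SHA256={h3}
Signed: false
Signature: -
SignatureStatus: Unavailable
""".format(h1="1" * 64, h2="2" * 64, h3="3" * 64)

# Hypothetical per-host baseline: SHA256 of every driver present on a
# known-good build of the same image.  Only tcpip.sys from the sample is in it.
BASELINE = {"1" * 64}

TRUSTED_ROOTS = ("c:\\windows\\system32\\drivers\\",
                 "c:\\windows\\system32\\driverstore\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class DriverLoad:
    image_loaded: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_events(text):
    """Split Sysmon-style 'Key: Value' text into DriverLoad records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if "ImageLoaded" not in fields:
            continue
        match = re.search(r"SHA256=([0-9A-Fa-f]{64})", fields.get("Hashes", ""))
        events.append(DriverLoad(
            image_loaded=fields["ImageLoaded"],
            sha256=match.group(1).lower() if match else "",
            signed=fields.get("Signed", "").lower() == "true",
            signature=fields.get("Signature", ""),
            signature_status=fields.get("SignatureStatus", ""),
        ))
    return events


def triage(event, baseline):
    """Return the reasons a driver load deserves a look (empty if none)."""
    reasons = []
    path = event.image_loaded.lower()
    if not event.signed or event.signature_status.lower() != "valid":
        reasons.append("unsigned or signature not valid")
    if path.startswith(USER_WRITABLE):
        reasons.append("loaded from user-writable directory")
    elif not path.startswith(TRUSTED_ROOTS):
        reasons.append("loaded from outside the driver store")
    # The baseline is what catches a validly signed driver that simply
    # should not be on this host; path and signature checks are bypassable.
    if event.sha256 not in baseline:
        reasons.append("hash not in host driver baseline")
    return reasons


def find_suspicious(text, baseline):
    """Map each flagged driver path to its list of reasons."""
    findings = {}
    for event in parse_events(text):
        reasons = triage(event, baseline)
        if reasons:
            findings[event.image_loaded] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS, BASELINE).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Run as-is it prints the two constructed bad loads and stays silent on tcpip.sys. In practice the input is the message text of exported Sysmon Event ID 6 records (or the equivalent EDR driver-load event), and the baseline is built from the driver hashes of a golden image, so that a newly loaded driver with a perfectly valid signature is still surfaced for review.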
Threat Actor Activity
FIN7 Deploys Cl0p Ransomware in Latest Attacks
FIN7 is known throughout the threat landscape as a longstanding, financially motivated group that frequently targets the United States. The group has used a variety of ransomware families in its attacks, including those developed by the REvil and Maze operations. Recent activity shows that FIN7 actors have adopted the Cl0p ransomware for deployment during their intrusions. Current attacks begin with "POWERTRASH," an obfuscated PowerShell-based dropper that loads its payload in memory, as the first stage. In the second stage, the post-exploitation tool codenamed "Lizar" is executed on the compromised system to provide remote access into the victim environment, from which the operators move laterally within the network and spread the Cl0p ransomware. Aside from Cl0p, security researchers note that additional ransomware strains such as "Bl00dy" and "LockBit" have been used in FIN7 attacks. This activity shows that FIN7 continues to operate despite the arrest and sentencing of several key members. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Apple Device Vulnerabilities Likely Being Exploited by State-Affiliated Threat Actors to Deliver Spyware
Apple has released emergency security updates for iOS and iPadOS, macOS, tvOS, and watchOS (along with Safari 16.5 for older macOS releases) that patch three (3) zero-day vulnerabilities in the WebKit browser engine. According to researchers, there are indications that the flaws are being exploited in highly targeted attacks by state-sponsored threat actors to deliver spyware to the mobile devices of high-profile individuals such as politicians, journalists, and dissidents. The first vulnerability, tracked as CVE-2023-28204, is an out-of-bounds read that may disclose sensitive information when the browser processes crafted web content. CVE-2023-32373 is a use-after-free that could allow arbitrary code execution through the processing of maliciously crafted web content; Apple first addressed both of these in the Rapid Security Response released earlier in May before shipping them in full updates. The third flaw, tracked as CVE-2023-32409, is a sandbox escape that could allow a remote attacker to break out of the Web Content sandbox and reach the host and other processes. The three bug classes correspond to the usual stages of a browser-based exploit chain (information leak, code execution, sandbox escape), although Apple has not said whether they were used together. Although Apple has stated that it is aware that these zero-days may be under active exploitation, it did not disclose any technical information regarding the attacks or the threat actors who may be exploiting them. Note that third-party browsers on iOS and iPadOS are built on WebKit and are therefore affected as well, so switching browsers is not a mitigation. These flaws have been fixed, and CTIX analysts recommend all Apple product users ensure that their devices are running the most up-to-date software to prevent exploitation.
- Bleeping Computer: Apple Webkit Vulnerabilities Article
- The Hacker News: Apple Webkit Vulnerabilities Article
- Apple: Patch Advisory
Researchers Infiltrate Qilin Ransomware Group, Gaining Insight into How the Gang Functions
Cybersecurity researchers have managed to infiltrate the Qilin ransomware group, shedding light on the prosperous underworld of cybercrime. Qilin, also known as "Agenda," is a ransomware-as-a-service (RaaS) group that was founded in July 2022 and has attacked twelve (12) organizations across the globe, with its primary victims in healthcare, technology, education, and critical infrastructure. The group explicitly abstains from attacking Russia and several of its neighbors. Within the RaaS operation, the group's core members recruit affiliates to identify targets of interest and stage the attacks. Researchers found that "many Qilin ransomware attacks are customized for each victim to maximize their impact." An administrative panel helps oversee and coordinate operations, dividing the work into sections for targets, blogs, stuffers (the panel's term for affiliates), news, payments, and FAQs. Attacks carried out by Qilin typically begin with phishing emails containing malicious links that provide access to the victim's servers; once access is gained, sensitive data is exfiltrated and then encrypted. Researchers uncovered that affiliates keep 80% of ransom payments, rising to 85% when a payment exceeds $3 million, a share significantly higher than in other RaaS programs such as REvil's, where affiliates took home 60% to 70% of the ransom payment. While the researchers did not disclose how or when they gained access to Qilin's RaaS program, their findings offer an interesting look at how the gang functions and rewards affiliates for attacks. CTIX analysts will continue monitoring the evolving ransomware landscape.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.