Ransomware/Malware Activity
AceCryptor Malware-Packer Has Been Detected in Over 240,000 Attacks
AceCryptor, a prominent crypter malware that has been used to pack a handful of malware strains since 2016, has been detected 240,000 times between 2021 and 2022, accumulating over 10,000 hits per month. Unlike packers that use compression to obfuscate code, crypters use encryption to enhance stealth and increase the difficulty of reverse engineering. Researchers found that AceCryptor contained prominent malware families including SmokeLoader, RedLine Stealer RanumBot, Racoon Stealer, Stop ransomware, Amadey, and more. AceCryptor is sold to threat actors in a crypter-as-a-service (CaaS) format, and it has been observed being used to propagate a wide host of malware families by a multitude of threat actors. It can be both time-consuming and technically difficult for threat actors to maintain their own crypters that are difficult to detect, leading crimeware threat actors to seek CaaS options to pack malware. AceCryptor is heavily obfuscated with a three-layer architecture that decrypts and unpacks at each stage to eventually launch the payload and contains anti-VM, anti-debugging, and anti-analysis features to help avoid detection. AceCryptor’s malware is delivered using trojanized installers of pirated software, malicious links embedded in phishing emails, or with the help of other malware that has already compromised a host.
Threat Actor Activity
Threat Actor Tied to Tortoiseshell Compromises Israeli Websites, Steals User Information
A nation-state actor believed to be associated with the Tortoiseshell threat organization has conducted several cyber-attacks against Israeli websites. Tortoiseshell, also tracked as Crimson Sandstorm, is an Iran-based APT group conducting malicious activities throughout the Middle East, as well as targeting key United States officials within the government, military, and political atmosphere. One of the group’s most regarded tactics includes the use of detailed personas to lure individuals into social engineering compromises. In this most recent operation, a Tortoiseshell actor targeted eight (8) Israeli-related websites with a watering hole attack, which is a form of attack where websites frequently visited by a group of users are infected with malicious code. These websites reached across several industries including shipping and receiving, financial services, restaurant suppliers, medical, and supply importing. The threat actor was able to inject a block of malicious Javascript code allowing for the passive collection of digital footprint data of visiting users, including the user’s operating system, IP address, screen resolution, and redirection URL. Attribution to the Tortoiseshell group originates with the main typosquatted domain utilized in the attack and the usage of jQuery framework, Metaspolit, and Browser Exploitation Framework Project. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Adds Critical Barracuda Networks ESG Vulnerability to their Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical vulnerability affecting Barracuda Networks devices to their Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies apply the update by no later than June 16, 2023. The flaw tracked as CVE-2023-2868, is an improper input validation bug in Barracuda Networks' Email Security Gateway (ESG) appliances, stemming from a failure to properly sanitize .tar file archives. A threat actor could exploit this vulnerability by providing a maliciously crafted .tar file to conduct remote code execution (RCE) with the privileges of the ESG product. Barracuda Networks is a very popular company and serves more than 200,000 customers across the world. The CISA advisory states that these types of vulnerabilities “are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” Barracuda Networks has stated that any users who they believe were impacted by the exploitation of this vulnerability have been notified and given actions to take to mitigate the damage. Barracuda Networks sent out automatic patches on May 20 and 21, and CTIX analysts recommend that any administrators responsible for these devices ensure that they have been patched.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
