The alert was issued jointly by the FBI, CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since LockBit ransomware emerged in 2019, its operators have invested in dedicated technical resources to develop and refine the malware, issuing two major updates: LockBit 2.0 in mid-2021 and LockBit 3.0 in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.
"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert.
Additionally, the ransomware is designed to infect only machines whose language settings do not match an exclusion list, which includes Tatar (Russia), Arabic (Syria), and Romanian (Moldova). Initial access to the victim's network is gained through Remote Desktop Protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.
Before starting the encryption routine, the malware first attempts to establish persistence, escalate privileges, move laterally, and purge log files, the contents of the Windows Recycle Bin, and volume shadow copies.
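The pre-encryption behaviour described above (shadow copy deletion, event log clearing, Recycle Bin purging) is noisy in process-creation telemetry, which makes it a good place for defenders to look. The following is an added example, not part of the advisory or the original article: a small Python scanner that runs a handful of detection rules over constructed Sysmon-style process-creation events (flattened here to `timestamp|host|image|command line`) and then correlates by host, since one `vssadmin delete shadows` may be an administrator but several pre-encryption stages on the same host within minutes rarely are. The log format, the rule names and the sample events are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to "timestamp|host|image|command line" for this example).
SAMPLE_EVENTS = [
    "2023-03-16T10:01:02Z|ws01|C:\\Windows\\explorer.exe|explorer.exe",
    "2023-03-16T10:02:10Z|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2023-03-16T10:02:11Z|ws01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2023-03-16T10:02:15Z|ws01|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security",
    "2023-03-16T10:02:16Z|ws01|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl System",
    "2023-03-16T10:02:30Z|ws01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c rd /s /q C:\\$Recycle.Bin",
    "2023-03-16T10:05:00Z|ws02|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

# Assumed detection rules, one per pre-encryption stage named in the advisory.
# The patterns are deliberately narrow; tune them to your own telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "recycle_bin_purge": re.compile(
        r"rd\s+/s\s+/q\s+\S*\$recycle\.bin|Remove-Item\s+\S*\$Recycle\.Bin", re.I),
}


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    command: str


def parse_event(line):
    """Split one flattened event line into its fields (assumed format)."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"timestamp": ts, "host": host, "image": image, "cmdline": cmdline}


def scan_events(lines):
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["timestamp"], ev["host"], name, ev["cmdline"]))
    return findings


def hosts_with_multiple_stages(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.

    A single matching command can be legitimate administration; several
    distinct pre-encryption stages on one host is the pattern worth paging on.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp} {h.host} [{h.rule}] {h.command}")
    print("escalate:", hosts_with_multiple_stages(hits))
```

On the constructed sample the scanner produces five findings, all on `ws01`, and that host is the only one escalated; the `vssadmin list shadows` event on `ws02` is read-only and correctly does not fire.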
"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said.
One of the defining attributes of the attacks is the use of a custom exfiltration tool, StealBit, which the LockBit group provides to its affiliates for double extortion.
The LockBit ransomware strain has been used against at least 1,000 victims worldwide, according to a November report from the US Department of Justice, netting the group over $100 million in illicit proceeds.
Dragos, an industrial cybersecurity firm, reported earlier this year that LockBit ransomware was responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 such incidents. The food and beverage and manufacturing sectors bore the brunt of these attacks.
In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022.
Despite LockBit's prolific attack campaign, the ransomware gang suffered a severe setback in late September 2022 when a disgruntled LockBit developer leaked the builder for LockBit 3.0, raising concerns that other criminal actors would seize on it to produce their own variants.
The advisory comes months after antivirus company Avast released a free decryptor in January 2023, at a time when the BianLian ransomware group had shifted its focus from encrypting victims' files to pure data-theft extortion.
In a similar development, Kaspersky has released a free decryptor to help victims whose data was encrypted by a ransomware variant based on the Conti source code, which leaked after Russia's invasion of Ukraine last year caused internal strife among the core members.
"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."
In today's world, a cybercriminal can steal data and money with the help of many kinds of malware, including keyloggers.
Snake Keylogger is a well-known example of this kind of malware. But where did Snake Keylogger come from, how does it operate, and how can you get rid of it? Here is all you need to know about Snake Keylogger.
In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general.
A keylogger is a malicious program that records keystrokes. If your device is infected, the keylogger captures everything you type on the keyboard, including passwords, text messages, payment information, and just about anything else. Snake Keylogger itself is a modular malware program built on the .NET developer platform.
Through this logging, the operator controlling the program can see what a user is typing on their device and can even take screenshots, giving them an opportunity to steal a large amount of data.
Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, a dangerous product that may be purchased on malicious markets like hacking forums, poses a threat to both individuals and companies.
Snake Keylogger usually spreads through phishing campaigns that target victims with malicious mail. It can also be delivered via spear phishing, where specific victims are targeted for specific goals. When Snake Keylogger is sent to a potential victim, it is enclosed in an attachment.
Once received, the user is asked to open a DOCX file. This file may contain a malicious macro that launches Snake Keylogger. If the recipient runs a version of Microsoft Office with unpatched security vulnerabilities, the malware may exploit them to infect the device. The same applies to PDF readers.
The malware is capable of accessing the recorded data and transferring it to the attacker, who can exploit it further. The data can be used directly (for example, to break into bank accounts with stolen credentials) or sold to other threat actors in illicit marketplaces on the dark web.
Another reason Snake Keylogger poses a threat is its ability to evade antivirus protection, which is usually the first line of defense for most devices. In many cases, antivirus is a device's only protection, so if Snake Keylogger succeeds in evading it and nothing else is in place, the targeted device can quickly be infected and exploited.
To avoid Snake Keylogger, one can opt for a number of measures:
In the world of cybersecurity, it is not uncommon for attackers to use multiple tactics to evade detection and carry out their malicious activities. The SYS01 campaign is a prime example of this. This campaign is known for using multiple attack evasion tactics to stay under the radar and avoid detection. In this blog post, we will explore the various tactics used by the SYS01 campaign and how they contribute to the campaign's success.
Firstly, let's understand what the SYS01 campaign is. The SYS01 campaign is a cyber espionage campaign that has been active since at least 2013. The campaign primarily targets government and military organizations in Southeast Asia, specifically in the Philippines, Taiwan, and Vietnam. The attackers behind the campaign are believed to be a Chinese state-sponsored group known as APT10.
One of the primary attack evasion tactics used by the SYS01 campaign is the use of multiple malware families. Rather than relying on a single malware family to carry out their attacks, the attackers use a variety of different malware families. This makes it much more difficult for defenders to detect and block the attacks, as they need to be aware of and able to detect multiple different types of malware.
Another tactic used by the SYS01 campaign is the use of fileless malware. Fileless malware is a type of malware that does not rely on files or executables on disk to carry out its activities. Instead, it operates entirely in memory, making it much more difficult to detect and remove. The attackers behind the SYS01 campaign use fileless malware to avoid leaving a trail of evidence on the victim's system.
The SYS01 campaign also uses steganography to conceal its activities. Steganography is the practice of hiding information within another file, such as an image or document. The attackers use steganography to hide their malware within benign files, making it more difficult for defenders to detect the malware.
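One concrete way steganographic payloads hide inside "benign" image files is by appending data after the image's formal end, which image viewers silently ignore. The following is an added example, not from the original post or any SYS01 report: a Python checker that walks a PNG's chunk list, verifies every chunk CRC, reports non-standard chunk types, and measures how many bytes follow the IEND chunk. The sample PNG is constructed inline (a 1x1 grayscale image) so the script runs offline; the helper names and the appended filler bytes are assumptions made for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def _chunk(chunk_type, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_minimal_png(extra_chunks=()):
    """Constructed 1x1 grayscale PNG used as sample input (not a real-world file).

    `extra_chunks` is a sequence of (type, data) pairs inserted before IEND,
    which lets the example also show a non-standard chunk being flagged.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one grey pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"")


def inspect_png(blob):
    """Walk the chunk list and report CRC status, unknown chunks and trailing bytes."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks, unknown = [], []
    crc_ok = True
    iend_end = None
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        if pos + 12 + length > len(blob):
            raise ValueError("truncated chunk")
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != stored_crc:
            crc_ok = False
        name = ctype.decode("ascii", "replace")
        chunks.append(name)
        if name not in KNOWN_CHUNKS:
            unknown.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            iend_end = pos
            break
    if iend_end is None:
        raise ValueError("no IEND chunk found")
    return {
        "chunks": chunks,
        "unknown_chunks": unknown,
        "crc_ok": crc_ok,
        "iend_end": iend_end,
        "trailing_bytes": len(blob) - iend_end,
    }


def is_suspicious(blob):
    """True when the file carries data after IEND or uses non-standard chunks."""
    info = inspect_png(blob)
    return info["trailing_bytes"] > 0 or bool(info["unknown_chunks"])


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed "hidden payload": 40 filler bytes appended after IEND.
    appended = clean + b"X" * 40
    custom = build_minimal_png(extra_chunks=[(b"stEg", b"hello")])
    for label, blob in (("clean", clean), ("appended", appended), ("custom chunk", custom)):
        print(label, inspect_png(blob), "suspicious" if is_suspicious(blob) else "ok")
```

Trailing data and unknown ancillary chunks are two cheap signals, not a complete steganalysis: a payload hidden in pixel least-significant bits leaves the chunk structure intact, so this check belongs beside entropy and size-versus-dimensions heuristics rather than in place of them.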
In addition to these tactics, the SYS01 campaign also uses advanced obfuscation techniques to make its malware more difficult to analyze. For example, the attackers may use code obfuscation to make it harder for analysts to understand the code and how it works. They may also use encryption to protect the malware from analysis.
Another evasion tactic used by the SYS01 campaign is the use of spear-phishing attacks. Spear-phishing is a targeted phishing attack that is designed to trick a specific individual into providing sensitive information or installing malware. The attackers behind the SYS01 campaign use spear-phishing attacks to target specific individuals within their target organizations, making it more difficult for defenders to detect the attacks.
Finally, the attackers behind the SYS01 campaign use command-and-control (C2) servers that are difficult to detect and block. C2 servers are used by attackers to communicate with their malware and control it remotely. The SYS01 campaign uses C2 servers that are located in countries that have lax cybersecurity laws and regulations, making it more difficult for defenders to block the traffic to these servers.
In conclusion, the SYS01 campaign is a prime example of how attackers use multiple tactics to evade detection and carry out their malicious activities. The campaign uses multiple malware families, fileless malware, steganography, obfuscation techniques, spear-phishing attacks, and difficult-to-detect C2 servers to avoid detection and stay under the radar. Defenders need to be aware of these tactics and have the tools and knowledge to detect and block them to protect their organizations from these types of attacks.
ESET researchers have identified one of the payloads of the Wslink downloader, which experts first discovered in 2021. The payload is named WinorDLL64 after its filename. Wslink, a loader for Windows binaries, differs from other loaders in that it runs as a server and executes retrieved modules in memory.
As the name suggests, a loader serves as a tool to launch the payload or malware on the infected system. Experts have not yet identified the initial Wslink compromise vector. WinorDLL64 is delivered by the Wslink malware downloader. These tools may be linked to the infamous North Korea-based APT group Lazarus.
WinorDLL64 is a backdoor that was first found by cybersecurity experts in 2019. It is a 64-bit variant of the original Winor backdoor, which the Lazarus group used in its previous attacks. WinorDLL64 is built to be highly deceptive, which makes it difficult for experts to identify.
WinorDLL64 is usually distributed via spear-phishing emails or malicious downloads. Once it compromises a system, it establishes a backdoor that lets threat actors remotely access and control the affected system. It is built to avoid detection using a number of techniques, including encrypting its communications and concealing its presence on the system.
WeLiveSecurity by ESET reports "active since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA."
WinorDLL64 is a highly advanced backdoor that gives threat actors full control over the compromised system. They can steal sensitive information, deploy additional malware, and carry out other malicious activities while evading detection. The dangers associated with WinorDLL64 are significant, especially for companies that depend on sensitive data or critical systems.
As with any malware, prevention is fundamental to defending against WinorDLL64. Companies can take a number of measures to reduce the chance of compromise. These include:
Familiarizing employees with the dangers of phishing emails and inspiring them to be careful while opening attachments or suspicious links.
Maintaining software and security systems up-to-date to make sure all vulnerabilities are patched.
Enforcing two-factor authentication and other login controls to reduce the damage from cyberattacks.
Daily monitoring of network activity and system logs for any hints of malicious behavior.
Using a trusted anti-malware solution that can find and stop WinorDLL64 and various kinds of malware.
In summary, WinorDLL64 is a highly effective backdoor that poses a significant threat to companies. It is believed to be the work of the North Korean hacking group Lazarus and is designed to evade detection and give attackers complete control over an infected system. Organizations can take various measures to defend against WinorDLL64, including educating employees, keeping software up to date, enforcing access controls, monitoring network activity, and using anti-malware software. With a proactive approach to cybersecurity, companies can lower the risk of a successful cyber attack and safeguard their critical systems and data.