
Emotet Recurs: Avoids Macro Security Using OneNote Attachments

 

Microsoft OneNote email attachments are now being used to spread the infamous Emotet malware, which is making a brief comeback. Delivering the malware inside a OneNote file lets it sidestep macro-based security restrictions on the way to compromising systems. 

Despite attempts by law enforcement to neutralise it, Emotet, connected to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, remains a formidable and tenacious menace. 

Emotet is a variant of the banking worm Cridex, which was later replaced by Dridex around the time GameOver Zeus was shut down in 2014. Since then, Emotet has developed into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion."

While Emotet infections served as a conduit for Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its reappearance in late 2021 was made possible by TrickBot. 

"Emotet is renowned for extended periods of inactivity, which often occur numerous times per year, during which the botnet maintains a steady-state but does not send spam or malware," Secureworks writes in its profile of the actor. 

The dropper malware is typically disseminated via spam emails carrying malicious attachments. Nevertheless, with Microsoft now blocking macros in Word files downloaded from the internet, OneNote attachments have emerged as an intriguing alternative avenue.

"The OneNote file is basic but effective at social engineering users with a bogus message claiming that the document is protected," Malwarebytes explained in a new alert. "Victims will accidentally double-click on an embedded script file when told to double-click on the View button." 

The Windows Script File (WSF) retrieves the Emotet binary payload from a remote server and runs it. Cyble, IBM X-Force, and Palo Alto Networks Unit 42 have all reported findings consistent with this. Nonetheless, Emotet still makes use of booby-trapped documents with malicious macros to spread its payload, luring users with social engineering tricks into enabling the macros that start the attack cycle. 

According to several reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro, such documents have been seen using a method known as a "decompression bomb": an extremely large file (more than 550 MB) is hidden inside a ZIP archive attachment so that it goes unnoticed.

This is accomplished by padding the end of the document with 00-bytes, artificially inflating the file size past the size limits that anti-malware programmes are willing to scan.
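The padding described above leaves two fingerprints that a mail gateway or an analyst script can check cheaply: a ZIP member whose uncompressed size dwarfs its compressed size, and a member whose tail is one long run of null bytes. The following is an added example written for this page, not code from any of the vendors cited; the thresholds, the 1 MB minimum size, and the 4 MB sample archive are all assumptions chosen for the demonstration (the real samples were over 550 MB).

```python
import io
import zipfile

# Thresholds are assumptions chosen for this example, not values from the reports.
MIN_RATIO = 50                 # uncompressed size / compressed size
MIN_TAIL_ZERO_FRACTION = 0.5   # share of the member that is trailing 0x00 bytes
MIN_SIZE = 1_000_000           # only members at least this large (bytes) are judged


def trailing_zero_fraction(data: bytes) -> float:
    """Fraction of the buffer occupied by a contiguous run of 0x00 at its end."""
    if not data:
        return 0.0
    stripped = data.rstrip(b"\x00")
    return (len(data) - len(stripped)) / len(data)


def inspect_zip(archive: bytes):
    """Return (member name, uncompressed size, reasons) for suspicious members.

    Sizes come from the central directory, so the ratio check costs nothing;
    the padding check reads the member, which is acceptable for a gateway
    that has already decided to scan the attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < MIN_SIZE:
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            with zf.open(info) as member:
                tail_zero = trailing_zero_fraction(member.read())
            reasons = []
            if ratio >= MIN_RATIO:
                reasons.append(f"compression ratio {ratio:.0f}:1")
            if tail_zero >= MIN_TAIL_ZERO_FRACTION:
                reasons.append(f"{tail_zero:.0%} trailing null padding")
            if reasons:
                findings.append((info.filename, info.file_size, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a tiny 'document' padded with 4 MB of null bytes
    (a scaled-down stand-in for the 550 MB files in the reports) next to an
    ordinary small text file for contrast."""
    padded = b"constructed dummy document body\n" + b"\x00" * 4_000_000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", padded)
        zf.writestr("readme.txt", b"ordinary attachment text\n" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, reasons in inspect_zip(build_sample_archive()):
        print(f"{name}: {size:,} bytes uncompressed; {'; '.join(reasons)}")
```

Both signals are deliberately independent: a padded file that is stored uncompressed would still fail the null-tail check, and a file bloated with compressible junk other than zeros would still fail the ratio check.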

The most recent development shows how adaptable and quick the operators are at adjusting attachment types for initial delivery in order to evade signature-based detection. It also coincides with a rise in the number of OneNote documents used by threat actors to disseminate a variety of malware, including AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm. 

Manufacturing, high-tech, telecom, finance, and energy are emerging as the top targeted sectors, according to Trellix, which claims that the majority of malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia.

LockBit 3.0 Ransomware: Inside the Million Dollar Cyberthreat


US government organizations have recently published a joint cybersecurity advisory stating the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) linked with the malicious LockBit 3.0 ransomware. 

The alert comes through the FBI, the CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in specific technical capabilities to develop and refine the malware, issuing two significant updates: LockBit 2.0, launched in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 

Additionally, the ransomware is designed to only infect computers whose language preferences do not match those on an exclusion list, which includes Tatar (Russia), Arabic (Syria), and Romanian (Moldova). The victim's network is accessed through remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to create persistence, increase privileges, perform lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of a custom exfiltration tool, known as StealBit, which the LockBit group makes available to affiliates for double extortion. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LockBit Incidents 

Dragos, an industrial cybersecurity firm, reported earlier this year that LockBit ransomware was responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 such incidents. Most of these attacks impacted the food and beverage and manufacturing sectors. 

In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the ransomware gang suffered a severe setback in late September 2022 when a dissatisfied LockBit developer leaked the builder code for LockBit 3.0, sparking concerns that other criminal actors would exploit the situation and produce their own variants. 

The advisory comes months after antivirus company Avast offered a free decryptor in January 2023, at a time when the BianLian ransomware organization had switched its emphasis from encrypting its victims' files to straightforward data-theft extortion. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data has been encrypted by a ransomware variant based on the Conti source code, which leaked after Russia's invasion of Ukraine last year caused internal strife among the gang's core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Threat Actors Exploit Adobe Acrobat Sign to Propagate Redline Info-Stealing Malware

 

Cybercriminals are exploiting Adobe Acrobat Sign, an online document signing service, to trick users into downloading malware that steals their personal information. 

The service is being misused to send malicious emails that appear to come from the software company, getting around security measures and duping users into believing the email they received is legitimate. 

The practice of misusing legitimate services is not new: abuse of Google Docs comments, PayPal invoicing, and other platforms are recent examples. Researchers at Avast alerted the public to this new cybercrime trend and cautioned that it is effective at evading security measures and deceiving targets. 

Exploiting legitimate services 

Adobe Acrobat Sign is a cloud-based e-signature service that allows users to send, sign, track, and manage electronic signatures for free. Threat actors register with the service and use it to send messages to targeted email addresses that contain a link to a document published on Adobe's servers ("eu1.documents.adobe.com/public/"). 

The documents include a link to a website that asks visitors to complete a CAPTCHA in order to add authenticity before serving them a ZIP archive containing a copy of the Redline information stealer. Redline is a dangerous spyware that can steal account credentials, cryptocurrency wallets, credit cards, and other data from a compromised device. 

Avast has also detected highly targeted attacks using this strategy, such as one in which the victim had a popular YouTube channel with a large number of subscribers. 

After clicking the link in the specially crafted email sent via Adobe Acrobat Sign, the victim was taken to a document alleging music copyright infringement, a popular and credible lure for YouTube channel owners. 

This time, the document was hosted on dochub.com, a well-known online document-signing site. The document's link points to the same CAPTCHA-protected website where a download of Redline is made available. In this instance, however, the ZIP file also included a number of harmless executables from the GTA V game, probably in an effort to confuse antivirus programmes. 

Additionally, according to Avast, the Redline payload in both instances was artificially inflated to 400MB to evade antivirus scanning; recent phishing attacks delivering the Emotet malware employed the same technique. Phishing actors are continually looking for legitimate services that can be misused to deliver their malicious emails, as these services improve inbox delivery and phishing success rates. 

Avast has shared its findings with Adobe and Dochub.com, and it is hoped that the two services will find a way to deter malware operators from abusing them.

Korea University Disclosed a Potential Covert Channel Attack

The School of Cyber Security at Korea University in Seoul has developed a novel covert channel attack called CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits per second. 

What is CASPER?

Casper is a 'recognition tool,' built to characterize its targets and decide whether or not to keep tracking them. Prior to introducing more advanced persistent malware into the targeted systems for espionage, the Casper surveillance virus was employed as a starting point.

Data leak

As with nearly all covert channel attacks against network-isolated systems, the target must first be infected with malware, either by a rogue employee or by an attacker with physical access.

Researchers have previously built attacks that use external speakers. External speakers, however, are unlikely to be present on air-gapped, network-isolated systems deployed in sensitive settings like government networks, energy infrastructure, and weapon control systems.

The malicious software has the ability to search the target's filesystem on its own, find files or data formats that match a hardcoded list, and make an exfiltration attempt.

Keylogging is a more realistic option and is better suited to such a slow data transmission rate. The malware encodes the information to be stolen as binary or Morse code and transmits it through the internal speaker using frequency modulation, producing inaudible ultrasound between 17 kHz and 20 kHz.

The researchers tested the proposed model using a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04-based Linux computer as the target. Both were running a simple recorder application with a sampling frequency of up to 20 kHz.

In the Morse code study, the researchers employed 18 kHz for dots and 19 kHz for dashes, with a length per bit of 100 ms. The smartphone, 50 cm away, was able to interpret the word 'covert' that was sent. In the binary data study, each bit had a length of 50 ms and was transferred at a frequency of 18 kHz for zeros and 19 kHz for ones. Overall, the experimental findings demonstrate that the length per bit affects the bit error rate, and a maximum reliable transmission rate of 20 bits/s is possible when the length per bit is 50 ms.

At this data transfer rate, a standard 8-character password could be transmitted by the malware in around 3 seconds, while a 2048-bit RSA key could be transmitted in roughly 100 seconds. Even under ideal conditions and with no interruptions, anything larger than that, such as a small 10 KB file, would take longer than an hour to leave the air-gapped system.
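To make the numbers above concrete, here is an added example (written for this page, not the Korea University code) that simulates the binary study's scheme in pure Python: 18 kHz for a zero, 19 kHz for a one, 50 ms per bit, with a Goertzel-filter receiver that recovers the bits. It also includes the detector-side check a monitoring tool would run on microphone input, flagging frames whose energy sits almost entirely at those two tones, and the transfer-time arithmetic behind the 3 s, 100 s and over-an-hour figures. Assumptions not taken from the page: a 48 kHz synthetic sample rate, plain 8-bit ASCII framing with no preamble or error correction, and a 50% energy-dominance threshold for the detector. No audio is played or recorded; everything operates on constructed sample arrays.

```python
import math

SAMPLE_RATE = 48_000            # assumed for the simulation, not from the paper
F_ZERO, F_ONE = 18_000, 19_000  # tone frequencies reported for the binary study
BIT_SECONDS = 0.050             # 50 ms per bit, the fastest reliable setting reported
FRAME = int(SAMPLE_RATE * BIT_SECONDS)   # 2400 samples per bit


def text_to_bits(text: str):
    """ASCII, MSB first. Constructed framing: no preamble, no error correction."""
    return [(byte >> i) & 1 for byte in text.encode("ascii") for i in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return out.decode("ascii", errors="replace")


def modulate(bits):
    """Binary FSK: one pure tone per bit, phase restarted at every bit boundary."""
    samples = []
    for bit in bits:
        freq = F_ONE if bit else F_ZERO
        samples.extend(math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n in range(FRAME))
    return samples


def goertzel_power(frame, freq):
    """Squared DFT magnitude at the bin nearest `freq` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Receiver: per bit-length frame, whichever tone carries more energy wins."""
    bits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        bits.append(1 if goertzel_power(frame, F_ONE) > goertzel_power(frame, F_ZERO) else 0)
    return bits


def ultrasonic_frame_fraction(samples, threshold=0.5):
    """Detector view: fraction of frames whose energy is mostly at 18/19 kHz.

    A unit-amplitude tone on an exact bin has Goertzel power (N/2)^2, so
    dividing by that gives amplitude^2; its mean square is amplitude^2/2."""
    flagged = total = 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        mean_square = sum(x * x for x in frame) / FRAME
        total += 1
        if mean_square == 0:
            continue
        peak = max(goertzel_power(frame, F_ZERO), goertzel_power(frame, F_ONE)) / (FRAME * FRAME / 4)
        if peak / (2 * mean_square) >= threshold:
            flagged += 1
    return flagged / total if total else 0.0


def seconds_to_exfiltrate(n_bits, bits_per_second=20):
    """Transfer time at the reported 20 bit/s ceiling."""
    return n_bits / bits_per_second


def audible_tone(freq=1_000, seconds=0.5):
    """Constructed benign audio for contrast: an ordinary audible tone."""
    return [math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n in range(int(SAMPLE_RATE * seconds))]


if __name__ == "__main__":
    signal = modulate(text_to_bits("covert"))
    print("decoded:", bits_to_text(demodulate(signal)))
    print("ultrasonic frames (covert signal):", ultrasonic_frame_fraction(signal))
    print("ultrasonic frames (1 kHz tone):", ultrasonic_frame_fraction(audible_tone()))
    print("8-char password:", seconds_to_exfiltrate(64), "s;",
          "2048-bit key:", seconds_to_exfiltrate(2048), "s;",
          "10 KB file:", seconds_to_exfiltrate(10 * 1024 * 8) / 60, "min")
```

The detector check is what a software mitigation on the receiving or monitoring side would look for; it is the complement of the hardware mitigations (removing the speaker or filtering out ultrasonic output) that the researchers describe.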

"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.

The attack is limited since internal speakers can only emit sound in a single frequency band; using several frequency bands for simultaneous transmissions would be one way to raise the slow data rate. The simplest defense against the CASPER attack, the researchers note, is to turn off the internal speakers in mission-critical computers. Defenders could also apply a high-pass filter to keep all generated frequencies within the audible range, preventing ultrasonic transmissions. 

Here's all you Need to Know About Snake Keylogger


In this age of ever-evolving technology, crime that exploits it is also emerging at a larger scale. One of the most talked about and damaging cybercrimes is the data breach. 

In today's world, a cybercriminal is capable of stealing data and money with the help of a number of malware families, including keyloggers. 

Snake Keylogger is a well-known example of this kind of malware. But where did Snake Keylogger originate, how does it operate, and how can you get rid of it? Here is all you need to know about Snake Keylogger. 

What Is Snake Keylogger? 

In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general. 

A keylogger is a malicious program that logs keystrokes. If your device is infected, the keylogger will record anything you type on the keyboard, including passwords, text messages, payment information, and just about anything else. Snake Keylogger itself is a modular malware program built on the .NET developer platform. 

With this logging in place, the malicious operator gains control over the program, can see what a user is typing on his or her device, and can even take screenshots, giving them an opportunity to steal a great deal of data.  

Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, which may be purchased on illicit markets such as hacking forums, poses a threat to both individuals and companies.

How Does Snake Keylogger Operate? 

Snake Keylogger usually spreads through phishing campaigns, targeting victims with malicious mail. However, it can also be transmitted via spear phishing, where specific victims are targeted for specific goals. When Snake Keylogger is sent to a potential victim, it is enclosed in an attachment. 

Once received, the user is asked to open a DOCX file. This file may contain a malicious macro that launches Snake Keylogger. If the recipient's version of Microsoft Office has unpatched security vulnerabilities, the malware tends to exploit them to infect the device. The same approach can target PDF readers. 

The malware is capable of collecting the recorded data and transferring it to the attacker, who can exploit it further. The data can either be exploited directly (for example, by accessing bank accounts with stolen credentials) or sold to other threat actors in illicit marketplaces on the dark web. 

Another reason Snake Keylogger poses a threat is its ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, antivirus is the only protection a device has, so if Snake Keylogger evades it, the targeted device can easily and quickly be infected and exploited. 

How to Protect Yourself from Snake Keylogger? 

To avoid Snake Keylogger, one can opt for a number of measures: 

  • The first is by installing antivirus software on their devices. While Snake Keylogger can sometimes avoid detection by antivirus software, it is crucial to have a reliable and efficient antivirus provider installed on your devices in order to identify keyloggers and other types of malware. 
  • Additionally, one must always exercise caution when opening any email attachments, particularly those from unknown or dubious senders. The distribution of malware via attachments is fairly prevalent, and Snake Keylogger is only one of many examples. Consider passing an email attachment via an attachment scanner to identify any potential risks if you ever receive one from a sender you do not fully trust. 
  • To avoid fraudulent emails, one should make sure to enable their email provider’s spam filter. This way, the suspicious emails will be sent to a separate folder, rather than the main inbox. 
  • Moreover, one must ensure to frequently update their operating system as well as the installed apps. Since Snake Keylogger infects devices by exploiting software flaws, frequent updates will iron out these flaws, so that cybercriminals can no longer abuse the software.  

Qakbot Distributes Malware Through OneNote

There have been reports of a new wave of Qakbot campaigns using a novel method of distributing malware as part of the delivery process. The malware is known as Qakbot, though it also goes by several other names, such as Pinkslipbot and QuakBot. 

Research has found that Qakbot campaigns have been operating since 2007, and they are now using OneNote documents to reach victims. Infected systems are mined for sensitive data such as login credentials, financial data, and personal information. 

It has been observed that Qakbot has been used in recent years to distribute ransomware via other botnets, such as Emotet, which drops a secondary payload onto their botnets. 

In-Depth Discussion of the Subject

  • As part of these campaigns, malware is delivered using two attack vectors: one embeds a URL in the email that downloads the malicious file, and the other attaches the malicious file to the email directly. 
  • Documents in OneNote feature a call-to-action button that runs the payload associated with the document when clicked.  
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers. 
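The OneNote lures described here (Qakbot's embedded HTML application) and in the Emotet post above (an embedded Windows Script File behind a fake "View" button) both rely on a file object embedded in the notebook. The scanner below is an added example written for this page, not code from Sophos, Malwarebytes or any other vendor cited. It walks a .one section looking for FileDataStoreObject structures using the layout from the MS-ONE specification (a header GUID, an 8-byte length, 4 unused and 8 reserved bytes, then the file data); that GUID and those offsets are reproduced from memory and should be verified against the specification before the script is relied on. The sample section bytes are constructed inline and contain an inert HTA-style stub, not a real Qakbot or Emotet payload.

```python
import struct
import uuid

# FileDataStoreObject.guidHeader as given in MS-ONE (reproduced from memory;
# confirm against the specification). uuid.bytes_le yields the on-disk byte order.
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved

SCRIPT_TYPES = {"wsf-script", "html-or-hta", "batch-or-powershell", "pe-executable"}


def sniff(data: bytes) -> str:
    """Cheap content-type guess for an embedded object. Script-like content is
    what the click-to-run lures rely on, so that is what gets flagged."""
    head = data[:512].lstrip().lower()
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"\x89PNG"):
        return "png-image"
    if b"<job" in head or b"<package" in head:
        return "wsf-script"
    if any(tag in head for tag in (b"<hta:", b"<script", b"<html")):
        return "html-or-hta"
    if head.startswith((b"@echo", b"cmd", b"powershell")):
        return "batch-or-powershell"
    return "unknown"


def find_embedded_files(blob: bytes):
    """Return (data offset, size, type) for each FileDataStoreObject found."""
    found = []
    pos = blob.find(FILE_DATA_STORE_GUID)
    while pos != -1 and pos + HEADER_LEN <= len(blob):
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        payload = blob[start:start + size]
        found.append((start, size, sniff(payload)))
        pos = blob.find(FILE_DATA_STORE_GUID, start + size)
    return found


def risky_objects(blob: bytes):
    """Objects whose content could execute when the lure button is clicked."""
    return [obj for obj in find_embedded_files(blob) if obj[2] in SCRIPT_TYPES]


def build_sample_section() -> bytes:
    """Constructed .one-like blob (not a real Qakbot or Emotet file): one PNG
    and one HTA-style stub, each wrapped in a FileDataStoreObject header.
    The footer GUID is omitted because the scanner does not need it."""
    def wrap(payload: bytes) -> bytes:
        return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    hta = b'<html><head><HTA:APPLICATION ID="lure"></head><script>/* constructed, inert */</script></html>'
    return b"\x00" * 40 + wrap(png) + b"\x00" * 20 + wrap(hta) + b"\x00" * 10


if __name__ == "__main__":
    for offset, size, kind in find_embedded_files(build_sample_section()):
        print(f"embedded object at {offset}: {size} bytes, {kind}")
```

Run against a real section file, the same call is `find_embedded_files(open(path, "rb").read())`; any object typed as a script or executable is a reason to quarantine the attachment regardless of what the visible "View" button claims.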
What Are The Key Players?

  • Banks, financial institutions, wealth management companies, and even public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors which are also impacted.
  • Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns. 
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.

  • The first campaign started with the dissemination of impersonal malspam containing a link to the malicious OneNote document embedded in the email.  
  • In the second case, a malicious OneNote notebook was sent to all recipients of existing email threads via reply-all messages, hijacking those threads through thread injection.
  • Once Qbot is downloaded and installed through these attachments, the infection is ready for use.  
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

Researchers have shared TTPs to help detect and mitigate this threat: blocking emails whose attachments have unusual extensions, avoiding malicious websites, and blocking rarely used top-level domains.   

How the SYS01 Campaign Uses Multiple Evasion Tactics to Avoid Detection in Cyber Espionage


Multiple Malware Families: The Primary Evasion Tactic of the SYS01 Campaign

In the world of cybersecurity, it is not uncommon for attackers to use multiple tactics to evade detection and carry out their malicious activities. The SYS01 campaign is a prime example of this. This campaign is known for using multiple attack evasion tactics to stay under the radar and avoid detection. In this blog post, we will explore the various tactics used by the SYS01 campaign and how they contribute to the campaign's success.

Firstly, let's understand what the SYS01 campaign is. The SYS01 campaign is a cyber espionage campaign that has been active since at least 2013. The campaign primarily targets government and military organizations in Southeast Asia, specifically in the Philippines, Taiwan, and Vietnam. The attackers behind the campaign are believed to be a Chinese state-sponsored group known as APT10.

One of the primary attack evasion tactics used by the SYS01 campaign is the use of multiple malware families. Rather than relying on a single malware family to carry out their attacks, the attackers use a variety of different malware families. This makes it much more difficult for defenders to detect and block the attacks, as they need to be aware of and able to detect multiple different types of malware.

Unseen and Unheard: The Use of Fileless Malware and Steganography

Another tactic used by the SYS01 campaign is the use of file-less malware. Fileless malware is a type of malware that does not rely on files or executables to carry out its activities. Instead, it operates entirely in memory, making it much more difficult to detect and remove. The attackers behind the SYS01 campaign use file-less malware to avoid leaving a trail of evidence on the victim's system.

The SYS01 campaign also uses steganography to conceal its activities. Steganography is the practice of hiding information within another file, such as an image or document. The attackers use steganography to hide their malware within benign files, making it more difficult for defenders to detect the malware.

In addition to these tactics, the SYS01 campaign also uses advanced obfuscation techniques to make its malware more difficult to analyze. For example, the attackers may use code obfuscation techniques to make it harder for analysts to understand the code and how it works. They may also use encryption to protect the malware from analysis.

The Art of Obfuscation: How the SYS01 Campaign Makes Malware Analysis More Difficult

Another evasion tactic used by the SYS01 campaign is the use of spear-phishing attacks. Spear-phishing is a targeted phishing attack that is designed to trick a specific individual into providing sensitive information or installing malware. The attackers behind the SYS01 campaign use spear-phishing attacks to target specific individuals within their target organizations, making it more difficult for defenders to detect the attacks.

Finally, the attackers behind the SYS01 campaign use command-and-control (C2) servers that are difficult to detect and block. C2 servers are used by attackers to communicate with their malware and control it remotely. The SYS01 campaign uses C2 servers that are located in countries that have lax cybersecurity laws and regulations, making it more difficult for defenders to block the traffic to these servers.

In conclusion, the SYS01 campaign is a prime example of how attackers use multiple tactics to evade detection and carry out their malicious activities. The campaign uses multiple malware families, fileless malware, steganography, obfuscation techniques, spear-phishing attacks, and difficult-to-detect C2 servers to avoid detection and stay under the radar. Defenders need to be aware of these tactics and have the tools and knowledge to detect and block them to protect their organizations from these types of attacks.

Does Antivirus Detect and Remove All Malware?

Antivirus software has become an essential tool for safeguarding our systems online and offline. However, the question that often arises is whether these programs provide complete protection against all types of malware and viruses. 

It is worth investigating whether antivirus software works 100% of the time and whether it is capable of removing all malicious software from your devices. 

Antivirus software, also known as anti-malware software, is a computer program designed to prevent, detect, and eliminate malware from a system. With the emergence of other types of cybersecurity threats such as worms, trojans, spyware, and adware, antivirus software has evolved to offer protection against a wide range of computer threats. 

Additionally, some antivirus software also guards against malicious URLs, spam, and phishing attempts to provide more comprehensive protection. Cybercrime knows no limits: thousands of hackers around the world are looking to exploit victims for their data, their money, or both. 

Antivirus software regularly scans your device for potential threats and inspects incoming files and apps for malware and viruses. You can either run scans manually or have the program run them automatically. 

The software uses a database of known dangerous code, files, and other content to better identify potential threats and keep your device safe. When an antivirus program identifies a malicious file or program, it isolates it to prevent further harm to the device. The program then checks the file or program for potential risks and removes it from the device if it is deemed harmful. 

However, how effective is this process; is it 100% risk-free? 

In practice, no antivirus software can provide 100% protection in detecting, isolating, and removing all harmful files. Even top providers like Norton and McAfee may not be able to detect new malware that is not yet in their database. 

As we discussed, antivirus programs use a database of known malicious files and code to identify and delete them from your devices. However, if a kind of malware comes along that is not in the antivirus database, it will go undetected. 

Also, some malware and viruses are designed to avoid detection by antivirus programs, for instance, stealth viruses, which use code modification and encryption to bypass standard scans. These types of viruses may require more advanced software to be detected and deleted. 
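The two paragraphs above describe a database of known-bad files and the way a modified variant slips past it. The following added example (written for this page, not taken from any antivirus vendor) reduces that model to its two classic layers, an exact-hash lookup and a looser byte-pattern rule, and runs four constructed samples through it: an exact copy, a copy with one byte changed, a "stealth" copy whose strings are hidden with a trivial XOR, and a never-seen family. The sample bytes, the hash entry, the pattern rule and the XOR key are all constructed for the demonstration.

```python
import hashlib
import re

# Constructed "known bad" sample; the MZ prefix only mimics an executable header.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed dropper: CreateRemoteThread; c2=c2.example.invalid"

# Layer 1: exact-match database keyed by SHA-256 of the whole file.
HASH_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Dropper.A"}

# Layer 2: byte-pattern rule, looser than a hash, so it survives small edits.
PATTERN_DB = {
    "Constructed.Dropper.gen": re.compile(rb"CreateRemoteThread.{0,40}?c2=", re.S),
}


def scan(sample: bytes):
    """Return (detection name or None, layer that fired)."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in HASH_DB:
        return HASH_DB[digest], "hash"
    for name, rule in PATTERN_DB.items():
        if rule.search(sample):
            return name, "pattern"
    return None, "none"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the encryption a stealth variant uses
    to keep its strings out of reach of static signatures (constructed)."""
    return bytes(b ^ key for b in data)


def demo():
    """Scan four constructed samples and report which layer, if any, caught each."""
    samples = {
        "exact": KNOWN_SAMPLE,
        "modified": KNOWN_SAMPLE.replace(b"c2.example", b"cc.example"),   # one byte differs
        "stealth": b"MZ\x90\x00" + xor_bytes(KNOWN_SAMPLE[4:], 0x5A),     # strings encrypted
        "novel": b"MZ\x90\x00 constructed never-before-seen family",
    }
    return {name: scan(sample) for name, sample in samples.items()}


if __name__ == "__main__":
    for name, (verdict, layer) in demo().items():
        print(f"{name:9s} -> {verdict or 'clean (missed)'} via {layer}")
```

The modified sample shows why engines keep pattern rules alongside hashes; the stealth and novel samples show the gap both layers leave, which is what behavioural and heuristic detection exists to cover.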

Moreover, not updating your antivirus program increases the chances of malware going undetected and leaves vulnerabilities for cyber actors to exploit. 

Nevertheless, Norton and McAfee have 99% success rates in protecting your system. Antivirus programs also offer additional security features like VPNs, firewalls, and password managers.

New MOTW Bypass Method Introduced by LockBit

Despite being on the winning side of the race, LockBit operators continue to exfiltrate data from high-profile organizations and add those organizations' names to its leak site. The tactics and techniques employed by the gang are well known to be one of the significant factors behind the harm done to its victims. Among its evasion tradecraft, researchers have come across one such technique. 

When a .img container is used to deliver the payload, the protection provided by the Mark of the Web (MOTW) is bypassed. Traditional signature-based detection is then evaded by deploying scripts that extract a password-protected executable from a compressed archive, which can only be unpacked when the specific password is supplied. 

Revolutionary Techniques: What are They? 

In a campaign conducted between December and January of this year, Fortinet researchers observed LockBit operators using evasion techniques to conceal their identities.

  • An image file mounted as part of the attack campaign contains malware files, one of which is visible to the user and the others are hidden. Therefore, attackers can evade MOTW's protection mechanism by sending the attack through a .img file container.  
  • It is after the user opens the single visible file that a set of BAT scripts are downloaded. These scripts check whether the targeted system is at the proper privilege level. 
  • The embeddable Python package from the official Python distribution is also sometimes used to execute Python scripts. Some of these scripts change the password and settings of the system without the user being aware of it. 
  • The final stage is a BAT script that extracts the LockBit ransomware payload from its password-protected archive and executes it. 
The Exploitation Strategy of LockBit 

  • LockBit 3.0, released by the LockBit operators in June 2022, caught the attention of researchers as they added enhanced anti-analysis features and evasion improvements as well. In these regards, it exhibited similarities to BlackMatter ransomware in that it packaged code into byte strings, created function trampolines, and resolved function addresses dynamically, which are techniques that have been used to execute the malware. 
  • There was a slight setback suffered by operators towards the end of September 2022 when disgruntled developers allegedly leaked the source code of LockBit 3.0 to the media. There was, however, no adverse effect on the attackers as LockBit Green was upgraded in February, bringing an upgrade to the threat landscape. 
  • This updated version of ransomware draws on the code that was used in Conti ransomware and uses reverse engineering analysis to develop it. 
  • The LockBit Green variant has recently been released by the LockBit team and is believed to have targeted at least five victims so far. 
A few examples of successful ransomware attacks using LockBit have been reported in the second and third quarters of 2022. LockBit remains one of the most active ransomware families in RaaS and extortion attacks. Depending on the leak sites, LockBit tallied records for 436 victim organizations between April and September based on data gathered from the leak sites. 

Exfiltrator-22 (EX-22) is a new post-exploitation framework developed by a group believed to include former LockBit affiliates and members. It was built on source code leaked from other well-known post-exploitation frameworks. 

EX-22 is sold as a framework-as-a-service and is designed to spread ransomware across corporate networks after the initial compromise, without being detected by the victim. 

LockBit ransomware has hit a wide range of industries in recent years, including several critical infrastructure sectors. Experts expect the threat actors to keep adopting evasive techniques as new variants with additional capabilities are released.

Attack on Oakland City attributed to Play Ransomware

 


Oakland recently became the victim of a ransomware attack that disrupted city services and led the city to declare a state of emergency. The attack is a reminder that cyberattacks are a real-world problem with real-world consequences. 

As security researcher Dominic Alvieri shared on Twitter, the attack appears to be the work of the Play ransomware gang. 

The Play ransomware operation, also known as PlayCrypt, launched in June 2022. The malware appends the .play extension to encrypted files and leaves a ransom note explaining how to contact the operators by email. 

Oakland, on the east side of San Francisco Bay, is one of the most populous cities in the Bay Area, with over 440,000 residents, and is a regional commercial center with a great deal of economic and trade activity. 

The city informed the public that it had been targeted by a ransomware attack on February 10, 2023. The attack affected all network systems except 911 dispatch, fire and emergency services, and the city's financial systems. 

On February 14, 2023, the City of Oakland declared a local state of emergency to expedite restoring the impacted systems and bring its services back online as soon as possible. Because the city could not accept online payments, all business tax obligations received a 45-day extension, and parking citation services could not take calls or payments. 

By February 20, 2023, IT specialists helped restore access to public computers, scanning, printing, library services, and wireless internet connectivity throughout the city’s facilities. However, the city’s non-emergency phone services (OAK311) and business tax licenses remained unavailable, while the online permit center returned to partial service.

The latest update on the City of Oakland website came on February 28, 2023, two weeks after the ransomware attack. The service status remains mostly unchanged. 

Play Claims Responsibility for the Attack 

The Play ransomware gang has now claimed responsibility for the attack on Oakland, listing the city on its extortion site on March 1, 2023. Security researcher Dominic Alvieri was the first to spot the listing. 

The threat actors claim to have stolen documents containing private and confidential data, financial and government papers, identity documents, passports, personal employee data, and even information allegedly proving human rights violations. 

These documents were allegedly taken during the intrusion into Oakland's networks and are now being used as leverage to pressure the city's administration into paying the ransom. 

Play ransomware targets diverse sectors and regions, including manufacturing, technology, real estate, transportation, education, healthcare, government, and more. 

Ransom demands vary with the size and importance of the victim organization; some victims have paid thousands or even millions of dollars to recover their data. 

The threat actors gave Oakland 72 hours to respond to their extortion demand and threatened to publish the documents listed above when that deadline expires. The City of Oakland's status updates do not mention data exfiltration, so the city has not yet confirmed that data was stolen.

Other victims of this ransomware operation include the Belgian city of Antwerp, H-Hotels, Rackspace, Arnold Clark, and A10 Networks.


Some Hackers Use Malware-Free Methods

 


Cybercriminals are becoming more sophisticated and, according to new research, increasingly carry out intrusions without using any malware at all.  

The report, published by CrowdStrike, found that almost three out of four attacks detected in 2022 were malware-free, up from the 62% reported a year earlier. The figures are based on "data from trillions of daily events" from the CrowdStrike Falcon platform and CrowdStrike Falcon OverWatch. 

Researchers also reported a 50% increase in interactive intrusions, in which a human adversary is hands-on-keyboard rather than relying on automated tooling. This illustrates how sophisticated adversaries keep looking for ways to evade antivirus protection and outwit fully automated defenses. 

Intensification of Sophistication 

Digging deeper, CrowdStrike found that identity and access credentials remain valuable and in high demand: demand for stolen credentials, measured by access broker advertisements, rose 112% from 2021 to 2022. Over the same period, the number of cases involving cloud-conscious threat actors nearly tripled, and observed cloud exploitation grew by 95%.  

A combination of threats of unprecedented magnitude has come to the forefront over the past 12 months. 

"Several splintered cybercrime groups emerged with greater sophistication in the past year, relentless threat actors have spied on patched vulnerabilities, and a growing number of Chinese-nexus adversaries have gained traction against the feared Russia-Ukraine conflict by masking the feared threats," said Adam Meyers, CrowdStrike's head of intelligence.  

Today's threat actors are more sophisticated, better resourced, and better funded than ever before. To stay a step ahead of them, companies need to understand their rapidly evolving tactics, techniques, and objectives and adopt technology driven by threat intelligence. 

Researchers identified 33 new adversaries in 2022, one of the largest increases seen in a single year. Among the most prominent is SCATTERED SPIDER, the group behind many recent high-profile attacks on telecommunications, BPO, and technology companies.  

Attackers also continue to use old tools and vulnerabilities discovered years ago: Log4Shell remains a key culprit, and ProxyNotShell and Follina continue to be major liabilities for IT departments. 

Hacker Operations and Protection  

Computer threats are the result of human action, not of computers acting on their own. Computer predators take advantage of vulnerable people for their own benefit, and a predator who reaches your PC over the Internet poses a real threat to your security. 

A malicious hacker is someone who enters your computer system without authorization, intending to steal, change, or destroy your data, often by installing dangerous malware on your computer without your knowledge or consent. 

Through clever strategies and the use of their expertise, they can access information that you would like to keep private.   

In What Ways Can Hackers Harm? 

Hackers can install malware on your computer that quietly transmits your personal and financial information while the computer is connected to the Internet. A predator can also gather the private information you unwittingly divulge on your computer. Either way, they can: 

  • steal your passwords and usernames;
  • steal your money and open bank accounts and credit cards in your name.
A predator can also stalk or threaten a person online. Use extreme caution before meeting in person someone you met online and do not already know.

Fully patched Windows 11 Systems are Susceptible to the BlackLotus Bootkit

 

ESET's analysis of the malware has shown that the BlackLotus bootkit may circumvent security safeguards on fully updated Windows 11 PCs and permanently infect them. 

BlackLotus first appeared on darknet forums in October 2022. For $5,000, it gives cybercriminals access to bootkit capabilities that were once associated only with nation-state advanced persistent threat (APT) actors. 

The main danger posed by UEFI bootkits is well-known. By controlling the operating system's boot process, they can disable security safeguards and introduce kernel- or user-mode payloads while the machine is booting up, acting covertly and with elevated privileges. 

ESET, which discovered BlackLotus for the first time in late 2022, has so far located six installers, allowing it to thoroughly examine the threat's execution chain and pinpoint the malware's primary capabilities.

BlackLotus has a wide range of evasion capabilities, including anti-debugging, anti-virtualization, and code obfuscation, as evidenced by early reports. It can also disable security measures like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. 

Because the bootkit exploits a year-old Windows vulnerability (tracked as CVE-2022-21894) to disable Secure Boot, and proof-of-concept (PoC) exploit code has been publicly available since August 2022, ESET notes that even systems with the most recent patches installed remain exposed. 

"Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” ESET stated. 

When BlackLotus runs on the machine, it installs a kernel driver that protects it from removal, sets up the user-mode component, runs kernel payloads, and, when instructed, uninstalls the bootkit. Removal is prevented by holding handles to the bootkit's files on the EFI System Partition (ESP) and triggering a Blue Screen Of Death if those handles are closed.

The user-mode component, an HTTP downloader, handles command-and-control (C&C) communication over HTTPS, command execution, and payload delivery. It runs as SYSTEM in the context of the winlogon.exe process. 

BlackLotus installers have been found both offline and online, and a typical attack begins with an installer distributing bootkit files to the ESP, turning off system safeguards, and rebooting the device. 

The installer enrolls the attackers' Machine Owner Key (MOK) in the MokList variable for persistence and exploits CVE-2022-21894 to deactivate Secure Boot. On subsequent reboots the self-signed UEFI bootkit delivers the kernel driver and the user-mode payload (the HTTP downloader). 

Additionally, the bootkit was found by ESET to rename the genuine Windows Boot Manager binary before replacing it. When the bootkit is told to remove itself, the renamed binary is used to start the operating system or to bring back the initial boot sequence. 

Although BlackLotus is covert and equipped with a number of anti-removal safeguards, ESET thinks they have uncovered a flaw in the way the HTTP downloader transmits instructions to the kernel driver that would allow users to uninstall the bootkit. 

According to ESET, "in the event that the HTTP downloader wishes to send a command to the kernel driver, it merely creates a named section, writes a command with associated data inside, and waits for the command to be processed by the driver by creating a named event and waiting until the driver triggers (or signals) it." 

The kernel driver supports install and uninstall commands, so creating the same named objects and sending the uninstall command tricks the driver into removing the bootkit completely. Updating the UEFI revocation list would lessen the threat posed by BlackLotus, but the bootkit would still be present on already infected devices; clearing them requires a fresh Windows installation and deletion of the attackers' enrolled MOK key. 
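Because BlackLotus lives on the ESP, renames the real boot manager, and switches Secure Boot off, the practical defensive check is a baseline of the ESP plus the Secure Boot state. The script below is an added example, not code from ESET, Microsoft, or the original post. It assumes an elevated PowerShell on a UEFI/GPT Windows 10 or 11 machine, that drive letter S: is free, and that the baseline file path ($BaselinePath) is a location of your choosing; all three are assumptions, not anything the report specifies.

```powershell
# Added example (not ESET's, Microsoft's, or the bootkit's code): snapshot the EFI System
# Partition (ESP) and the Secure Boot state, then diff a later run against that baseline so a
# renamed boot manager, extra .efi files, or a quietly disabled Secure Boot stand out.
# Assumptions: elevated PowerShell, UEFI/GPT Windows 10/11, drive letter S: free,
# $BaselinePath is a hypothetical location for the saved baseline.
#Requires -RunAsAdministrator
param(
    [string]$MountLetter  = 'S:',
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json",   # assumed path
    [switch]$SaveBaseline
)

# Secure Boot state. BlackLotus abuses CVE-2022-21894 to turn it off, so 'False' on a machine
# that should have it enabled is the first thing to check. $null means the cmdlet is not
# supported here (legacy BIOS/CSM), which is worth noting in its own right.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

# The ESP normally has no drive letter: mount it, inventory every file, then unmount.
mountvol $MountLetter /S | Out-Null
try {
    $inventory = Get-ChildItem -Path "$MountLetter\" -Recurse -File | ForEach-Object {
        $sig = if ($_.Extension -ieq '.efi') { Get-AuthenticodeSignature -FilePath $_.FullName } else { $null }
        [pscustomobject]@{
            Path      = $_.FullName.Substring($MountLetter.Length)
            Length    = $_.Length
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus = if ($sig) { [string]$sig.Status } else { '' }
        }
    }
} finally {
    mountvol $MountLetter /D | Out-Null
}

if ($SaveBaseline) {
    [pscustomobject]@{ SecureBoot = $secureBoot; Files = $inventory } |
        ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($inventory.Count) files, SecureBoot=$secureBoot)"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -SaveBaseline on a known-good machine first."
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known    = @{}
foreach ($f in $baseline.Files) { $known[$f.Path] = $f }

$findings = @()
if ($baseline.SecureBoot -eq $true -and $secureBoot -ne $true) {
    $findings += "Secure Boot was enabled at baseline but is now '$secureBoot'"
}
foreach ($f in $inventory) {
    if (-not $known.ContainsKey($f.Path)) {
        $findings += "NEW file on ESP: $($f.Path) [$($f.SigStatus) $($f.Signer)]"
    } elseif ($known[$f.Path].SHA256 -ne $f.SHA256) {
        $findings += "CHANGED file on ESP: $($f.Path)"
    }
}
foreach ($p in $known.Keys) {
    if (-not ($inventory.Path -contains $p)) { $findings += "MISSING from ESP: $p" }
}
# Any .efi that is not validly signed deserves a look. BlackLotus also drops validly signed
# but vulnerable Microsoft binaries, which only the baseline diff above will reveal.
$inventory | Where-Object { $_.SigStatus -and $_.SigStatus -ne 'Valid' } |
    ForEach-Object { $findings += "UNSIGNED/INVALID .efi: $($_.Path) ($($_.SigStatus))" }

if ($findings.Count -eq 0) { Write-Host "ESP matches baseline; SecureBoot=$secureBoot" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it once with -SaveBaseline on a freshly built machine, then on a schedule without the switch. The signature check alone is not enough, as the post explains: the bootloaders BlackLotus brings are legitimately signed, so a new or renamed file on the ESP is the stronger signal, and a Secure Boot state that flipped from on to off should be treated as an incident until explained.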

"The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups,” ESET concluded.

Enterprise Users Still at Risk: RIG Exploit Kit Continues to Infect via Internet Explorer

 

The RIG Exploit Kit, a well-known and long-running tool that criminals use to break into computer systems, is enjoying a significant increase in its success rate. 

It now attempts to breach approximately 2,000 systems daily and succeeds in about 30% of those attempts, its highest rate to date. The success rate stood at 22% after the kit resurfaced with two new exploits. 

The RIG exploit kit is a malicious tool that hackers use to spread malware on vulnerable devices. It takes advantage of vulnerabilities in old versions of Internet Explorer and is being used to spread harmful software like Dridex, SmokeLoader, and RaccoonStealer. 

It works by embedding malicious scripts into compromised or malicious websites, which then infect a user's device when they visit the site. 

Prodaft, a cybersecurity research firm, recently published a detailed report showing that the RIG Exploit Kit continues to pose a significant and widespread threat to individuals and organizations alike. Despite its age, the kit remains potent, and users should take appropriate measures to protect themselves against it. 

According to the report, RIG was first released in 2014 and suffered a setback in 2017 after a coordinated takedown action. It returned in 2019 with a focus on ransomware distribution. 

In 2021, RIG's owner announced the service would shut down, but it returned in 2022 with two brand-new exploits. Although Internet Explorer has been replaced by Microsoft Edge, RIG is still a significant threat to enterprise devices, the researchers said. 

A heatmap in the report shows that the countries most targeted by the exploit kit are Germany, France, Italy, Russia, Turkey, Egypt, Saudi Arabia, Algeria, Mexico, and Brazil, although victims can be found all over the world. 

Of the vulnerabilities RIG exploits, CVE-2021-26411 was the most successful, with a 45% success rate, followed by CVE-2016-0189 (29%) and CVE-2019-0752 (10%). 

CVE-2021-26411 is a memory corruption vulnerability in Internet Explorer that Microsoft patched in March 2021; it is triggered when a victim visits a specially crafted web page. 

CVE-2016-0189 and CVE-2019-0752 are scripting engine memory corruption vulnerabilities in Internet Explorer that allow remote code execution. In February 2022, CISA warned that CVE-2019-0752 was still being exploited in the wild and urged administrators to patch it.

Mobile Banking Trojan Volume Doubles

 


Nearly 200,000 new mobile banking Trojans were detected in 2022, double the previous year's figure and the biggest spike in mobile banking malware seen in the past six years, confirming that mobile malware development continues to accelerate. 

The figures come from Kaspersky's "Mobile Threats in 2022" report. Kaspersky's telemetry detected 1.6 million mobile malware installers during the year, continuing a decline in overall volume (down from 3.5 million in 2021 and 5.7 million in 2020) even as banking Trojan development surged. 

According to the report, cybercriminals are increasingly targeting mobile users and investing heavily in updated malware to steal financial information. Overall mobile attack numbers have leveled off after slackening in 2021. 

The truth is that cybercriminals continue to improve the functionality of malware as well as how it spreads. 

The banking Trojan is designed to steal mobile banking credentials and e-payment information, but it can quickly be repurposed to steal other kinds of information, including those related to identity theft and the spread of other malware. In the past few years, many malware strains have emerged that have become synonymous with the term "all-purpose malware strains", including popular strains like Emotet and TrickBot, for instance. 

There is a great risk that you might encounter a banking Trojan if you use a non-official app store, but Google Play has been repeatedly flooded with "downloaders of trojans such as Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph disguised as utilities." 

According to Kaspersky's report, unofficial app stores pose the greatest risk. Sharkbot, for example, masquerades as a legitimate file manager and contains nothing malicious (so it passes Google's vetting) until it has been installed. 

Only then does it request permission to install additional packages, which together carry out the banking Trojan's malicious activity. Mobile banking Trojans, used to steal online banking and e-payment credentials, have been one of the most prevalent and concerning mobile threats in recent years, and 2022 saw the highest number of mobile banking Trojan installers Kaspersky has detected in the past six years, double the 2021 figure. 


Lazarus's Latest Weapons: Wslink Loader and WinorDLL64 Backdoor


Cyberattacks have become increasingly advanced, and one of the most dangerous threats that companies face these days is backdoors. Backdoors are a type of malware that gives unauthorized access to a system to hackers, letting them steal important info, interrupt operations, and impact security. One such backdoor that surfaced recently is WinorDLL64, linked with the North Korean hacking group, Lazarus.

What is Wslink and WinorDLL64?

ESET researchers have identified one of the payloads of the Wslink loader, which they first documented in 2021. The payload is called WinorDLL64 after its filename. Unlike most loaders for Windows binaries, Wslink runs as a server and executes the modules it receives in memory. 

As the name suggests, a loader is a tool that launches a payload, in this case the malware, on the infected system. Experts have not yet identified the initial Wslink compromise vector. WinorDLL64 is delivered by the Wslink loader, and both tools may be linked with the infamous North Korea-based APT group Lazarus. 


WinorDLL64 is a 64-bit backdoor DLL whose code overlaps with samples Lazarus used in earlier attacks. It is built to be highly deceptive, which makes it difficult for experts to identify.

How does WinorDLL64 work?

The initial Wslink compromise vector is not known; spear-phishing emails and malicious downloads are the usual suspects. Once WinorDLL64 is on a system it provides a backdoor that lets the threat actors remotely access and control the compromised machine. It avoids detection through techniques such as encrypting its communications and hiding its presence on the system.

WeLiveSecurity by ESET reports "active since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA."

Risks associated with WinorDLL64?

WinorDLL64 is a highly advanced backdoor that allows threat actors full control over the compromised system. Threat actors can steal important info, add malware, and do various malicious activities while evading detection. The dangers associated with WinorDLL64 are consequential, especially for companies that depend on sensitive data or critical systems.

How to protect yourself against WinorDLL64?

Basic security hygiene is fundamental to defending against WinorDLL64. Companies can take various measures to reduce the chance of compromise, including: 

  • Familiarizing employees with the dangers of phishing emails and encouraging them to be careful when opening attachments or suspicious links.
  • Keeping software and security systems up to date so that known vulnerabilities are patched. 
  • Enforcing two-factor authentication and other access controls to limit the damage an intrusion can do. 
  • Continuously monitoring network activity and system logs for signs of malicious behavior.
  • Using a trusted anti-malware solution that can detect and block WinorDLL64 and other malware.

In summary, WinorDLL64 is a highly effective backdoor that poses a significant threat to companies. It is believed to be the work of the North Korean Lazarus group and is designed to evade detection and give attackers complete control over an infected system. With a proactive approach to security, covering user education, patching, access controls, monitoring, and anti-malware tooling, companies can lower the chance of a successful attack and safeguard their systems and data. 


Dark Web Malware Steals Your Data

 


Updated versions of information-stealing malware continue to circulate on the dark web in search of new customers and, through them, new victims. 

There have been reports from cybersecurity researchers from SEKOIA that they have found content promoting a new information stealer called Stealc on several underground forums and Telegram channels. 

Unlike some other info stealers, Stealc was not built from the ground up. Instead, it is an enhanced version of popular stealers such as Vidar, Raccoon, Mars, and RedLine. It was first noticed in January 2023 and gained more attention in February 2023. 

Stealc was developed and is advertised by a threat actor using the handle Plymouth. It receives a patch or update somewhere between once a week and once a month and is currently at version 1.3.0. Recent additions include a randomizer for C2 URLs and improved searching and sorting of logs in the control panel. 

The SEKOIA team analyzed a sample of the stealer in more depth and found that it is written in C, uses Windows API functions to achieve its goals, relies on legitimate third-party DLLs, is lightweight (only 80KB), obfuscates most of its strings with RC4 and base64, and exfiltrates stolen files automatically, with no action needed from the operator. 

SEKOIA also confirmed that Stealc can steal data from 22 web browsers, 75 browser plugins, and 25 desktop wallets.  
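The RC4-plus-base64 string obfuscation described above is cheap for the malware author and equally cheap to undo once the key is known. The script below is an added example, not SEKOIA's analysis code and not Stealc's own: it implements RC4, the base64 wrapper, and a scanner that pulls hidden strings out of a buffer. The storage order (base64 around RC4 ciphertext), the fixed key, and the sample buffer are all constructed here for the demonstration; for a real sample the key has to be taken from the binary's decryption routine.

```python
"""Added example (not SEKOIA's analysis code and not Stealc's own): recover strings that a
stealer has hidden the way the report describes, with RC4 and base64.

Assumptions (none come from the page): the stored form is base64(RC4(key, plaintext)), the
RC4 key is a fixed byte string found in the binary, and the sample buffer below is constructed
here for the demonstration. For a real sample, pull the key from the decryption routine."""
import base64
import binascii
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The cipher is symmetric, so one function
    both hides and recovers strings."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(plain: str, key: bytes) -> str:
    """What the malware author's build step would do: RC4, then base64."""
    return base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """The analyst's inverse: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


# A base64 token long enough to be worth trying (at least 6 plaintext bytes).
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def _printable(b: bytes) -> bool:
    return len(b) > 0 and all(0x20 <= c < 0x7F for c in b)


def recover_strings(buf: bytes, key: bytes) -> list:
    """Scan a memory dump or file for base64-looking runs, try the key on each one,
    and keep only results that decode to printable ASCII. A wrong key produces
    noise that fails the printability check, so junk is filtered automatically."""
    found = []
    for m in B64_TOKEN.finditer(buf):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                           # not really base64 (bad length/padding)
        plain = rc4(key, raw)
        if _printable(plain):
            found.append(plain.decode("ascii"))
    return found


# Constructed test data: a hypothetical key and strings of the kind a stealer carries,
# embedded between filler bytes that contain no base64-alphabet runs of their own.
SAMPLE_KEY = b"example-key"                    # hypothetical, not a real Stealc key
SAMPLE_PLAINTEXTS = [
    "\\Mozilla\\Firefox\\Profiles",
    "wallet.dat",
    "/api/gate.php",
    "SELECT url, username_value FROM logins",
]
CONSTRUCTED_BLOB = (
    b"MZ\x90\x00\x03\x00 "
    + b" \x00\xcc ".join(obfuscate(s, SAMPLE_KEY).encode("ascii") for s in SAMPLE_PLAINTEXTS)
    + b" \x00\xff\xfe"
)

if __name__ == "__main__":
    for s in recover_strings(CONSTRUCTED_BLOB, SAMPLE_KEY):
        print(s)
```

Running the file prints the four constructed strings back out of the blob. The printability filter is what makes the scanner usable on a whole process dump: every base64-looking run is tried, and only the ones that decrypt to clean ASCII survive, which is also a quick way to confirm that a key pulled from the binary is the right one.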

Plymouth does not only advertise Stealc on the dark web but also distributes it directly. One method is fake YouTube tutorials claiming to show how to crack software: the video description links to a download that launches the stealer instead of the advertised crack. 

The researchers have already discovered more than 40 C2 servers, leading them to conclude that Stealc is gaining considerable popularity. 

One reason may be that anyone with access to the admin panel can easily generate new stealer samples, broadening the range of samples in circulation. SEKOIA believes Stealc is popular because it suits a wide range of criminals, including low-skilled ones.   

Threats Increase With Updated "Swiss Army Malware"

 


Recent research suggests a slow and steady decline in specialized, single-purpose malware. In its place is a growing trend towards variants that can perform a whole host of functions and pack in as many features as possible. 

Picus Security's analysis of more than 550,000 real-world samples found "Swiss Army knife malware" on the rise: multipurpose strains capable of performing a wide variety of actions. 

A third of the malware analyzed for the report exhibits more than 20 individual tactics, techniques, and procedures (TTPs), which suggests that highly capable, multipurpose malware is now involved in a large share of cyber threats. Many attacks leverage more than ten techniques, and one in ten uses as many as 30. Abuse of legitimate software and lateral movement of files are among the most common features of these attacks. 

A Great Deal of Investment

Almost a third of the malware samples abuse command and scripting interpreters, which makes Command and Scripting Interpreter (T1059) the most prevalent technique in the dataset when behaviour is mapped to MITRE's ATT&CK adversary behaviour framework.

This is the first edition of the research in which Remote System Discovery (T1018) and Remote Services (T1021) appear in the top ten, showing that malware increasingly abuses the tools and protocols built into the operating system so that its activity blends in with legitimate administration and evades security software.

Most of the ATT&CK techniques identified are used to facilitate lateral movement within corporate networks, and around a quarter of them serve both to handle data and to move between systems.
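To make the report's counting method concrete, here is an added Python example (not Picus Security's data or tooling) that maps constructed process-creation events to ATT&CK technique IDs, counts the distinct techniques per sample, and applies the 20 and 30 TTP bands quoted above. The detection regexes, sample names and command lines are assumptions made for illustration; the technique IDs are the real ATT&CK identifiers for the named techniques.

```python
"""Map process-creation events to ATT&CK technique IDs and count distinct
techniques per malware sample.

Constructed example: the rules, sample names and log lines are illustrative
and are not Picus Security's data or tooling.  The technique IDs are the
real ATT&CK identifiers for the named techniques.
"""
import re
from collections import defaultdict

# Each rule: (technique ID, technique name, regex over the command line).
# Assumption: events come from a process-creation source such as Sysmon Event ID 1.
RULES = [
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     re.compile(r"(^|\\|\s)(powershell|pwsh)(\.exe)?\b", re.I)),
    ("T1059.003", "Command and Scripting Interpreter: Windows Command Shell",
     re.compile(r"(^|\\|\s)cmd(\.exe)?\s+/[ck]\b", re.I)),
    ("T1018", "Remote System Discovery",
     re.compile(r"\b(net\s+view|nltest\s+/dclist|arp\s+-a)\b", re.I)),
    ("T1021.002", "Remote Services: SMB/Windows Admin Shares",
     re.compile(r"\b(net(\.exe)?\s+use\s+\\\\\S+\\(c|admin|ipc)\$|psexec)", re.I)),
    ("T1021.006", "Remote Services: Windows Remote Management",
     re.compile(r"\b(winrs\s+-r:|Enter-PSSession|Invoke-Command\s+-ComputerName)", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic(\.exe)?\s+/node:", re.I)),
    ("T1027", "Obfuscated Files or Information",
     re.compile(r"\s-(enc|encodedcommand)\s", re.I)),
]

# Constructed process-creation events as (sample, command line).  Not real telemetry.
EVENTS = [
    ("sampleA", r"C:\Windows\System32\cmd.exe /c net view /domain"),
    ("sampleA", r"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."),
    ("sampleA", r"C:\Windows\System32\net.exe use \\FILESRV01\C$ /user:corp\svc P@ss"),
    ("sampleA", r"wmic.exe /node:FILESRV01 process call create cmd.exe"),
    ("sampleA", r"nltest /dclist:corp.local"),
    ("sampleB", r"C:\Program Files\7-Zip\7z.exe x update.zip"),
    ("sampleB", r"cmd.exe /k echo done"),
]


def map_techniques(events):
    """Return {sample: {technique_id: [command lines that matched]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for sample, cmdline in events:
        for tid, _name, rx in RULES:
            if rx.search(cmdline):
                hits[sample][tid].append(cmdline)
    return hits


def ttp_count(events):
    """Distinct ATT&CK techniques per sample: the metric the report is built on."""
    return {sample: len(techs) for sample, techs in map_techniques(events).items()}


def classify(count, swiss_army=20, heavy=30):
    """Bands from the report: a third of samples exceed 20 TTPs, one in ten exceed 30."""
    if count > heavy:
        return "30+ TTPs"
    if count > swiss_army:
        return "swiss-army (20+ TTPs)"
    return "single-purpose or limited"


def technique_prevalence(events):
    """Share of samples in which each parent technique appears.

    Sub-techniques are folded into their parent (T1059.001 -> T1059), which is
    how a technique such as Command and Scripting Interpreter ends up on top.
    """
    hits = map_techniques(events)
    total_samples = len({sample for sample, _ in events})
    per_technique = defaultdict(int)
    for techs in hits.values():
        for parent in {tid.split(".")[0] for tid in techs}:
            per_technique[parent] += 1
    return {tid: per_technique[tid] / total_samples for tid in sorted(per_technique)}


if __name__ == "__main__":
    for sample, techs in sorted(map_techniques(EVENTS).items()):
        print(sample, sorted(techs), classify(len(techs)))
    print(technique_prevalence(EVENTS))
```

On real telemetry the command line would come from the CommandLine field of Sysmon Event ID 1 or from a sandbox behaviour report, and the rule set would be far larger; the point of the example is the shape of the pipeline (behaviour to technique ID, then distinct techniques per sample), not the specific regexes.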

Picus attributes these capabilities to heavy investment on the attackers' side. According to its analysts, many ransomware syndicates are well funded and are happy to plough their profits back into building even more destructive malware. As a result, cybercriminals have refined their methods for evading the identification and blocking of malicious behaviour when they attempt to infiltrate their targets, and they take advantage of technological advances to devise ever more sophisticated ways of doing so.

According to Suleyman Ozarslan, Picus Security's co-founder and VP of Picus Labs, "The objective of both ransomware and nation-state actor operators is to achieve the goal in as short and efficient a time as possible." More malware is now able to move laterally within an IT environment, which means that adversaries of all types will need to adapt to the differences between IT environments to succeed in exploiting them.

Security teams must keep evolving their approaches as the malware they face grows more sophisticated by the day. Organizations that prioritize defences against the most commonly used techniques are better able to protect their critical assets, and they can ensure that their attention and resources stay focused on the areas where they will have the greatest impact.
