Christopher Eaton | February 4th, 2022

State-Sponsored Threat Group APT35, Linked to Ransomware Activity, Developed and Deployed a New Backdoor Using PowerShell

APT35, an Iranian state-backed threat group, has developed a new backdoor called PowerLess that is deployed using PowerShell. According to cybersecurity researchers, the operators also deployed additional modules, including information stealers and keyloggers, using previously unknown malware. The PowerLess backdoor encrypts its command-and-control (C2) channel and supports executing commands and killing running processes on compromised systems. Because it runs the PowerShell engine inside a .NET application rather than launching a new PowerShell process, it evades security tools that key on a powershell.exe instance being spawned. While tracking Iranian threat groups, the researchers discovered potential connections to Memento ransomware. Memento has been deployed in attacks against VMware vCenter servers that exploited a critical pre-authentication remote code execution flaw patched months earlier.
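The evasion described above, hosting the PowerShell engine inside another .NET process, leaves one obvious trace: System.Management.Automation.dll is loaded into a process that is not one of the standard PowerShell hosts. The script below is an added hunting example written for this post, not code from the original article or from the PowerLess researchers. It assumes it runs elevated on Windows (Windows PowerShell 5.1 or PowerShell 7 of the same bitness as the processes being inspected), and the allow-list of expected host executables is an assumption that should be tuned per environment.

```powershell
# Added example (not from the original post): find processes that host the PowerShell
# engine without being one of the expected PowerShell host executables.
# Assumptions: run elevated; the allow-list below is illustrative and should be tuned.

$ExpectedHosts = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')   # assumed allow-list
$EngineDlls    = @('System.Management.Automation.dll',                  # engine assembly
                   'System.Management.Automation.ni.dll')               # native-image variant

function Find-HostedPowerShell {
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # Process.Modules throws for protected processes and for processes of the
            # other bitness; skip those rather than abort the sweep.
            $loaded = $proc.Modules | Where-Object { $EngineDlls -contains $_.ModuleName }
        } catch {
            return
        }
        $image = $proc.ProcessName + '.exe'
        if ($loaded -and ($ExpectedHosts -notcontains $image)) {
            [PSCustomObject]@{
                Pid       = $proc.Id
                Process   = $image
                Path      = $proc.Path
                EngineDll = ($loaded | Select-Object -First 1).FileName
            }
        }
    }
}

# Usage: list every non-standard process that has the PowerShell engine loaded.
Find-HostedPowerShell | Format-Table -AutoSize
```

Expect some legitimate hits (management agents and other .NET applications also host the engine), so triage by image path and code signature rather than treating every result as PowerLess. For continuous coverage the same signal is available from Sysmon Event ID 7 (image load) filtered on the two DLL names, and PowerShell script block logging (Event ID 4104) still records the scripts a hosted engine executes even though no powershell.exe process ever starts.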

A New Ransomware-as-a-Service (RaaS) Operation Called ‘Sugar’ Designed To Target Individual Computers 

A threat hunting team at a major corporation dissected a new ransomware-as-a-service operation known as 'Sugar'. This RaaS differentiates itself from similar operations because it is designed to hit individual computers rather than large enterprise networks or multinational organizations. According to the threat hunters, Sugar further distinguishes itself with its crypter: it uses a variant of the RC4 cipher, and code from the crypter is reused inside the deployed ransomware. There are alleged similarities between Sugar and both Cl0p and REvil, but these are unconfirmed. Sugar is yet another indication of the constantly evolving threat landscape.

Iranian State-Backed Threat Group Moses Staff Uses New StrifeWater RAT in Destructive Encryption Attacks

A previously undocumented remote access trojan (RAT) disguised as the Windows Calculator app was used by a politically motivated threat group in an effort to stay under the radar. The cybersecurity company that found it named the malware "StrifeWater" while tracking Moses Staff, an Iranian threat actor linked to espionage and sabotage attacks on Israeli companies. StrifeWater is used during the initial stage of the attack and can remove itself from the system to cover the operators' tracks. Its capabilities include command execution, screen capture, and downloading additional modules. Moses Staff emerged with a series of attacks on Israeli organizations intended to disrupt the targets' business operations by encrypting their networks, with no possibility of regaining access or negotiating a ransom.

BlackCat Ransomware Group Alleged Culprit Behind Cyberattack Against German Fuel Distributor OilTanking 

German investigators are confident that the BlackCat ransomware group (also known as ALPHV) is responsible for the ongoing cyberattack on the systems of OilTanking, a national fuel distributor. So far the attack has affected 13 fuel terminals in Germany. The automated system used to fill tanker trucks has been knocked offline, so fuel distribution to more than 200 service stations has slowed significantly because workers must complete the job manually. OilTanking's non-German operations are unaffected. BlackCat (ALPHV) is a new, human-operated ransomware that is entirely command-line driven and highly configurable: operators can select different encryption routines, spread the payload to other computers, terminate running virtual machines (including those on ESXi hosts), and automatically wipe ESXi snapshots to prevent recovery from them.

Major European Food Producer KP Snacks Attacked by Conti Ransomware Resulting in Delivery Disruptions 

Kenyon Produce (KP) Snacks, the UK-based, German-owned producer of popular British snacks, was recently breached by the Conti ransomware group. The cyberattack disrupted the company's deliveries to supermarkets, adding to the ongoing European supply chain crisis; the disruption is not expected to be resolved until March. KP Snacks reports annual revenue of more than $600 million, making it a prime target for financially motivated threat actors. Conti operators published data on their leak site, including a trove of personally identifiable information (PII): credit card statements, birth certificates, employee contact details, and other confidential documents. This attack is one of many perpetrated by Conti so far this calendar year.


It is imperative for companies and individuals to stay informed about the current threat landscape and take the necessary precautions to prevent threat groups like APT35 and Moses Staff, and ransomware operations like Sugar, Conti, and BlackCat, from stealing or encrypting their data. At SpearTip, our advisory services engage with real-world risks and equip companies with the knowledge and resources to defend effectively against threat actors. Our ShadowSpear Platform is an unparalleled resource that works in tandem with our certified engineers, who identify threats, neutralize malware, and counter adversaries 24/7 from our Security Operations Centers. These attacks demonstrate the importance of maintaining a mature security posture and keeping all business-critical data on backups that are offline or otherwise disconnected from the company's primary networks, so that ransomware that encrypts production systems (or wipes ESXi snapshots, as BlackCat does) cannot reach the copies needed for recovery.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.