The IT threat landscape in Q3 2023 has seen a variety of significant developments:
- DroxiDat Deployment: A new variant of SystemBC, called DroxiDat, was deployed against critical infrastructure in South Africa. This backdoor, which can act as a SOCKS5 bot, points to a targeted and possibly APT-related attack, potentially serving as a precursor to ransomware deployment.
- Exploitation of CVE-2023-23397: Microsoft reported a critical Elevation of Privilege vulnerability in Outlook, CVE-2023-23397, which was exploited in attacks targeting government, military, critical infrastructure, and IT organizations across various countries. This vulnerability can be triggered without any user interaction.
- Attacks by APT31: Investigations into attacks against industrial organizations in Eastern Europe indicated the involvement of APT31 (aka Judgment Panda and Zirconium). These attacks aimed to establish channels for data exfiltration, including from air-gapped systems. Attackers used cloud-based data storage and a stack of implants for data collection.
- Malware Implants and Techniques: Over 15 different implants, categorized into stages, were identified, employing DLL hijacking and memory injection techniques. These implants were designed for remote access, data gathering, and uploading data to C2 servers.
- Infected Telegram Apps: Several infected apps on Google Play masqueraded as versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese. These apps included modules that monitored the messenger and sent extensive user data to the attackers' C2 server.
- Supply-Chain Attack on Linux Machines: A long-running attack involving a Debian package of "Free Download Manager" was discovered. This package contained a script that established persistence and deployed a backdoor for data collection and exfiltration, targeting various sensitive information and credentials.
- Cuba Ransomware Gang: The Cuba ransomware gang, known for cyber extortion, targeted numerous companies globally, using credential access tools and exploiting software vulnerabilities for initial access. The group has accumulated significant funds through ransom payments, using bitcoin mixers for fund transfers.
- Lockbit Ransomware Leak: A builder for Lockbit 3 (Lockbit Black) was leaked, enabling the creation of customized ransomware versions. This led to an increase in incidents involving Lockbit, including an attack variant with a unique ransom demand procedure.
- Emergence of DarkGate Loader: A new loader called DarkGate, featuring advanced capabilities like a hidden VNC and a browser history stealer, was discovered. Its infection chain involves a multi-stage process, ending with the execution of the DarkGate loader.
- LokiBot Phishing Campaign: LokiBot, active since 2016, was used in a phishing campaign targeting cargo shipping companies. This malware is known for stealing credentials from various applications.
These developments underscore the dynamic and sophisticated nature of current cyber threats and highlight the need for continuous vigilance and up-to-date security measures as those threats evolve.
REFERENCES
- https://securelist.com/it-threat-evolution-q3-2023/111171/
- https://otx.alienvault.com/pulse/656f325a6ea0fd30be841bf1