Malware developers never rest. To cut through the noise, the Cybernews research team has looked at some recent malicious activity examples and analyzed them.
Our team analyzed an interesting file called “Request for Quotation (RFQ#196).zip.”
The activity involved the execution of a malicious executable file named "Proforma Invoice and Bank swift-REG.PI-0086547654.exe," located in the user's temporary folder. This file spawned several child processes, including "attrib.exe" and "icacls.exe," which were used to modify file attributes and grant full control permissions to everyone.
The task also involved the execution of a batch file, "84191695807421.bat," which, in turn, executed a VBScript file, "m.vbs." Another executable file, "@[email protected]," was also executed, along with a command to start it in the background. The task also involved the modification of a registry key related to internet settings.
The most interesting and unusual events from this activity include the execution of multiple executable files from the user's temporary folder, the modification of file attributes and permissions, and the execution of a batch file and a VBScript file.
These actions indicate potentially malicious activity, as they involve the manipulation of files and registry keys. The execution of the "@[email protected]" file and the modification of the internet settings registry key suggest that this activity may be related to ransomware or other types of malware.
The image above shows a malicious script process.
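As an added defender-side example (not part of the Cybernews analysis or its sandbox output), the following Python prototypes detection logic for the behaviours described above: an executable running from the user's Temp folder spawning attrib.exe, icacls.exe, cmd.exe or a script host; icacls granting Everyone full control; and a batch file launching VBScript. The process events, PIDs and paths are constructed Sysmon-style sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events: (pid, ppid, image, command line).
# These are made-up sample values for the example, not the page's sandbox data.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    (4012, 2210, TEMP + r"\Proforma Invoice and Bank swift-REG.PI-0086547654.exe", "Proforma Invoice.exe"),
    (4020, 4012, r"C:\Windows\System32\attrib.exe", "attrib +h ."),
    (4024, 4012, r"C:\Windows\System32\icacls.exe", "icacls . /grant Everyone:F /T /C /Q"),
    (4030, 4012, r"C:\Windows\System32\cmd.exe", "cmd.exe /c 84191695807421.bat"),
    (4036, 4030, r"C:\Windows\System32\cscript.exe", "cscript //nologo m.vbs"),
    (5000, 900, r"C:\Program Files\Vendor\app.exe", "app.exe"),             # benign parent
    (5010, 5000, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Data" /grant Users:R'),  # benign ACL change
]

TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
LOLBINS = {"attrib.exe", "icacls.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# "Everyone" by name or by its well-known SID S-1-1-0, granted F (full control), with optional parentheses
EVERYONE_FULL_RE = re.compile(r"/grant(?::r)?\s+(?:Everyone|\*S-1-1-0):\(?F\)?", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return (pid, reason) findings for the behaviours the write-up describes."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        parent = by_pid.get(ppid)  # None when the parent is outside the captured window
        if parent and TEMP_DIR_RE.search(parent[2]) and name in LOLBINS:
            findings.append((pid, f"{name} spawned by executable in a Temp folder"))
        if name == "icacls.exe" and EVERYONE_FULL_RE.search(cmdline):
            findings.append((pid, "icacls grants Everyone full control"))
        if name in SCRIPT_HOSTS and parent and basename(parent[2]) == "cmd.exe" and ".bat" in parent[3].lower():
            findings.append((pid, "VBScript launched from a batch file"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The benign icacls call on a named group with read-only rights produces no finding, which is the distinction a rule like this has to preserve to stay usable.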
- Task contains process dump
- Known threat
- Probably Tor was used
- Process was added to the startup
- Actions similar to stealing personal data
- Process starts the services
- Task contains several apps running
- Integrity level elevation
Summary of indicators of compromise
- Request for Quotation (RFQ#196).zip
Dropped executable files:
- Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Tactics and Techniques used by this malicious file
- System services: Adversaries may abuse system services or daemons to execute commands and programs. Bad actors can execute malicious content by interacting with or creating services either locally or remotely.
- Command and Scripting Interpreter: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems that are a common feature across many different platforms.
- Browser Extensions: Adversaries may abuse Internet browser extensions to establish persistent access to victims' systems. Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system.
- Modify Registry: Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
- Impair Defences: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior.
- File and Directory Permissions Modification: Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
- Hide artefacts: Adversaries may attempt to hide artefacts associated with their behaviors to evade detection. Operating systems may have features to hide various artefacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artefacts such as files, directories, user accounts, or other system activity to evade detection.
- Credentials from Password Stores: Adversaries may search for common password storage locations to obtain user credentials.
- Unsecured Credentials: Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g., Bash History), operating system or application-specific repositories (e.g., Credentials in Registry) or other specialized files/artefacts (e.g., Private Keys).
- Query Registry: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
- Software Discovery: Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.
- Inhibit System Recovery: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system. This denies access to available backups and recovery options.
- Data Encrypted for Impact: Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Recent Ransomware Attacks 2023
- CloudNordic and AzeroCloud – the Danish hosting firms specializing in cloud services have experienced significant ransomware attacks, leading to extensive data loss and operational disruptions. Both organizations remain firm in their decision not to meet the hacker’s ransom demands.
- The city of Dallas – it was discovered that an APT group breached Dallas’ digital systems, accessing the sensitive data of at least 26,212 Texas residents.
- ABB – On May 7th, ABB, an important supplier of electrification and automation solutions, was targeted in a ransomware attack by the Black Basta group. The breach impacted the company’s Windows Active Directory and hundreds of devices.
- Harvard Pilgrim Health Care – HPHC has revealed that in April, a ransomware attack impacted 2,550,922 people and stole their sensitive data, including full names, addresses, phone numbers, dates of birth, and Social Security numbers.
- Reddit – Back in February, the social news aggregation platform Reddit suffered a security breach in which attackers obtained unauthorized access to corporate documents, code, and some systems. The BlackCat ransomware gang, also known as ALPHV, claims to have stolen 80GB of data from Reddit during the attack and asks for a $4.5 million ransom.
- Barts Health NHS Trust – The BlackCat ransomware group claims they have breached the organization and stolen seven terabytes of internal documents. On the Dark Web, they call it a “more bigger leak from the health care system in the UK.” [sic] Barts Health NHS Trust oversees multiple hospitals and clinics in London, including St Bartholomew’s, the Royal London, Mile End, Whipps Cross, and Newham. They serve almost 2.5 million people as one of the biggest hospital groups in the UK.
- Dish Network – reported a data breach subsequent to the ransomware attack in February and informed the affected parties. The broadcast company went offline on February 24th, 2023, impacting Dish.com, Dish Anywhere, and many other Dish Network services. They acknowledged that the cause of the outage was a ransomware attack.
- Royal Mail – a LockBit attack targeted the Royal Mail, considered “critical national infrastructure” in the United Kingdom, causing severe disruption to all international deliveries. (Cybernews also has an open redirect vulnerability finding concerning Royal Mail.)
- San Francisco’s Bay Area Rapid Transit – A ransomware attack on San Francisco’s Bay Area Rapid Transit exposed highly sensitive and personal data. Vice Society claimed responsibility for the attack and allegedly stole information such as employee data, police reports, and crime lab reports, among other susceptible documents.
- Dole Food Company – one of the world’s largest suppliers of fresh fruit and vegetables has disclosed that it has been affected by a ransomware attack that disrupted its operations. The food giant has hired third-party experts to assist with the mitigation and protection of the impacted systems, and the incident has also been reported to law enforcement.
- Yum! Brands – The US-based company that owns KFC, Pizza Hut, and Taco Bell closed almost 300 of its restaurants in the UK due to a ransomware attack launched by an unknown malicious group. In response, the company took the impacted systems offline and deployed enhanced monitoring technology.
- Tallahassee Memorial HealthCare in Florida – After being hit with ransomware, the medical facility remained offline for almost a week. The hospital had to switch to paper documentation and handwritten patient notes during the downtime, as surgeries and procedures were limited. During the downtime, some emergency patients were routed to other hospitals. Due to security, privacy, and law enforcement concerns, information remained limited regarding this incident.
- Technion Institute of Technology in Israel – was impacted by ransomware in February, with the attack being claimed by DarkBit, a new ransomware group that aims to associate its actions with hacktivism. The group demanded a payment of 80 Bitcoin ($1.7M) to release the decryptor. The threat actors also stated they would add a 30% penalty if Technion refused to make the payment within 48 hours.
- The City of Oakland – the City of Oakland was hit by a ransomware attack in February, forcing the city to take all systems offline until the network can be secured and affected services restored.
- The City of Oregon – As a result of a sophisticated ransomware attack, the county suffered significant network disruption. IT staff and third-party specialists restored the network, and data recovery continues. As a result of their investment in backup technology, the city was able to recover from the incident without paying a ransom. Determining whether sensitive or personal information was accessed during the attack remains a top priority.
- Hospital Clinic de Barcelona – one of the main hospitals in the city suffered a ransomware attack that crippled its computer system, causing 3,000 patient checkups and 150 non-urgent operations to be canceled. The incident occurred on Sunday, the 5th of March 2023.
- U.S. Marshals Service – suffered a security breach leading to sensitive information being compromised. A spokesperson declared that the incident occurred in February 2023, when the service discovered a “ransomware and data exfiltration event affecting a stand-alone USMS system.”
This activity involved the execution of a malicious executable file, the modification of file attributes and permissions, the execution of a batch file and a VBScript file, and the modification of a registry key. These actions indicate potentially malicious activity, possibly related to ransomware or other types of malware.
- From 2023-09-01 to 2023-10-01, 589 samples of malicious files and activity containing “Request for Quotation (RFQ#196).zip” were submitted.
- Malicious actors could use phishing campaigns to send malicious files to victims and trick them into opening them as legitimate ones.
- Bad actors are still trying to compromise systems using well-known tactics and malicious software like “WannaDecryptor.”
- Targets could be anyone – from personal accounts to small or large companies.
It’s crucial to exercise caution when encountering files associated with the mentioned processes. Users should be vigilant when opening email attachments or downloading files from untrusted sources. It is advisable to keep antivirus software up to date and regularly scan systems for potential threats. To stay safe:
- Regularly back up your important files and data to an external device or secure cloud storage. Ensure that backups are automated, and periodically test data restoration.
- Turn off unnecessary services and features on your computers and network devices. The fewer entry points available to attackers, the better.
And if you somehow got tricked and opened a malicious file:
- Immediately disconnect the infected computer from the network (unplug the Ethernet cable or disable Wi-Fi) to prevent the ransomware from spreading to other devices on your network.
- Disconnect any external drives or network-attached storage (NAS) devices used for backups to prevent them from being encrypted as well.
- If you have a system image or backup that predates the infection, you may consider restoring your entire system to a clean state.
- Change all your passwords, especially those related to sensitive accounts, as the ransomware may have stolen login credentials.
- If you have regularly backed up your data, you can restore your files from backups once the infected computer is cleaned. Ensure that the backup is not also infected.
We have a tool called “Ransomlooker.” This tool monitors ransomware groups' extortion sites and delivers a consolidated feed of their claims. You can look closer at this tool here:
- From 2023-09-01 to 2023-10-01, 589 samples of malicious files and activity containing “Request for Quotation (RFQ#196).zip” were submitted.
- Request for Quotation (RFQ#196).zip: 7 security vendors and 1 sandbox flagged this file as malicious.
- Proforma Invoice and Bank swift-REG.PI-0086547654.exe: 67 security vendors flagged this file as malicious.
- taskdl.exe: 62 security vendors flagged this file as malicious.
- taskse.exe: 62 security vendors flagged this file as malicious.
- u.wnry: 66 security vendors flagged this file as malicious.