Posts

Showing posts from December, 2023

Threat Actor SideCopy

About: SideCopy APT, active since at least 2019, is a Pakistani threat actor group targeting many South Asian countries, especially India and Afghanistan. Reportedly it shares similarities with Transparent Tribe (APT36) and may be a subdivision of that actor. They generally use archive files as lures that contain embedded files such as LNK shortcuts, Microsoft Publisher documents or trojanized applications. The lures are of two types: Targeted lures are specially designed and crafted to target specific victims, such as government or military officials. Generic lures, as the name suggests, are generic, like those used in spam campaigns to collect emails and credentials that can help the actor perform their targeted attack. These are the ones named "romantic lures" in a Facebook report. Attack Method: SideCopy uses spear-phishing email as its main attack tactic. They lure their victims into clicking a link containing an attached malicious file. This way they can start corruptin

A Ransomware That Is Royal

Overview: First discovered in September 2022, Royal ransomware is a group of threat actors that has targeted more than 350 million known victims worldwide, and their ransom demands have exceeded 275 USD so far. Previously, this ransomware was linked to another ransomware family, Zeon, which started in January 2022. Interestingly, they do not hire affiliates to promote their Ransomware-as-a-Service (RaaS) model. This group is mainly made up of former members of the Conti ransomware group, which gives them experience and a solid base for carrying out extortion activities across the globe. They have threatened critical infrastructure sectors such as manufacturing, healthcare, and education. Methodology: This ransomware group uses the following initial access vectors to gain access to vulnerable systems: callback phishing, SEO poisoning, exposed Remote Desktop Protocol (RDP) accounts, and compromised credentials. They make use of a unique partial encryption approach all

Anonymous Sudan

About Anonymous Sudan: They are a hacker group involved in a variety of distributed denial-of-service (DDoS) attacks against a variety of targets in Sweden, Denmark, America, Australia, etc., in 2023. They claim to be based in Sudan and attack so-called "anti-Muslim activity." However, their actual origin is not clear, and according to researchers they might be linked to Russia. Origin and Motive: Some of the attacks of this threat actor are as follows: Anonymous Sudan attacked many websites in Sweden and Denmark in 2023, allegedly because a Swedish and Danish far-right activist publicly burned a copy of the Quran. They attacked various Israeli websites in 2023 due to the country's military activity in Palestine. This hacker group also attacked the fan-fiction website AO3 in July 2023 due to religious objections to the content of that website. Anonymous Sudan and Killnet jointly attacked a series of Australian universities, hospitals, and airports. Trio of Ano

Hive Ransomware

Introduction: First discovered in June 2021, Hive is an affiliate-based ransomware that targets healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. It has a Ransomware-as-a-Service model enabling its affiliates to use Hive as they want. They generally use common ransomware tactics, techniques, and procedures to intrude into their victims' devices, exfiltrate sensitive data, and encrypt business files. Phishing emails with malicious attachments, leaked VPN credentials, and exploitation of externally facing vulnerabilities are also used by the affiliates to compromise a network. Hive sends a plain-text ransom note threatening to leak the victims' data on their Tor website 'HiveLeaks' if they do not meet the demands. It is believed that Hive is a Russian organization. According to their website, they have targeted institutions from more than 20 countries since their emergence, from the far west, the USA, to the far east, Japan. How does i

A RomCom Targeting Ukraine

About: RomCom is an active threat actor group that was discovered in mid-2022. Since the outbreak of the war between Russia and Ukraine, this group has been targeting Ukraine and the Western countries aiding it. They deploy a trojanized version of Devolutions Remote Desktop Manager, which victims are encouraged to download after being guided to a clone website via phishing tactics. RomCom depends on specially curated information about its victims. It makes use of the malicious technique of typosquatting, in which the actor registers a fake domain that looks like the real one but differs in its suffix. After the successful installation of the malware, it systematically starts collecting essential host and user metadata from the infected system to transfer to its command-and-control server. Geopolitical Motivations: Evidently, RomCom is not financially motivated but follows a geopolitical agenda. However, who is behind this group is unclear, with no clear link to an existing nation-state. They target sensiti

Ransomware Play

About: The Play ransomware, also known as Playcrypt, is a fast-growing ransomware group that has targeted a variety of organizations across the world. They set up a cyberattack campaign distributing ransomware to their downstream customers. They targeted many mid-sized businesses in the finance, legal, software, shipping, law enforcement, and logistics sectors of the US, Australia, UK, Italy, and other countries. Reportedly, they are also targeting state, local, and tribal entities of these countries. Since 2022, Play has targeted a wide range of victims. By 2023, the FBI became aware of approximately 300 affected entities allegedly exploited by this ransomware. According to this ransomware group's website, it is presumably a closed group, "designed to guarantee the secrecy of deals." They employ a double-extortion model, encrypting systems after exfiltrating data. They do not demand any initial ransom or include any payment instructions; instead, they simply instruct their

Predatory Sparrow

About: Predatory Sparrow (in Persian, Gonjeshke Darande) is a group of self-proclaimed hacktivists that carried out numerous attacks against Iranian railway systems and Iranian steel plants. They are suspected to be connected to or sponsored by a nation state. They claimed that they carried out all the attacks cautiously, so as not to harm innocent individuals, and also warned Iran's emergency services beforehand. A possible suspect is Israel. Targeted Attacks: Predatory Sparrow has attacked many national and international companies of Iran, among other countries like the USA, UAE, etc.: Taking Iran's national fuel station payment system offline in October 2021. Hacking Iranian train stations in July 2021. A failed attempt to raise chlorine levels in Israel's water supply to dangerous levels. Targeting Iran's state-owned companies like Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO). No significant damage was reported in HOS

Threat Actor Cobalt

Introduction: This threat actor is also known as COBALT SPIDER, Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, and Mule Libra. This criminal group is dubbed Cobalt. It was behind the synchronized ATM heists in which machines across Europe, CIS countries (including Russia), and Malaysia were simultaneously raided within a few hours. Cobalt has been active since 2016 and recently attacked in July and August. Hence, from the above statements, Cobalt Group is a financially motivated threat group that primarily targets financial institutions. It has targeted Eastern Europe, Central Asia, and Southeast Asia. This threat group is known to target organizations in order to use their access to then compromise additional victims. Reportedly, they might be linked with both the Carbanak malware and the Carbanak group, Anunak. Features: Cobalt Strike, a threat emulation program, has the following capabilities: Reconnaissance: to discover client-side software with version info to recognize know

Ransomed: A Cyber Threat In The Making

About Ransomed: Ransomed is an emerging ransomware syndicate in the cyber world. Similar to other ransomware groups, this threat group also issues threats of exposing the stolen data of their victims unless a ransom is paid. However, their similarities with the others simply stop here. They make use of data protection laws against their victims for financial gain. They threaten their victims with regulatory fines if they do not pay the ransom. They tacitly set the ransom amounts lower than the fine for a data security violation, allowing them to exploit this discrepancy to increase the chance of payment. Unverified Claims: Whether Ransomed uses a special ransomware variant or extorts victims only via leaked information is yet to be clarified. There is no known evidence of how this group conducts their attacks. They might be related to other data leak forums and websites like BreachForums and Exposed. Prevention: General methods to combat a ransomware attack are as follows: Mandatory strong password policies

Ransomware Cuba

About Cuba Ransomware: Russia-based Cuba ransomware is one of the world's most profitable ransomware outfits. It mainly targets the USA and its organizations. It was discovered in 2019. According to available data, this threat group has compromised 101 entities (65 in the US and 36 elsewhere) so far. They have already demanded a total of $145 million in ransom payments and received around $60 million. It is affiliated with the small but disproportionately high-impact threat actors RomCom and Industrial Spy. Cuba uses less sophisticated, standard commercial software packing techniques, confirming it to be the product of a small but talented group of profit-seeking individuals. It is deployed selectively via a big game hunting strategy. It generally targets high-profile financial services organizations, the government sector, the healthcare sector, critical infrastructure and the IT sector. Reportedly, Cuba operators deliver decryption packages to decrypt a victim's files when the said ransom i

Evilnum Malware

About Evilnum: The Evilnum malware mainly targets FinTech companies and has been operating since 2018. However, very little has been published about the operating group behind this malware and its functioning. Its toolset and infrastructure have evolved considerably with time, and now consist of a mixture of customized and homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider with many infamous customers like FIN6 and Cobalt Group. How does it work? This APT group is using updated tactics, techniques, and procedures to target their victims. Previously, this threat group used Windows Shortcut files (LNK) sent inside malicious archives (ZIP) as email attachments in spear-phishing emails to the victims. Recently, they have started using MS Office Word documents, leveraging document template injection to deliver the malicious payload to a system. Several undetected domains associated with Evilnum have be

Ransomware Shadow

What is Shadow? Shadow is known as a new variant of a high-risk ransomware, BTCWare, discovered by Michael Gillespie. It infiltrates the network and encrypts most of the stored files. After that, it appends its extension to the filenames. Once the encryption happens, Shadow opens a pop-up window with a ransom demand message. The type of cryptography used by Shadow is unknown. The pop-up ransom message informs the victims about the current situation and asks them to pay a ransom in Bitcoins or Dollars to restore the encrypted files. They also provide an email address to contact Shadow's developers. However, sending money to cybercriminals simply encourages their malicious activities. They often ignore their victims, and there is a high chance that files will not be decrypted even after the said ransom is received. Unfortunately, files encrypted by Shadow cannot be restored with the present tools as of now. The only way to restore everything is via backup. Note: The b

Careto Malware

Introduction: Careto is a highly sophisticated and professional malware, which was detected by Kaspersky Labs in 2014. The name Careto is Spanish slang for "ugly face" or "mask" and is derived from an ancient Portuguese ritual. The malware was also nicknamed The Mask. It is a piece of cyber-espionage malware that has targeted many diplomatic offices and embassies, gas and oil companies, scientific research organizations, and political activists. Kaspersky believes that its creators are Spanish-speaking and hence that it is being operated from Spain. Its victims are mainly Spanish-speaking, and it has heavily targeted Morocco and Gibraltar. More than 380 infected victims have been discovered worldwide. They were infected by simply clicking on spear-phishing mails that redirected them to websites containing software, like Adobe Flash Player, that Careto could exploit. However, the player has already been patched and can no longer be exploited by Careto. The

Lazarus Group

Introduction: Lazarus Group is a group of an unknown number of cybercriminals working under the North Korean government. They are also known as Guardians of Peace, Whois Team, Hidden Cobra (named by the USA), and Zinc (named by Microsoft). It has always been advantageous for the North Korean government to conduct cyber operations due to the asymmetric threat they pose, especially to South Korea. Various Attacks: Lazarus Group has targeted many organizations and is responsible for chaos in various countries. Some of its reported attacks are as follows: "Operation Troy", which happened between 2009 and 2012, was the earliest known attack of this group. It utilized unsophisticated distributed denial-of-service (DDoS) techniques to target the South Korean government in Seoul. During 2014, the group attacked Sony Pictures via more sophisticated techniques, indicating their advancing capabilities. Lazarus Group has also targeted banks of various countries like Vietnam, Taiwan, Ecuador,