LockBit ransomware evolves with advanced encryption tool
- SISA Weekly Threat Watch -
Over the past week, threat actors have been observed employing sophisticated tactics across various fronts, targeting organizations worldwide. These include Mustang Panda intensifying its attacks across Asia, LockBit ransomware signaling its evolving capabilities, UAC-0184 using steganography to deploy Remcos RAT, APT28’s exploitation of Ubiquiti EdgeRouters, and Mexican users facing tax-themed phishing campaigns distributing the TimbreStealer malware. These developments underscore the critical need for organizations to enhance their cybersecurity posture through advanced endpoint security measures, user education, threat detection, and mitigation strategies.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Mustang Panda’s cyber arsenal: Advanced DOPLUGS variant targeting Asia
Mustang Panda, a China-linked threat actor, has intensified its attacks on multiple Asian countries using a customized version of the PlugX backdoor known as DOPLUGS. The variant functions mainly as a downloader for the PlugX command module. Targets are concentrated in Taiwan and Vietnam, with secondary activity against Hong Kong, India, Japan, Malaysia, Mongolia and China. The attack chain typically begins with a spear-phishing email delivering a legitimate executable that is susceptible to DLL side-loading together with a malicious DLL; when the executable runs, it loads the attacker's DLL, which decrypts and executes the PlugX payload.
PlugX then retrieves the Poison Ivy remote access trojan or a Cobalt Strike Beacon and connects to a server under Mustang Panda's control. A new element in recent campaigns is a malicious DLL written in the Nim programming language, a sign that the group keeps adjusting its tooling while remaining highly active. Mitigations include strengthening email security, keeping systems patched, and deploying endpoint detection and response; a practical detection for the side-loading step is to alert when a signed executable loads an unsigned DLL from its own directory instead of from a system directory.
2. LockBit ransomware developing advanced encryption tool prior to takedown
A recent analysis of the latest LockBit ransomware iteration, LockBit-NG-Dev, conducted in collaboration with the UK's National Crime Agency, reveals significant changes in both development language and packing. Departing from its predecessors, this work-in-progress variant is written in .NET, compiled with CoreRT and packed with MPRESS, which compresses the binary and hides its code from static signature matching until it is unpacked in memory. LockBit-NG-Dev reads its execution parameters from a JSON configuration file; it lacks some features of earlier versions but appears close to completion.
It supports three encryption modes, a configurable list of files and directories to exclude from encryption, and a self-delete routine that removes the binary after it runs. To protect against LockBit, keep operating systems and applications patched, run phishing-awareness training for employees, enforce least-privilege user permissions, maintain offline and regularly tested backups of essential data, segment the network so that one compromised host cannot reach everything, and deploy endpoint protection that can detect packed or otherwise unusual binaries.
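The MPRESS packing mentioned above leaves a recognisable trace: the packer writes sections named .MPRESS1 and .MPRESS2 into the PE section table. The following script is added here as an illustration and is not code from the LockBit analysis; it parses the section table of a PE image and flags the well-known MPRESS and UPX section markers. The build_minimal_pe helper constructs header-only test images so the example runs offline; in practice the bytes would be read from a sample on disk. Treat a hit as a triage signal only: packing is not proof of malice, and a packer can be told to rename its sections.

```python
import struct
from typing import List, Optional

# Section names that common packers write into the PE section table. MPRESS
# uses ".MPRESS1"/".MPRESS2"; UPX uses "UPX0"/"UPX1". Both are public markers
# used by packer-detection YARA rules. A packed file is not malicious by
# itself, and a packer can rename its sections, so a hit is a triage signal.
PACKER_SECTIONS = {
    ".MPRESS1": "MPRESS",
    ".MPRESS2": "MPRESS",
    "UPX0": "UPX",
    "UPX1": "UPX",
}


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image held in memory.

    Only the DOS header, PE signature, COFF file header and section table are
    parsed; the optional header is skipped using its declared size.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(data):
        raise ValueError("COFF header is truncated")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(num_sections):
        off = table + i * 40
        raw = data[off:off + 8]              # Name field is the first 8 bytes
        if len(raw) < 8:
            raise ValueError("section table is truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def detect_packer(data: bytes) -> Optional[str]:
    """Name the packer whose section marker appears first, or None."""
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def build_minimal_pe(section_names: List[str]) -> bytes:
    """Construct a header-only PE image with the given sections.

    Constructed test input for the parser above; it is not a loadable
    executable, just enough header for the section table to be found.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0 (no optional header),
    # Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x0022)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    for sections in ([".text", ".rdata", ".data"], [".MPRESS1", ".MPRESS2"]):
        print(sections, "->", detect_packer(build_minimal_pe(sections)))
```

The parser deliberately stops at the section table: for triage you only need the names, and avoiding the optional header and data directories keeps the code robust against truncated or malformed samples, which are common in ransomware builds still under development.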
3. New IDAT loader attacks using steganography to deploy Remcos RAT
The threat group UAC-0184 has been observed using image files with a payload hidden in their pixel data (steganography) to deploy the Remcos remote access trojan (RAT) on systems of a Ukrainian organization operating in Finland, extending its targeting beyond Ukraine. The tactic, seen since early January 2024, conceals malicious code in pixel data so that signature-based detection rules, which look for known byte patterns, do not match the carrier file; analysts noted that the encoded payload produces visible distortion in the image. The chain starts when a recipient opens a phishing email attachment, which runs an executable (DockerSystem_Gzv3.exe) that in turn activates a modular malware loader named 'IDAT.'
IDAT uses code injection and evasion techniques and ultimately executes the Remcos RAT; the same loader has also been used to deliver other malware strains such as Danabot and RedLine Stealer. To mitigate such threats, organizations are advised to block or sandbox executable email attachments, enforce multi-factor authentication (MFA), patch systems regularly, and deploy threat detection that can spot anomalous process behaviour in real time, since the carrier image itself will not match file signatures.
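To make the steganography step concrete, here is an added example (not code from the IDAT loader or from the original report) showing the simplest form of the technique: a payload written into the least-significant bit of successive pixel channel bytes and read back, with a byte-pattern check that shows why a signature for the payload does not fire on the carrier. The page does not say which encoding IDAT uses, so the LSB scheme, the 4-byte length prefix and the random-byte carrier are assumptions of this example; a real carrier would be the decoded pixel buffer of the image.

```python
import random
import struct


def make_carrier(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed stand-in for raw RGB pixel data (one byte per channel).

    A real carrier would be the decoded pixel buffer of a PNG or BMP; random
    bytes are used here only so the example runs without an image library.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of successive carrier bytes.

    A 4-byte big-endian length prefix is stored first so the extractor knows
    where the payload ends. One payload bit goes into one carrier byte, so the
    carrier must hold at least 8 * (len(payload) + 4) bytes. Each channel
    value changes by at most 1, which is why the image still looks normal.
    """
    blob = struct.pack(">I", len(payload)) + payload
    needed = len(blob) * 8
    if needed > len(pixels):
        raise ValueError(f"carrier too small: need {needed} bytes, have {len(pixels)}")
    out = bytearray(pixels)
    for i in range(needed):
        bit = (blob[i >> 3] >> (7 - (i & 7))) & 1   # MSB-first within each byte
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, start: int, n_bytes: int) -> bytes:
    """Reassemble n_bytes from the LSBs of carrier bytes beginning at start."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover a payload written by embed_lsb.

    The declared length is checked against the carrier size so that a corrupt
    or hostile header cannot make the reader run past the buffer.
    """
    if len(pixels) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    (length,) = struct.unpack(">I", _read_lsb_bytes(pixels, 0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared payload length exceeds carrier")
    return _read_lsb_bytes(pixels, 32, length)


def signature_visible(container: bytes, signature: bytes) -> bool:
    """What a byte-pattern scanner sees: is the signature present as-is?"""
    return signature in container


if __name__ == "__main__":
    carrier = make_carrier(4096)
    # Constructed stand-in for a second-stage PE: an MZ stub plus filler.
    payload = b"MZ\x90\x00" + b"constructed-stage-2-bytes"
    stego = embed_lsb(carrier, payload)
    print("payload recovered :", extract_lsb(stego) == payload)
    print("MZ stub in carrier:", signature_visible(stego, b"MZ\x90\x00"))
    print("MZ stub extracted :", signature_visible(extract_lsb(stego), b"MZ\x90\x00"))
```

The takeaway for detection is where the payload becomes visible: never in the image file, only in the memory of the process that decodes it. Controls that watch for an image reader spawning or injecting into another process, or for a freshly written buffer being made executable, catch this step; scanning the PNG does not.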
4. Ubiquiti EdgeRouters attacked by Russia-sponsored APT28: FBI warns
A joint advisory from cybersecurity and intelligence agencies warns users of Ubiquiti EdgeRouter devices about the Russia-linked APT28 group, which has been operating through EdgeRouters infected with the MooBot botnet malware. Since 2022, APT28 has taken advantage of default or weak credentials on these routers to conduct covert operations across multiple sectors and countries, including staging trojanized OpenSSH binaries and collecting NT LAN Manager (NTLM) hashes harvested through exploitation of the Microsoft Outlook vulnerability CVE-2023-23397.
The group uses the compromised routers as command-and-control infrastructure for its Python-based backdoor, MASEPIE, which gives it arbitrary command execution on victim hosts. Recommended mitigations are to perform a hardware factory reset of the router, upgrade to the latest firmware, replace the default credentials (the factory ubnt account) with unique strong ones, and configure firewall rules so that remote management (SSH and the web interface) is reachable only from trusted addresses.
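The credential abuse described above shows up in the router's own SSH log, because EdgeOS runs OpenSSH and writes the standard "Accepted"/"Failed" lines. As an added example that is not part of the advisory or of EdgeOS, the script below runs simple detection logic over constructed OpenSSH auth lines: it flags any successful login to the factory ubnt account, password logins from outside an assumed management prefix, and a success that follows a run of failures from the same source. The management prefix, the threshold and the sample log lines are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Factory account on EdgeOS (ubnt/ubnt). A successful login to it from anywhere
# is worth an alert; the expected state is that the account no longer exists.
DEFAULT_ACCOUNTS = {"ubnt"}

# Address prefixes from which interactive management is expected.
# Assumed for this example; set to your own management network.
MGMT_PREFIXES = ("192.168.1.",)

# OpenSSH auth log format; EdgeOS uses OpenSSH, so lines match any Linux host.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)


def analyse(lines, fail_threshold: int = 3) -> List[Dict]:
    """Return one finding per suspicious successful login.

    Failures are counted per (source, user); a success that follows at least
    fail_threshold failures from the same source is treated as a guessed
    password. The counter resets after each success.
    """
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    findings: List[Dict] = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, src, method = m["user"], m["src"], m["method"]
        key = (src, user)
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        if user in DEFAULT_ACCOUNTS:
            reasons.append("successful login to factory default account")
        if method == "password" and not src.startswith(MGMT_PREFIXES):
            reasons.append("password login from outside the management network")
        if failures[key] >= fail_threshold:
            reasons.append(f"success after {failures[key]} failed attempts")
        if reasons:
            findings.append({"user": user, "src": src, "method": method, "reasons": reasons})
        failures[key] = 0
    return findings


# Constructed sample lines in OpenSSH's syslog format. Addresses come from
# documentation ranges; nothing here is taken from a real incident.
SAMPLE_LOG = """\
Feb 26 10:01:02 edgerouter sshd[2101]: Failed password for ubnt from 203.0.113.45 port 50110 ssh2
Feb 26 10:01:04 edgerouter sshd[2101]: Failed password for ubnt from 203.0.113.45 port 50110 ssh2
Feb 26 10:01:06 edgerouter sshd[2101]: Failed password for ubnt from 203.0.113.45 port 50110 ssh2
Feb 26 10:01:09 edgerouter sshd[2101]: Accepted password for ubnt from 203.0.113.45 port 50110 ssh2
Feb 26 10:15:00 edgerouter sshd[2230]: Accepted publickey for netadmin from 192.168.1.20 port 41222 ssh2: ED25519 SHA256:constructedfingerprint
Feb 26 10:20:00 edgerouter sshd[2300]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['user']} ({f['method']}): " + "; ".join(f["reasons"]))
```

The key-based login from the management network produces no finding, while the default-account password login from an Internet address is flagged three times over. Once management access is restricted by firewall rule and password authentication is disabled, any "Accepted password" line at all becomes a high-confidence alert.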
5. TimbreStealer malware rides on tax-themed phishing campaign
Users in Mexico are the target of tax-themed phishing campaigns distributing the newly discovered TimbreStealer malware. TimbreStealer uses sophisticated evasion: custom loaders, direct system calls that bypass the user-mode API hooks security products rely on, and the Heaven's Gate technique, which switches a 32-bit (WoW64) process into 64-bit mode so that 64-bit code runs where 32-bit monitoring tools are not looking.
The malware is geofenced: users outside Mexico are redirected to a benign PDF file, so the campaign looks harmless when analysed from another country. It performs extensive system checks and uses several methods to harvest credentials and system information, mirroring tactics seen in earlier campaigns such as Mispadu. Organizations should strengthen endpoint security, educate users about phishing, analyse suspicious links from an in-region vantage point (geofenced content cannot be assessed from elsewhere), and deploy network monitoring with anomaly detection.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.