The Halcyon Threat Research team highlights a shifting ransomware landscape in March 2024, with multiple novel and evolving threats detected across several industries. Key findings include precursor malware families such as the Monero Coin Miner Trojan and ClipBanker, a spotlight on the Akira ransomware group (double extortion, RaaS), and notable exploitation activity including CVE-2023-20269 in Cisco ASA/FTD and VMware ESXi vulnerabilities. #Akira #Monero
Keypoints
- Information Technology, Education and Manufacturing were the most targeted verticals in March 2024 (IT 32%, Education 12%, Manufacturing 11%).
- A variety of threats were detected that often precede ransomware payloads, including Monero Coin Miner Trojan and ClipBanker Trojan.
- The Monero Coin Miner Trojan fetches additional payloads from a hard-coded URL and loads them dynamically, injecting the code into other processes so that no standalone malicious file is left for traditional antivirus to scan.
- The ClipBanker Trojan targets cryptocurrency users by monitoring the Windows clipboard (swapping or stealing copied wallet data), masquerades as legitimate crypto applications, and attempts to add itself to the allowlists of defensive tools so that it is not flagged.
- Hacktool.msil/sharphound (SharpHound, the BloodHound data collector) enumerates Active Directory data such as group memberships, logon sessions and trust relationships; the output is loaded into BloodHound to map attack paths for later stages of an intrusion.
- The Akira group operates a ransomware-as-a-service written in C++, practises double extortion, has exploited Cisco ASA/FTD VPN vulnerabilities and VMware ESXi flaws, and issues ransom demands ranging from $200k to over $4M.
- Notable Akira victims include Royal College of Physicians and Surgeons, 4LEAF, and multiple other orgs across education, finance and manufacturing.
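The clipboard-swapping behaviour attributed to ClipBanker above is easy to detect from the defender's side, because a clipper must replace a copied wallet address with a different address of the same coin family almost immediately after the user copies it. The following Python is an added example written for this summary, not code from Halcyon or from the malware: it runs the heuristic over a constructed polling trace (the `Snapshot` type, the address regexes and the 2-second window are all assumptions of the example; the sample addresses are well-known public strings used only as test data).

```python
import re
from dataclasses import dataclass

# Address formats a clipper typically swaps. These regexes are an assumption for this
# example: they cover the common encodings, not every valid address type.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text):
    """Return the coin family whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class Snapshot:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents observed at that time


def detect_swaps(snapshots, window=2.0):
    """Flag clipboard changes that look like a clipper replacing an address.

    Heuristic: a wallet address replaced by a *different* address of the same coin
    family within `window` seconds of the previous change. A user rarely copies two
    different addresses of the same chain that quickly; a clipper does it within
    milliseconds of the original copy.
    """
    alerts = []
    last_change = None   # snapshot at which the clipboard content last changed
    for snap in snapshots:
        if last_change is not None and snap.text == last_change.text:
            continue         # polling saw no change
        coin = classify(snap.text)
        if last_change is not None and coin is not None:
            if (classify(last_change.text) == coin
                    and snap.t - last_change.t <= window):
                alerts.append({
                    "coin": coin,
                    "at": snap.t,
                    "original": last_change.text.strip(),
                    "replaced_with": snap.text.strip(),
                })
        last_change = snap
    return alerts


# Constructed polling trace for the example. The addresses are well-known public ones
# used purely as sample strings; the swap at 1.0 s is the behaviour a clipper produces.
SAMPLE_POLLS = [
    Snapshot(0.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),            # user copies a BTC address
    Snapshot(0.5, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),            # unchanged
    Snapshot(1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),            # silently replaced
    Snapshot(20.0, "meeting notes for Friday"),                     # ordinary text
    Snapshot(30.0, "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045"),   # user copies an ETH address
    Snapshot(60.0, "0x00000000219ab540356cBB839Cbe05303d7705Fa"),   # another ETH address 30 s later: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_POLLS):
        print(f"[{alert['coin']}] t={alert['at']}s {alert['original']} -> {alert['replaced_with']}")
```

On a live host the trace would come from polling the clipboard (for example via `ctypes` against `GetClipboardData` on Windows); the detection logic is the same. The window is the tuning knob: too short misses slow clippers, too long starts flagging users who genuinely paste several addresses in a row.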
MITRE Techniques
- [T1105] Ingress Tool Transfer – “This Trojan connects to the URL hXXp://185.172.128.11/zima.php?mine=XMR to download and execute additional payloads through a dynamic loading that injects code into other processes, allowing it to evade detection by traditional antivirus products.”
- [T1055] Process Injection – “This Trojan also injects PE files into other processes, which can be used to execute arbitrary code on the infected system.”
- [T1027] Obfuscated Files and Information – “encrypting its communications and payloads using AES (Advanced Encryption Standard)”
- [T1036] Masquerading – “masquerading as legitimate cryptocurrency applications or being installed via Trojan droppers.”
- [T1115] Clipboard Data – “monitors the Windows clipboard for manipulating or stealing data, including currency-related information.”
- [T1033] System Owner/User Discovery – “SharpHound is designed to collect various types of data from an AD environment, such as group memberships, session information, and trust relationships.” The session data is what maps to T1033; the trust enumeration corresponds to [T1482] Domain Trust Discovery.
- [T1069.002] Permission Groups Discovery: Domain Groups – “group memberships” in the AD context described by SharpHound.
- [T1203] Exploitation for Client Execution – “Trojan.installcore … automate the detection and exploitation of command injection vulnerabilities. It is typically leveraged to install other malware variants often employed in click-fraud schemes.”
- [T1056.001] Keylogging – “Trojan.convagent … recording user keystrokes, collecting information about infected devices, and possibly allowing remote access.”
- [T1210] Exploitation of Remote Services – “exploiting VMware ESXi vulnerabilities for lateral movement.”
- [T1110] Brute Force – “exploiting a zero-day in Cisco’s ASA and FTD software (CVE-2023-20269) in brute-force attacks since at least August.” (August 2023. The flaw lets an unauthenticated remote attacker run credential brute-force attempts against the remote access VPN.)
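Because CVE-2023-20269 is used for credential brute force rather than code execution, the visible trace on an ASA is a burst of rejected VPN logins from one source, which the device reports as syslog messages 113005 (AAA server) and 113015 (local database). The Python below is an added example for this summary, not code from Halcyon or Cisco: it parses lines in the shape of those messages and applies a per-source-IP sliding window. The sample lines are constructed, and the 60-second window and threshold of five rejections are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Timestamp prefix as ASA writes it with `logging timestamp` enabled, e.g.
# "Sep 12 2023 10:15:01: %ASA-6-113005: ...".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})")

# 113005 (AAA server) and 113015 (local database) both report a rejected VPN login.
REJECT_RE = re.compile(
    r"%ASA-6-1130(?:05|15): AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"(?:server = (?P<server>\S+)|local database) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_reject(line):
    """Return {ts, user, ip, reason} for a rejected-authentication line, else None."""
    m_ts = TS_RE.match(line)
    m_ev = REJECT_RE.search(line)
    if not (m_ts and m_ev):
        return None
    return {
        "ts": datetime.strptime(m_ts.group("ts"), "%b %d %Y %H:%M:%S"),
        "user": m_ev.group("user"),
        "ip": m_ev.group("ip"),
        "reason": m_ev.group("reason").strip(),
    }


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Sliding-window count of rejected logins per source IP.

    An IP with >= threshold rejections inside window_seconds is reported once, with
    the latest window's figures. distinct_users > 1 separates password spraying
    across accounts from a single account being hammered.
    """
    recent = defaultdict(deque)   # ip -> rejections inside the current window
    alerts = {}
    for line in lines:
        ev = parse_reject(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = {
                "ip": ev["ip"],
                "count": len(q),
                "distinct_users": len({e["user"] for e in q}),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
            }
    return list(alerts.values())


# Constructed sample lines in the shape of the 113005/113015 messages. 203.0.113.7 works
# through several accounts in half a minute; 198.51.100.20 is a single mistyped password.
SAMPLE_LOG = """
Sep 12 2023 10:15:01: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Sep 12 2023 10:15:04: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Sep 12 2023 10:15:09: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vpnuser : user IP = 203.0.113.7
Sep 12 2023 10:15:15: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7
Sep 12 2023 10:15:22: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Sep 12 2023 10:15:30: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.7
Sep 12 2023 10:16:10: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mkhan : user IP = 198.51.100.20
Sep 12 2023 10:16:12: %ASA-6-113012: AAA user authentication Successful : server = 10.0.0.5 : user = mkhan
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['count']} rejections, "
              f"{alert['distinct_users']} accounts, {alert['first']} .. {alert['last']}")
```

The detector keys on the `user IP` field rather than the username, since the spraying pattern in the sample (many accounts, one source) would never trip a per-account lockout. Run it over syslog exported from the ASA, or feed the same logic to a SIEM rule.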
Indicators of Compromise
- [IP] 185.172.128.11 – payload download server contacted by the Monero Coin Miner Trojan (observed as network activity).
- [URL] hXXp://185.172.128.11/zima.php?mine=XMR – URL the Monero Coin Miner Trojan requests to fetch additional payloads (observed as network activity).
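To put the two indicators above to work, the Python below (an added example for this summary, not Halcyon's tooling) refangs the published IOCs and scans proxy log lines for three things: the exact URL, any request to the IOC host, and, as a heuristic that is an assumption of this example rather than an indicator from the report, a `mine=XMR` query parameter of the same shape as the miner's check-in. The log lines and the `epoch src_ip method url status bytes` layout are constructed; 203.0.113.44 is a documentation address standing in for a host not yet on any list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators as published (defanged). They stay defanged in source so they are not
# clickable; refang() converts them at load time.
DEFANGED_IOCS = {
    "hosts": ["185.172.128.11"],
    "urls": ["hXXp://185.172.128.11/zima.php?mine=XMR"],
}


def refang(indicator):
    """Undo the usual defanging conventions: hXXp -> http, [.] / (.) -> '.'."""
    indicator = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return indicator.replace("[.]", ".").replace("(.)", ".")


IOC_HOSTS = {refang(h) for h in DEFANGED_IOCS["hosts"]}
IOC_URLS = {refang(u) for u in DEFANGED_IOCS["urls"]}


def analyse_url(url):
    """Return the list of reasons a URL is suspicious (empty if clean)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if url in IOC_URLS:
        reasons.append("exact IOC URL")
    if host in IOC_HOSTS:
        reasons.append("IOC host")
    # Heuristic (an assumption for this example, not an indicator from the report):
    # a 'mine=XMR' query parameter matches the shape of the miner's check-in and is
    # worth flagging even on hosts that are not on the IOC list yet.
    if parse_qs(parts.query).get("mine", [""])[0].upper() == "XMR":
        reasons.append("miner-style query (mine=XMR)")
    return reasons


def scan_proxy_log(lines):
    """Scan 'epoch src_ip method url status bytes' proxy lines; return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, src, _method, url = fields[:4]
        reasons = analyse_url(url)
        if reasons:
            hits.append({"ts": ts, "src": src, "url": url, "reasons": reasons})
    return hits


# Constructed proxy log for the example. The second request from 10.1.2.3 shows why
# matching on the host matters: a follow-on download has a different path.
SAMPLE_PROXY_LOG = """
1711000000.123 10.1.2.3 GET http://185.172.128.11/zima.php?mine=XMR 200 5120
1711000001.456 10.1.2.9 GET http://example.com/index.html 200 2048
1711000002.789 10.1.2.3 GET http://185.172.128.11/stage2.bin 200 81920
1711000003.000 10.1.2.50 GET http://203.0.113.44/pool.php?mine=XMR&w=1 200 400
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["src"], hit["url"], "->", ", ".join(hit["reasons"]))
```

Host-level matching is the one to keep after the specific path stops being used; the query heuristic will need a false-positive review in any environment where `mine` is a legitimate parameter name.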
Read more: https://www.halcyon.ai/blog/halcyon-threat-insights-003-march-2024