To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.
This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.
As Microsoft signed these drivers, it allowed them to be loaded into Windows and gain the highest level of privileges in the operating system.
These drivers were used as part of a toolkit consisting of STONESTOP (loader) and POORTRY (driver) malware that disabled protected security software processes and Windows services running on the computer.
Coordinated reports from Microsoft, Mandiant, Sophos, and SentinelOne indicated that multiple threat actors used malware signed using these compromised accounts, including the Hive and Cuba ransomware operations.
Microsoft also fixed a Windows Mark of the Web zero-day vulnerability that threat actors actively exploited in malware distribution campaigns, including those for Magniber Ransomware and QBot.
Other research released this week includes:
Finally, there were also quite a few cyberattacks or information about attacks this week, but only a few were confirmed to be ransomware.
The ransomware attacks include a LockBit attack on California’s Department of Finance. the Play ransomware operation claiming the attack on the Belgium city on Antwerp, and BlackCat ransomware attack on EPM, one of the largest energy suppliers in Colombia.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @billtoulas, @FourOctets, @jorntvdw, @BleepinComputer, @DanielGallagher, @demonslay335, @malwrhunterteam, @fwosar, @Seifreed, @serghei, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @PolarToffee, @_CPResearch_, @vinopaljiri, @cybereason, @1ZRR4H, @TalosSecurity, @pcrisk, @TrendMicro, @GeeksCyber, and @Digitaleragroup
December 11th 2022
Clop ransomware uses TrueBot malware for access to networks
Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.
December 12th 2022
Play ransomware claims attack on Belgium city of Antwerp
The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgium city of Antwerp.
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. Before the advent of the modern-day internet, this behavior used to be the royal road for the proliferation of malware; because of this, to this day, it remains the textbook definition of “computer virus” (a fact dearly beloved by industry pedants, and equally resented by everyone else).
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .manw and .maos extensions.
December 13th 2022
LockBit claims attack on California’s Department of Finance
The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang.
Microsoft-signed malicious Windows drivers used in ransomware attacks
Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.
A Deep Dive into BianLian Ransomware
BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.
New STOP ransomware variant
PCrisk found a new STOP ransomware variant that appends the .matu extension.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .hebem extension and drops a ransom note named info.txt.
New Lucknite ransomware
PCrisk found a new Lucknite ransomware that appends the .lucknite extension and drops a ransom note named README.txt.
New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that appends the .xllm extension and drops a ransom note named read_it.txt.
December 14th 2022
Microsoft patches Windows zero-day used to drop ransomware
Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads.
Royal Rumble: Analysis of Royal Ransomware
The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.
Masscan Ransomware Threat Analysis – 2022 Cyber Intelligence Report
Numerous cases of ransomware damage were reported by many Korean companies in the second half of 2022. The damage is unique in its aspect, that an attacker infiltrated a database (DB) server with a vulnerable security system, distributed ransomware, encrypted the file, and added a “.masscan” string to the file extension.
New BLOCKY ransomware
PCrisk found a new Blocky ransomware that appends the .Locked extension and drops a ransom note named READ_IT.txt.
New HentaiLocker ransomware
PCrisk found a new ransomware that appends the .HENTAI extension and drops a ransom note named UNLOCKFILES.txt.
December 16th 2022
Colombian energy supplier EPM hit by BlackCat ransomware attack
Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company’s operations and taking down online services.
Agenda Ransomware Uses Rust to Target More Vital Industries
This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .btnw, .btos, and .bttu extensions.
Agenda Ransomware Uses Rust to Target More Vital Industries
This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.