Here is an overview of how malware and ransomware campaigns improvised and innovated to victimize more people last month

For the month of July 2022, Securonix Threat Labs has reported some top cyber threats felt to be of note in the major threat categories of campaigns, malware and ransomware.

Mobile malware active during the month had targeted both Android and iOS users: Revive, an Android malware targeting bank accounts in Spain by imitating a bank’s 2FA application, followed by a smishing campaign by the Roaming Mantis Group that targeted Android and iOS users in France. 

Two different malware campaigns named Autolycos and HiddenAds have impacted more than 4m Android usersA new dropper-as-a-service (DaaS) model, which uses DawDropper, a malicious dropper with variants that dropped four banking Trojans, has also be identified.

In total, 4,005 Indicators Of Compromise, 115 distinct threats, 87 threat detections have been detected.

July threat campaigns

Major threat campaigns active in July 2022
Campaign Description
Luna Moth or TG2729 Luna Moth or TG2729 is a new ransomware group operating since the end of March 2022. The group follows a double extortion attack method. The group has masquerades online training websites to dupe subscribers.
Hagga Threat Actor Hagga operated a backend MySQL database server linked from an Agent Tesla C2 server and hosted on dedicated leased providers. Additionally C2s have been identified hosting the Mana Tool C2 panel.
AiTM A massive phishing campaign that used adversary-in-the-middle phishing sites: hackers stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multi factor-authentication (MFA). The attackers used the stolen credentials and session cookies to access victim mailboxes and perform follow-on business email compromise campaigns against other targets.
Threat actor APT29/Cloaked Ursa Russian APT group APT29 is leveraging trusted online storage services, including DropBox and Google Drive to deliver malware to businesses and government agencies to exfiltrate data and spread malware and dangerous tools. This method makes their attacks extremely difficult or even impossible to identify and prevent.
Red-teaming tools The red-teaming tool Brute Ratel C4 has been abused by cyber actors, mostly targeting large virtual private server hosting providers in several countries and regions. In this campaign, the bad guys are leveraging APT29 techniques, but attribution is not conclusive.
STIFF#BIZON The newly active phishing campaign tracked as STIFF#BIZON, also attributed to North Korean actor APT37, is targeting high-value organizations in the Czech Republic, Poland, and other nations in Europe. The hackers used remote access trojan Konni malware capable of establishing persistence and performing privilege escalation on the host.

Top malware in July

Securonix Threat Labs has continued to monitor top malware activities that are targeting government, education, and telecommunication sectors. The attackers used various backdoors and malware such as BumbleBee Loader, Vsingle Malware, Orbit Malware, and YamaBot malware with different TTPs.

Top malware activities in July 2022
BumbleBee This recently discovered malware loader has been found to be connected to a number of noticeable ransomware groups and has been a key component of many cyberattacks. The tool has links to threat groups such as Conti, Quantum and Mountlocker.
Vsingle In a recent campaign Lazarus group had been using the updated version of Vsingle malware that can retrieve C2 servers information from GitHub. VSingle generally has two versions, one targeting Windows OS and the other targeting Linux OS
Orbit malware This new malware steals data and can affect all processes running on the Linux OS. It has advanced evasive techniques and gains persistence by hooking key functions such as remote access capabilities over SSH, harvesting credentials.
YamaBot malware YamaBot malware The Lazarus group has been quite active in recent months and this month they have chosen to deploy a YamaBot on its target. YamaBot is written in the Golang language, and targets Linux OS and Windows OS or both.
SmokeLoader malware A new version of Amadey Bot was being installed by SmokeLoader malware in a recent campaign. The malware impersonates as software cracking tools and serial-number generation programs. The software targeted are Mikrotik Router Management Program Winbox, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP.
Lightning Framework malware This new undetected malware targets Linux systems and can be used to backdoor infected devices using SSH and deploy rootkits to cover the attackers’ paths. It has both active and passive capabilities for communication with threat actors. The malware opens SSH on an infected machine and supports mixed adaptable command-and-control configuration.

Top 4 ransomware in July

Ransomware attacks were on the rise and continued to be a disruptive force in the cybersecurity industry.

Campaigns involving major ransomware
Maui The CISA, FBI and Treasury shared information on Maui ransomware, which has been used by North Korea state-sponsored hackers to attack healthcare organizations across the US since May 2021. The ransomware (maui.exe) appears to be designed for manual execution by a remote actor using a command-line interface to identify files to encrypt.
H0lyGh0st /DEV-0530 H0lyGh0st ransomware is an infection that came out last year but has reached a new attack strategy right now. The payload has been used by a North-Korean named “DEV-0530”. DEV-0530 has leveraged H0lyGh0st ransomware under two malware families known as SiennaPurple and SiennaBlue.
Everest This ransomware group has been active for quite a while now. Researchers have analyzed the ransomware’s binary and identified new tactics, techniques, and procedures. Moreover, researchers also attributed the sample to the BlackByte ransomware group.
LockBit LockBit LockBit ransomware was first detected in September 2019 and the group has since released multiple variants. The operators behind the LockBit follow the RaaS model. This month Securonix Threat Labs tracked two new variants: LockBit 2.0 and LockBit 3.0 (LockBit Black).

LockBit 2.0 can spread quickly using its own malware and tools to launch its attacks. The initial infection vector was a misconfigured service, specifically a publicly available RDP port to deliver LockBit 2.0.

Lockbit 3.0 code shows similarities between the new version and samples related to ransomware families like BlackMatter and DarkSide, which suggest possible correlation between these threat groups.

Moreover, the operators of LockBit 3.0 have introduced new management features for affiliates and added Zcash for victim payments in addition to Monero and Bitcoin.