
GLOBAL THREAT INTELLIGENCE REPORT

DELIVERING ACTIONABLE AND CONTEXTUALIZED INTELLIGENCE TO INCREASE CYBER RESILIENCE

2023 APRIL EDITION

Reporting Period: December 2022 to February 2023


CONTENTS

5  The Last 90 Days in Numbers
   Total Numbers of Attacks and Unique Malware Hashes
   Geography of Attacks
   Most Targeted Industries by Number of Attacks

9  Types of Malware Used in Attacks During this Reporting Period
   Windows
     Droppers/Downloaders: Emotet, PrivateLoader, SmokeLoader
     Infostealers: XLoader (aka Formbook), RaccoonStealer, RedLine, IcedID
     Remote Access Trojans and Backdoors: Warzone/AveMaria, DarkCrystal/DCRat, AgentTesla, AsyncRAT
     Ransomware: Royal, BlackBasta, BlackCat
   macOS/OSX: Trojans/Downloaders, Adware, Cross-Platform Malware
   Linux: CryptoMiners

15 Industry-Specific Attacks
   Healthcare: Top Healthcare Threats
   Financial
   Government/Public Entities
   Manufacturing: Top Manufacturing Threats, Wider Manufacturing Threat Landscape
   Energy: Top Energy Threats, Wider Energy Threat Landscape

20 Notable Threat Actors and Weapons
   APT28/Sofacy, Tsunami/Linux Backdoor, XORDDoS Linux Malware, PlugX, Meterpreter, RedLine, SEO Poisoning

22 Most Sound Attacks
   ESXiArgs Ransomware Knocks Out Unpatched VMware ESXi Linux Servers Worldwide
   DarkBit Ransomware Targets Israel with Command-Line Options and Optimized Encryption Routines
   Previously Unknown Threat Actor NewsPenguin Targets Pakistan with Advanced Espionage Tool
   Gamaredon Targets Ukrainian Organizations with Telegram
   BlindEagle Targets Colombia's Judiciary, Financial, Public, and Law Enforcement
   Other Notable Attacks: BlackCat Gang Targets Irish University, LockBit, Abuse of Microsoft OneNote

26 Common MITRE Techniques

27 Detection Techniques
   Sigma Rule: Creation of an Executable by an Executable
   Sigma Rule: Wow6432Node CurrentVersion Autorun Keys Modification
   Sigma Rule: Disable Microsoft Defender Firewall via Registry
   Additional Threat Behaviors: Process: cmd.exe, Process: cvtres.exe, Process: AutoIt3.exe

31 Forecasts
   Revisiting Our Forecasts
   New and Updated Forecasts: Continued Increase in Cyberattacks Against Ukraine, Abuse of ChatGPT by Cyber Criminals, Supply Chain Attacks Will Remain a Threat

33 Conclusion

34 Resources
   Public Indicators of Compromise
   Public Rules
   Common MITRE Techniques
   MITRE D3FEND Countermeasures

35 References

The information contained in this report is intended for educational purposes only. BlackBerry does not guarantee or take responsibility for the accuracy, completeness and reliability of any third-party statements or research referenced herein. The analysis expressed in this report reflects the current understanding of available information by our research analysts and may be subject to change as additional information is made known to us. Readers are responsible for exercising their own due diligence when applying this information to their private and professional lives. BlackBerry does not condone any malicious use or misuse of the information presented in this report.

INTRODUCTION

At BlackBerry, we recognize that in today's world, security leaders must expand their focus beyond technologies and their vulnerabilities. To effectively manage risk, security leaders must continually analyze the global threat landscape and understand how business decisions can influence their organization's threat profile. Similarly, business leaders require awareness of how security posture, risk exposure, and cyber defense strategy can affect their business operations.

Through the BlackBerry Global Threat Intelligence Report and our professional CylanceINTELLIGENCE™ subscription service, modern leaders can have timely access to this important information. Based on the telemetry obtained from our own artificial intelligence (AI)-driven products and analytical capabilities, and complemented by other public and private intelligence sources, our global BlackBerry Threat Research and Intelligence team provides actionable intelligence about attacks, threat actors, and campaigns so that you can make well-informed decisions and take prompt, effective actions.

Key highlights of this report include:

90 days by the numbers. From December 2022 to February 2023, we observed up to 12 attacks per minute, and the number of unique attacks using new malware samples skyrocketed by 50 percent—from one per minute in the previous report to 1.5 per minute during this reporting period.

Top ten countries experiencing cyberattacks during this period. The U.S. remains the country with the highest number of stopped attacks. However, the threat landscape has changed and Brazil is now the second most-targeted country, followed by Canada and Japan. Singapore entered the top 10 for the first time.

Most targeted industries by number of attacks. According to BlackBerry telemetry, customers in the financial, healthcare services, and food and staples retailing industries received 60 percent of all malware-based cyberattacks.

Most common weapons. Droppers, downloaders, remote access tools (RATs), and ransomware were most frequently used. Here's a preview: In this period, BlackBerry observed a targeted attack using Warzone RAT against a Taiwanese semiconductor manufacturer; cybercriminal groups using AgentTesla and RedLine infostealer; and widened use of BlackCat ransomware.

Industry-specific attacks. The healthcare industry faced a significant number of cyberattacks during this period, with Cylance Endpoint Security preventing an average of 59 new malicious samples every day, including an increasing number of new Emotet samples. In the last 90 days, financial institutions worldwide protected by BlackBerry technologies blocked more than 231,000 attacks including up to 34 unique malware samples per day. Additionally, this report dives deep into attacks against government entities, manufacturing, and critical infrastructure, key sectors that are often targeted by sophisticated and sometimes state-sponsored threat actors engaged in espionage and intellectual property campaigns. However, as we reveal in this report, crimeware and commodity malware are also often found in these critical industries.

The report also covers notable threat actors and weapons, most sound attacks, and—most importantly—actionable defensive countermeasures in the form of MITRE ATT&CK and MITRE D3FEND mappings deployed during this period. Finally, we offer an analysis of the forecasting accuracy of our previous report and a list of insightful key takeaways based on the events of the past months.

We hope that you will value all the detailed and actionable data presented in this edition. Once again, I would like to express my gratitude to the authors, the highly skilled global researchers on the BlackBerry Threat Research and Intelligence team. Their ongoing efforts to produce cutting-edge research empower us to continuously improve BlackBerry's data- and Cylance AI-driven products and services.

Ismael Valenzuela

Vice President, Threat Research & Intelligence at BlackBerry

@aboutsecurity

The data in this report was produced by BlackBerry Cybersecurity telemetry and is the property of BlackBerry Limited.

BlackBerry Cybersecurity Threat Intelligence Authors:

Dmitry Bestuzhev

Dean Given

Jacob Faires

Geoff O'Rourke

Jose Luis Sanchez

Eoin Healy

Pratima Lohar

Pedro Drimel

Anuj Soni

Tony O'Regan

Rory O'Callaghan

Hamed Al Rajhi

Patryk Matysik

Markson Leite

THE LAST 90 DAYS IN NUMBERS

TOTAL NUMBERS OF ATTACKS AND UNIQUE MALWARE HASHES

From December 2022 to February 2023, Cylance® Endpoint Security solutions by BlackBerry stopped 1,578,733 malware-based cyberattacks. On average, threat actors deployed approximately 17,738 malicious samples per day against customers protected by our technologies, for an average of approximately 12 attacks every minute.

These threats included 200,454 new unique malware samples that differ from previously seen threats. This translates to an average of approximately 2,252 novel samples per day, or roughly 1.5 new samples per minute. This represents a 50 percent increase from the previous reporting period's average of one unique sample per minute.

The following graph shows the dynamics of cyberattacks that Cylance Endpoint Security solutions prevented from December 2022 to February 2023. The dip in week 4—which was the last week in December—is likely attributable to end-of-year holidays, and the sharp rise in week 5 corresponds with the dates that people typically return to work in the new year.

[Chart: Dynamics of Prevented Attacks, December 2022 to February 2023. Y-axis: 0 to 250,000; X-axis: weeks 1 to 13; series: Attacks Stopped, Unique Hashes.]

Figure 1: Cyberattacks prevented by BlackBerry per week during this reporting period.

GEOGRAPHY OF ATTACKS

Generally, countries with greater Internet penetration, economy, and population experience the most threats. Our telemetry shows that threat actors during this period have focused most in the following countries around the world.

[Map: Countries with Most Cyberattacks Stopped. Callout: USA was the most targeted during this period.]

Figure 2: Countries with the most cyberattacks stopped are represented by red and blue.

Figure 3 shows the ten countries where Cylance Endpoint Security solutions prevented the most cyberattacks. As in the previous reporting period, BlackBerry prevented the greatest number of attacks in the United States. Changes include Brazil's rise to become the second most-targeted country, followed by Canada and Japan (which was the second most-targeted country in our previous report) in third and fourth positions. This is also the first time that Singapore has placed in the top ten most-targeted countries.

[Chart: Top 10 Countries that Experienced Cyberattacks.]

Figure 3: Top ten countries where BlackBerry clients were targeted by cyberattacks.

Figure 4 shows the countries where BlackBerry clients were most frequently attacked with unique malicious samples. Entering at tenth position, this is Hong Kong's first appearance on this list.

[Chart: Top 10 Countries where Unique Malware Samples were Used.]

Figure 4: Top ten countries where unique malicious samples were used in cyberattacks against BlackBerry-protected devices.


MOST TARGETED INDUSTRIES BY NUMBER OF ATTACKS

The top three industries that Cylance Endpoint Security solutions protected during this reporting period are:

Financial institutions

Healthcare services and equipment, including hospitals, clinics, and medical devices

Food and staples retailing, which includes supermarkets, drug stores, and companies that sell food products to other businesses

Those three industries account for 60 percent of cyberattacks against BlackBerry clients.

[Chart: Most Targeted Industries.]

Figure 5: Top industries attacked during this reporting period.

TYPES OF MALWARE USED IN ATTACKS DURING THIS REPORTING PERIOD

The most widespread and interesting malware families identified this reporting period are organized by operating system (OS) below. It's important to note that even though Microsoft® Windows® is still the most attacked OS, its users may be somewhat better prepared to face malware attacks than others, who may incorrectly believe that their alternative OS is immune to cyberattacks.

However, BlackBerry telemetry data shows that macOS®, Linux®, and mobile users are also frequently attacked: no platforms are immune from infection.

WINDOWS

As noted above, while malware can run on any OS, Windows remains the most attacked. Reasons include its popularity, the wide range of documentation available for developers, and many years of cumulative experience attacking the OS in the cybercriminal community, where tips and tricks are frequently shared in forums. Here are the top prevalent Windows threats recorded by BlackBerry telemetry.

Droppers/Downloaders

Downloaders lure victims to open files that download malware. The files frequently pose as legitimate digital documents or executables.

Emotet

Emotet is modular malware that began as a banking Trojan in 2014. After surviving several self-imposed exiles and a law-enforcement takedown, Emotet reemerged at the end of 2022 and was frequently used in attacks during this reporting period. Emotet's functionality and usage have evolved over time, and it now serves as a botnet-operated dropper and delivery mechanism for additional malware such as Cobalt Strike Beacon, IcedID, QBot, Trickbot, and ransomware including Ryuk and BlackCat. Emotet is primarily spread through spam email and weaponized Microsoft® Word and Excel® documents, and can send a copy of itself to everyone in a victim's contact list.

EMOTET SERVES AS A BOTNET-OPERATED DROPPER AND DELIVERY MECHANISM FOR ADDITIONAL MALWARE.

PrivateLoader

PrivateLoader is a relatively new downloader first spotted in the wild in 2021. It is modular in nature, contains anti-analysis functionality, and can gather and send information and metadata about an infected host to a command-and-control (C2) server. PrivateLoader's primary purpose is to deliver and detonate additional malware payloads. It also has been observed distributing an array[1] of commodity malware including SmokeLoader, RaccoonStealer, RedLine, Vidar, and others. Multiple instances of PrivateLoader were observed downloading RedLine in many campaigns across a wide range of industries.

SmokeLoader

SmokeLoader, which was first discovered in 2011, has undergone several iterations and remains a prominent threat used to load everything from cryptominers, ransomware, and Trojans to point-of-sale (POS) malware onto infected systems. Earlier versions of this malware were sold in underground forums under the name SmokeLdr, but since 2014 it has only been sold to Russian-based threat actors. In 2018, SmokeLoader was the first malware to use the PROPagate code injection[2] technique. The malware can be distributed through a wide range of attack vectors, including malicious documents related to large-scale mass phishing campaigns. In July 2022, the BlackBerry Threat Research and Intelligence team observed SmokeLoader distributing a new version of Amadey Bot. During this attack, SmokeLoader was hidden in "cracked" software (aka "cracks") and key-generation tools (aka "keygens") for popular software applications. The threat actor behind the campaign relied on black-hat SEO techniques[3] (aka SEO poisoning) to ensure that their malware sites appeared at or near the top of related search engine results to entice people seeking cracked files to download and run the malicious executable.

Because some antivirus solutions may block cracks and keygens, some people intentionally disable their security products before downloading these files or ignore detection alerts and proceed with the download. As a result, even widely detected threats can infect systems when a victim explicitly allows the download and execution of malware.

IN JULY 2022, SMOKELOADER DISTRIBUTED A NEW VERSION OF AMADEY BOT. DURING THIS ATTACK, SMOKELOADER WAS HIDDEN IN "CRACKED" SOFTWARE AND KEY-GENERATION TOOLS FOR POPULAR SOFTWARE APPLICATIONS.

Infostealers

Infostealers gather information from a victim's machine and deliver it to an attacker. Here are some of the most active infostealers during this reporting period.

XLoader (aka Formbook)

Formbook was initially named Babushka Crypter. After being shut down in 2020 by its apparent author, FormBook was rebranded as XLoader. Strains of the malware were then heavily abused as commodity malware in Q1 2023 and sold as malware-as-a-service (MaaS) in underground forums. The malware contains common features such as keylogging and screen capture. Formbook attempts to avoid detection by utilizing a RunPE and process-hollowing technique similar to another noted commodity malware called LokiBot.

RaccoonStealer

RaccoonStealer is typically distributed as MaaS and available at prices starting around $75 USD per week or $200 USD per month. RaccoonStealer's core functionality is to steal passwords, cookies, and cryptocurrency wallets from the victim's host system. The RaccoonStealer attack chain often begins through downloading a Trojanized RAR archive. In March 2022, the threat actors behind RaccoonStealer announced the suspension of its development because one of its developers allegedly died in the Russia-Ukraine conflict. After a short hiatus, a new version[4] dubbed RaccoonStealer 2.0 was announced in hacking forums in June 2022. RaccoonStealer 2.0 was reportedly developed from scratch and uses a new infrastructure.

RedLine

RedLine exfiltrates data including passwords and credit card information from browsers, file transfer protocol (FTP), and instant messaging (IM) applications; gathers a list of installed applications (including security software) that may be sent back to the attacker; and enables attackers to execute other commands, such as uploading and downloading additional files. RedLine is sold on underground dark markets and hacking forums for as little as $100 to $150 USD as either a standalone or a subscription-based model. In this reporting period, both PrivateLoader and the Amadey botnet were observed dropping RedLine.

IcedID

The banking Trojan IcedID—also known as BokBot—was first discovered in 2017. IcedID has capabilities similar to the legacy Zeus (aka Zbot) and Dridex infostealer malware. This malware is often initially deployed as a second-stage dropper that deploys additional commodity malware on the victim's device. The threat actor Shatak (TA551[5]) has been observed[6] using IcedID as MaaS, and has demonstrated a willingness to work with other commodity malware creators and threat actors.

REDLINE IS SOLD ON UNDERGROUND DARK MARKETS AND HACKING FORUMS FOR AS LITTLE AS $100 TO $150 USD AS EITHER A STANDALONE OR A SUBSCRIPTION-BASED MODEL.

Remote Access Trojans and Backdoors

The following remote access Trojans (RATs) were observed in this reporting period.

Warzone/AveMaria

Warzone (aka AveMaria) RAT is available for sale on underground and above-ground forums. Warzone's comprehensive features include keylogging, process manipulation, command execution, password scraping, webcam access, reverse proxy configuration, and support for downloading and executing additional files or malware.

Warzone offers two tiers of pricing: an initial subscription to the basic RAT builder that begins at $22.95 USD per month, and a higher-priced premium version. Designed to appeal to novice threat actors, the premium version offers advanced features such as a rootkit, hidden process capability, premium dynamic DNS (DDNS), and customer support for approximately $800 USD for a three-month subscription.

This commodity malware has no specific targets and is used by various threat actors and cyber groups. Last quarter, Warzone was deployed in a campaign solely focused on Taiwanese semiconductor manufacturers and delivered via malicious .RAR file attachments.

DarkCrystal/DCRat

DarkCrystal (also known as DCRat) was first released in 2018 and is one of the cheapest .NET backdoors available, with prices ranging from around $5 USD for a two-month license, up to $40 USD for a "lifetime" license (which typically means the lifetime of the threat group).

An embedded configuration file dictates which features are enabled on execution, which may include but are not limited to screenshots, keylogging, and stealing cookies and passwords from web browsers and clipboards. The Computer Emergency Response Team of Ukraine (CERT-UA) observed[7] DarkCrystal targeting Ukraine during the Russian-Ukraine conflict.

AgentTesla

This .NET RAT was first observed in 2014 and is often sold in underground forums as part of MaaS offerings. The malware can capture keystrokes, take screenshots, and scrape credentials from more than 60 commonly used applications including Microsoft® Outlook®, Firefox®, Chrome™, and Opera®. AgentTesla is typically delivered through malicious and weaponized documents and uses multiple anti-analysis and anti-detection techniques.

The RAT unpacks itself in several layers and uses steganography to hide data in ordinary-looking files or messages before deploying its final payload.

AsyncRAT

This open-source RAT is freely available[8] on GitHub, where anyone can access its source code and modify it to meet their needs. AsyncRAT relies on the freely available StealerLib plugin to steal passwords from web browsers and applications. Other features include screen viewing and recording, upload and download capabilities using Secure File Transfer Protocol (SFTP), keylogging, and more. AsyncRAT's anti-analysis and anti-detection techniques include server obfuscation. The threat group TA2541 has weaponized AsyncRAT[9] in their attacks on the aviation industry.

Ransomware

Royal

Royal is a relatively new ransomware strain that first appeared in the wild in September 2022 and is thought to include members of the old Conti ransomware group. Royal targets Windows, Linux, and VMware® ESXi servers. The malware was initially distributed[10] via malvertising and phishing callback (a scheme in which phishing lures contain a callback number for users to call that entices them to install malicious software). Last December, Royal's operators took responsibility for an attack[11] on England's famous Silverstone Formula One racetrack.

BlackBasta

BlackBasta is a relatively new ransomware group operating as a ransomware-as-a-service (RaaS) that was first spotted in April 2022. It employs a double-extortion technique, demanding ransom to decrypt company data and extorting additional fees to keep the data from being leaked to the public.

BlackBasta uses tools like Qakbot (aka Qbot) and the PrintNightmare (CVE-2021-34527[12]) exploit in its attacks, and encrypts victim data with a combination of ChaCha20 and RSA-4096. BlackBasta's infection chain differs from target to target, and it encrypts data faster than other ransomware groups. Some of BlackBasta's behaviors are similar to malware previously produced by the Conti group.

BlackCat

BlackCat ransomware, which first appeared in the wild in November 2021, was the first major ransomware family authored in the Rust programming language. (As detailed in this report, Rust delivers more flexibility for threat actors to cross-compile binaries that target all major operating systems, widening its reach of potential targets and systems.) The group has used the Emotet botnet to deliver a ransomware payload.

After a foothold is established, a Cobalt Strike beacon is deployed to allow the threat actors to move deeper within the target network.

BlackCat has been prolific since its inception, targeting numerous high-profile victims and using double and even triple-extortion methods. According to a 2022 FBI advisory[13], BlackCat ransomware affiliates are potentially linked to two older threat groups: DarkSide and BlackMatter. BlackCat made headlines in February 2023 after an attack on Munster Technological University in Ireland.

MACOS/OSX

Because Apple macOS is used less often in corporate environments than Windows or Linux, it's less frequently targeted with malware. However, while many believe that macOS devices are "safer" than their Windows or Linux counterparts, macOS malware is a growing threat that must be monitored. This section discusses categories of macOS malware observed across BlackBerry customer environments.

Trojans/Downloaders

The UpdateAgent Trojan (also known as WizardUpdate) targets macOS computers and first appeared in enterprise networks in 2020. This malware downloads and deploys additional payloads. Although the most common payload is adware, the initial loader could be used to download and execute more malicious code.

UpdateAgent is concerning because it can circumvent Gatekeeper controls, a macOS security feature designed to prevent untrusted apps from running.

Adware

Adware is sometimes viewed as merely a nuisance, but it can be far more damaging. Displaying the unwanted ads relies on malicious behaviors, including monitoring user activity, communicating with a server, and downloading additional data or code. For example, the UpdateAgent Trojan deploys the aggressive adware AdLoad. We prevented numerous AdLoad infections among our customers who use macOS devices during this reporting period.

We also identified the continued use of Pirrit adware. This malware downloads and launches scripts and additional Mach object file format (Mach-O) executables on the compromised machine, which could be used to execute more dangerous code.

Cross-Platform Malware

With the emergence of cross-platform programming languages like Rust and Golang (aka "Go"), threat actors can develop malware and compile the same code base for multiple operating systems, including macOS. This reduces the marginal cost of targeting non-Windows operating systems. During this reporting period, we observed malware affecting Mac® devices written in Golang only used to launch adware, but we anticipate cross-platform malware for Mac will have more ambitious goals in the future.

LINUX

Linux's popularity continues to grow. Up to 90 percent of public cloud services[14] run on Linux, and a significant number of businesses are migrating or planning a migration to cloud services. In addition, Linux is commonly used in the Internet of Things (IoT). Because Linux is not a common desktop OS in businesses, most infections rely on techniques such as brute-force attacks or exploiting network and server vulnerabilities instead of encouraging users to open an infected attachment.

For these reasons, organizations that rely on Linux infrastructure require a comprehensive vulnerability management program to protect their servers.

During this reporting period, BlackBerry telemetry uncovered multiple Linux attacks attempting to deploy cryptominers that, in addition to consuming system resources, can allow the deployment of other malware such as backdoors that allow criminals remote system access.

The reporting period also included an increase in cross-platform ransomware that can target multiple operating systems. For example, the new Royal ransomware can target Linux as well as Windows and ESXi systems.
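The Linux section above notes that most Linux infections start with brute-force attacks against exposed services rather than with a user opening an attachment, and that cryptominer campaigns in particular go after SSH servers with weak passwords. The script below is an added detection example written for this page; it is not BlackBerry's code and not taken from the report. It parses OpenSSH auth-log lines in the standard syslog format, counts failed password logins per source address inside a sliding time window, and raises a higher-severity finding when a source that was already brute-forcing then succeeds with a password, which is the outcome such a campaign is after. The log lines are constructed for the example (RFC 5737 documentation addresses), the host name `web01` and the user names are made up, and the year 2023 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth-log lines (syslog format); not real telemetry.
# 198.51.100.23 hammers root with passwords and finally gets in;
# 203.0.113.9 is a legitimate user who mistyped once, then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan 14 02:11:03 web01 sshd[2201]: Failed password for root from 198.51.100.23 port 51122 ssh2
Jan 14 02:11:05 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51130 ssh2
Jan 14 02:11:07 web01 sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51138 ssh2
Jan 14 02:11:09 web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51144 ssh2
Jan 14 02:11:12 web01 sshd[2209]: Failed password for root from 198.51.100.23 port 51150 ssh2
Jan 14 02:11:14 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 51156 ssh2
Jan 14 02:11:16 web01 sshd[2213]: Accepted password for root from 198.51.100.23 port 51160 ssh2
Jan 14 02:30:41 web01 sshd[2300]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Jan 14 02:30:50 web01 sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40023 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>"
# messages sshd writes for password and public-key authentication attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings for sources with >= threshold failed password logins inside a
    sliding window, plus a high-severity finding when such a source then succeeds
    with a password (a likely weak-password compromise). Failed public-key attempts
    are ignored: legitimate clients with several keys produce those constantly."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # src -> timestamps of recent failed password attempts
    flagged = set()               # sources already reported as brute-forcing
    findings = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed" and e["method"] == "password":
            # Drop failures that fell out of the window, then record this one.
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            failures[src].append(e["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"severity": "medium", "type": "ssh_bruteforce",
                                 "src": src, "count": len(failures[src]),
                                 "first": failures[src][0], "last": e["ts"]})
        elif e["result"] == "Accepted":
            if e["method"] == "password" and src in flagged:
                findings.append({"severity": "high", "type": "ssh_bruteforce_success",
                                 "src": src, "user": e["user"], "at": e["ts"]})
            failures[src] = []  # a success ends the current burst for this source


    return findings


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

Run against the sample, the script reports one medium finding for 198.51.100.23 once its fifth password failure lands inside the 60-second window, and one high finding when the same address logs in as root with a password a few seconds later; the single failure from 203.0.113.9 followed by a key-based login produces nothing. The threshold and window are the tuning knobs: on an Internet-facing host, pair this with password authentication disabled in sshd and with a process watch for the miner the report names (XMRig), since a successful login from a flagged source is the point at which the cryptojacking payload would be installed.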

WE ANTICIPATE CROSS-PLATFORM MALWARE FOR MAC WILL HAVE MORE AMBITIOUS GOALS IN THE FUTURE.

CryptoMiners

Cryptominers use a victim's Linux system resources to mine digital cryptocurrency for financial gain, an activity known as cryptojacking[15]. BlackBerry researchers previously detected an attack using the Dota3 malware family[16], which attacks SSH servers that use weak passwords and installs the known cryptominer XMRig[17]. The Sysrv[18] cryptominer botnet, which has been active since early 202
