GLOBAL THREAT INTELLIGENCE REPORT
DELIVERING ACTIONABLE AND CONTEXTUALIZED INTELLIGENCE TO INCREASE CYBER RESILIENCE
2023 APRIL EDITION
Reporting Period: December 2022 to February 2023
CONTENTS
5 The Last 90 Days in Numbers
  Total Numbers of Attacks and Unique Malware Hashes
  Geography of Attacks
  Most Targeted Industries by Number of Attacks
9 Types of Malware Used in Attacks During this Reporting Period
  Windows
    Droppers/Downloaders: Emotet, PrivateLoader, SmokeLoader
    Infostealers: XLoader (aka Formbook), RaccoonStealer, RedLine, IcedID
    Remote Access Trojans and Backdoors: Warzone/AveMaria, DarkCrystal/DCRat, AgentTesla, AsyncRAT
    Ransomware: Royal, BlackBasta, BlackCat
  macOS/OSX
    Trojans/Downloaders
    Adware
    Cross-Platform Malware
  Linux
    Cryptominers
15 Industry-Specific Attacks
  Healthcare
    Top Healthcare Threats
  Financial
  Government/Public Entities
  Manufacturing
    Top Manufacturing Threats
    Wider Manufacturing Threat Landscape
  Energy
    Top Energy Threats
    Wider Energy Threat Landscape
20 Notable Threat Actors and Weapons
  APT28/Sofacy
  Tsunami/Linux Backdoor
  XORDDoS Linux Malware
  PlugX
  Meterpreter
  RedLine
  SEO Poisoning
22 Most Sound Attacks
  ESXiArgs Ransomware Knocks Out Unpatched VMware ESXi Linux Servers Worldwide
  DarkBit Ransomware Targets Israel with Command-Line Options and Optimized Encryption Routines
  Previously Unknown Threat Actor NewsPenguin Targets Pakistan with Advanced Espionage Tool
  Gamaredon Targets Ukrainian Organizations with Telegram
  Blind Eagle Targets Colombia’s Judiciary, Financial, Public, and Law Enforcement
  Other Notable Attacks
    BlackCat Gang Targets Irish University
    LockBit
    Abuse of Microsoft OneNote
26 Common MITRE Techniques
27 Detection Techniques
  Sigma Rule: Creation of an Executable by an Executable
  Sigma Rule: Wow6432Node CurrentVersion Autorun Keys Modification
  Sigma Rule: Disable Microsoft Defender Firewall via Registry
  Additional Threat Behaviors
    Process: cmd.exe
    Process: cvtres.exe
    Process: AutoIt3.exe
31 Forecasts
  Revisiting Our Forecasts
  New and Updated Forecasts
    Continued Increase in Cyberattacks Against Ukraine
    Abuse of ChatGPT by Cyber Criminals
    Supply Chain Attacks Will Remain a Threat
33 Conclusion
34 Resources
  Public Indicators of Compromise
  Public Rules
  Common MITRE Techniques
  MITRE D3FEND Countermeasures
35 References
The information contained in this report is intended for educational purposes only. BlackBerry does not guarantee or take responsibility for the accuracy, completeness and reliability of any third-party statements or research referenced herein. The analysis expressed in this report reflects the current understanding of available information by our research analysts and may be subject to change as additional information is made known to us. Readers are responsible for exercising their own due diligence when applying this information to their private and professional lives. BlackBerry does not condone any malicious use or misuse of the information presented in this report.
INTRODUCTION
At BlackBerry, we recognize that in today’s world, security leaders must expand their focus beyond technologies and their vulnerabilities. To effectively manage risk, security leaders must continually analyze the global threat landscape and understand how business decisions can influence their organization’s threat profile. Similarly, business leaders require awareness of how security posture, risk exposure, and cyber defense strategy can affect their business operations.
Through the BlackBerry Global Threat Intelligence Report and our professional Cylance INTELLIGENCE™ subscription service, modern leaders can have timely access to this important information. Based on the telemetry obtained from our own artificial intelligence (AI)-driven products and analytical capabilities, and complemented by other public and private intelligence sources, our global BlackBerry Threat Research and Intelligence team provides actionable intelligence about attacks, threat actors, and campaigns so that you can make well-informed decisions and take prompt, effective actions.
Key highlights of this report include:
90 days by the numbers. From December 2022 to February 2023, we observed up to 12 attacks per minute, and the number of unique attacks using new malware samples skyrocketed by 50 percent—from one per minute in the previous report to 1.5 per minute during this reporting period.
Top ten countries experiencing cyberattacks during this period. The U.S. remains the country with the highest number of stopped attacks. However, the threat landscape has changed and Brazil is now the second most-targeted country, followed by Canada and Japan. Singapore entered the top 10 for the first time.
Most targeted industries by number of attacks. According to BlackBerry telemetry, customers in the financial, healthcare services, and food and staples retailing industries received 60 percent of all malware-based cyberattacks.
Most common weapons. Droppers, downloaders, remote access tools (RATs), and ransomware were most frequently used. Here’s a preview: In this period, BlackBerry observed a targeted attack using Warzone RAT against a Taiwanese semiconductor manufacturer; cybercriminal groups using AgentTesla and RedLine infostealer; and widened use of BlackCat ransomware.
Industry-specific attacks. The healthcare industry faced a significant number of cyberattacks during this period, with Cylance Endpoint Security preventing an average of 59 new malicious samples every day, including an increasing number of new Emotet samples. In the last 90 days, financial institutions worldwide protected by BlackBerry technologies blocked more than 231,000 attacks including up to 34 unique malware samples per day. Additionally, this report dives deep into attacks against government entities, manufacturing, and critical infrastructure, key sectors that are often targeted by sophisticated and sometimes state-sponsored threat actors engaged in espionage and intellectual property campaigns. However, as we reveal in this report, crimeware and commodity malware are also often found in these critical industries.
The report also covers notable threat actors and weapons, most sound attacks, and—most importantly—actionable defensive countermeasures in the form of MITRE ATT&CK and MITRE D3FEND mappings deployed during this period. Finally, we offer an analysis of the forecasting accuracy of our previous report and a list of insightful key takeaways based on the events of the past months.
We hope that you will value all the detailed and actionable data presented in this edition. Once again, I would like to express my gratitude to the authors, the highly skilled global researchers on the BlackBerry Threat Research and Intelligence team. Their ongoing efforts to produce cutting-edge research empower us to continuously improve BlackBerry’s data- and Cylance AI-driven products and services.
Ismael Valenzuela
Vice President, Threat Research & Intelligence at BlackBerry
@aboutsecurity
The data in this report was produced by BlackBerry Cybersecurity telemetry and is the property of BlackBerry Limited.
BlackBerry Cybersecurity Threat Intelligence Authors:
Dmitry Bestuzhev
Dean Given
Jacob Faires
Geoff O’Rourke
Jose Luis Sanchez
Eoin Healy
Pratima Lohar
Pedro Drimel
Anuj Soni
Tony O’Regan
Rory O’Callaghan
Hamed Al Rajhi
Patryk Matysik
Markson Leite
THE LAST 90 DAYS IN NUMBERS
TOTAL NUMBERS OF ATTACKS AND UNIQUE MALWARE HASHES
From December 2022 to February 2023, Cylance® Endpoint Security solutions by BlackBerry stopped 1,578,733 malware-based cyberattacks. On average, threat actors deployed approximately 17,738 malicious samples per day against customers protected by our technologies, for an average of approximately 12 attacks every minute.
These threats included 200,454 new unique malware samples that differ from previously seen threats. This translates to an average of approximately 2,252 novel samples per day, or roughly 1.5 new samples per minute. This represents a 50 percent increase from the previous reporting period’s average of one unique sample per minute.
The following graph shows the dynamics of cyberattacks that Cylance Endpoint Security solutions prevented from December 2022 to February 2023. The dip in week 4—which was the last week in December—is likely attributable to end-of-year holidays, and the sharp rise in week 5 corresponds with the dates that people typically return to work in the new year.
[Figure 1 chart: Dynamics of Prevented Attacks, December 2022 to February 2023. X-axis: weeks 1 to 13; Y-axis: 0 to 250,000; series: Attacks Stopped, Unique Hashes.]
Figure 1: Cyberattacks prevented by BlackBerry per week during this reporting period.
GEOGRAPHY OF ATTACKS
Generally, countries with greater Internet penetration, economy, and population experience the most threats. Our telemetry shows that threat actors during this period have focused most in the following countries around the world.
[Figure 2 map: Countries with Most Cyberattacks Stopped. USA was the most targeted during this period.]
Figure 2: Countries with the most cyberattacks stopped are represented by red and blue.
Figure 3 shows the ten countries where Cylance Endpoint Security solutions prevented the most cyberattacks. As in the previous reporting period, BlackBerry prevented the greatest number of attacks in the United States. Changes include Brazil’s rise to become the second most-targeted country, followed by Canada and Japan (which was the second most-targeted country in our previous report) in third and fourth positions. This is also the first time that Singapore has placed in the top ten most-targeted countries.
[Figure 3 chart: Top 10 Countries That Experienced Cyberattacks.]
Figure 3: Top ten countries where BlackBerry clients were targeted by cyberattacks.
Figure 4 shows the countries where BlackBerry clients were most frequently attacked with unique malicious samples. Entering at tenth position, this is Hong Kong’s first appearance on this list.
[Figure 4 chart: Top 10 Countries Where Unique Malware Samples Were Used.]
Figure 4: Top ten countries where unique malicious samples were used in cyberattacks against BlackBerry-protected devices.
MOST TARGETED INDUSTRIES BY NUMBER OF ATTACKS
The top three industries that Cylance Endpoint Security solutions protected during this reporting period are:
- Financial institutions
- Healthcare services and equipment including hospitals, clinics, and medical devices
- Food and staples retailing, which includes supermarkets, drugstores, and companies that sell food products to other businesses
Those three industries account for 60 percent of cyberattacks against BlackBerry clients.
[Figure 5 chart: Most Targeted Industries.]
Figure 5: Top industries attacked during this reporting period.
TYPES OF MALWARE USED IN ATTACKS DURING THIS REPORTING PERIOD
The most widespread and interesting malware families identified this reporting period are organized by operating system (OS) below. It’s important to note that even though Microsoft® Windows® is still the most attacked OS, its users may be somewhat better prepared to face malware attacks than others, who may incorrectly believe that their alternative OS is immune to cyberattacks.
However, BlackBerry telemetry data shows that macOS®, Linux®, and mobile users are also frequently attacked: no platforms are immune from infection.
WINDOWS
As noted above, while malware can run on any OS, Windows remains the most attacked. Reasons include its popularity, the wide range of documentation available for developers, and many years of cumulative experience attacking the OS in the cybercriminal community, where tips and tricks are frequently shared in forums. Here are the top prevalent Windows threats recorded by BlackBerry telemetry.
Droppers/Downloaders
Downloaders lure victims to open files that download malware. The files frequently pose as legitimate digital documents or executables.
Emotet
Emotet is modular malware that began as a banking Trojan in 2014. After surviving several self-imposed exiles and a law-enforcement takedown, Emotet reemerged at the end of 2022 and was frequently used in attacks during this reporting period. Emotet’s functionality and usage have evolved over time, and it now serves as a botnet-operated dropper and delivery mechanism for additional malware such as Cobalt Strike Beacon, IcedID, QBot, Trickbot, and ransomware including Ryuk and BlackCat. Emotet is primarily spread through spam email and weaponized Microsoft® Word and Excel® documents, and can send a copy of itself to everyone in a victim’s contact list.
PrivateLoader
PrivateLoader is a relatively new downloader first spotted in the wild in 2021. It is modular in nature, contains anti-analysis functionality, and can gather and send information and metadata about an infected host to a command-and-control (C2) server. PrivateLoader’s primary purpose is to deliver and detonate additional malware payloads. It also has been observed distributing an array [1] of commodity malware including SmokeLoader, RaccoonStealer, RedLine, Vidar, and others. Multiple instances of PrivateLoader were observed downloading RedLine in many campaigns across a wide range of industries.
SmokeLoader
SmokeLoader, which was first discovered in 2011, has undergone several iterations and remains a prominent threat used to load everything from cryptominers, ransomware, Trojans, and even point-of-sale (POS) malware onto infected systems. Earlier versions of this malware were sold in underground forums under the name SmokeLdr, but since 2014, it has only been sold to Russian-based threat actors. In 2018, SmokeLoader was the first malware to use the PROPagate code injection [2] technique. The malware can be distributed through a wide range of attack vectors, including malicious documents related to large-scale mass phishing campaigns. In July 2022, the BlackBerry Threat Research and Intelligence team observed SmokeLoader distributing a new version of Amadey Bot. During this attack, SmokeLoader was hidden in “cracked” software (aka “cracks”) and key-generation tools (aka “keygens”) for popular software applications. The threat actor behind the campaign relied on black-hat SEO techniques [3] (aka SEO poisoning) to ensure that their malware sites appeared at or near the top of related search engine results to entice people seeking cracked files to download and run the malicious executable.
Because some antivirus solutions may block cracks and keygens, some people intentionally disable their security products before downloading these files or ignore detection alerts and proceed with the download. As a result, even widely detected threats can infect systems when a victim explicitly allows the download and execution of malware.
Infostealers
Infostealers gather information from a victim’s machine and deliver it to an attacker. Here are some of the most active infostealers during this reporting period.
XLoader (aka Formbook)
Formbook was initially named Babushka Crypter. After being shut down in 2020 by its apparent author, FormBook was rebranded as XLoader. Strains of the malware were then heavily abused as commodity malware in Q1 2023 and sold as malware-as-a-service (MaaS) in underground forums. The malware contains common features such as keylogging and screen capture. Formbook attempts to avoid detection by utilizing a RunPE and process-hollowing technique similar to another noted commodity malware called LokiBot.
RaccoonStealer
RaccoonStealer is typically distributed as MaaS and available at prices starting around $75 USD per week or $200 USD per month. RaccoonStealer’s core functionality is to steal passwords, cookies, and cryptocurrency wallets from the victim’s host system. The RaccoonStealer attack chain often begins through downloading a Trojanized RAR archive. In March 2022, the threat actors behind RaccoonStealer announced the suspension of its development because one of its developers allegedly died in the Russia-Ukraine conflict. After a short hiatus, a new version [4] dubbed RaccoonStealer 2.0 was announced in hacking forums in June 2022. RaccoonStealer 2.0 was reportedly developed from scratch and uses a new infrastructure.
RedLine
RedLine exfiltrates data including passwords and credit card information from browsers, file transfer protocol (FTP), and instant messaging (IM) applications; gathers a list of installed applications (including security software) that may be sent back to the attacker; and enables attackers to execute other commands, such as uploading and downloading additional files. RedLine is sold on underground dark markets and hacking forums for as little as $100 to $150 USD as either a standalone or a subscription-based model. In this reporting period, both PrivateLoader and the Amadey botnet were observed dropping RedLine.
IcedID
The banking Trojan IcedID—also known as BokBot—was first discovered in 2017. IcedID has capabilities similar to the legacy Zeus (aka Zbot) and Dridex infostealer malware. This malware is often initially deployed as a second-stage dropper that deploys additional commodity malware on the victim’s device. The threat actor Shatak (TA551) [5] has been observed [6] using IcedID as MaaS, and has demonstrated a willingness to work with other commodity malware creators and threat actors.
Remote Access Trojans and Backdoors
The following remote access Trojans (RATs) were observed in this reporting period.
Warzone/AveMaria
Warzone (aka AveMaria) RAT is available for sale on underground and above-ground forums. Warzone’s comprehensive features include keylogging, process manipulation, command execution, password scraping, webcam access, reverse proxy configuration, and support for downloading and executing additional files or malware.
Warzone offers two tiers of pricing: an initial subscription to the basic RAT builder that begins at $22.95 USD per month, and a higher-priced premium version. Designed to appeal to novice threat actors, the premium version offers advanced features such as a rootkit, hidden process capability, premium dynamic DNS (DDNS), and customer support for approximately $800 USD for a three-month subscription.
This commodity malware has no specific targets and is used by various threat actors and cyber groups. Last quarter, Warzone was deployed in a campaign solely focused on Taiwanese semiconductor manufacturers and delivered via malicious .RAR file attachments.
DarkCrystal/DCRat
DarkCrystal (also known as DCRat) was first released in 2018 and is one of the cheapest .NET backdoors available, with prices ranging from around $5 USD for a two-month license, up to $40 USD for a “lifetime” license (which typically means the lifetime of the threat group).
An embedded configuration file dictates which features are enabled on execution, which may include but are not limited to screenshots, keylogging, and stealing cookies and passwords from web browsers and clipboards. The Computer Emergency Response Team of Ukraine (CERT-UA) observed [7] DarkCrystal targeting Ukraine during the Russian-Ukraine conflict.
AgentTesla
This .NET RAT was first observed in 2014 and is often sold in underground forums as part of MaaS offerings. The malware can capture keystrokes, take screenshots, and scrape credentials from more than 60 commonly used applications including Microsoft® Outlook®, Firefox®, Chrome™, and Opera®. AgentTesla is typically delivered through malicious and weaponized documents and uses multiple anti-analysis and anti-detection techniques.
The RAT unpacks itself in several layers and uses steganography to hide data in ordinary-looking files or messages before deploying its final payload.
AsyncRAT
This open-source RAT is freely available [8] on GitHub, where anyone can access its source code and modify it to meet their needs. AsyncRAT relies on the freely available StealerLib plugin to steal passwords from web browsers and applications. Other features include screen viewing and recording, upload and download capabilities using Secure File Transfer Protocol (SFTP), keylogging, and more. AsyncRAT’s anti-analysis and anti-detection techniques include server obfuscation. The threat group TA2541 has weaponized AsyncRAT [9] in their attacks on the aviation industry.
Ransomware
Royal
Royal is a relatively new ransomware strain that first appeared in the wild in September 2022 and is thought to include members of the old Conti ransomware group. Royal targets Windows, Linux, and VMware® ESXi servers. The malware was initially distributed [10] via malvertising and phishing callback (a scheme in which phishing lures contain a callback number for users to call that entices them to install malicious software). Last December, Royal’s operators took responsibility for an attack [11] on England’s famous Silverstone Formula One racetrack.
BlackBasta
BlackBasta is a relatively new ransomware group operating as a ransomware-as-a-service (RaaS) that was first spotted in April 2022. It employs a double-extortion technique, demanding ransom to decrypt company data and extorting additional fees to keep the data from being leaked to the public.
BlackBasta uses tools like Qakbot (aka Qbot) and the PrintNightmare (CVE-2021-34527) [12] exploit in its attacks, and encrypts victim data with a combination of ChaCha20 and RSA-4096. BlackBasta’s infection chain differs from target to target, and it encrypts data faster than other ransomware groups. Some of BlackBasta’s behaviors are similar to malware previously produced by the Conti group.
BlackCat
BlackCat ransomware, which first appeared in the wild in November 2021, was the first major ransomware family authored in the Rust programming language. (As detailed in this report, Rust delivers more flexibility for threat actors to cross-compile binaries that target all major operating systems, widening its reach of potential targets and systems.) The group has used the Emotet botnet to deliver a ransomware payload.
After a foothold is established, a Cobalt Strike beacon is deployed to allow the threat actors to move deeper within the target network.
BlackCat has been prolific since its inception, targeting numerous high-profile victims and using double and even triple-extortion methods. According to a 2022 FBI advisory [13], BlackCat ransomware affiliates are potentially linked to two older threat groups: DarkSide and BlackMatter. BlackCat made headlines in February 2023 after an attack on Munster Technological University in Ireland.
MACOS/OSX
Because Apple macOS is used less often in corporate environments than Windows or Linux, it’s less frequently targeted with malware. However, while many believe that macOS devices are “safer” than their Windows or Linux counterparts, macOS malware is a growing threat that must be monitored. This section discusses categories of macOS malware observed across BlackBerry customer environments.
Trojans/Downloaders
The UpdateAgent Trojan (also known as WizardUpdate) targets macOS computers and first appeared in enterprise networks in 2020. This malware downloads and deploys additional payloads. Although the most common payload is adware, the initial loader could be used to download and execute more malicious code.
UpdateAgent is concerning because it can circumvent Gatekeeper controls, a macOS security feature designed to prevent untrusted apps from running.
Adware
Adware is sometimes viewed as merely a nuisance, but it can be far more damaging. Displaying the unwanted ads relies on malicious behaviors, including monitoring user activity, communicating with a server, and downloading additional data or code. For example, the UpdateAgent Trojan deploys the aggressive adware AdLoad. We prevented numerous AdLoad infections among our customers who use macOS devices during this reporting period.
We also identified the continued use of Pirrit adware. This malware downloads and launches scripts and additional Mach object file format (Mach-O) executables on the compromised machine, which could be used to execute more dangerous code.
Cross-Platform Malware
With the emergence of cross-platform programming languages like Rust and Golang (aka “Go”), threat actors can develop malware and compile the same code base for multiple operating systems, including macOS. This reduces the marginal cost of targeting non-Windows operating systems. During this reporting period, we observed malware affecting Mac® devices written in Golang only used to launch adware, but we anticipate cross-platform malware for Mac will have more ambitious goals in the future.
LINUX
Linux’s popularity continues to grow. Up to 90 percent of public cloud services [14] run on Linux, and a significant number of businesses are migrating or planning a migration to cloud services. In addition, Linux is commonly used in the Internet of Things (IoT). Because Linux is not a common desktop OS in businesses, most infections rely on techniques such as brute-force attacks or exploiting network and server vulnerabilities instead of encouraging users to open an infected attachment.
For these reasons, organizations that rely on Linux infrastructure require a comprehensive vulnerability management program to protect their servers.
During this reporting period, BlackBerry telemetry uncovered multiple Linux attacks attempting to deploy cryptominers that, in addition to consuming system resources, can allow the deployment of other malware such as backdoors that allow criminals remote system access.
The reporting period also included an increase in cross-platform ransomware that can target multiple operating systems. For example, the new Royal ransomware can target Linux as well as Windows and ESXi systems.
Cryptominers
Cryptominers use a victim’s Linux system resources to mine digital cryptocurrency for financial gain, an activity known as cryptojacking [15]. BlackBerry researchers previously detected an attack using the Dota3 malware family [16], which attacks SSH servers that use weak passwords and installs the known cryptominer XMRig [17]. The Sysrv [18] cryptominer botnet, which has been active since early 202
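As an added illustration of the weak-password SSH entry vector described for Dota3 and the Linux section above (example code written for this edit, not code from the report or from BlackBerry), the following Python detector parses a constructed OpenSSH auth.log excerpt, flags sources with a burst of failed password logins, and records whether a password login from the same source succeeded afterwards. The hostname, IP addresses and log lines are constructed sample data; the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth.log excerpt (sample data, not from the report).
SAMPLE_LOG = """\
Jan 14 03:12:01 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 14 03:12:03 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 14 03:12:04 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Jan 14 03:12:06 web1 sshd[2235]: Failed password for invalid user test from 203.0.113.9 port 40134 ssh2
Jan 14 03:12:09 web1 sshd[2237]: Failed password for root from 203.0.113.9 port 40140 ssh2
Jan 14 03:12:11 web1 sshd[2239]: Failed password for root from 203.0.113.9 port 40144 ssh2
Jan 14 03:12:15 web1 sshd[2241]: Accepted password for root from 203.0.113.9 port 40150 ssh2
Jan 14 03:20:40 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Jan 14 03:21:02 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 51010 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2023):
    """Return (timestamp, result, method, user, ip) tuples; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    A password-based 'Accepted' from a flagged source afterwards is stored as
    'success_after': that is the trace a weak-credential compromise leaves before
    a miner such as XMRig is dropped. Key-based logins are not treated as success.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames tried
    findings = {}
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while (ts - q[0]).total_seconds() > window_s:   # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"failures": len(q), "users": set(users[ip]),
                                "first_seen": q[0], "success_after": None}
        elif ip in findings and method == "password" and findings[ip]["success_after"] is None:
            findings[ip]["success_after"] = (ts, user)
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        state = "password login succeeded afterwards" if f["success_after"] else "attempt only"
        print(f"{ip}: {f['failures']} failures, users={sorted(f['users'])}, {state}")
```

On the sample, 203.0.113.9 is flagged after its fifth failure and then marked because a password login for root succeeded seconds later, while the single failure from 198.51.100.7 followed by a key-based login is left alone.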