Headline
CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub
The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. “CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved,” ESET researcher Jakub
The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub.
“CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved,” ESET researcher Jakub Souček said in a new analysis published today. “While not being top notch, the threat actor is able to compromise interesting targets.”
Targets of ScRansom attacks span manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors.
CosmicBeetle is best known for a malicious toolset called Spacecolon that was previously identified as used for delivering the Scarab ransomware across victim organizations globally.
Also known as NONAME, the adversary has a track record of experimenting with the leaked LockBit builder in an attempt to pass off as the infamous ransomware gang in its ransom notes and leak site as far back as November 2023.
It’s currently not clear who is behind the attack or where they are from, although an earlier hypothesis implied that they could be of Turkish origin due to the presence of a custom encryption scheme used in another tool named ScHackTool. ESET, however, suspects the attribution to no longer hold water.
“ScHackTool’s encryption scheme is used in the legitimate Disk Monitor Gadget,” Souček pointed out. “It is likely that this algorithm was adapted [from a Stack Overflow thread] by VOVSOFT [the Turkish software firm behind the tool] and, years later, CosmicBeetle stumbled upon it and used it for ScHackTool.”
Attack chains have been observed taking advantage of brute-force attacks and known security flaws (CVE-2017-0144, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, CVE-2022-42475, and CVE-2023-27532) to infiltrate target environments.
The intrusions further involve the use of various tools like Reaper, Darkside, and RealBlindingEDR to terminate security-related processes to sidestep detection prior to deploying the Delphi-based ScRansom ransomware, which comes with support for partial encryption to speed up the process and an “ERASE” mode to render the files unrecoverable by overwriting them with a constant value.
The connection to RansomHub stems from the fact that the Slovak cybersecurity company spotted the deployment of ScRansom and RansomHub payloads on the same machine within a week’s time.
“Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit’s reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims will pay,” Souček said.
Cicada3301 Unleashes Updated Version
The disclosure comes as threat actors linked to the Cicada3301 ransomware (aka Repellent Scorpius) have been observed using an updated version of the encryptor since July 2024.
“Threat authors added a new command-line argument, --no-note,” Palo Alto Networks Unit 42 said in a report shared with The Hacker News. “When this argument is invoked, the encryptor will not write the ransom note to the system.”
Another important modification is the absence of hard-coded usernames or passwords in the binary, although it still retains the capability to execute PsExec using these credentials if they exist, a technique highlighted recently by Morphisec.
In an interesting twist, the cybersecurity vendor said it observed signs that the group has data obtained from older compromise incidents that predate the group’s operation under the Cicada3301 brand.
This has raised the possibility that the threat actor may have operated under a different ransomware brand, or purchased the data from other ransomware groups. That having said, Unit 42 noted it identified some overlaps with another attack carried out by an affiliate that deployed BlackCat ransomware in March 2022.
BURNTCIGAR Becomes an EDR Wiper
The findings also follow an evolution of a kernel-mode signed Windows driver used by multiple ransomware gangs to turn off Endpoint Detection and Response (EDR) software that allows it to act as a wiper for deleting critical components associated with those solutions, as opposed to terminating them.
The malware in question is POORTRY, which is delivered by means of a loader named STONESTOP to orchestrate a Bring Your Own Vulnerable Driver (BYOVD) attack, effectively bypassing Driver Signature Enforcement safeguards. Its ability to “force delete” files on disk was first noted by Trend Micro in May 2023.
POORTRY, detected as far back as in 2021, is also referred to as BURNTCIGAR, and has been used by multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub over the years.
“Both the Stonestop executable and the Poortry driver are heavily packed and obfuscated,” Sophos said in a recent report. “This loader was obfuscated by a closed-source packer named ASMGuard, available on GitHub.”
POORTRY is “focused on disabling EDR products through a series of different techniques, such as removal or modification of kernel notify routines. The EDR killer aims at terminating security-related processes and rendering the EDR agent useless by wiping critical files off disk.”
The use of an improved version of POORTRY by RansomHub bears notice in light of the fact that the ransomware crew has also been observed utilizing another EDR killer tool dubbed EDRKillShifter this year.
“It’s important to recognize that threat actors have been consistently experimenting with different methods to disable EDR products — a trend we’ve been observing since at least 2022,” Sophos told The Hacker News. “This experimentation can involve various tactics, such as exploiting vulnerable drivers or using certificates that have been unintentionally leaked or obtained through illegal means.”
“While it might seem like there’s a significant increase in these activities, it’s more accurate to say that this is part of an ongoing process rather than a sudden rise.”
“The use of different EDR-killer tools, such as EDRKillShifter by groups like RansomHub, likely reflects this ongoing experimentation. It’s also possible that different affiliates are involved, which could explain the use of varied methods, though without specific information, we wouldn’t want to speculate too much on that point.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.
A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target
More on the recent Snowflake breach, MFA bypass techniques and more.
Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.
By Deeba Ahmed Patch Now or Get Hacked: Researchers Confirm Potentially Active Exploitation of One of the FortiOS Flaws in the Wild. This is a post from HackRead.com Read the original post: CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
By Deeba Ahmed Chinese state-backed hackers targeted Dutch military networks by exploiting a vulnerability in a FortiGate device. This is a post from HackRead.com Read the original post: Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT
Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.
The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS)
Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's
The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries.
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
By Deeba Ahmed Chinese hackers are exploiting a previously patched vulnerability found in Fortinet FortiOS SSL-VPN by using new malware called BOLDMOVE. This is a post from HackRead.com Read the original post: Backdoor into FortiOS: Chinese Threat Actors Utilize 0-Day
A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were
The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The
Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. Tracked as CVE-2022-37958 (CVSS score: 8.1), the flaw was previously described as an information disclosure vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. SPNEGO,
The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and
Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said
The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a "sharp increase in both the number of compromised
Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.
Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.
Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...
A lack of MFA remains one of the biggest impediments to enterprise security.
Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems. The new findings come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker
Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading → Domain Escalation – sAMAccountName Spoofing
Computer accounts have the $ sign appended at the end of their names in contrast with standard user accounts. By default Microsoft operating systems lack… Continue reading → Domain Escalation – sAMAccountName Spoofing
Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.
Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.
We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide.
As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release signatures to detect and protect against the malware.