
KNOW What Happened Last Week (7th September – 13th September)

KNOW the most trending malware, threat actors, and attack method.

Post by Rajarshi Mitra In Security on Sep 14, 2020

Let’s analyze the state of last week’s global threat landscape. The categories to be studied and analyzed are:

Malware of the week – Maze, BitPaymer, and DoppelPaymer

Netenrich’s KNOW is a news aggregator serving up the latest, hottest-trending security stories of the moment for a bird’s-eye view of the global threat landscape. According to them, the most trending malware-related story of the week was the Newcastle University ransomware attack.

KNOW has collated all the related malware associated with this particular attack. In this case, we have:

  • DoppelPaymer
  • Maze
  • BitPaymer

Along with this, it provides enough contextual data for your security team to make informed decisions. So, let’s see what info KNOW has collected for us.

#1 DoppelPaymer

Industries targeted:

  • Aerospace and defense
  • Manufacturing
  • Healthcare

References counted by KNOW:

  • Total: 4,377
  • Last 60 days: 398
  • Last 7 days: 220

Along with it, KNOW also collected the following data regarding DoppelPaymer:

  • Risk rules triggered: 5 out of 48
  • Vulnerabilities: CVE-2019-1978 and CVE-2019-19781
  • Threat Actors: TA505 and Indrik Spider
  • Historic Sandbox Sighting: AnyRun, Hybrid-Analysis, and CAPE

#2 BitPaymer

References counted by KNOW:

  • Total: 4,464
  • Last 60 days: 140
  • Last 7 days: 32

Along with it, KNOW also collected the following data regarding BitPaymer:

  • Risk rules triggered: 2 out of 48
  • Threat Actors: TA505, Indrik Spider, Evil Corp
  • Recent Sandbox Sighting: AnyRun
  • Historic Sandbox Sighting: AnyRun and Hybrid-Analysis

#3 Maze

Context from KNOW:

Industries

  • Finance
  • Healthcare
  • Information technology
  • Computer hardware
  • Consumer electronics
  • Insurance

References counted by KNOW:

  • Total: 39,583
  • Last 60 days: 2,965
  • Last 7 days: 2,237

Along with it, KNOW also collected the following data regarding Maze:

  • Associated IPs: 37
  • Associated Domains: 107
  • Associated Hashes: 160
  • Associated URLs: 878
  • Risk rules triggered: 7 out of 48
  • Vulnerabilities detected: CVE-2018-4878, CVE-2018-8174, CVE-2018-15982, CVE-2019-11510, CVE-2019-19781
  • Related Threat Actors: AnonSec, APT1, Comment Crew, FIN6, Anonymous, APT41, TA2101

Threat actor of the week – APT28 Fancy Bear, and Evil Corp

The three threat actors chosen were highly referenced on our KNOW threat intel dashboard. Let’s look at each actor in detail and analyze the data we have from KNOW.

#1 APT28 Fancy Bear

APT28 (aka Fancy Bear, aka Sofacy) is a highly sophisticated threat group sponsored by the Russian government and operational since at least 2004.

Context from KNOW

[Figure: KNOW dashboard view for APT28 Fancy Bear]

Industries affected by Fancy Bear

  • Aerospace and defense
  • Media and entertainment
  • Healthcare
  • Energy and natural resources
  • Sports
  • Aviation

Important data captured by KNOW

  • Risk rules triggered – 4 out of 48 rule(s) triggered
  • Recent sandbox sighting – 3 sighting(s)
  • Historically linked to malware – 385 sighting(s)
  • 2 related malware: Lojax, Drovorub.
  • Historically linked to intrusion method – 27 sighting(s) – phishing, obfuscation, phishing campaign, zero day, business email compromise, spam, password stealer, etc.
  • Historic Sandbox Sighting – 190 sighting(s)

#2 Evil Corp

Evil Corp is a large cybercrime group originally known for its use of the Dridex banking Trojan. In recent years, it has demanded ransom payments to the tune of $500,000 to $1 million, according to security researchers. Evil Corp uses compromised credentials to transfer funds from a victim’s bank account to accounts controlled by the group.

Context from KNOW

[Figure: KNOW dashboard view for Evil Corp]

Industries affected by Evil Corp

  • Finance
  • Manufacturing
  • Media and entertainment
  • Banking
  • Energy and natural resources
  • Transportation

Important data captured by KNOW

  • Risk rules triggered – 5 out of 48 rule(s) triggered
  • Recent sandbox sighting – 1 sighting(s)
  • Historically linked to malware – 996386 sighting(s)
  • 8 related malware – Dridex, Gozi, Gozi ISFB, BitPaymer, FriedEX, Cobalt Strike, WastedLocker, etc.
  • Historically linked to intrusion method – 13 sighting(s) – obfuscation, phishing, data exfiltration, data breach, social engineering, exfiltrate data, credential dumping, etc.
  • Historically linked to C&C server – 1 sighting(s)

Attack Method of the Week – Phishing

The attack method of the week was phishing.

As per our dashboard, phishing was:

  • The second most referenced attack method in the last seven days.
  • The third most popular attack method for the last two months.

Exploring phishing attacks with KNOW

[Figure: KNOW dashboard page for the “phishing” category]

When you click “phishing” in the dashboard, you will be redirected to the page above. What you see here are all the articles collated by KNOW in this category. KNOW also gives you an option to follow the “Operation Kitty Phishing” campaign (top right). This campaign’s main goal is to target the government and defense sectors, with a special focus on South Korean users.

Upon clicking the top-right story card, you will see all the info collated by KNOW about this particular campaign.

[Figure: KNOW campaign page for “Operation Kitty Phishing”]

As you can see, KNOW counted 19 references across the web to this particular campaign.

What is KNOW?

KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now.

One of KNOW’s handiest tools is the trending threats dashboard, which gives you a bird’s eye view of the most potent malware, threat actors, methods, and vulnerabilities in the following time frames:

  • Last 7 days
  • Last 60 days

So, want to check out KNOW some more? Why don’t you sign up? Did we mention that it’s completely free?
Or subscribe to get daily threat intel updates.


About Author

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat, catching up on the latest Netflix docu-series... or watching Harry Potter for the 5781241516th time.