To evade detection by security software, malware developers and threat actors are increasingly using compromised code signing certificates to sign their malware.

This trend was illustrated this week when Microsoft revealed during the December Patch Tuesday that developer accounts had been compromised and used to sign malicious kernel-mode hardware drivers through the Windows Hardware Developer Program.

Because Microsoft had signed these drivers, Windows loaded them without complaint and granted them the highest level of privilege in the operating system.

These drivers were used as part of a toolkit consisting of the STONESTOP loader and the POORTRY driver, malware that disabled security software processes and Windows services running on the computer.
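A defender's first question after a story like this is "which kernel drivers are running on my machines, who signed them, and what are their hashes?" The script below is an added example, not code from the article or from any of the vendors it cites. It assumes an elevated PowerShell 5.1 or later session on Windows, uses Win32_SystemDriver for the inventory and Get-AuthenticodeSignature for the signature check, and flags two groups for review: drivers whose signature is anything other than Valid, and drivers signed through the Windows Hardware Compatibility Publisher path, since a valid Microsoft signature is exactly what the abused drivers carried and signature status alone therefore proves nothing about intent.

```powershell
# Added example (not from the article): inventory running kernel drivers with signer and hash
# so the list can be cross-checked against vendor advisories and driver blocklists.
# Assumptions: elevated session; Win32_SystemDriver.PathName may be empty or use the
# \SystemRoot\ or \??\ kernel-path prefixes, which are normalised below.

function Get-LoadedDriverSignatureReport {
    [CmdletBinding()]
    param(
        # Only drivers in these service states are checked (Running, Stopped, ...)
        [string[]]$State = @('Running')
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -in $State -and $_.PathName }

    foreach ($d in $drivers) {
        # Turn the kernel-style path into a Win32 path the file cmdlets understand
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Name       = $d.Name
            Path       = $path
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Signer     = $signer
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            # WHCP-signed third-party drivers carry this publisher in the signer subject
            WhcpSigned = [bool]($signer -and $signer -like '*Windows Hardware Compatibility Publisher*')
            SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

$report = Get-LoadedDriverSignatureReport

# Group 1: anything not validly signed is an immediate review item
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name | Format-Table Name, Status, Signer, Path -AutoSize

# Group 2: validly signed via WHCP; compare SHA256/thumbprint against vendor IoC lists
$report | Where-Object { $_.WhcpSigned } |
    Sort-Object Name | Format-Table Name, Thumbprint, SHA256, Path -AutoSize

# Keep the full inventory for diffing against the next run or a known-good baseline
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signatures.csv"
```

Two caveats when reading the output: on older PowerShell builds, inbox drivers that are catalog-signed rather than embedded-signed can appear as NotSigned, so confirm with signtool or the Windows Security event log before acting on them, and the hash list is only useful when compared against something, whether a baseline CSV from a clean machine or the hashes published in the vendor reports.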

Coordinated reports from Microsoft, Mandiant, Sophos and SentinelOne found that several threat actors were using malware signed through these compromised accounts, including the Hive and Cuba ransomware operations.

Microsoft also patched a Windows Mark of the Web zero-day vulnerability that threat actors were actively exploiting in malware distribution campaigns, including those for Magniber ransomware and QBot.

Other research published this week includes:

Finally, there were also quite a few cyberattacks or reports of attacks this week, but only a few were confirmed to be ransomware.

Ransomware attacks include a LockBit attack on the California Department of Finance, the Play ransomware operation claiming the attack on the Belgian city of Antwerp, and a BlackCat ransomware attack against EPM, one of the largest energy suppliers in Colombia.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @billtoulas, @FourBytes, @jorntvdw, @BleepinComputer, @DanielGallagher, @demonslay335, @malwhunterteam, @fwosar, @Seifreed, @serghei, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @PolarToffee, @_CPResearch_, @vinopaljiri, @cybereason, @1ZRR4H, @TalosSecurity, @pcrisk, @TrendMicro, @GeeksCyber and @Digitaleragroup

December 11, 2022

Clop ransomware uses TrueBot malware to gain access to networks

Security researchers have noticed an increase in the number of devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

December 12, 2022

Play ransomware attack on the Belgian city of Antwerp

The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgian city of Antwerp.

Drawing the Curtains on Azov Ransomware: Not a Skidsware but a Polymorph Wiper

One thing that sets Azov apart from your garden variety ransomware is its modification of some 64-bit executables to run its own code. Before the advent of the modern Internet, this behavior was the prime route for the proliferation of malware; for this reason, to this day, it remains the classic definition of “computer virus” (a fact much loved by pedants in the industry and felt by everyone else as well).

New STOP ransomware variants

PCrisk has found new STOP ransomware variants that add the .manw and .maos extensions.

December 13, 2022

LockBit claims attack on California Department of Finance

The California Department of Finance has been the target of a cyberattack now claimed by the LockBit ransomware gang.

Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

A Deep Dive into BianLian Ransomware

BianLian ransomware is Golang malware that carried out targeted attacks in multiple industries in 2022. The ransomware used anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all identified drives on the machine and removes itself after the encryption is complete.

New variant of STOP ransomware

PCrisk has found a new STOP ransomware variant that adds the .matu extension.

New variant of Dharma ransomware

PCrisk has found a new variant of Dharma ransomware that adds the .hebem extension and drops a ransom note named info.txt.

New Lucknite ransomware

PCrisk has found a new Lucknite ransomware that adds the .lucknite extension and drops a ransom note named README.txt.

New Variant of Chaos Ransomware

PCrisk has found a new Chaos ransomware variant that adds the .xllm extension and drops a ransom note named read_it.txt.

December 14, 2022

Microsoft fixes Windows zero-day used to deliver ransomware

Microsoft has patched a security vulnerability used by threat actors to bypass the Windows SmartScreen security feature and deliver payloads of Magniber ransomware and Qbot malware.

Royal Rumble: Royal Ransomware Analysis

The Royal ransomware group emerged in early 2022 and has been gaining momentum since mid-year. Its ransomware, which the group deploys through various TTPs, has impacted several organizations around the world. The group itself is suspected to be made up of former members of other ransomware groups, based on the similarities researchers have observed between Royal ransomware and other ransomware operators.

Masscan Ransomware Threat Analysis – Cyber Intelligence Report 2022

Numerous cases of ransomware damage were reported by Korean companies in the second half of 2022. The attacks share a distinctive pattern: an attacker infiltrated a database (DB) server with a vulnerable security setup, distributed ransomware, encrypted the files, and appended a “.masscan” string to the file extension.

New BLOCKY ransomware

PCrisk has found a new Blocky ransomware that adds the .Locked extension and drops a ransom note named READ_IT.txt.

New HentaiLocker ransomware

PCrisk has found new ransomware that adds the .HENTAI extension and drops a ransom note named UNLOCKFILES.txt.

December 16, 2022

Colombian energy supplier EPM hit by BlackCat ransomware attack

Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting company operations and taking down online services.

Agenda Ransomware uses Rust to target more vital industries

This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx developed versions of their ransomware in Rust, a cross-platform language that makes it easier to adapt malware to different operating systems like Windows and Linux. In this blog entry, we highlight Agenda (also known as Qilin), another ransomware group that has started using this language.

New variants of STOP ransomware

PCrisk has found new STOP ransomware variants that add the .btnw, .btos and .btu extensions.

That's it for this week! I hope everyone has a great weekend!
