Ankura CTIX FLASH Update – October 2022 – 3 | Ankura

Ransomware/Malware Activity

Prestige Ransomware Emerges, Targets Ukraine and Poland

A new ransomware variant has emerged in the wild, being used in targeted attacks against the logistics and transportation sectors within Ukraine and Poland. The variant has been dubbed ‘Prestige’, named after their initial codename that was displayed in the group’s ransom note as ‘Prestige ranusomeware’. Tactics, techniques, procedures (TTPs), and indicators of compromise from this ransomware variant are being clustered by Microsoft under DEV-0960. Prior to deployment, DEV-0960 executes stage-one malicious scripts via RemoteExec and Impacket followed by open-source collection tools which gain access to system administrator credentials. Once threat actors lay the groundwork for the ransomware attack, Prestige is deployed and is spread throughout the victim’s infrastructure. The Prestige payload can be cloned to remote systems and configured to run scheduled tasks or leverage PowerShell to establish persistence throughout several systems within the network. Prestige can also be copied to the Active Directory Domain Controller and distributed accordingly through Group Policy. Attacks from DEV-0960 actors appear to favor Russia, targeting enemies of the state and the Russia-Ukraine conflict. CTIX analysts will continue to monitor the evolution of ransomware throughout the landscape and provide additional details accordingly.

Threat Actor Activity

Operation CuckooBees Revived, APT41 Targets Organizations in Hong Kong

APT41 threat actors have launched a campaign targeting organizations throughout Hong Kong.  Based on known tactics, techniques, and procedures (TTPs), this is likely a continuation of Operation CuckooBees. The original espionage operation was a massive intellectual property theft campaign which allowed APT41 threat actors to exfiltrate hundreds of gigabytes worth of research documentation, source code, manufacturing data, formulas, and diagrams. The majority of these attacks occurred throughout Eastern Asia, North America, and Western Europe. Recent activity surrounding this operation was uncovered when security analysts from Symantec identified traces of the Spyder Loader…