Tag Archive for: spotlight

Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker


Key Findings

  • Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was utilized by a Hamas-affiliated APT to target Israel.
  • Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs.
  • Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016 and 2017 that were loosely linked to the threat actor known as Gaza Cybergang.

Introduction

Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.

SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar.

As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we uncovered behavioral similarities with another campaign, named Operation Electric Powder, which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.

In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution.

Rust SysJoker…

Source…

Publisher’s Spotlight: The Zero Day Initiative (ZDI): Financially Rewarding InfoSec Researchers


Formed by TrendMicro, the Zero Day Initiative (ZDI) was created to encourage the reporting of 0-day vulnerabilities privately to the affected vendors by financially rewarding researchers. At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who discover new flaws in software.

Incorporating the global community of independent researchers also augments the company's internal research organizations with additional zero-day research and exploit intelligence. This approach coalesced with the formation of the ZDI, launched on July 25, 2005.

Today, the ZDI represents the world’s largest vendor-agnostic bug bounty program. Their approach to the acquisition of vulnerability information is different from that of other programs. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch.

One of their cool events is Pwn2Own, held in multiple countries – here’s their recent scoreboard from their Vancouver, Canada event:
Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3:
They do not resell or redistribute the vulnerabilities that are acquired through the ZDI. Submitting through the ZDI program also relieves you from the burden of tracking the bug with the vendor. They make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs. They will let you know where things stand with all your own current cases with regard to vendor disclosure. In no case will an acquired vulnerability be “kept quiet” because a product vendor does not wish to address it.

Interested researchers provide them with exclusive information about previously un-patched vulnerabilities they have discovered.  The ZDI then collects…

Source…

Threat Spotlight: Stealer Logs & Corporate Access


Executive Overview

Over the last three years, infostealer malware variants have become a “popular trend” in the cybercriminal Malware-as-a-Service (MaaS) ecosystem. Doing precisely as their category implies, these malware variants steal information from users’ devices. After infecting the device, the malware employs various techniques to remain undetected while sending data to the malicious actors’ command and control infrastructure.

To understand the threat infostealer malware poses, we examined more than 19.6 million stealer logs to identify trends like:

  • Number of infections containing corporate credentials
  • Average price of infostealers with banking access
  • Prominent consumer applications appearing in the logs

Read our full report, Stealer Logs & Corporate Access, or continue reading for the highlights.

The Details

Analyzing more than 19.6 million stealer logs showed trends that indicate malicious actors value access to corporate resources and financial services accounts. Based on the findings, malicious actors appear to use infostealer malware so that they don’t have to purchase a consumer application subscription or so they can steal money by compromising a bank account.

At a high level, the research found the following about stealer logs:

  • 376,107 (1.91%): access to corporate SaaS applications
  • 48,173: access to a resource that includes a single sign-on credential, representing almost certain access to corporate resources
  • 200,000 (1%): access to leading AI provider credentials

(Note: these are from users of the applications being compromised with infostealer malware. We have no reason to believe that these organizations themselves have suffered a security incident or breach.)

Meanwhile, looking at infostealer logs through the eyes of the consumer, the data shows:

  • 46.9% had access to Gmail credentials
  • $112: average cost of financial services-related logs compared to $15 across all log sales

We collected data from four primary sources:

  • Public Telegram “logs” channels: “free samples” of primarily consumer application access logs used to advertise the paid Telegram rooms
  • Private Telegram channels: invitation-only, paid channels with higher-value logs

Source…

Threat Spotlight: Triple Extortion Ransomware


Executive Overview

Threat actors have escalated the single extortion ransomware attack model to double and even triple extortion.

With the commodification of cybercrime, adversaries have significantly increased the sophistication of their operations, and therefore also the potentially devastating impact of a ransomware attack.

Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie discussed the latest trends in ransomware attacks, including double/triple extortion, different types of ransomware, methods for stealing sensitive data, and more.

Check out our full webinar recording, Triple Extortion Ransomware & Dark Web File Dumps, and/or keep reading for the highlights.

Commodification of Ransomware Groups

Ransomware groups are becoming more like companies, such as with:

  • mission-oriented approaches
  • recruitment practices to seek new hires
  • specialization

The Karakurt group, after operating privately for a year, has recently published a recruitment post to attract new members. They pride themselves on their mission to hold companies accountable for existing vulnerabilities in their cybersecurity and for the negligence of their IT staff. These groups can be driven by both financial and political motives, often influenced by the shifting landscape of geopolitics.

In general, there are two distinct types of specialization within such groups. Similar to a company with various departments, a group can have internal specialization. For instance, within a ransomware group, some members might excel in negotiating the ransom, while others primarily focus on developing malware. Another form of specialization involves individual groups having their own areas of expertise, akin to specialized agencies within a larger company. One group might concentrate on distributing ransomware, collaborating with another group that specializes in extortion.

This organized and specialized collaboration among groups can lead to more intricate and scalable operations compared to individual threat actors.

Changes in Ransomware Groups

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) to optimize their strategy. One alarming trend that we’ve…

Source…