In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. With the conflict between Israel and Hamas dominating the news cycle, we look at how this is currently impacting cybersecurity, and provide updates on ransomware and other cybercrime activity to help security leaders stay abreast of the latest developments in this ever-evolving battleground.

Disinformation, DDoS and Scams

Since October 7th, events in Israel and Gaza have dominated the world’s attention, and predictably the tragic events unfolding in the region have not been overlooked by cybercriminals. To date, the majority of cyber activity surrounding these events has fallen into the realm of hacktivism and DDoS operations, salted with a heavy helping of disinformation.

Dubious claims relating to purported cyber attacks, website defacements and intrusions can be found littered across the usual cybercrime forums and Telegram channels.

Besides hacktivism, the current situation is being leveraged by cybercriminals through social engineering tactics and email-based phishing campaigns. These are designed to deceive recipients with references to topics such as Israel, Palestine, and Gaza in order to perpetrate fraud through schemes such as charity and donation scams.

Much like the situation on the ground, the broader shape of how this conflict will play out in cyberspace is still emerging. We expect to provide further reporting in the near future.

New Ransomware Actors Emerge as Others Fall

Elsewhere in the cybercrime world, some notable ransomware operations have emerged since last month’s update. Among these is LostTrust ransomware, an evolution of the SFile and MindWare ransomware families. From early October, the LostTrust blog was listing 53 victims on its leaks site.

LuckBit ransomware is another operation that emerged in October 2023. Threat actors behind LuckBit request payment in terms of equivalency to the Malaysian Ringgit (MYR). Their campaigns have been observed requesting up to 20 Million MYR in BTC (Bitcoin), approximately US $4.2 million. Victims are instructed to contact the attacker only after making the payment. The ransom note contains the relevant contact details including an email address and a TOR-based web site/victim portal.

October has also seen the fall of prolific ransomware outfit Trigona, which at its peak was posting around 100 victim organizations per month. Trigona’s ransomware operations were first detected in June 2022. Over the course of its existence, Trigona operators have released payloads targeting both Windows and Linux systems. Their initial delivery methods have varied across campaigns, encompassing spear phishing and the exploitation of known vulnerabilities, such as MSSQL.

On October 17, however, a hacktivist group named Ukrainian Cyber Alliance (UCA) announced an attack on Trigona’s primary blog sites, claiming to have disrupted or wiped out accessible infrastructure.

The UCA, formed in 2014, claims to be driven by the goal of disrupting Russian criminal enterprises, both public and private. It describes itself as a community of Ukrainian cyber activists from various backgrounds that emerged from the FalconsFlame, Trinity, RUH8, and CyberHunta groups as a result of Russian aggression in Ukraine.

The UCA followed the attack by defacing Trigona’s TOR-based blog sites, prominently displaying the title “Trigona is Gone” on the blog pages. Additionally, they made several derogatory references to Trigona in their messages, which are still accessible at the time of writing.

Dark Markets and Cybercrime Services

While Cobalt Strike is not the only post exploitation and penetration testing toolkit out there anymore, it is still arguably the most popular, and its adoption by threat actors has been well-documented, as have efforts to curtail its illegitimate and unlicensed use.

This brings us to the recent leak of Cobalt Strike 4.9 (released in September 2023). Copies have been distributed in various forums and markets starting in early October 2023. This was tweeted (X’d) on October 9th, 2023 by @darkcoders_mrx.

Cobalt Strike 4.9 leaked in wild pic.twitter.com/yt2ROqRyb3

— mrx red (@darkcoders_mrx) October 9, 2023

Meanwhile, the AV/EDR bypass market, which we highlighted in our September update, continues to flourish and expand this October. High-dollar cybercrime vendors are updating their services to meet the market’s demands for bypass and evasion tools.

Crypting and obfuscation tools, like Rain Protector, have also seen updates. These tools are used by malware authors in an attempt to evade static detection technologies by way of obfuscation.

Within the Initial Access Broker market, vendors are preparing to take advantage of recent wide-spread exploits in order to bulk-up supply of readily-breached environments. Notable among these are the vulnerabilities in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506).

Wider Trends | Generative AI Services and Offerings for Cybercrime

ChatGPT alternatives are potentially attractive to criminals as they claim to remove restrictions and barriers that the more mainstream LLM models impose in order to inhibit malicious use. Automating attacks though generative AI would provide a serious boost to the productivity of cybercrime operations. Earlier in the year WormGPT generated a lot of headlines, with claims to enable malicious AI capabilities such as:

• Unrestricted creation of malware and phishing/clone page creation
• No logging or storage of operator use
• Remote, bulletproof access

As a result of negative press coverage, the service “officially” closed.

Nevertheless, we have observed a number of generative AI services and tools appearing to meet the demand for jailbroken AI, and we continue to track the development of this trend. To date, many of the available tools either lack a true context mechanism or are little more than novelty interfaces with canned responses for specific prompts.

In response to the development of WormGPT and similar models, numerous specialized tools have surfaced with the aim of bypassing limitations on generative AI. These tools, often hosted on platforms like “FlowGPT,” facilitate unrestricted prompt generation across various Large Language Models (LLMs) and the subsequent sharing of these creations.

Out of this come tools like “DarkGPT” and “CodeGPT”. Some of these are novelty at best, but some do generate valid code examples, and given time could lead someone down a road to bad things (or learning how to do them).

The market for unlocked generative AI services could get interesting in the coming year. More sophisticated fraud and cybercrime operations may see value in incorporating AI to increase the overall mass of their malicious output.

Conclusion

October has and will be dominated by developments around the Israel-Hamas conflict, and we will continue to provide updates as the situation evolves. Additionally, there has been some notable new ransomware operations, as well as the fall of Trigona ransomware. Cybercrime markets continue to thrive with an expansion into more private platforms like Telegram and TOX-only channels. We continue to monitor these developments, along with the emergence of potentially harmful versions of generative AI.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.

Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time. In present day security operations, threat hunting initiatives have become a standard part of mature security programs, but few organizations have managed to establish the expertise and methodology to conduct these types of hunts with internal resources.

In this series, we will take a look at the components that make up well-known threat hunting methodologies, the evolution that reflects the growing need to proactively seek out and mitigate security threats rather than solely relying on reactive, manual measures, and some new adaptive approaches to conducting automated, wide ranging hunt capabilities.

Threat hunting, after all, involves implementing innovative methods of continuous monitoring and analysis of real-world activities to uncover hidden threats, making it an essential aspect of modern cybersecurity that should leverage every aspect of process, technology, and people available to defenders.

Traditional Methodologies

The approach advocated by threat hunting pioneers in the last decade emphasizes proactive cybersecurity practices. It involves the systematic and continuous search for hidden threats and anomalies within an organization’s environment, aiming to detect and mitigate potential breaches before they can cause damage.

In most cybersecurity practices, a robust approach involves utilizing a range of advanced tools. These tools encompass intrusion detection systems (IDS), Security Information and Event Management (SIEM) platforms, Endpoint Protection, Detection, & Response platforms (EPP/EDR), as well as threat intelligence feeds and security service providers. However, the effective application of these tools and services requires the expertise of seasoned cybersecurity professionals and highly tuned, effective tooling.

Experience allows security teams to leverage their knowledge, intuition, and subject matter expertise to interpret data and discern nuanced threats within logs, packets, flows, and trace activities. Some key elements found in traditional methodologies which deliver acceptable results but need to be constantly revisited and enhanced include:

• Structured Methodology: important for identifying anomalies and potential threats in network traffic, endpoint telemetry, and system logs.
• Continuous Monitoring: Real-time monitoring of network and system activities to detect suspicious or unusual behavior (security monitoring).
• Hypothesis-Driven Analysis: Develop hypotheses about potential threats based on known attack patterns, trends, or indicators, then investigate these hypotheses to confirm or refute their suspicions (threat modeling).
• Data Analysis: Scrutinizing large volumes of data, including network traffic logs, system logs, security controls’ logs, and other relevant data sources, to uncover indicators of compromise (analysis at scale).
• Configuration analysis: Hunting for misconfigured devices, including incorrect policies, overreaching access, endpoints without installed security controls, etc. (system hardening).
• Internal hunting: Identifying sensitive data, misconfigurations, plain text passwords, tokens stored or passed inappropriately, unauthorized access to critical systems, and abuse of user identities and service accounts (insider and environmental threats).
• External hunting: Focused on identifying instances of data, credentials leaks  and/or malware/hacking discovery using third party services such as VirusTotal, Shodan, Dark Web searches, and external surface scanning (external threat).

A crucial aspect of being successful in cybersecurity is the team’s adaptability to the ever-evolving threat landscapes. Security teams must consistently refine their methodologies and remain updated on emerging threats and evolving attack techniques.

Equally important is fostering collaboration among various security teams, including network security, incident response, SOC/SOAR, vulnerability management, and threat intelligence teams. By sharing insights and findings, these teams collectively enhance their ability to protect against cyber threats effectively.

On the Hunt | SolarWinds SERV-U Vulnerability

Thanks to our WatchTower threat hunting team we can see an example of valuable threat hunting based on traditional methodologies when we take a look at the timeline and story of how exploiting the SolarWinds SERV-U Vulnerability was proven to be connected to the download, decryption, and execution of Cobalt Strike. This proves that a structured methodology supported with data analysis at scale and focused threat hunting can be successful in identifying exploitation of known vulnerabilities with traditional attack methods.

1. In July 2021, SolarWinds released an advisory on Serv-U version 15.2.3. Microsoft stated that this CVE was used in limited, targeted attacks. After just a few days CISA also released an advisory that this vulnerability may allow a remote attacker to take control of an infected system even though it had not been identified performing such activities in the wild.

   

2. Using Deep Visibility queries and Vigilance MDR analyst investigation, the SentinelOne WatchTower threat hunting team spotted abuse of the Solarwinds Serv-U vulnerability in an educational institution exhibiting anomalous behaviors such as spawning unusual child processes.
   
3. The vulnerable Serv-U secure FTP launched the command prompt and powershell interface to connect to a remote C2 IP of http://179[.]60[.]150[.]32/login. The C2 IP address was live and served the next level of encoded commands as of August 26, to further decrypt and execute Cobalt Strike in memory.
   
4. The SentinelOne Agent successfully blocked and mitigated this attack before it could infect the target machine. Afterwards, it kicked off remediation and patching activities that likely should have been performed before the vulnerability was ever exploited.
5. The idea is that a modern futuristic paradigm to threat hunting should get ahead of these types of threats and show attempts before they are able to get even this far.

Modern Futuristic Paradigm

The vision of a modern and futuristic threat hunting paradigm involves leveraging advanced technologies and methodologies to enhance security operations and stay ahead of cyber threats. In this paradigm, threat hunting becomes a central focus of Security Operations Centers (SOCs) augmented by service providers and threat experts. Internal and external teams continually conduct research on known and emerging threats, vulnerabilities, and attack techniques for attribution and correlation. This research is then operationalized to proactively identify potential threats and vulnerabilities within an organization’s environment.

Automation plays a pivotal role in this vision. Routine and repetitive tasks are automated to free up security analysts’ time for more strategic activities. Automation can include the automatic collection and analysis of threat intelligence, the correlation of security events, extraction of indicators of compromise (IoCs), and the orchestration of incident response workflows.

Adapting to Changing Security Threats

Adaptive threat hunting is a dynamic approach to proactive anomaly discovery that evolves alongside the ever-changing threat landscape. It recognizes that threats can emerge from various sources, and it goes beyond traditional threat hunting by incorporating offensive inputs, novel research, and a range of hunting strategies.

Threat hunting should include new and real time strategies that address emerging threats in the present; Retroactive hunts, which delve into historical data for hidden threats; Artifact-based searches, which examine digital traces left by attackers; and performing Hunts of Hunts, which involves identification of the overarching strategies and tactics employed by adversaries based on chained detections, with a multi-directional approach for threat attribution.

By embracing these adaptable methods, organizations can strengthen their security postures and better protect against a diverse array of threats. Over this series of blogs we will introduce a modern approach and futuristic paradigm to threat hunting that allows us to stay ahead of the adversary and explore previous hunts analyzing the factors that made them successful. Key aspects of this vision include:

• Multi-directional Approach: Variety of techniques, data sources, and methodologies to comprehensively understand an organization’s security posture leveraging diverse telemetry, sweeps and scans, and LFO (Low Frequency of Occurrence) statistical analysis you can identify patterns in seemingly unrelated data.
• Chained Detections: Involves a sequence of automated tasks triggered by an initial detection to triage and enrich telemetry data progressively from disparate data sources. This approach is a proactive and sophisticated way to uncover and respond to complex threats and threat actors.
• AI and Machine Learning: Artificial Intelligence (AI) and Machine Learning (ML) methods and techniques are integrated into threat hunting processes. These technologies can analyze vast amounts of data, identify anomalies, and detect subtle patterns indicative of potential threats. Machine learning can identify potential threats in reams of seemingly innocuous data by autonomously formulating patterns that lead to malicious behavior, based on statistical event mapping.Generative AI threat hunting can also help security teams detect and respond to threats faster and more accurately.
• Threat Intelligence Integration: Threat hunting teams integrate internal and external intelligence feeds into their platforms. Threat intelligence platforms and Information Sharing and Analysis Centers (ISACs) facilitate the exchange of threat data and insights, enabling organizations to benefit from collective knowledge. This includes information on known threats, indicators of compromise (IoCs), and emerging attack tactics.
• Adaptive Continuous Hunting: The security posture is adaptive and responsive. Threat hunting is not a one-time event but an ongoing, adaptive process. Security controls, policies, and threat hunting strategies are continuously adjusted based on evolving threats and the organization’s risk profile.
• Incident Response Orchestration: Automated incident response orchestration and playbooks (such as those configurable in a SOAR or XDR platform) are used to streamline and accelerate response efforts. Security teams can respond to threats more effectively and consistently with predefined workflows.

A Modern Approach to Hunting

In this modern paradigm, the SOC’s role expands beyond reactive incident response to include proactive research, automated processes, and advanced technologies. There have been many attempts to tackle this problem, including Risk Based Alerting, clustering, baselining, allowlisting/denylisting, data normalization, tokenization, and additional data enrichment strategies, but there are more highly effective methods that we will continue to describe over the next few blog posts.

The goal is to create a resilient security posture capable of defending against a constantly evolving threat landscape with minimal impact on internal resources and security operations.

Akira Ransomware Campaign Highlights

Now we will show the results of a more extensive and modern hunt that yielded threat attribution and a higher level of fidelity and accuracy in identifying the risk and threat actors involved in an attack highlighting the Akira Ransomware Campaign. This was identified by our Vigilance DFIR team working closely with our WatchTower threat hunting team.

Akira ransomware operations were first observed in early 2023, with all the features and assets we expect from modern ransomware familles. This included a victim blog site, multi-platform payloads, and even a retro style branding. Once access is achieved, Akira focuses on stealing confidential documents, destroying backups, disabling security settings, and performing other nefarious activities leading to the extortion of the victim for a handsome ransom.

The following steps lay out the effectiveness of a multi-directional approach that is adaptive and leverages different sources of data intelligence to paint a full picture of a threat actor.

1. During an Akira incident we identified the group was downloading RustDesk, a remote access and remote control software available for different platforms. Notably, Akira had previously been associated with AnyDesk for persistence and C2 tasks, not the RustDesk RMM tool. It then proceeds to create services, disable the firewall, and allow remote connections from Akira operators.
   

2. Internal recon leveraged Advanced IP Scanner and NETSCAN.EXE for mapping the network along with winscp for data exfiltration. They proceeded to access and manipulate SQL databases for the purpose of mapping users, data, and environment.
   

3. The threat actor even went so far as to disable LSA (Local Security Authority) settings which help defend Windows users against credential theft by preventing untrusted code from being injected into the LSASS.exe process and disabling protections built into Windows.
   

4. While cross-referencing Akira victim blog data with Shodan data it looked like CISCO VPN gateways that belonged to targeted victim organizations were also listed. This suggests that Akira ransomware operators may be exploiting a vulnerability in Cisco VPN software to gain initial access. There is also evidence that stolen credentials acquired via IABs (Initial Access Brokers).
   

5. Detecting and blocking this ransomware at the endpoint is the last line of defense. Once a detection is made, that should then turn into actionable intelligence that leads to other investigative directions that help us anticipate attackers’ next steps.

In this case, new tactics and techniques were identified and attributed to a threat actor based on adaptive, continuous threat hunting and external threat analysis. Researching, analyzing, understanding, and hunting for this attack chain enabled our hunters to proactively hunt for similar activity and block it before it became a true threat. Subsequent hunts in other organizations allowed us to detect early and prevent many breaches.

Conclusion

The importance of creating business value through threat hunting in today’s complex and rapidly evolving cybersecurity landscape cannot be overstated. With the proliferation of AI, Cloud, SaaS, IoT, containers, growing market share of macOS, and omnipresent mobile devices, along with the challenges posed by regulated markets and remote work environments, organizations are facing a detection world that has become incredibly intricate. In response to these complexities, it makes strategic sense for many organizations to outsource advanced threat hunting and analysis to specialized security vendors to augment their own capabilities.

The reasons for this shift towards outsourcing this function to expert threat hunters as opposed to having a dedicated threat hunting team are compelling. Detection engineering has matured, and organizations are recognizing that a ‘build’ mentality often leads to playing catch-up with emerging threats. By ‘buying’ the expertise of a security vendor, organizations can leverage the vendor’s multidisciplinary team, which is exposed to new threats and tactics on a daily basis, often well ahead of in-house security teams. This proactive approach reduces the organization’s exposure to risks and accelerates threat response capabilities.

Additionally, the total cost of ownership is significantly lower with a managed service compared to maintaining a salaried internal team with limited expertise. Reliable threat hunting partners provide access to a larger pool of specialized skills as well as access to large data sets of rich telemetry across disparate endpoints and malware tactics. Internal staff can be augmented to enhance the organization’s security posture without the overhead of hiring and training more personnel. The risk of not conducting threat hunting is clear, and even with security tools that offer tremendous quantities of telemetry, it’s essential to have experts process this data to maximize its benefits, predicting the attack instead of just preventing it.

Learn More About WatchTower

For enterprises looking for a threat hunting partner to help them implement a robust methodology to stand up to emergent threats, SentinelOne’s WatchTower provides threat hunting experts equipped with the latest threat intelligence and  AI/machine learning algorithms.

Today, customers can use WatchTower to achieve real-time and retroactive detections of anomalous activity across their enterprise to proactively address evolving threats and strengthen their security posture. Learn more about what WatchTower can do for your enterprise here.

Special thanks to the entire WatchTower, Vigilance, and DFIR teams for contributions in findings, analysis, and content.

Last week saw Apple update XProtect to version 2173 with new rules for Atomic Stealer and Adload. As we have noted previously, Apple’s defenses for the Mac have been evolving of late, with increased attention on remediation and some prototype behavioral rules that appear to still be in testing mode.

However, 2023 to date has seen new approaches to compromising Macs that continue to leave macOS users at risk if organizations are not taking additional measures to defend against them.

In this post, we look at some of the major macOS malware discovered recently and detail how threat actors are adapting and evolving to ensure successful compromise when targeting Apple’s desktop platform.

Persistence No Longer a Priority for Mac Infostealers

Perhaps one of the most significant changes we’ve seen in 2023 is the multitude of macOS malware families that eschew persistence. This is especially characteristic of infostealers, which aim to achieve all their objectives in one execution – stealing the user’s admin passwords, browsing data, session cookies and keychain, and then exfiltrating these off to a remote server.

With such a haul, the attackers have no need for persistence, as they now have access to any cloud or SaaS accounts that the user had stored credentials and cookies for on their local device.

~/Library/Cookies/*.binarycookies

Chrome:  ~/Library/Application Support/Google/Chrome/Default/Cookies
Firefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/
Slack :  ~/Library/Application Support/Slack/Cookies (file) 
	 ~/Library/Application Support/Slack/storage/*
         ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage

Other recent malware families abjure traditional persistence mechanisms in favor of trojanizing software that they expect the user to run regularly, in effect making the user’s own behavior the means of persistence. A good example of this, as we’ll discuss further below, was the March 2023 compromise of 3CX.

With no need to schedule execution of the malware through system services, detection becomes problematic for certain kinds of security mechanisms, and Apple’s recent introduction of pushing user notifications to warn when background items are scheduled is rendered irrelevant.

Organizations Compromised Through Targeted Social Engineering

Threat actors have begun using more sophisticated social engineering techniques to compromise Mac users. Although much common malware is distributed through channels such as torrent sharing sites and third-party software download sites, threat actors looking to compromise businesses are developing highly targeted campaigns.

Earlier in 2023 we saw how RustBucket malware targeted organizations with specially crafted applications that victims were persuaded into executing as part of an elaborate social engineering scheme. Threat actors engaged victims with the promise of a business deal and shared ‘confidential’ PDF documents that could not be read by ordinary PDF viewer software.

To view the documents ‘securely’, victims were encouraged to download a ‘proprietary’ application named ‘Internal PDF Viewer’. Convinced that the software was required to maintain the secrecy of the deal, users were persuaded to override Apple’s built-in security mechanisms. The malicious PDF viewer displayed the document the victim was expecting to see but in the background downloaded and executed malware from the attacker’s C2.

Less-sophisticated but still targeted malware has also been spotted this year aiming at small businesses and freelance contractors. The macOS MetaStealer campaign targeted victims with social engineering lures like “Advertising terms of reference” and “Brief_Presentation-Task_Overview”. These files were in fact disk images containing infostealer malware disguised as PDF documents.

As with RustBucket, the aim was to incentivize users to override Apple’s macOS security mechanisms, which unfortunately means little more than convincing them to right-click a file and choose ‘open’ rather than double-clicking it.

Increased Use of Public Offensive Security Tools

Controversy has long swirled around offensive security tools in the Windows world, particularly Cobalt Strike, which has been cracked and leaked so widely that it is now a mainstay of attackers of all stripes. The same trend is now starting to be seen in the macOS malware world, too.

Projects like Geacon wrap Cobalt Strike capabilities in Go-based payloads. These have been seen embedded in fake versions of enterprise level apps like SecureLink beaconing out to C2s in China and using job resumés as decoys.

Highly-regarded open source red teaming tool Mythic and its various payloads, particularly Poseidon, for example, have also been seen in recent macOS malware campaigns.

Poseidon and Mythic function as an implant and C2 administration suite much the same way as Cobalt Strike does. With built in obfuscation and encrypted communications, Poseidon provides attackers with a powerful toolkit.

Offensive security practitioners would argue that the open source nature of the tool makes it possible for security vendors to develop detections for the tool. This is indeed true, and most 3rd party security software should be able to detect Poseidon either statically or behaviorally. However,  Apple does not appear to have taken up that offer as yet; its malware blocking service XProtect does not contain a signature to detect Poseidon payloads.

For defenders, additional security is required. Because of the nature of such tools, it can be difficult to tell when these payloads are spotted in the wild whether they are simply leaked red-teaming tools or genuine malware campaigns, but in either case detection and protection is required.

Living Off the Orchard | Built-in Tools Used for Malicious Acts

LOLBins or ‘Living-Off-the-Land’ techniques have a long history of use in malware and cyber attacks targeting other platforms. On macOS, there is an increasing recognition of such techniques, sometimes described as “living off the orchard”. Resources to help recognize these are becoming increasingly important.

In 2023, perhaps the most commonly used built-in tools are the system_profiler tool for gathering data about the local installation, sw_vers to collect the OS system version and build, and curl both for downloading and exfiltrating data. SentinelLabs has previously documented 20 of the most common macOS LOLBins.

One of the most common malware families seen throughout 2023 and over the last two years or so, Adload uses a combination of LOLBins like chmod, xattr, and ioreg to complete its tasks.

Such tools present difficulties for defenders as it makes malicious behavior more difficult to separate from legitimate behavior, precisely the reason why attackers favor using them to achieve their objectives where possible. Of course, context here is everything. Visibility into execution chains and process trees can help threat hunters understand whether such tools are being abused, while advanced EDR tools can automate detection of malicious processes that include use of LOLBins.

Abusing Open Source Software for Initial Compromise

In July 2023, malware dubbed JokerSpy was reported by several vendors though attribution remains uncertain. JokerSpy contained several components, including two python backdoors, red-teaming tool SwiftBelt and a Swift-based Mach-O that attempts to masquerade as Apple’s own XProtect malware checking service.

Analysis of these components suggests that some attacks began the infection through a trojanized QR code generator, QRLog. The malware is hidden inside a genuine QR code generator written in Java via a malicious file, QRCodeWriter.java, inserted into the legitimate project. This file first determined the host OS, then downloaded an appropriate payload that opened a reverse shell allowing the attacker access to the victim’s device.

Although it is unclear how the threat actors delivered the trojanized software to targets, JokerSpy was found in several enterprise intrusions, including a large cryptocurrency exchange.

Ensuring that Open Source software is scrutinized against a known bill of materials and that any known vulnerabilities are patched is now part of CISA’s recommendations for all federal agencies, and private organizations are following suit. OSS presents a huge attack surface on all platforms, including macOS, and threat actors will continue to find ways to abuse it to compromise valuable targets.

Protecting Payloads with Multi-Stage, Modular Malware

One of this year’s most complex supply chain attacks, the Smooth Operator campaign, which compromised downstream businesses via maliciously tampering with 3CX’s call routing software client, 3CXDesktopApp, still remains something of a mystery.

In March 2023, various initial and intermediate stages of the malware were discovered for the macOS side of the infection chain. The attackers were careful to drop multiple stages that gathered information about the victim’s environment, but the final stage – we might suspect a backdoor or reverse shell – has yet to come to light.

The known stages of the malware were built for stealth. They relied on users launching the trojanized application for persistence, only collected limited data about the host’s 3CX account, and then self-deleted after sending this information to the attacker. The known payloads do not contain any backdoor capabilities and only collect data that would not seem obviously anomalous for the 3CX application.

Clearly, the attackers went to great lengths to ensure that the resources they put into the final stage malware would not be easily burned. For defenders, this is worrying because one reason for such caution would be protecting a high-value zero-day from being exposed.

In a similar vein, the JumpCloud intrusion in July 2023 also used multiple stages for stealth and to protect late stage payloads. Researchers have attributed both campaigns to DPRK-linked threat actors with a focus on supply chain attacks that will haul in sensitive enterprise information to be used in further, more targeted intrusions. At the same time, it is believed the actors behind these campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable.

SentinelOne Customers Protected

SentinelOne customers are protected from the malware discussed in this article. In addition, the Singularity platform provides unparalleled visibility and threat hunting capabilities to enable security teams to fully investigate and remediate threats on macOS devices.

Conclusion

While Apple continues to work on improving its own attempts to detect malware targeting the macOS platform, updates to XProtect’s YARA rules still lag significantly behind detections provided by third party solutions. For example, the Atomic Stealer rules added this week to XProtect v2173 relate to malware that have been detected in the wild by vendors for several months.

Therefore, it is highly recommended that enterprises supplement the protections offered by Apple with a security solution that uses multiple detection engines to stop both commodity malware and advanced threats.

If you would like to learn more about how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMWare ESXi servers. SentinelOne has analyzed the binary related to this attack and found that it has considerable overlap with RagnarLocker’s ESXi version.

In this post, we present technical details of the Dark Angels ransomware, offer a comparative analysis of Dark Angels and RagnarLocker samples, and provide recommendations for security teams safeguarding ESXi servers.

Overview

RagnarLocker is a ransomware group that was active throughout 2020 to 2022, drawing attention from the United States Federal Bureau of Investigation (FBI) for targeting entities in the critical manufacturing sector.

Dark Angels is a relative newcomer first reported in 2022 for its Windows version, which was very closely linked to the leaked Babuk Windows source code. Interestingly, our analysis finds the ESXi version of Dark Angels shares no significant overlap with the leaked Babuk ESXi locker source code, which many Linux ransomware families are based on or adapted from.

Technical Details

Dark Angels (06187023d399f3f57ca16a3a8fb9bb1bdb721603) is a 64-bit Executable & Linkable Format (ELF) binary designed for Intel-based Linux systems. On execution, the program logs the encryption progress to the hardcoded log file name, wrkman.log, which is saved to the directory that the Dark Angels binary is run from.

The program requires the operator to specify a root directory for file encryption to start, which will then process any subdirectories. Dark Angels takes optional arguments, which are documented internally as dl:m:s:v.

The -m argument lets the operator specify how many encryption threads to run concurrently, which can be 10, 20, 25, 33, or 50. The -v argument enables verbose logging mode to the command line. The -l argument lets the actor specify a log file name for the progress log.

During analysis, we observed that Dark Angels wrote a ransom note for each file encrypted; normally, ransomware writes one ransom note per directory where files are processed for encryption. The ransom note naming convention is .crypted.README_TO_RESTORE.

Dark Angels uses AES with a 256-bit key to encrypt files. The encryption routine can override a locked file by obtaining the PID of the locking process, then running the kill -9 command against that PID to terminate the process. This code will only execute if the PID value is greater than 10, which prevents the binary from attempting to kill files locked by crucial, kernel-interfacing processes.

Dark Angels vs. RagnarLocker

We identified considerable similarities between the Linux version of Dark Angels and a RagnarLocker binary circa 2021, 5411d7905bef69cb16d44f52fc46aa32fd922c80. From the file metadata perspective, both binaries are roughly 150 KB in size and designed for Intel x86-64 architectures. They also share the same compiler string compilation artifact: GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-44).

Dark Angels and RagnarLocker use the same encryption mechanism (AES-256) and the same file extension, .crypted. This is notable because the Windows version of RagnarLocker uses a bespoke file extension, RGNR_. The Dark Angels Windows version uses the .crypt extension.

Both ransomware families share the same file path exclusion list, which ensures critical system files are not encrypted. Dark Angels’ extension exclusion list also includes the ransom note name, .README_TO_RESTORE, which is not present in RagnarLocker.

RagnarLocker also writes the same log file, wrkman.log. The RagnarLocker binary only takes the threading argument with the same -m flag, as outlined in its usage message.

Usage:%s [-m (10-20-25-33-50) ] Start Path

Other optional arguments seen in Dark Angels are not present in RagnarLocker.

The overlap between the two families is further solidified with analysis of a sample of Dark Angels ransomware observed in September 2022. Sample 7c2e9232127385989ba4d7847de2968595024e83 is highly similar to the 2023 Dark Angels sample 06187023d399f3f57ca16a3a8fb9bb1bdb721603 described above.

At the surface level, we see the same wrkman.log file being used and the same -m parameter supported, but that is the only argument available, other than supplying a starting path.

The .crypted extension is also used along with the previously observed README_TO_RESTORE filename.

However, the 2022 sample directs victims to a different .ONION address, qspjx67hi3heumrubqotn26cwimb6vjegiwgvrnpa6zefae2nqs6xqad[.]onion.

When this payload was first reported that address was inactive and remains so at the time of writing. In contrast, the 2023 variant directs victims to lyoevnzm3ewiq6jeyyuob2wfou7gh47yotuucsrwlf6ju3xrw43wacad[.]onion for live-chat/support and uses p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd[.]onion as the victim leak site. p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd is the historic Dark Angels Team-hosted “Dunghill Leak” site.

Also of note, the 2023 variant changed the hosting method for proof-packs (proof or evidence of leakage), using the victim(s) password-protected ufile[.]io links.

The 2022 variation uses simple, unsecured image links to image sharing service ibb[.]co.

Recommendations

Endpoints running the SentinelOne agent are protected against the Dark Angels and RagnarLocker Linux variants. Organizations can prepare for attacks from groups like Dark Angels by implementing a robust vulnerability & patch management program, as previous reports indicate the group leverages vulnerabilities to achieve initial access before pivoting deeper into the environment.

Given the lack of security software on ESXi hypervisors, consider enhanced network monitoring for unusual access to these systems, including internal system traffic. When possible, focus on large or abnormal data transfers off of the ESXi server as well as other file storage services within the network.

Conclusion

ESXi lockers continue to prove successful for the ransomware groups who use them, yet the overall pool of unique Linux ransomware families remains narrow. We assess with high confidence that these two samples are related and that the Linux version of Dark Angels is a very lightly modified, more recent version of the analyzed RagnarLocker binary.

There is a potential caveat to attributing Dark Angels as the next iteration of RagnarLocker when vendors miscategorize information or fail to thoroughly explain connections made through their analysis. For example, the RagnarLocker binary was classified as RagnarLocker by Fortinet, but listed as a Vice Society file by another vendor, Quorum Cyber.

Based on the volume of VirusTotal community comments for the RagnarLocker binary, our assessment aligns with contributions from earlier researchers.

Indicators of Compromise