Blogs

The Security Metrics that Matter and Why 

According to CIO.com, 58% of organizations aren’t adequately measuring the effectiveness of their cybersecurity program. That number is even more shocking when you consider how the average global cost of a data breach reached $4.35 million in 2022.

YoroTrooper Threat Group Targets Commonwealth of Independent States Countries and Embassies

YoroTrooper is a newly discovered advanced persistent threat (APT) group that has been targeting government and energy organizations across Europe, with a particular focus on CIS countries and embassies. CIS stands for the Commonwealth of Independent States, which is a regional intergovernmental organization made up of former Soviet republics. The CIS was formed in 1991 after the collapse of the Soviet Union and currently consists of Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, and Uzbekistan.

Threat Research: DarkCloud Malware 

Introduction: What is DarkCloud? 

DarkCloud is an information-stealer malware that was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. The builders of DarkCloud state that threat actors are able to tailor the stealer’s payload to their needs. DarkCloud Stealer operates through a multi-stage process, with the final payload, written in Visual Basic, loaded into memory during the last stage.

Threat Research: Clasiopa Threat Actor 

In recent years, cyberattacks targeting research organizations have been on the rise. These attacks are often carried out by sophisticated threat actors seeking access to valuable intellectual property, research findings, and other sensitive information. One such group that has recently been observed is Clasiopa, a previously unknown threat actor that has been targeting a materials research organization in Asia.

Critical Start Warns of Newly Discovered Threat Group Targeting Organizations in Asia 

Previously Unknown Threat Group: Hydrochasma 

Hydrochasma is a newly discovered cyberthreat group that has been targeting medical and shipping organizations in Asia since at least October 2022. State-sponsored cyberattacks have been increasing in recent years, with governments and their intelligence agencies engaging in cyber espionage to gain an edge in political, economic, and military affairs.

Threat Deep Dive: Exfiltrator-22 Post-Exploitation Tool 

Summary  

A group of cybercriminals is advertising a new, fully undetectable post-exploitation tool, Exfiltrator-22 (EX-22), on underground forums. The framework was designed to spread ransomware through corporate networks while evading detection. It is marketed via a framework-as-a-service model, offering affiliates the option to purchase monthly or lifetime access to the tool.

Mustang Panda and the Rise of Custom Malware Usage by Chinese State-Sponsored Actors 

The rise of custom malware usage by Chinese state-sponsored advanced persistent threat (APT) groups is a growing concern among cybersecurity experts. This article focuses on MQsTTang, a newly discovered backdoor used by the Chinese APT group Mustang Panda. MQsTTang is a single-stage backdoor that uses MQTT for command-and-control (C2) communications, an unusual choice for APT groups. The article also highlights the trend of Chinese APT groups using custom malware and the implications of this trend for organizations.

Malware Targeting Linux Operating Systems 

Summary  

A trend of malware developed specifically to target Linux systems is being observed in the wild. Previously, malware targeting Linux was relatively scarce and primitive in comparison to malware for proprietary operating systems.

Threat Deep Dive: BlackLotus

What is BlackLotus?

BlackLotus is a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, which is a type of malware that can bypass Secure Boot defenses, making it a potent threat in the cyber landscape. Secure Boot is a security feature in modern computer systems that ensures that only trusted software is loaded during the boot process.

Threat Research: New Framework Raising “Havoc” 

Introduction: What is Havoc? 

Havoc, a new open-source command-and-control (C2) framework, is being used by threat actors as an alternative to Cobalt Strike and Brute Ratel (commercial post-exploitation C2 frameworks). C2 frameworks give threat actors the ability to drop beacons on breached networks for later lateral movement and delivery of additional malicious payloads.

A Dive into the Soul: Analyzing Sharp Panda's Latest Cyber Espionage Campaign 

What is Sharp Panda?

Sharp Panda, also known as APT19, Emissary Panda, or Iron Tiger, is a Chinese Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily targets government organizations, defense contractors, and research institutions in Southeast Asia, Europe, and the United States. 

Critical Start Warns of New Beep Malware

By: Critical Start Cyber Threat Intelligence (CTI) Team