SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: LockBit 2.0 targets organizations across the globe
Description: The ransomware-as-a-service network behind the LockBit ransomware is launching new attacks using the 2.0 version of its malware. LockBit has recently been spotted targeting organizations in the U.K., Taiwan, Chile and Italy. This new version of LockBit includes new encryption features and an effort to recruit “insiders” at the targeted organizations. Once the malware encrypts the data on the targeted machine, it changes the wallpaper to display an advertisement, telling users that they can become a part of LockBit’s recruitment process, promising payouts in the millions of dollars. LockBit’s been behind several recent high-profile attacks, including one on global consulting firm Accenture.
Snort SIDs: 58024, 58025
Title: Several RATs targeting users in Latin America, stealing high-profile credentials
Description: Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT. The campaign targets travel and hospitality organizations in Latin America. Techniques used in this campaign resemble those of the Aggah group but are operated by a distinct threat actor based in Brazil. We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators. The threat actor authoring the crypter primarily aims to sell it as a service. We've observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we've also discovered that the crypter's authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs. The highly modular structure of the Latin American attack indicates a focus on stealth in delivering two widely popular RAT families, AsyncRAT and njRAT. These techniques, along with other indicators, are shared with the Aggah group, indicating that the crypter author might have sold it to both parties.
Cisco Secure Endpoint orbital search queries: