SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: ModernLoader delivers multiple stealers, cryptominers and RATs
Description: Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Because of the use of off-the-shelf tools, the group improves its operational security and there are no obvious signs of who the actor behind the attacks is, except that they likely speak Russian.
Snort SIDs: 60437 - 60440
Title: LockBit ransomware group looking to add DDoS attacks to its arsenal
Description: The LockBit ransomware group is hoping to double down on its triple extortion efforts after a recent distributed denial-of-service attack against its leaks website. The group’s public leader posted on a popular forum that it was improving its DDoS defenses after a recent hacking-back attempt from a security firm, and was also looking to add DDoS experts to its team to start triple extortion attacks. This means LockBit would steal victim’s data, threaten to leak it online, and if the target doesn’t pay the extortion payment, LockBit would target it with DDoS attacks. The group also claims to have 300GB of data stolen from software make Entrust.
Snort SIDs: 54910 – 54917, 58023