Infostealers, Cactus Ransomware, the MOVEit vulnerability, and malware that dispenses money out of ATMs. Our threat intelligence team highlights new malware and some of the most popular vulnerabilities exploited by cybercriminals over the past year.
malware and vulnerabilities in 2023
A lot can happen in a year in cybersecurity, and 2023 was no exception. This series of blogs is a retrospective of some of the top trends, changes and continuities observed by Searchlight Cyber’s Threat Intelligence team, covering areas such as cybercriminal forums and marketplaces, threat actor motivations, malware, ransomware, initial access brokers, vulnerabilities, and social engineering techniques. The platforms, tools, actors, and insights featured in this series are based on intelligence gathered from Searchlight’s extensive deep and dark web dataset.
You can find the previous two blogs in the series here:
In this blog we look at some of the malware and vulnerabilities cybercriminals used to conduct their attacks in 2023. In particular, new strains of malware that rose to prominence last year – including infostealers for sale on dark web marketplaces, spyware targeted at mobile devices, and even malware that prints cash out of ATMs. On the vulnerability side, we focus on the likes of MOVEit and CitrixBleed – critical vulnerabilities that were quickly exploited by ransomware groups and other threat actors to impact hundreds of organizations.
At some point in the Cyber Kill Chain hackers usually need to use malware, and there is an increasingly endless supply of variants for them to choose from depending on their objectives, the malware features they need, and the knowledge and capability they have to operate it. Malware that we commonly observe being advertised on hacking forums includes ransomware, information stealers, remote access trojans (RATs), loaders and droppers, botnets, and keyloggers.
Some of the most popular malware has been on the market for years now – for example, infostealers like Raccoon Stealer, Redline Stealer, Vidar, AZORult, and Gozi were heavily put to use in 2023. However, these strains are already well documented by the information security community. Therefore, in this section we have focused on emerging malware strains that became popular and caused a great deal of damage over the past year.
RisePro is an infostealer malware that we first observed in December 2022 but gained significant traction over the course of 2023. The actor RiseHub first advertised RisePro on the WWH-Club cybercrime forum, but has since posted it to Exploit as well, where a forum deposit of 0.033906 bitcoins (about US $1,250) was made. Forum deposits are made by sellers as a “guarantee” to make themselves appear more credible. If the seller scams, they lose the deposit, so it is an indicator the actor means business.
Besides the common functionalities of infostealer malware, the seller boasted that one of RisePro’s key features is the ability for users to host the infostealer’s panel on their own server, which is desirable for those who are looking to keep their logs private with no chance of anyone else accessing them. This comes in the context of the theft of data from several other infostealers that used the developer’s infrastructure for log storage.
RiseHub claims that the infostealer shares code with Vidar and RedLine, two prolific infostealers that have gained notoriety over the years. RisePro was developed using the C++ programming language, is fully automated, and doesn’t require installation on the operator’s device – everything being controlled from the panel. According to open sources, the infostealer was also associated with the PrivateLoader pay-per-install downloader. With newer versions, RisePro came with a built-in loader feature and, according to the Telegram channel operated by the stealer’s developers, a hidden virtual network computing (HVNC) component was added.
At the time of writing, our data sets captured at least 32,000 logs captured using RisePro and offered for sale on the notorious marketplace RussianMarket. The large number of logs indicates that threat actors are happily paying the US $300 monthly fee to operate the infostealer.
Stealc is yet another example of an infostealer malware that we observed taking off in the past 12 months. In January 2023, the actor plymouth, a member of the XSS cybercrime forum, advertised the stealc infostealer, which was allegedly developed using code from Vidar, Raccoon, Mars and RedLine stealers. Usually developers who reuse code are looking to make a quick profit and move on but – like RisePro – stealc seems to have been well received by the underground community. The actor plymouth appeared to be reliable and continuously supported the malware and – to prove their credibility – made a forum deposit of 0.110461 bitcoins (about US $4,000) on Exploit and another of 0.021 bitcoins (about US $800) on XSS. This proves that the actor is ready to lose the money if they are found to be scamming or get banned.
The infostealer was developed with the C programming language using WinAPI and can capture data from browsers, web plugins, cryptocurrency wallets, messengers, email clients, and more. One noteworthy feature of the infostealer is the capability to send each collected file to a remote server without first bundling multiple sets into one archive on the infected computer. The actor claims that using this method, even in the event of triggering the anti-virus, partial data would still be delivered, without losing the whole pack.
Similar to other respectable infostealers, stealc comes with an easy-to-install administration panel and Telegram-based delivery of logs. The actor monetized the stealer using the Malware-as-a-Service (MaaS) business model, with a monthly subscription costing about US $200 and discounted pricing available for longer subscriptions.
PikaBot – first observed in the wild in 2023 – serves as a modular malware behaving like a trojan. It is written using the C and C++ programming languages and made out of two components: a core component and a loader. The specifications and traffic patterns generated by the malware allows us to associate it with Matanbuchus, a well-known loader that has been used since 2022. Furthermore, based on delivery methods and spamming campaigns observed, it appears that PikaBot is operated by a threat actor known as “TA577”. The same threat actor operated QakBot until its infrastructure was taken down by law enforcement. At the time of writing, we have not observed any attempts of actors selling PikaBot on underground forums or marketplaces.
When deployed, the malware runs a series of anti-debugging, anti-analysis and anti-VM checks, while also checking for the system language. If the system is set to a Commonwealth of Independent States (CIS) language, the malware does no harm, a sign that the operators are likely Russia-based. After passing all the aforementioned checks, the core module is decrypted, starts sending system information to the command and control server, and awaits instructions on further commands to be executed, including downloading additional malware. Some of the campaigns observed using PikaBot go further to infecting the system with Cobalt Strike.
While malware targeting computers usually gets everyone’s attention, mobile malware often misses the spotlight, even though its impact can be just as profound. The emerging Android malware known as SpinOk has allegedly infected 30 million devices, having managed to bypass Google Play’s strict policies. The spyware connects to a remote server controlled by the threat actor where the victim’s information is sent, including clipboard contents and files. This means that sensitive data such as personally identifiable information, payment card data, credentials, as well as photos and documents are at risk of ending up in the wrong hands. The malicious Android module is used by developers as a marketing software development kit (SDK), therefore it is unclear whether the infected apps were compromised knowingly or the developers just used the module for the legitimate purpose, to include a gamification component into their apps.
A new malware strain that was first observed in the wild at the beginning of 2023 allowed attackers with physical access to an ATM to conduct “jackpotting” attacks. The malware appears to work on any ATM running on the Windows operating system. The FiXS malware works by sending the ATM an instruction to dispense cash 30 minutes after a reboot, possibly requiring a two person crew to conduct a successful attack. One attacker would infect the ATM, while the other, a mule, would come to collect the cash. Interaction with the ATM is done by using an external keyboard, similar to other ATM malware, such as Ploutus. The malware wreaked havoc in the LATAM region, however its developers appear to be from Russia.
A discussion about malware would not be complete without mentioning ransomware. Last year saw the creation of multiple new strains, but one of the more interesting ones is a ransomware that encrypts itself during the deployment phase in order to avoid triggering endpoint detection and response and anti-virus solutions. This ransomware was dubbed “Cactus” based on the file extensions it used. More interestingly, the file extensions changed depending on the processing state, for example, while a file is being prepared for encryption it receives the .cts0 extension, then, after encryption, the .cts1 extension is used. The Cactus ransomware operators exploit vulnerabilities in VPN solutions for initial access and target enterprises worldwide.
Some sources estimate that 40 million people were impacted through the exploitation of just one vulnerability last year. Here’s our roundup of some of the most impactful vulnerabilities of 2023:
CVE-2023-34362 (MOVEit Vulnerability)
The file transfer solution MOVEit was found to be vulnerable to SQL injection attacks, allowing attackers to gain access to sensitive data. The Cl0p ransomware gang exploited the vulnerability to the fullest extent, targeting over 500 entities worldwide, including large banks, big four accounting firms, airlines and more. After a successful attack, the gang would attempt to extort the victim by threatening to release the data via their blog. The developers of MOVEit have released a security update patching the vulnerability, but it is unclear how many systems remain unpatched.
CVE-2023-27350 (PaperCut Vulnerability)
Another improper access control allowed threat actors to target users of the PaperCut print management software, bypass authentication, and exfiltrate data. An update was quickly released fixing the vulnerability, but multiple threat actors – including the ransomware operators Cl0p, Bl00dy, and LockBit – had already exploited it. As with most attacks of this type, exfiltrated data ended up on the attackers’ dark web leak sites, after being used as leverage in double-extortion attempts.
A vulnerability that allows remote code execution has been exploited by a Russia-based hacking group by the means of a phishing campaign. The emails – targeting government institutions – contained attachments with specially crafted and malicious Word documents that could exploit the vulnerability affecting Windows Search, bypassing the Mark-of-the-Web (MotW) security feature. The documents were designed to capture the recipient’s attention by discussing the possibility of Ukraine joining the NATO alliance.
CVE-2023-4966 (CitrixBleed Vulnerability)
A recently discovered vulnerability in Citrix NetScaler ADC and Gateway products enabled threat actors to wreak havoc in the winter months of 2023. Dubbed CitrixBleed, the vulnerability allows attackers to hijack legitimate user sessions and circumvent safeguards such as password requirements and multiple factor authentication (MFA), before pivoting to privilege escalation, lateral movement or accessing data in order to achieve their aims. The US Cybersecurity and Infrastructure Security Agency (CISA) believes this bug has been exploited by both nation-state and criminal actors, with one of the most prominent examples being ransomware crew LockBit’s targeting of aerospace giant Boeing.