CTI Roundup: Attacks Spike in 2023, Ransomware Payments Skyrocket

In this week’s roundup, CTI investigates a Mandiant report revealing a surge in attacks delivering malware via USB drives during the first half of 2023 — including two new campaigns. Next up, CTI looks at a report predicting that ransomware activity is on track to break previous records this year, with researchers observing an overall rise in the number of successful ransom payments. Finally, CTI investigates a ransomware strain known as Big Head.

1. USB drive malware attacks spike in first half of 2023

According to Mandiant, there was a threefold increase in the number of attacks delivering malware via USB drives in the first half of 2023.

Mandiant’s report also highlights two new USB-delivered malware campaigns that contributed to the spike, including SOGU malware and SNOWYDRIVE.

SOGU spreads via USB

Mandiant first discovered this campaign while searching for suspicious file-write events in directories that threat actors commonly use for storing malware, tools, and utilities.

The researchers note that the SOGU campaign is “the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals.”

This campaign uses USBs to load SOGU malware and steal information from the victim device. Mandiant attributes this campaign to TEMP.hex, which is a China-linked espionage actor — and believes the campaign was carried out to gather information in support of Chinese national security/interests.

According to Mandiant’s research, these attacks pose a risk to a vast range of industries across Europe, Asia, and the U.S.

• Initial infection: The initial infection vector is an infected USB drive. This flash drive contains several malicious software that are designed to load a malicious payload in memory through DLL hijacking.
• Established foothold: The infection chain typically consists of three files including a legitimate executable, a malicious DLL loader, and an encrypted payload.

When the legitimate executable runs it will side-load a malicious DLL file, which is known as KORPLUG. The KORPLUG malware then loads a decrypted shellcode and executes it in memory. This shellcode is a backdoor written in C and is called SOGU.

• Reconnaissance and data staging: A batch file is dropped in the recycle.bin file bath that will run host reconnaissance commands and outputs the results to a file named c3lzLmluZm8.

The malware will search the C drive for files with certain extensions and will encrypt a copy of each file, encoding the original before dropping the encrypted files into the following directories:

C:\Users\\AppData\Roaming\Intel\\

:\RECYCLER.BIN\\

• Persistence: The malware creates a directory masquerading as a legitimate program and sets the directory’s attribute to hidden. It will then copy its main components to this newly created directory.

In addition, the malware will create a Run registry key with the same name as the directory it created earlier. In some SOGU variants, an additional scheduled task was created to run the malware every 10 minutes for persistence.

• Exfiltration: The malware will exfiltrate any data that has been staged during the last stage of the attack. The malware may include HTTP, HTTPS, a custom binary protocol over TCP or UDP, and ICMP to communicate with its command and control (C2) server.

It also supports a wide range of commands including file transfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging. Finally, this malware is also capable of copying itself onto new removable devices plugged into an infected device, allowing it to potentially collect data from air-gapped systems.

SNOWYDRIVE malware infection via USB targets oil and gas organizations in Asia

This campaign also uses USBs to deliver the SNOWYDRIVE malware. After the malware is loaded, it creates a backdoor on the system and gives the threat actor access to remotely issue system commands.

It can also spread to other USBs and propagates through the network. Mandiant has attributed this campaign to UNC4698, which is a threat actor that has previously targeted Asia’s oil and gas industry.

This threat actor will execute payloads via the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.

• Initial infection: Again, the initial infection vector for this campaign is an infected USB device. In this case, the malware lures the victim into clicking on a malicious file masquerading as a legitimate executable. When the victim clicks this file, it triggers a chain of malicious extensions.
• Establishing a foothold: The infection starts with an executable that serves as a dropper. This dropper is responsible for writing malicious files to disk and then launching them.

The encrypted files contain executables and DLLs that are extracted and written in the C[:]\Users\Public\SymantecsThorvices\Bin directory. The files can be broken down into four key components that each consist of a legitimate executable and a malicious DLL.

• Command and control: The shellcode-based backdoor, SNOWYDRIVE, will generate a unique identifier based on the system name, username, and volume serial number. This serves as a unique ID when communicating to its C2 server, which is usually found hardcoded in the shellcode.
• Persistence: The campaign uses the following registry value for persistence:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba

• Lateral movement: The malware then copies itself to removable drives that are subsequently plugged into the infected device. It will create the folder “\Kaspersky\Usb Drive\3.0” on the removable drive and copy the encrypted files that contain the malicious components.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The recent spike in USB-delivered malware reminds us that although these attacks require physical access to the device, they clearly have advantages that keep them relevant in today’s landscape.”

“Mandiant’s research into these campaigns revealed that local print shops and hotels appear to serve as hotspots for USB malware infections — indicating that these attacks are still rather opportunistic in nature.”

2. Ransomware payments surge in 2023

According to a recent report from blockchain analysis firm Chainalysis, ransomware activity is on track to break previous records, with researchers observing an overall rise in the number of successful ransom payments both big and small.

Ransomware stands out

The report reveals that ransomware is the only cryptocurrency crime category seeing a rise this year, with all others recording a steep decline — including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue.

From a BleepingComputer article on the subject:

“Ransomware is the one form of cryptocurrency-based crime on the rise so far in 2023,” reads the Chainalysis report. “In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June.”

What’s more, the cumulative yearly ransomware revenue for 2023 reached 90% of the 2022 total figure in the first half of the year.

Outlook

The report claims that if the current revenue growth pace continues, ransomware actors will make just short of $900 million from victims in 2023, just below 2021’s record figure of $940 million.

Chainalysis’ researchers assert that the driving force behind this steep revenue climb is “big game hunting,” with extortionist gangs and ransomware families actively targeting large, high-value organizations that can pay record-breaking sums of money.

Leaders of the pack

According to Chainalysis, BlackBasta, LockBit, ALPHV/Blackcat, and Cl0p top the list of the primary recipients of big-sum payments, with Cl0p boasting an average payment size of $1.7 million and a median payment figure of $1.9 million.

Notably, Cl0p is responsible for two massive waves of attacks exploiting two zero-day vulnerabilities discovered in file-transfer tools: Fortra’s GoAnywhere in the first quarter of the year, and Progress’s MOVEit Transfer in the second.

From BleepingComputer:

In fact, Clop’s GoAnywhere campaign, which involved 129 attacks, made March 2023 a record-breaking month, as reported by the NCC Group at the time. The MOVEit attack wave is already larger, counting 296 victims so far, with more disclosed on Clop’s extortion site every week.

Furthermore, as Chainalysis explains, “the growth trend for H1 2023 can also observed on the other end of the spectrum, with small ransomware payments being made to opportunistic, ‘spray-and-pray’ ransomware-as-a-service (RaaS) operations such as Dharma, Phobos, and STOP/DJVU, who blackmail victims for a few hundred USD.”

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It is likely that the yearly decrease in the number of organizations willing to give in to extortion has become a contributing factor in cybercriminals returning to big game hunting, as well as threat actors increasing their ransom demands.”

“The latter is probably a strategic attempt on the part of extortionist groups and ransomware families to compensate for rising monetary losses from companies that refuse to pay.”

3. Big Head ransomware displays fake Windows update alert

Trend Micro recently dissected a ransomware strain known as Big Head. The ransomware is reportedly spreading via malvertising that promotes fake Windows updates and Microsoft Word installers.

The first sample

The first sample of Big Head featured a .NET compiled binary file. The binary checks for the mutex name “8bikfjjD4JpkkAqrz” using CreateMutex, and will terminate itself if found.

The sample also had a list of configurations containing details related to its installation process. It specified various actions including the creation of a registry key, checking for the existence of certain files and overwriting them if necessary, setting system file attributes, and creating an autorun registry entry.

Researchers noted the existence of three resources including 1.exe, archive.exe, and Xarch.exe. 1.exe will drop a copy of itself for propagation. Archive.exe will drop a Telegram bot that is responsible for establishing communication with the threat actor’s chatbot ID. And Xarch.exe will drop a piece of ransomware that will encrypt files and will display a fake Windows update to the victim.

Binaries

• 1.exe: This file will hide the console window and create an autorun registry key so that it will execute automatically at startup. It will also make a copy of itself, which it will save as discord.exe in the <%localappdata%> folder.

The Big Head ransomware will then check for the victim’s ID. If it exists it will read the content, if not, it will create a randomly generated 40-character string and write it to a file as a type of infection marker to identify its victims.

Researchers also observed the ransomware deleting its shadow copies and backups before dropping the ransom note to the desktop, subdirectories, and %appdata% folder. The Big Head ransomware will also change the wallpaper of the machine. Lastly, the ransomware will execute a command to open a browser and access the malware developer’s Telegram.

• Teleratserver.exe: This is a 64-bit Python-compiled binary that serves as a communication channel between the threat actor and victim via Telegram. It can accept the commands “start,” “help,” “screenshot,” and “message”.
• BXluSsB.exe: This malware displays the fake Windows Update UI to trick the victim into believing the activity is part of a legitimate software update process.

The malware will terminate itself if the user’s system language matches the Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek country codes. It will also disable the Task Manager to prevent the victim from terminating the process. The malware then drops a copy of itself in a hidden folder that it creates and sets up an entry in the RunOnce registry key.

The malware will avoid encrypting files in directories that contain a specified list of substrings and will only encrypt files with certain extensions. The malware will also terminate a specified list of processes.

Sample Two

The second sample of Big Head exhibits both ransomware and stealer behaviors. The main file drops and executes three files: runyes.crypter.bat, azz1.exe, and server.exe.

The ransomware activities are carried out by runyes.cryper.batt and azz1.exe, while server.exe is responsible for collecting information for stealing. Like the first sample, this sample will change the victim’s desktop wallpaper.

Sample Three

This sample includes a file infector that Trend Micro identified as Neshta in its chain. Neshta is designed to infect and insert its malicious code into executable files.

Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final ransomware payload, and potentially divert analysts from detecting the true threat which is ransomware.

About the threat actor

The ransom note indicates that the malware developer uses email and Telegram to communicate with victims.

After diving into the Telegram username, researchers were able to find an associated YouTube account. The account is relatively new, having joined in April of this year, and has a total of 12 published videos. The videos showcase demonstrations of the piece of malware Trend Micro observed.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While Big Head is not a very sophisticated ransomware strain, the multiple variants in the wild indicate that its creators are actively working to develop and refine it.”

“Trend Micro looked at the associated Bitcoin wallet history and found transactions dating back to 2022. There are currently no further details as to what these transactions are or what the associated attacks may be. This does, however, imply that this threat actor may have some previous experience.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.