
CTI Roundup: FBI and CISA Issue Royal Ransomware Warning

A joint FBI and CISA advisory on Royal ransomware, Sharp Panda’s new malware variant, and an update on IceFire ransomware

Emerging Issue

This week, CTI explores a March 2, 2023, joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) focused on the growing threat to various sectors posed by the most recent Royal ransomware variant. Next, we dive into Check Point’s latest research, which focuses on the Sharp Panda cyberespionage group and how it’s leveraging a new version of its Soul backdoor/malware framework in its latest campaign. Finally, we look at the newly discovered variant of IceFire, a strain of big-game-hunting ransomware previously known only to be deployed against Windows environments, but which has recently emerged with a Linux-specific variant.

1. FBI and CISA Release #StopRansomware: Royal Ransomware joint cybersecurity advisory

A joint cybersecurity advisory issued by CISA and the FBI warns that cybercriminals are compromising U.S. and international organizations with a Royal ransomware variant that uses its own custom-made file encryption program, a variant that has evolved from earlier iterations that used “Zeon” as a loader. This activity has been observed since approximately September 2022.

Here are the key takeaways:

  • After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting targeted systems.
  • Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin.
  • Royal actors do not include ransom amounts and payment instructions in the initial ransom note. Instead, the note, which appears after encryption, requires victims to interact directly with the threat actor via a ‘.onion’ URL, which is reachable only through the Tor browser.
  • Royal ransomware actors have targeted numerous critical infrastructure sectors, including manufacturing, communications, healthcare and public healthcare (HPH), and education.

How Royal actors gain access to networks

According to the reporting agencies, Royal actors gain initial access to victim networks in several ways, including:

Phishing: In 66.7% of incidents, Royal actors are able to gain initial access to victim networks via successful phishing emails. Victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents and advertising.

Remote Desktop Protocol (RDP): Over 13% of incidents involve RDP compromise, making it the second most common vector for Royal actors.

Public-facing applications: The FBI has also observed Royal actors gaining initial access by exploiting public-facing applications.

Brokers: Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Many ransomware gangs and other financially motivated cybercrime syndicates have begun moving away from an encryption-based extortion model, in favor of straight-up extortion attacks.”

“There are various factors that have contributed to this shift in methodology. For example, ransomware is noisy, detectable, and complex, while negotiations can be long, drawn-out affairs that, in many cases, result in no payment or a significantly reduced one. This has been exacerbated by federal regulations and changing cyber insurer policies.”

“That said, this joint advisory warning of Royal ransomware activity serves as a reminder that there are plenty of traditional ransomware threats in existence, though more and more are adopting new methodologies and TTPs like living-off-the-land (LotL) tactics, using legitimate tools to avoid detection, and adopting new C2 frameworks. They are also leveraging partnerships with highly successful malware families such as QBot for purposes ranging from help with initial access to the use of ready-made communications (C2) infrastructure. Royal makes use of virtually all of these techniques and thus should be considered a significant threat.”

2. Sharp Panda APT using new malware variant with radio silence feature

According to Check Point, the Sharp Panda cyberespionage group is using a new version of its Soul malware framework in its latest campaign.

The Soul backdoor contains a radio silence feature, allowing the threat actor to specify the hours in a week when the backdoor is not allowed to communicate with the command-and-control server.

Who is Sharp Panda?

At the beginning of 2021, Check Point uncovered a surveillance operation by a group they refer to as Sharp Panda. This campaign targeted Southeast Asian government entities and leveraged spear-phishing emails to gain initial access to its targets. These spear-phishing emails carried an attached Word document with government-themed lures. The document used a remote template to download and run a malicious RTF document containing the infamous RoyalRoad kit.

After gaining access to the network, the malware started a chain of in-memory loaders, including a custom DLL downloader and a second-stage loader to deliver the final backdoor. The final payload in this campaign was VictoryDLL – a custom malware that enables remote access and data collection.

Sharp Panda’s latest campaign

Further investigation into Sharp Panda uncovered several campaigns using the same infection chain as outlined above. However, Sharp Panda’s latest campaign leverages a new version of the SoulSearcher loader, which is capable of downloading, decrypting, and loading in memory the other modules of the Soul modular backdoor.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It has not been confirmed if the Soul framework is being leveraged by a single threat actor, though early attempts at attribution appear to link the framework with a threat actor with some kind of ties to China. The sharing of custom tools and TTPs among Chinese APTs is extremely common, making attribution – and the actual work of tying these types of campaigns to a single threat actor – particularly difficult. It’s also worth noting that the Soul framework has been used for several years now and is constantly being updated and refined, making it that much harder for researchers to keep up with.”

3. IceFire ransomware exploits IBM Aspera Faspex to attack Linux-powered enterprise networks

A new report from SentinelLabs claims that its researchers have observed novel Linux versions of a known ransomware strain called IceFire being deployed against media and entertainment companies in places not traditionally described as popular targets for ransomware gangs, including Turkey, Iran, Pakistan, and the U.A.E.

Prior to the release of SentinelLabs’ report, IceFire had only been associated with Windows-centric attacks. IceFire was reportedly first noted by MalwareHunterTeam in March of 2022. However, it wasn’t until August 2022 that victims were publicized via its dark web leak site.

SentinelLabs describes IceFire’s tactics as consistent with ransomware gangs that practice big-game-hunting (BGH) methodology. In other words, tactics involve double extortion, targeting large enterprises, leveraging multiple persistence mechanisms, and placing emphasis on defense/analysis evasion by way of log file deletion.

While previous reports associate IceFire with attacks on the technology sector, the ransomware’s most recent Linux-focused activity has so far been largely confined to the entertainment and media verticals.

IceFire Windows variant

IceFire’s Windows variant is delivered via phishing messages. Threat actors also engage in pivoting using post-exploitation frameworks.

Characterized by researchers as a multi-pronged extortion threat, IceFire’s operators exfiltrate all data of interest from the target environment prior to encrypting devices. Once this has been accomplished, victims are then extorted and pressured into paying ransom demands to prevent data leakage and hopefully obtain decryption keys.

About the IceFire Linux variant

According to SentinelLabs, researchers first observed the novel Linux variant of IceFire being deployed in mid-February 2023. The intrusions exploit a recently disclosed (and patched) deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8).

From TheHackerNews:

“The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that’s installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software.”

The Linux variant also avoids encrypting the paths that a victim machine needs intact in order to remain operational.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“IceFire is the latest in a growing number of ransomware families to diversify their arsenal and develop variants tailored for multiple operating systems. Ransomware targeting of Linux in general has accelerated greatly over the past few years and will continue to do so into 2023 and beyond.”

From SentinelLabs:

“While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal, including the likes of BlackBasta, Hive, Qilin, Vice Society aka HelloKitty, and others.”

“As many Linux systems are servers, typical infection vectors such as phishing or drive-by-downloads are rendered less effective. Therefore, to overcome this predicament, threat actors have turned to the exploitation of vulnerabilities found in applications to deploy their payloads — in this case, the IBM Aspera vulnerability.”



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
