CTI Roundup: Ransomware Spikes in September, Updates on Octo Tempest & Quasar RAT

In this week’s roundup CTI sheds light on Octo Tempest, a financially motivated threat actor that uses social engineering to compromise global organizations. Next CTI investigates a report indicating that ransomware activity in September reached its highest level for 2023. Also included is an overview of how the open-source Quasar RAT is leveraging DLL sideloading to steal data from compromised Windows hosts.

1. Octo Tempest threatens global organizations

Microsoft is tracking activity related to the financially motivated threat actor Octo Tempest, which has a reputation for launching attacks featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities.

According to Microsoft, the group is quickly evolving and leveraging a diverse array of threats, tactics, and procedures (TTPs) to navigate complex hybrid environments. Octo Tempest also has some overlap with other threat groups including 0ktapus, Scattered Spider, and UNC3944.

Octo Tempest’s timeline

2022: The group was originally observed targeting mobile telecommunications and business process outsourcing organizations to initiate SIM swaps. It began to monetize attacks by selling SIM swaps to other cybercriminals and performing account takeovers to steal cryptocurrency.

Late 2022 and early 2023: Octo Tempest began expanding its scope to target cable telecommunications, email, and technology organizations. The group started monetizing intrusion by extorting their victims for stolen data and, in some cases, resorting to physical threats.

Mid-2023: Octo Tempest became an affiliate of the BlackCat RaaS group. This is notable as Octo Tempest is an English-speaking group that many ransomware groups refuse to do business with.

June 2023: Octo Tempest began deploying BlackCat ransomware payloads, focusing on ESXi servers. The group again broadened its targeting to natural resources, gaming, hospitality, consumer products, retail, MSPs, manufacturing, law, technology, and financial services.

Initial access

Octo Tempest commonly uses social engineering attacks to target technical administrators with high permissions. The threat actor conducts research to identify individuals and impersonates them to make phone calls and gather what they need to trick individuals into performing password resets and MFA methods.

The group commonly uses one of the following methods for initial access:

• Calling an employee and tricking them into installing RMMs or navigating to a site using an AiTM toolkit.
• Calling an organization’s help desk to reset a password.
• Purchasing an employee’s credentials on the dark web.
• Performing SMS phishing.
• Initiating a SIM swap.

In one example, Octo Tempest resorted to physically threatening victims into sharing credentials for corporate access.

Reconnaissance and discovery

Octo Tempest performs enumeration and information-gathering actions to gain advanced access. The actor will perform an initial bulk export of users, groups, and device information before enumerating data and resources available to that user profile.

The actor frequently carries out searches to identify documents related to network architecture, onboarding, remote access methods, password policies, and credential vaults. They will then explore multi-cloud environments, enumerating databases, and storage containers.

Privilege escalation and credential access

Octo Tempest will elevate privileges by initiating a SIM swap or setting up call forwarding on an employee’s phone number so that they can initiate a self-service password reset of their account. They have also been observed directly calling an organization’s help desk, using social engineering to get the help desk to reset an admin password or change/add an MFA token.

These privilege escalation tactics rely on building trust. In some cases, the threat actor will use a compromised manager’s account to approve password reset requests. They use open-source tooling to automate the identification of plaintext keys, secrets, and credentials across code repos for future use.

Defense evasion

The threat actor will compromise the accounts of security personnel to turn off security products and features, attempting to evade detection. These compromised accounts then leverage EDR and device management technology to allow malicious tooling, deploy RMM software, make changes to security products, steal sensitive files, and deploy payloads. Taking it one step further, Octo Tempest will modify the mailbox rules of compromised security staff to automatically delete emails from vendors that could raise suspicion.

Persistence

Octo Tempest attacks use publicly available tools to establish persistence. For example, they sometimes use tools like AADInternals to federate existing domains or will spoof legitimate domains and add/federate the new domain. The actor will install several RMM tools and make network modifications to enable access. Reverse shell usage is seen in many Octo Tempest intrusions for both Windows and Linux endpoints.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

Octo Tempest is a sophisticated actor that has built up a rather large arsenal of TTPs in a short timeframe. Its wide targeting of numerous sectors seems rather opportunistic, but determined, nonetheless. The threat actor is leveraging a broad range of sophisticated social engineering tactics for initial access that makes them, as Microsoft notes ‘one of the most dangerous financial criminal groups.’ Their complex social engineering tactics, coupled with them being an affiliate of BlackCat, makes Octo Tempest a threat actor to keep a close eye on.

Microsoft’s extensive report covers many other Octo Tempest TTPs, making it worth reading.

2. Ransomware activity spikes in September

NCC Group has released its intelligence report for September 2023, detailing some of the latest advances in the threat landscape — particularly the ransomware space. Their data indicates that ransomware activity in September reached its highest level for 2023 following a relative lull in August.

NCC Group has been tracking ransomware groups engaging in the double extortion tactic by monitoring the leak sites used by each group and scraping victim details as they are added. According to their collected data, there were 514 attacks in September 2023 which is up 32% from the previous month.

Even though August 2023 saw a 22% decline in ransomware attacks, September’s ransomware activity has returned to July heights. According to NCC Group and their collected data, this marks the highest number of double extortion attacks. There was also a 153% increase from September 2022 to September 2023, highlighting a significant year-over-year increase.

Top ransomware sectors

Targeted sectors in September 2023 did not deviate from the norm. NCC Group found the industrial sector to be most targeted, with 169 attacks, or 33% of the total. This is, however, only a 2% increase from the month prior. The technology sector experienced about 10% of the ransomware attacks this past month, which is a slight increase from the prior month.

New ransomware threat actors

For the month of September, the top 10 threat actors collectively accounted for 70% of all ransomware attacks for the month. Like every other month, September also brought several new ransomware actors.

Newcomer LostTrust was responsible for 10% of attacks and RansomedVC accounted for 9%. NCC Group also saw some increased activity from two other relatively new groups – Cactus and Trigona. Cactus is up to 51 cases for September, compared to 13 in July.

Top regions for ransomware

The top targeted regions remained static in September, with North America, Europe, and Asia generating the most activity. North America topped the list accounting for 50% of the attacks, which is an increase of 3% from the previous month.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

It’s interesting to note that Cl0p has had essentially no activity in September, and not a lot of activity overall since the MOVEit attacks. This is quite a low profile for this ransomware operation.

NCC Group finds this to be characteristic of Cl0p. Because of this, NCC Group expects a more targeted campaign to be imminent. Only time will tell if Cl0p decides to return to the ransomware scene or not, but given their proven success and track record, it would not be surprising.

3. Quasar RAT evades detection with DLL sideloading

The open-source Quasar RAT was recently observed leveraging DLL sideloading to steal data from compromised Windows hosts. It uses two commonly trusted Microsoft files — ctfmon.exe and calc.exe — to carry out dual DLL sideloading and stealthily introduce, deploy, and run malicious payloads.

Quasar RAT sideloading execution

Uptycs provides a step-by-step breakdown of the Quasar RAT DLL sideloading technique.

• The attack begins with the threat actor harnessing ctfmon.exe — an authentic Microsoft file — to load a malicious DLL. The threat actor then executes the ctfmon.exe binary and acquires a stage 1 payload which is responsible for releasing the legitimate calc.exe file and malicious DLL into the system.
• In the second phase of the attack, the threat actor executes calc.exe which triggers the malicious DLL. At this point, the Quasar RAT lives in the computer’s memory. The payload uses the process hollowing technique to embed itself into a legitimate system process, making detection more difficult.

Technical analysis

Uptycs obtained several of the files in the Quasar RAT execution flow for analysis.

When the binary file ebill-997358806.exe runs, it initiates the loading of a file called MsCtfMonitor.dll, which conceals malicious code. Within this file, there is a resource section containing encrypted data which is accessed via a sequence of APIs. After performing decryption, this data is decrypted and gives a PE file which is stage 1, FileDownloader.exe. The PE file is then injected into Regasm.exe via an API sequence.

• Stage 1 – FileDownloader.exe: This stage 1 payload is a 64-bit MSIL binary file and includes a resource section containing three binaries within an archive. This payload can unzip this archive and deposit the files into the Public Pictures folder. Three files are placed into this folder: Calc.exe (a legitimate Windows file), Secure32.dll (a malicious DLL), and Winsecu32.dll (another legitimate Windows file).
• Stage 2 – calc.exe: Calc.exe then runs and loads a malicious DLL titled Secure32.dll. This DLL contains an encrypted resource section. The resource data is again accessed via a sequence of APIs and then decrypted, giving a PE file. This PE file is injected into memory space Regasm.exe via process hollowing.
• Final payload: The PE file is an MSIL executable that is obfuscated by Smart assembly. It is seemingly inspired by the open-source Quasar RAT as it is copyrighted with “Copyright © MaxXor 2020.” Deobfuscation revealed command executed in the function names including keylogging, file transfer, shell execute, and more. It will also drop a .bat script to create the restart batch file. The RAT creates a socket connection to its C2 where it will send the victim’s information.

The RAT queries for the AntiVirusProduct and Firewall WMI class and also looks for BIOS infrastructure, GPU details, hostname, and more.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

Quasar RAT seems to be jumping on the DLL sideloading bandwagon that has been increasing in popularity over the last several months.

The threat actor behind this activity is unknown at this time and will likely remain unknown given that Quasar RAT is open source, enabling less sophisticated actors to carry out attacks.

Researchers were unable to confirm the initial access vector for this attack. But because the execution flow begins with an ISO file, it could very likely have stemmed from a phishing email.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.