CTI Roundup – top 2023 stories: The latest on Chae$ 4, 3AM ransomware, DarkGate, and Andariel

In this week’s roundup, Tanium’s Cyber Threat Intelligence (CTI) team looks at some of the top cybersecurity developments from 2023 that continue to pose threats in the new year.

First up, CTI covers Chae$ 4 — the latest variant of Chaes malware. Next, CTI investigates the new 3AM group, which is now targeting global companies. CTI also provides updates on DarkGate malware and North Korea’s Andariel APT group.

1. Chae$ 4 threatens the finance and logistics sectors

Financial and logistics companies are now at risk from Chae$ 4, a new Chaes malware variant that uses a custom Chrome DevTools protocol to access browser functions and steal data. To date, Chae$ 4 has targeted the customers of banks and platforms like Mercado Libre, WhatsApp Web, Mercado Pago, Itau Bank, MetaMask, and Caixa Bank. It has also attacked content management services like WordPress, Magento, Drupal, and Joomla.

Chae$ 4 features several enhancements different from the original Chaes malware threat, including refined code architecture, improved modularity, extra encryption, and stealth capabilities. The variant has also shifted to Python and uses WebSockets to facilitate communication between the C2 server and its modules.

How does Chae$ 4 work?

According to Morphisec, a Chae$ 4 infection starts with the execution of a malicious MSI installer that disguises itself as a JAVA JDE or anti-virus installer. Activating the malicious installer enables the malware to deploy and download its files to a dedicated, hard-coded folder within %Appdata%/. Within the folder are Python libraries, executables, and Python scripts. The malware also unpacks a core module called ChaesCore. After initialization, ChaesCore continues to communicate with the C2 address to access and load external modules into its target system.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Chaes malware has been around since at least November 2020. This latest variant contains numerous enhancements, along with deceptive MSI installers that allow the malware to execute multi-step infections.

The Python-based Chae$ 4 variant poses a significant threat to logistics and banking companies, due to its ability to bypass traditional defense mechanisms. Businesses in these sectors should remain on high alert.

2. 3AM ransomware continues to spread

Back in September, CTI warned about a new malware family called 3AM — a 64-bit Rust executable that can disrupt services, encrypt files, and delete Volume Shadow copies. The threat actors behind 3AM appear to be using the new ransomware selectively, which is why there have only been a handful of observed attacks.

Two recent 3AM ransomware examples include attacks against Woodruff Enterprises and Share & Harris LLC. According to PrivacyAffairs, the attacks resulted in the encryption and cloning of important internal data. After securing the assets, the 3AM group demanded ransom payments and threatened to leak information to the public. The 3AM group also targeted DS Granit, a France-based company that supplies and installs granite, quartz, and ceramic surfaces.

Who is the 3AM ransomware group?

Symantec discovered 3AM ransomware in 2023 after an incident where an affiliate deployed the ransomware following an unsuccessful attempt to deploy LockBit. The name 3AM is based on references in the group’s ransom note and because the attack appends the extension “.threeamtime” onto encrypted files.

At this point, there is still limited data about 3AM and its operators. As PrivacyAffairs also reports, 3AM seems to be a backup plan for failed LockBit attacks. However, further research is necessary to reach a conclusion.

Analyst comments from Tanium’s Cyber Threat Intelligence team

CTI’s initial report on 3AM ransomware predicted that there would likely be more 3AM attacks on the horizon. Fast forward a few months, and sure enough more cases of 3AM malware are starting to surface. CTI will continue to keep a close eye on this evolving ransomware trend in the months ahead.

3. BattleRoyal deploys DarkGate and NetSupport

Researchers at Proofpoint are tracking a new DarkGate malware operator dubbed BattleRoyal. According to Proofpoint, BattleRoyal deployed DarkGate malware in at least 20 email campaigns between September and November 2023. The group sent tens of thousands of emails and targeted dozens of industries throughout the U.S. and Canada.

Toward the end of November, BattleRoyal pivoted to NetSupport, which is a remote access tool, to establish persistence on endpoints. BattleRoyal is now using a mix of emails, compromised websites, and fake update lures to entice victims to download malware.

As Proofpoint explains, the reasons for the switch from DarkGate to NetSupport remain unclear. However, the pivot could be due to the increase in DarkGate’s popularity, which is drawing more attention from threat researchers and security professionals.

BattleRoyal exploits a SmartScreen vulnerability

Proofpoint discovered that BattleRoyal was heavily abusing a vulnerability tracked as CVE-2023-36025 to deliver malware before Microsoft patched the issue in November.

The flaw can be found in Windows SmartScreen, which is a security feature that stops users from visiting harmful websites. The vulnerability allows an attacker to bypass SmartScreen defenses by convincing a user to click on a custom .URL file or a hyperlink leading to a .URL file.

DarkGate Teams campaign targets companies

DarkGate is one of the most popular remote access trojans (RATs) on the market, with threat actors increasingly using it to target organizations.

In one high-profile example, threat actors were separately observed targeting Microsoft Teams with DarkGate Loader. The actors sent compromised chat messages to external Office 365 accounts. They also used social engineering tactics to lure victims into downloading and opening malicious files.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The key takeaway here is that BattleRoyal is relying on both DarkGate and NetSupport to target victims. BattleRoyal uses NetSupport to control hosts, install malware, and move laterally through compromised environments and uses DarkGate to download malware payloads and steal information.

Security researchers expect DarkGate and NetSupport deployments to accelerate in the months ahead, making this an important threat to keep on your radar. Further, the recent shift from DarkGate to NetSupport means there is potential for this actor to shift to yet another payload in the future.

4. Andariel steals South Korean defense secrets

According to a new report, the Andariel North Korea APT group has stolen roughly 1.2 terabytes of data by compromising dozens of South Korean defense companies. The Andariel APT group has also transferred around $360,000 in Bitcoin ransoms to North Korea.

The Seoul Metropolitan Policy Agency claims that between December 2022 and March 2023, Andariel accessed South Korean companies 83 times from Pyongyang’s Ryugyong-dong area via hosting services that rent servers to unidentified clients. South Korea’s security investigation bureau is now investigating the issue along with the U.S. Federal Bureau of Investigation (FBI).

According to The Korea Times, North Korea is currently diversifying its cybercrime tactics due to the dropping value of cryptocurrencies and U.S. interest rate hikes. North Korea is also depending on Russian exchanges to liquidate its cryptocurrencies.

The Andariel group: A formidable APT

Andariel — a subset of North Korea’s Lazarus Group — is becoming increasingly sophisticated and is targeting a range of sectors including foreign government organizations, financial services, and defense agencies, among others.

The group uses a variety of tools to launch attacks against its targets. For example, Andariel was recently observed using a previously unknown remote access trojan called EarlyRAT. In 2022, Andariel deployed EarlyRAT during a series of cyberattacks that exploited the Log4j Log4Shell vulnerability.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Mandiant explains in a post, North Korea’s regime is determined to continue evolving its offensive program and using cyber intrusions to conduct espionage and financial crimes. The groups’ ability to engage in cyberespionage operations while simultaneously conducting financially-motivated cybercrime campaigns makes them a more complicated and nuanced threat.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.