Qilin.B Ransomware Variant Gets a Major Upgrade

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Qilin.B: Advanced Ransomware Variant Enhances Encryption and Evasion Tactics?

Cybersecurity researchers have identified a more advanced variant of the Qilin ransomware, called Qilin.B. This variant employs AES-256-CTR encryption for systems with AESNI and secures encryption keys using RSA-4096, making decryption virtually impossible without the attacker’s private key. Qilin.B disrupts security, backup, and virtualization processes, targeting services like Veeam, SQL, and SAP while deleting volume shadow copies and clearing Windows Event Logs to hinder recovery and evade detection.

The Embargo ransomware campaign also poses a significant threat, using Rust programming language and loaders like MDeployer to disable endpoint detection solutions via the “Bring Your Own Vulnerable Driver” (BYOVD) technique.

To defend against these threats, ensure systems are patched, use advanced threat detection, and implement robust offline backups. Secure credentials outside of browsers, actively monitor access to sensitive data, and prepare incident response plans that can isolate infected endpoints. Security policies should also block the use of vulnerable drivers to prevent exploitation.

2. ScarCruft Utilizes Toast Notifications to Exploit Internet Explorer Zero-Day

The North Korean APT group ScarCruft (also known as APT37 or RedEyes) launched a large-scale cyber-espionage campaign, exploiting a zero-day Internet Explorer vulnerability (CVE-2024-38178) to deploy the RokRAT malware. Named “Code on Toast,” this campaign leveraged malicious toast notifications in free software commonly used in South Korea. ScarCruft targeted South Korean, European entities, and North Korean defectors, using the vulnerability to execute remote code and inject malware into system processes, thereby evading detection.

RokRAT is a long-standing espionage tool used by ScarCruft, capable of exfiltrating files to Yandex cloud storage, performing keylogging, and capturing screenshots. Despite Microsoft releasing a patch for the exploited vulnerability, the persistent use of outdated Internet Explorer components leaves some systems vulnerable.

To mitigate risks, organizations should apply the latest security patches, replace legacy software relying on Internet Explorer, and use advanced endpoint protection to detect malicious behavior. Users should be educated about phishing and the dangers of outdated software to reduce the risk of such attacks.

3. Unmasking SingleCamper RAT and RomCom’s Weapon in Ukrainian Cyber Espionage

The RomCom threat actor, also known as UAT-5647, has launched a new cyberattack campaign targeting Ukrainian government agencies and some Polish entities. Using a new variant of their Remote Access Trojan (RAT) named SingleCamper, they aim to establish long-term persistence to exfiltrate data. Active since 2022, UAT-5647 is known for espionage, ransomware, and credential-gathering. Recently, the group has intensified its activity using advanced tools and techniques to further its espionage and ransomware-focused objectives.

SingleCamper RAT, also known as RomCom 5.0, loads directly into memory from the Windows registry, avoiding detection by traditional antivirus solutions. It allows attackers to perform reconnaissance, establish covert tunnels using PuTTY’s Plink tool, and exfiltrate data. RomCom also employs a diverse malware toolkit developed in multiple programming languages like C++, Rust, and Go, enabling attacks across various systems and platforms.

To mitigate these threats, organizations should ensure security patches are up to date, enhance email security to prevent phishing, implement memory-based threat detection, and review remote access tools. Proper incident response planning is also essential to handle data exfiltration and potential ransomware scenarios effectively.

4. Emerging Threat Group ‘Crypt Ghouls’ Deploys LockBit 3.0 in Russian Cyber Attacks

Crypt Ghouls, a new cybercriminal group, is conducting ransomware attacks targeting Russian businesses and government agencies. Their goal is to disrupt operations and extort money. They employ tools like Mimikatz, XenAllPasswordPro, PingCastle, and ransomware payloads such as LockBit 3.0 and Babuk to encrypt victims’ data. The attacks typically involve breaching contractor networks via VPN connections, using compromised credentials, and exploiting unpatched vulnerabilities.

The Crypt Ghouls utilize a sophisticated toolset for reconnaissance, credential theft, remote access, and ransomware deployment. Their toolkit includes credential dumpers, network reconnaissance tools, and remote access software like AnyDesk. They also use various malware such as ShadyHammock and CobInt for persistence and communication.

The attack chain starts with network breaches through compromised VPNs, followed by credential harvesting, network reconnaissance, and finally deploying ransomware. The attackers leave ransom notes with communication links, indicating a well-coordinated operation.

To defend against Crypt Ghouls, organizations should enforce strong password policies, apply patches promptly, implement network segmentation, and monitor for suspicious VPN and credential dumping activities. An incident response plan with tested backups is crucial for minimizing damage from ransomware attacks.

5. Fortinet Releases FortiManager Security Updates Amid Exploitation by Threat Actors

Fortinet has released critical security updates for its FortiManager platform in response to a vulnerability actively exploited by Chinese threat actors. Although no CVE has been officially disclosed, the vulnerability is being mitigated through updates and temporary measures provided privately to select customers. These measures include configuring FortiManager to block devices with unknown serial numbers, suggesting the vulnerability may be linked to the “Fortigate to FortiManager” (fgfm) communication feature.

Fortinet’s private disclosure approach has led some users to seek details through unofficial channels. There is speculation that this vulnerability might be related to a previous flaw (CVE-2024-23113) in the fgfm daemon.

Organizations using FortiManager are advised to block connections from devices with unknown serial numbers, limit access to FortiManager installations, and apply the latest patches from Fortinet’s support portal promptly to mitigate potential risks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories