Sandworm Targets Ukraine Orgs using RansomBoggs, New DuckLogs Malware as a Service, Redis Servers Attacked by New Redigo Malware

Russian Sandworm Hackers Attack Ukrainian Organizations using RansomBoggs Malware

The threat group Sandworm, responsible for the KillDisk wiper attacks, is targeting Ukrainian organizations with its new RansomBoggs malware. The POWERGAP PowerShell script is used to distribute the .NET ransomware, which encrypts files with AES-256 in CBC mode using a random key hardcoded in the malware. The ransomware also appends a .chsch extension to every encrypted file and drops a ransom note. Sandworm is also known for developing the NotPetya wiper, which caused billions of dollars of damage in June 2017. Read more

New DuckLogs Malware as a Service in the hands of Thousands of Novice Attackers

A new malware-as-a-service, 'DuckLogs', is giving low-skilled attackers access to multiple modules to carry out their schemes. DuckLogs consists primarily of an information stealer and a remote access trojan (RAT), but ships with more than 100 individual modules that target specific applications. The RAT can fetch files from the command and control (C2) server and run them on the host, display a crash screen, shut down, restart, log out or lock the device, and open URLs in the browser. The malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a bypass for Windows User Account Control. Read more

New Redigo Malware Drops Stealthy Backdoor on Redis Servers

A new malware, Redigo, has been targeting vulnerable Redis servers, exploiting the critical vulnerability CVE-2022-0543 in Redis to plant a stealthy backdoor. The malware scans port 6379 to locate Redis servers, then runs several commands to determine whether the server is vulnerable, create copies of the attacking server, download shared libraries, load modules that execute arbitrary commands, collect hardware information about the host, and finally download Redigo. Redigo is then executed with escalated privileges and evades detection by mimicking normal Redis communication. Read more
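The chain above turns on three things a defender can check on their own Redis instances: whether port 6379 answers without authentication, whether it is reachable from every interface, and whether a module nobody deployed has been loaded. The script below is an added example, not code from the article or the researchers; it parses RESP replies as a Redis server returns them for `CONFIG GET` and `MODULE LIST` and reports those conditions. The sample replies are constructed, and the assumption that a stock deployment loads no modules is a placeholder to adjust per environment.

```python
# Added example: audit captured RESP replies from a Redis instance for the
# exposure conditions the Redigo chain relies on. Not the article's own code.

EXPECTED_MODULES = set()  # assumption: a stock deployment loads no modules


def parse_resp(data: bytes):
    """Parse one RESP reply (simple string, int, bulk string, array).
    Returns (value, remaining_bytes)."""
    kind, rest = data[:1], data[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind in (b"+", b"-"):
        return line.decode(), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":  # bulk string; -1 length means null
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")


def audit(config_reply: bytes, modules_reply: bytes) -> list:
    """Return findings from a CONFIG GET reply (flat key/value array)
    and a MODULE LIST reply (array of [name, <n>, ver, <v>] arrays)."""
    cfg_list, _ = parse_resp(config_reply)
    cfg = dict(zip(cfg_list[::2], cfg_list[1::2]))
    findings = []
    if not cfg.get("requirepass"):
        findings.append("no requirepass: anyone reaching 6379 can run commands")
    if cfg.get("protected-mode") != "yes":
        findings.append("protected-mode off")
    if any(b in ("0.0.0.0", "*") for b in cfg.get("bind", "").split()):
        findings.append("bound to all interfaces")
    modules, _ = parse_resp(modules_reply)
    for mod in modules:
        info = dict(zip(mod[::2], mod[1::2]))
        if info["name"] not in EXPECTED_MODULES:
            findings.append(f"unexpected module loaded: {info['name']}")
    return findings


# Constructed replies: an exposed instance with a stray module, and a hardened one.
EXPOSED_CONFIG = (b"*6\r\n$11\r\nrequirepass\r\n$0\r\n\r\n"
                  b"$14\r\nprotected-mode\r\n$2\r\nno\r\n$4\r\nbind\r\n$7\r\n0.0.0.0\r\n")
EXPOSED_MODULES = b"*1\r\n*4\r\n$4\r\nname\r\n$6\r\nsystem\r\n$3\r\nver\r\n:1\r\n"
HARDENED_CONFIG = (b"*6\r\n$11\r\nrequirepass\r\n$6\r\nsecret\r\n"
                   b"$14\r\nprotected-mode\r\n$3\r\nyes\r\n$4\r\nbind\r\n$9\r\n127.0.0.1\r\n")
```

Feed it the raw replies from your own instance; every finding maps to a redis.conf setting (`requirepass`, `protected-mode`, `bind`) or to a `MODULE UNLOAD` plus an investigation of how the module got there.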

Dolphin Malware Works with BLUELIGHT for Reconnaissance and Scans Victims’ Devices to Steal Data

Researchers have found that the APT37 threat group has been using the Dolphin backdoor to steal files and upload them to Google Drive. Dolphin is now used in conjunction with BLUELIGHT, a reconnaissance and Python loader tool. The Python loader contains a script and shellcode that performs a multi-step XOR decryption and executes the Dolphin payload. Dolphin scans local and removable drives and uses Google Drive as a command and control (C2) server to store the stolen files. The backdoor sends its current configuration, version number, and time to the C2, receives keylogging and file exfiltration instructions along with credentials and encryption keys, and maintains persistence by altering the Windows Registry. Read more

What is Automated Backup and Why Should You Use it

An IBM study has revealed that the average total cost of a ransomware breach is $4.62 million, which is why it is important to back up critical data so systems can be restored after ransomware or similar cyber-attacks. Unfortunately, manual backup and restore is a complex and time-consuming process. Automated backup simplifies backup procedures for faster recovery. Here is a blog on how your organization can back up files, folders, and systems without human intervention using automated backups. Read more

Cuba Ransomware Raked in Over $60 Million from Over 100 Victims

A joint advisory by the FBI and CISA has revealed that the Cuba ransomware gang has extorted over $60 million in ransom from over 100 victims. According to the advisory, the threat actors are targeting U.S. financial services, government facilities, healthcare, manufacturing, and IT. The gang has expanded its tactics, techniques, and procedures and is associated with the RomCom RAT and Industrial Spy ransomware. The payload includes a 'Hancitor' downloader that drops RATs on infected systems and is delivered through phishing emails, Microsoft Exchange exploits, stolen credentials, or RDP tools. The threat actors use legitimate Windows services like PowerShell and PsExec to launch the remote payloads and encrypt all data. Read more

48TB SSO NAS appliance with Free Shipping & Support $6,995

48TB StoneFly XS Series ready to ship Enterprise SSO NAS appliance with Air-Gap and Immutable Snapshots option for ransomware protection and Support for Unlimited NAS Clients with built-in S3 cloud connect for $6,995.

Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12Gb SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot swappable power supply.

All Enterprise data services are included: Snapshot, Tiering, Encryption, Sync & Async Replication, CIFS/SMB and NFS support, Cloud Connect to Azure Hot / Cool Blob and AWS-S3, and Erasure Coding.

Price includes 1 Year Warranty, 9x5 Tech Support, Free Shipping & Insurance.

For appliance demos, specifications, and details, fill out the form on the StoneFly website.
