In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered/analyzed ransomware and malware variants, including BlackLotus malware, HardBit ransomware amongst others. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threat and our coverage can be seen below.

BlackLotus Malware

BlackLotus has been identified as the first ever malware to exploit a vulnerability in the Secure Boot process on Windows systems (including fully patched systems). The BlackLotus bootkit bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. The BlackLotus bootkit has been sold on underground forums since October 2022.  Researchers studying the malware do not currently attribute it to a particular gang or nation-state group but highlight that the BlackLotus installers won’t proceed if the compromised computer is in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

BlackLotus exploits a more than one-year-old vulnerability, CVE-2022-21894, to bypass the secure boot process and establish persistence. While Microsoft patched the vulnerability, threat actors can still exploit it because the affected signed binaries have not been added to the UEFI revocation list. BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC).

Once BlackLotus exploits CVE-2022-21894 and turns off the system’s security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.

SafeBreach Coverage of BlackLotus Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against BlackLotus Malware.

• #8673 – Email BlackLotus (7ecf) rootkit as a ZIP attachment (INFILTRATION)
• #8672 – Email BlackLotus (7ecf) rootkit as a ZIP attachment (LATERAL_MOVEMENT)
• #8671 – Transfer of BlackLotus (7ecf) rootkit over HTTP/S (INFILTRATION)
• #8670 – Transfer of BlackLotus (7ecf) rootkit over HTTP/S (LATERAL_MOVEMENT)
• #8669 – Pre-execution phase of BlackLotus (7ecf) rootkit (Windows) (HOST_LEVEL)
• #8668 – Write BlackLotus (7ecf) rootkit to disk (HOST_LEVEL)
• #8685 – Email BlackLotus (9025) rootkit as a ZIP attachment (INFILTRATION)
• #8684 – Email BlackLotus (9025) rootkit as a ZIP attachment (LATERAL_MOVEMENT)
• #8683 – Transfer of BlackLotus (9025) rootkit over HTTP/S (INFILTRATION)
• #8682 – Transfer of BlackLotus (9025) rootkit over HTTP/S (LATERAL_MOVEMENT)
• #8681 – Pre-execution phase of BlackLotus (9025) rootkit (Windows) (HOST_LEVEL)
• #8680 – Write BlackLotus (9025) rootkit to disk (HOST_LEVEL)
• #8679 – Email BlackLotus (699b) rootkit as a ZIP attachment (INFILTRATION)
• #8678 – Email BlackLotus (699b) rootkit as a ZIP attachment (LATERAL_MOVEMENT)
• #8677 – Transfer of BlackLotus (699b) rootkit over HTTP/S (INFILTRATION)
• #8676 – Transfer of BlackLotus (699b) rootkit over HTTP/S (LATERAL_MOVEMENT)
• #8675 – Pre-execution phase of BlackLotus (699b) rootkit (Windows) (HOST_LEVEL)
• #8674 – Write BlackLotus (699b) rootkit to disk (HOST_LEVEL)
• #8685 – Email BlackLotus (9025) rootkit as a ZIP attachment (INFILTRATION)
• #8684 – Email BlackLotus (9025) rootkit as a ZIP attachment (LATERAL_MOVEMENT)
• #8683 – Transfer of BlackLotus (9025) rootkit over HTTP/S (INFILTRATION)
• #8682 – Transfer of BlackLotus (9025) rootkit over HTTP/S (LATERAL_MOVEMENT)
• #8681 – Pre-execution phase of BlackLotus (9025) rootkit (Windows) (HOST_LEVEL)
• #8680 – Write BlackLotus (9025) rootkit to disk (HOST_LEVEL)
• #8679 – Email BlackLotus (699b) rootkit as a ZIP attachment (INFILTRATION)
• #8678 – Email BlackLotus (699b) rootkit as a ZIP attachment (LATERAL_MOVEMENT)
• #8677 – Transfer of BlackLotus (699b) rootkit over HTTP/S (INFILTRATION)
• #8676 – Transfer of BlackLotus (699b) rootkit over HTTP/S (LATERAL_MOVEMENT)
• #8675 – Pre-execution phase of BlackLotus (699b) rootkit (Windows) (HOST_LEVEL)
• #8674 – Write BlackLotus (699b) rootkit to disk (HOST_LEVEL)

MQsTTang Backdoor Malware

Researchers from ESET have analyzed a new custom backdoor that they have associated to the Chinese APT group – Mustang Panda. These threat actors have been observed targeting several entities in Australia, Bulgaria, and Taiwan. ESET researchers also believe that the same threat actors are targeting government and political organizations across Europe and Asia. This ongoing campaign has picked up steam since Russia’s invasion of Ukraine.

According to the researchers, the new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with Mustang Panda’s other malware families. This backdoor allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for Command-and-Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families.  MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have filenames related to diplomacy and passports.

SafeBreach Coverage of MQsTTang Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant.

• #8695 – Email MQsTTang backdoor as a ZIP attachment (INFILTRATION)
• #8694 – Email MQsTTang backdoor as a ZIP attachment (LATERAL_MOVEMENT)
• #8693 – Transfer of MQsTTang backdoor over HTTP/S (INFILTRATION)
• #8692 – Transfer of MQsTTang backdoor over HTTP/S (LATERAL_MOVEMENT
• #8691 – Write MQsTTang backdoor to disk (HOST_LEVEL) – Automation

KamiKakaBot Information Stealer Malware

According to researchers from the threat intelligence firm EclecticIQ, multiple strains of the KamiKakaBot malware were responsible for attacks targeting government entities in the group of ASEAN (Association of Southeast Asian Nations) countries in January and February 2023. Their research revealed that the February attacks sported better obfuscation techniques as compared to the January attacks. Researchers have attributed these attacks to the Dark Pink APT group. Dark Pink is an Advanced Persistent Threat (APT) group active in the ASEAN region. Dark Pink is thought to have started operations as early as mid-2021 with increasing activity in 2022.

Researchers observed KamiKakaBot being delivered via phishing emails that contain a malicious ISO file as an attachment. The malicious ISO file contains a WinWord.exe which is legitimately signed by Microsoft and is exploited for DLL side-loading technique. When a user clicks on WinWord.exe, the KamiKakaBot loader (MSVCR100.dll), located in the same folder as the WinWord file, automatically loads and is executed into the memory of WinWord.exe.

KamiKakaBot is intended to extract sensitive information from browsers including – Chrome, MS Edge, and Firefox. The stolen browser data is then sent to the attackers’ Telegram bot channel in a compressed ZIP format. Upon initial infection, the attacker can upgrade the malware or perform remote code execution on the targeted device, enabling them to carry out further post-exploitation activities. All of the command-and-control communication takes place via a Telegram bot controlled by the threat actor.

SafeBreach Coverage of KamiKakaBot Information Stealer Malware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the information stealer:

• #8701 – Email KamiKakaBot info stealer as a ZIP attachment (INFILTRATION)
• #8700 – Email KamiKakaBot info stealer as a ZIP attachment (LATERAL_MOVEMENT)
• #8699 – Transfer of KamiKakaBot info stealer over HTTP/S (INFILTRATION)
• #8698 – Transfer of KamiKakaBot info stealer over HTTP/S (LATERAL_MOVEMENT)

#8697 – Write KamiKakaBot info stealer to disk (HOST_LEVEL)

HardBit Ransomware

HardBit is a ransomware variant that targets organizations to demand cryptocurrency payments in exchange of their data being decrypted. Threat researchers at Varonis highlighted that HardBit 2.0 was introduced towards the end of November 2022 and like modern ransomware variants, steals sensitive data from victims, before launching their payload to encrypt the data. However, unlike several of their peers, HardBit does not appear to have a leak site at this time and is not currently using the double extortion tactic, in which victims are “named and shamed” and threatened with public exposure of their stolen data.

Using a predefined ransom note contained within the ransomware threat, HardBit encourages victims to contact them by email or via the Tox instant messaging platform. Rather than specifying an amount of bitcoin requested within this ransom note, the group seeks to negotiate with victims to reach a settlement. Notably, as part of these negotiations, victims with cyber insurance policies are also encouraged to share details with HardBit so that their demands can be adjusted to fall within the policy.

HardBit threat actors seem to be leveraging tried and tested techniques to gain initial access to victim networks, including the delivery of malicious payloads to unsuspecting employees, using compromised credentials such as those exposed in third-party data breaches, and — in more advanced incidents — the exploitation of vulnerabilities in exposed hosts.

SafeBreach Coverage of HardBit Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware:

• #8706 – Email HardBit ransomware as a ZIP attachment (INFILTRATION)
• #8705 – Email HardBit ransomware as a ZIP attachment (LATERAL_MOVEMENT)
• #8704 – Transfer of HardBit ransomware over HTTP/S (INFILTRATION)
• #8703 – Transfer of HardBit ransomware over HTTP/S (LATERAL_MOVEMENT
• #8702 – Write HardBit ransomware to disk (HOST_LEVEL)

Newly Added Behavioral Attacks

While IOCs are good for retrospective analysis, these indicators have a very short lifespan and SOC analysts want to rely on something more than just the evidence of previous attacks which expire soon after its detection.  Behavioral attacks can signify a kind of signature of the attack or an attacker. These behavioral attacks map to the MITRE ATT&CK framework. SafeBreach platform not only includes coverage for IOC-based attacks but also Behavior-based attacks. Recent additions include:

• #8307 Install Root CA (Windows)
  • Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.
• #8308 Install Root CA using add-trusted-cert (MacOS)
  • Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.
• #8324 Port Knocking (Linux)
  • Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control.
• #8328 Rename System Utilities (Linux)
  • Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.
• #8332 Data Asset Exfiltration Using Email Body
  • Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command-and-control communications.
• #8333 Data Asset Exfiltration Using Email Body (subject validation)
  • Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command-and-control communications.
• #8334 Data Asset Exfiltration Using Email Attachment (subject validation)
  • Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command-and-control communications.
• #8331 Data Asset Exfiltration Using Email Subject
  • Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command-and-control communications.
• #8022 Application Shimming
  • Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. 
• #8329 Manipulate clipboard data (Windows)
  • Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision-making.

Interested In Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
• Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report – Receive a custom-built report that includes simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.