Katana: a Mirai Botnet Variant

A substantially enhanced variant of the Mirai botnet is already infecting IoT devices even though its operators still appear to be testing it.

Researchers discovered samples of the variant, dubbed "Katana", that have Layer 7 distributed denial-of-service capability, separate encryption keys for each source, fast self-replication and a secure connection to its command-and-control servers.

Katana is infecting hundreds of IoT devices each day, Avira researchers say. The three devices most targeted by the botnet are D-Link's DSL-7740C router, a DOCSIS 3.1 wireless gateway and Dell's PowerConnect 6224 switch.

Attack Methods

Researchers discovered the new Katana botnet when Avira's honeypots captured a wave of unknown malware binaries. Like Mirai, the botnet exploits remote code execution and command injection vulnerabilities in older Linksys and GPON routers and attacks other IoT devices, according to the report.

It includes classic Mirai functions, such as ensuring only a single instance runs, using a random process name, and manipulating the watchdog so the device does not reboot. Samples bind to a variety of ports; 53168, 57913, 59690, 62471 and 63749 were observed.
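One check a defender can run on a Linux host for the listener-style single-instance behaviour described above. This is an added example written for this page, not code from Avira's report or from the botnet: it parses a /proc/net/tcp-style socket table (a constructed sample is embedded), flags sockets in LISTEN state on the ports quoted in the text, and maps a hit's socket inode back to a PID through /proc/<pid>/fd. The function names, the sample table and the assumption that a listener on exactly these ports is worth investigating are mine; the port numbers themselves come from the text.

```python
"""Flag LISTEN sockets bound to the ports the text associates with Katana.

Added example for this page; it is not code from Avira's report or from the
botnet. The port list is the one quoted in the text above. The sample
/proc/net/tcp table is constructed for illustration.
"""
import os
import socket
import struct

# Ports quoted in the text as bound by Katana samples.
KATANA_PORTS = {53168, 57913, 59690, 62471, 63749}

TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket


def parse_proc_addr(field: str):
    """Decode a /proc/net/tcp address such as '0100007F:CFB0'.

    The IPv4 part is the 32-bit address in host byte order written as hex,
    so on little-endian hosts (x86, most ARM) it reads reversed; the port is
    plain hex. Returns ('127.0.0.1', 53168) for the example above.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_suspicious_listeners(proc_net_tcp: str, ports=frozenset(KATANA_PORTS)):
    """Return [(ip, port, inode)] for LISTEN sockets on any of `ports`.

    Only LISTEN state counts: an ESTABLISHED connection whose ephemeral
    source port happens to equal one of these numbers is not a hit.
    """
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        ip, port = parse_proc_addr(cols[1])
        state = int(cols[3], 16)
        if state == TCP_LISTEN and port in ports:
            hits.append((ip, port, int(cols[9])))  # cols[9] is the socket inode
    return hits


def pid_for_socket_inode(inode: int, proc: str = "/proc"):
    """Map a socket inode to the first PID holding it open, via /proc/<pid>/fd."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable by this user
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


# Constructed sample in /proc/net/tcp layout (not captured from a real device):
#   row 0: sshd on 0.0.0.0:22, harmless
#   row 1: loopback LISTEN on 53168 (0xCFB0): looks like the single-instance lock
#   row 2: ESTABLISHED with source port 57913 (0xE239): must NOT be flagged
#   row 3: LISTEN on 0.0.0.0:63749 (0xF905): flagged
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:CFB0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:E239 5BC6AE41:0050 01 00000000:00000000 00:00000000 00000000  1000        0 31338 1 0000000000000000 20 4 0 10 -1
   3: 00000000:F905 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31339 1 0000000000000000 100 0 0 10 0
"""


def scan_live_host(path: str = "/proc/net/tcp"):
    """Scan the running host and attach a PID to each hit where /proc permits it."""
    with open(path) as fh:
        hits = find_suspicious_listeners(fh.read())
    return [(ip, port, inode, pid_for_socket_inode(inode)) for ip, port, inode in hits]


if __name__ == "__main__":
    for ip, port, inode in find_suspicious_listeners(SAMPLE_PROC_NET_TCP):
        print(f"suspicious LISTEN {ip}:{port} (socket inode {inode})")
```

A legitimate process can happen to listen on one of these numbers, so treat a hit as a lead to pivot from rather than a verdict: inspect /proc/<pid>/exe and /proc/<pid>/cmdline, look for a randomised process name, and check whether the same process holds /dev/watchdog open, since those are the other Mirai-style traits the text lists.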

Avira's researchers also found a GitHub page announcing "Katana HTTP Botnet coming soon."

Defender ATP triggered false positives

Microsoft rushed to take action on Wednesday after Defender Advanced Threat Protection (ATP) users reported getting Cobalt Strike and Mimikatz alerts that turned out to be false positives.

Cobalt Strike is a commercial penetration testing tool. However, it has often been abused by malicious actors for its advanced capabilities, including in Ryuk, Sodinokibi and other ransomware attacks.

Mimikatz is a post-exploitation tool designed for harvesting passwords from compromised systems. It too has been used by many profit-driven and state-sponsored threat groups.

It is not surprising that some Microsoft Defender ATP users had a small heart attack on Wednesday when they saw multiple high-severity alerts for Cobalt Strike. Others reported seeing Mimikatz alerts. In both cases the alerts turned out to be false positives.

Cobalt Strike false positive in Defender ATP - Credits: @ffforward

I too was unfazed by the alert mails bombarding my inbox… scratched my head and wondered what I needed to do next 🙄

The issue was likely caused by a bad rule pushed to Defender ATP, and Microsoft addressed it within hours. Even so, such alerts should not simply be ignored: something genuinely suspicious may be hiding among the false positives.

Maze shutting down finally 💫

The Maze cybercrime gang, which began operating in May 2019 and rose to become one of the most prominent players in ransomware attacks, is shutting down its operations.

Maze introduced the double-extortion tactic: exfiltrating a victim's data before encrypting it.

Once the files are encrypted, the gang demands a ransom. If the victim fails to pay, the stolen data is published on Maze's data leak site, which is what first brought the group into the limelight.

This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop and DoppelPaymer, which launched their own data leak sites. Double extortion has since become a standard tactic used by almost all ransomware operations.

Maze continued to evolve its operations by forming a ransomware cartel with Ragnar Locker and LockBit to share information and tactics.

During its year-and-a-half cybercrime spree, Maze was responsible for attacks on notable victims including Southwire, the City of Pensacola, Canon, LG Electronics, Xerox and many more.

Maze started shutting down six weeks ago, in a similar manner to GandCrab in 2019, with the Barnes & Noble ransomware attack being the most recent one reported.

A threat actor with knowledge of the operation stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials. The compromised networks are then passed to affiliates who deploy the ransomware.

Maze has started to remove victims it had listed on its data leak site. All that remains on the site are two victims and those whose data had already been published in full. The clean-up of the leak site indicates that the operation's shutdown is imminent.

It is not uncommon for ransomware operations to release their master decryption keys when they shut down, as Crysis, TeslaCrypt and Shade did.

Maze affiliates have switched over to a new ransomware operation called Egregor, which began operating in the middle of September, just as Maze started winding down its encryption operation.

Egregor is believed to be the same underlying software as both Maze and Sekhmet: the three use the same ransom notes and similar payment-site naming, and share much of the same code.

This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet and Egregor are the same software. When a ransomware operation shuts down, it does not mean the threat actors involved retire as well; they simply move on to the next operation.

Buer ☠️ Malware as a service

A new malware-as-a-service offering has been discovered by cybersecurity firm Sophos, providing an alternative to other well-known malware loaders like Emotet and BazarLoader. Buer, as the new malware has been dubbed, was observed compromising Windows PCs and acting as a gateway for further attacks to follow.

"Buer was first advertised in August 2019 under the title 'Modular Buer Loader', described by its developers as 'a new modular bot… written in pure C' with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers)."

Buer comes with bot functionality specific to each download. The bots can be configured according to a variety of filters, including whether the infected machine is 32- or 64-bit, the country where the infection is taking place and what specific tasks are required.

Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware.

Buer is signed with a stolen code-signing certificate belonging to a Polish software developer in order to evade detection, and it checks for the presence of a debugger to hinder forensic analysis.

Nevertheless, there are ways for individuals to protect themselves. Remaining cautious about phishing attacks is essential, as is ensuring that an up-to-date antivirus solution is in place.