Qakbot 🐎 -> ProLock ☠️ -> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat and svchost.exe.

Egregor operators also rely on intimidation tactics: rather than just encrypting compromised networks, they threaten to release sensitive information on the leak site they operate. The biggest ransom demand so far has been $4 million worth of BTC.

In a span of 3 months, Egregor operators have managed to successfully hit 69 companies around the world: 32 targets in the US, 7 victims each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were located in APAC, the Middle East, and Latin America. Egregor's favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

An Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor's source code bears similarities with Maze ransomware as well. Decryption of the final payload depends on a password supplied on the command line. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.

When hunting for Egregor, watch for the use of Cobalt Strike and QakBot. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available in Group-IB's blog.
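To show how the shared ProLock/Egregor tradecraft described above translates into hunting logic, here is an added example (not Group-IB's code) that scores constructed process-creation events against four rules: an Office application spawning a child process (the malicious Excel lure), Rclone execution (exfiltration), the md.exe/rdp.bat tool names, and svchost.exe running outside the Windows system directories. The Sysmon-style field names, paths and host names are assumptions for the sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon-style fields, assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c start docusign_sheet.xls"},
    {"host": "srv02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\svchost.exe", "cmdline": r"svchost.exe"},
    {"host": "srv02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance remote:backup"},
    {"host": "srv03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"svchost.exe -k netsvcs"},
    {"host": "srv03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\md.exe", "cmdline": r"md.exe"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe"}
STAGING_NAMES = {"md.exe", "rdp.bat"}  # tool names reported for both ProLock and Egregor cases
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def evaluate(event):
    """Return the list of rule names that fire for one process-creation event."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    parent_name = PureWindowsPath(event["parent"]).name.lower()
    image_dir = str(image.parent).lower()
    hits = []
    if parent_name in OFFICE_PARENTS:          # 1. Office app spawning a process (maldoc)
        hits.append("office_child_process")
    if name == "rclone.exe" or re.search(r"\brclone\b", event["cmdline"], re.I):
        hits.append("rclone_execution")        # 2. Rclone used for exfiltration
    if name in STAGING_NAMES:                  # 3. known operator tool names dropped on disk
        hits.append("known_tool_name")
    if name == "svchost.exe" and not image_dir.startswith(SYSTEM_DIRS):
        hits.append("svchost_masquerade")      # 4. svchost.exe outside the system directories
    return hits


def hunt(events):
    """Map each host to the set of rules that fired on it."""
    per_host = {}
    for ev in events:
        for rule in evaluate(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return per_host


def escalated(per_host, min_rules=2):
    """Hosts where at least min_rules distinct rules fired; one rule alone is only a lead."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)
```

Requiring two distinct rules per host keeps a lone benign hit (an Office macro launching a helper, a legitimate svchost.exe) from paging anyone, while a host showing both a masquerading svchost.exe and Rclone activity is escalated.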

Torisma 🌀

A sophisticated cyber espionage campaign aimed at the aerospace and defense sectors in Australia, Israel and Russia, and at defense contractors based in Russia and India, installs data-gathering implants on victims' machines for surveillance and data exfiltration. The spyware is known as Torisma.

Tracked under the code name Operation North Star, the campaign's TTPs are related to Hidden Cobra, a state-sponsored group.

The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons program by perpetrating malicious attacks on US defense and aerospace contractors.

Operation North Star

While the initial analysis suggested the implants were intended to gather basic victim information so as to assess their value, the latest investigation into Operation North Star exhibits a “degree of technical innovation” designed to remain hidden on compromised systems.

Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, the attackers compromised and used genuine websites in the US and Italy to host their command-and-control (C2) capabilities.

The first-stage implant embedded in the Word documents evaluates the victim's system data, cross-checking it against a predetermined list of target IP addresses before installing a second implant called Torisma, all the while minimizing the risk of detection and discovery. Afterwards, shellcode is installed through which the victim's machine is infiltrated.