Akira ransomware strikes with devastating data extortion tactics

SISA Weekly Threat Watch - 31 July 2023

Over the past week, multiple cyberattacks have showcased the ingenuity and sophistication of cybercriminals, who continue to exploit various techniques and tactics to compromise systems and steal sensitive information. Security researchers have noticed an increase in the incidence of new malware strains, sophisticated ransomware exploits, targeted supply chain attacks, and novel cryptojacking techniques. As these diverse and complex cyber threats continue to evolve, the importance of robust cybersecurity practices cannot be overstated.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New variant of AsyncRAT malware ‘HotRat’ spreading via free, pirated software

Free, pirated versions of well-known applications and utilities, including video games, picture and sound editing software, and Microsoft Office, are being used to spread a new variant of AsyncRAT called HotRat. HotRat gives attackers a wide range of capabilities, including stealing login credentials and cryptocurrency wallets, capturing screenshots and keystrokes, installing further malware, and viewing or modifying clipboard data.

A malicious AutoHotkey (AHK) script is bundled with cracked software made available online via torrent sites; it uses a Visual Basic Script loader to launch the HotRat payload. The infection chain is also designed to disable antivirus software on the compromised host. HotRat, described as a fully featured RAT, supports more than 20 commands, each of which runs a .NET module downloaded from a remote server, which lets the threat actors behind the campaign add new functionality as and when needed. To prevent such attacks, it is recommended to avoid downloading dubious software from unverified sources, especially software that demands the deactivation of antivirus programs.

2. Akira ransomware: Sophisticated threats to organizations

Akira ransomware has emerged as a highly sophisticated and novel threat, with a recent surge in attacks on organizations worldwide. Akira is designed primarily to encrypt data on compromised systems: it appends the “.akira” extension to the names of affected files and drops a ransom note named “akira_readme.txt” for the victims. To further hinder recovery, the ransomware also deletes Windows Shadow Volume Copies, complicating restoration. Akira is distributed through various channels, including infected email attachments with macros, malicious ads, torrent websites, and pirated software.

Following a successful infection, Akira ransomware displays a ransom note asserting that the company’s internal infrastructure is now partially or completely dysfunctional as a result of the malware’s actions. The attackers further claim to have accessed a substantial amount of sensitive corporate data prior to encrypting it. To make matters worse, the note states that all backups have been removed, leaving the victim with limited options for recovery. As is typical of ransomware schemes, the attackers insist on payment in cryptocurrency, which gives them a higher level of anonymity. Prompt action and robust cybersecurity measures such as proactive patch management, regular security audits, network segmentation, and secure backup solutions are essential to defend against this threat and its extortion attempts.
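The two behaviours the advisory attributes to Akira (deleting Shadow Volume Copies, and writing “.akira” files and an “akira_readme.txt” note) are both observable in endpoint telemetry. The detection logic below is an added example written for this advisory, not SISA’s or any vendor’s code: it scans process-creation and file-event log lines and flags the indicators. The log lines are constructed, and the set of shadow-copy deletion commands watched for is an assumption drawn from common detection practice; the advisory itself only states that the copies are deleted.

```python
"""Flag Shadow Volume Copy deletion and Akira file indicators in endpoint logs.

Added example for this advisory (not SISA code). The sample log lines are
constructed in a Sysmon/4688-like key=value format; the deletion commands are
an assumed watch list, not something the advisory enumerates.
"""
import re
from dataclasses import dataclass

# Assumed watch list of ways Shadow Volume Copies are commonly deleted.
SHADOW_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]

# File-name indicators taken directly from the advisory.
AKIRA_FILE_PATTERNS = [
    re.compile(r"\.akira\b", re.IGNORECASE),
    re.compile(r"akira_readme\.txt", re.IGNORECASE),
]


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "shadow_copy_deletion" or "akira_file_indicator"
    detail: str    # the pattern that matched


def scan_log(lines):
    """Return one Finding per matching indicator class per log line."""
    findings = []
    for i, line in enumerate(lines, 1):
        for pat in SHADOW_DELETION_PATTERNS:
            if pat.search(line):
                findings.append(Finding(i, "shadow_copy_deletion", pat.pattern))
                break
        for pat in AKIRA_FILE_PATTERNS:
            if pat.search(line):
                findings.append(Finding(i, "akira_file_indicator", pat.pattern))
                break
    return findings


# Constructed sample telemetry: lines 2-5 should be flagged, 1 and 6 should not.
SAMPLE_LOG = [
    r'2023-07-28T10:01:02Z host=FS01 event=ProcessCreate cmd="svchost.exe -k netsvcs"',
    r'2023-07-28T10:04:11Z host=FS01 event=ProcessCreate cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2023-07-28T10:04:15Z host=FS01 event=FileCreate target=C:\Shares\Finance\akira_readme.txt',
    r'2023-07-28T10:04:20Z host=FS01 event=ProcessCreate cmd="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    r'2023-07-28T10:04:31Z host=FS01 event=FileRename target=C:\Shares\Finance\Q2.xlsx.akira',
    r'2023-07-28T10:30:00Z host=FS01 event=ProcessCreate cmd="vssadmin.exe list shadows"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
```

A listing of shadow copies (line 6) is deliberately not flagged; only deletion is, which keeps the rule usable on hosts where backup software legitimately enumerates snapshots.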

3. Banking sector targeted in open-source software supply chain attacks

The banking sector faced a serious threat from two separate Open-Source Software (OSS) supply chain attacks. Both incidents targeted specific components within the web assets of a targeted bank by embedding malicious functionality into them. In the first attack, the threat actor posed as a bank employee, uploaded malicious packages to the NPM registry, and created a fake LinkedIn page to avoid detection. Once activated, the script assessed the victim’s operating system and downloaded second-stage malware from a remote server, using a subdomain on Azure to avoid suspicion.

The attacker then employed the Havoc framework to bypass defensive measures and maintain an undetected presence on the compromised system. In the second attack, harmful code was inserted into an NPM package and activated to intercept login data covertly, transmitting sensitive information to the attacker’s infrastructure while remaining undetected. With financial assets and sensitive data at stake, adopting best practices in threat assessment and real-time risk identification is imperative for banks and financial services organizations to effectively counter cyber intruders and protect their valuable assets.

4. Azure AD token forging technique in Microsoft attack extends beyond Outlook

The recent Storm-0558 attack by a Chinese nation-state actor against Microsoft’s email infrastructure is claimed to have a wider extent than first believed. Microsoft said that the only programmes known to have been impacted by the token forging approach were Outlook.com and Exchange Online. The compromised signing key, however, turned out to be more potent than it first appeared and was not restricted to those two services. The inactive Microsoft account (MSA) consumer signing key, which was used to create Azure Active Directory (Azure AD or AAD) tokens for unauthorized access to Outlook Web Access (OWA) and Outlook.com, may also have allowed the adversary to create access tokens for various other Azure AD applications.

Storm-0558 appears to have obtained one of the keys used to sign and verify AAD access tokens. Any OpenID v2.0 access token for personal accounts and for mixed-audience (multi-tenant or personal account) AAD applications, such as SharePoint, Teams, OneDrive, and customers’ applications that support the “login with Microsoft” functionality, could therefore have been signed by the compromised key. To identify whether the compromised key was used in your environment, identify all potentially affected applications, search for forged token usage, and leverage the Indicators of Compromise (IoCs) published by Microsoft to look for any activity originating from the provided IP addresses.
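“Search for forged token usage” in practice means checking the tokens an application accepted against the signing keys the tenant actually publishes, together with the source addresses from the published IoCs. The script below is an added example written for this advisory, not Microsoft’s or SISA’s code: it parses the unverified header and claims of recorded access tokens and flags any whose key id (`kid`) is not in the expected key set, whose issuer is not the expected tenant, or whose source IP is on the IoC list. The key ids, tenant id, tokens and IP addresses are constructed placeholders; the real key set comes from the tenant’s JWKS endpoint and the real IoCs from Microsoft. Signatures are not verified here, since this is a log-triage step rather than authentication.

```python
"""Triage recorded access tokens for signing keys the tenant never published.

Added example for this advisory (not Microsoft's or SISA's code). All key ids,
tenant ids, tokens and IPs are constructed placeholders. Tokens are parsed
WITHOUT signature verification: this inspects what was logged, it does not
authenticate anything.
"""
import base64
import json

# Placeholders: in practice fill these from the tenant's JWKS endpoint and the
# application's registration, not from literals.
EXPECTED_KIDS = {"PLACEHOLDER-KID-A", "PLACEHOLDER-KID-B"}
EXPECTED_ISSUERS = {"https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/v2.0"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_unverified(token: str):
    """Return (header, payload) dicts of a compact JWT without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def triage_token(token: str, source_ip: str = None, ioc_ips=frozenset()) -> list:
    """Return the reasons a token deserves investigation; an empty list means it looks normal."""
    header, payload = parse_unverified(token)
    reasons = []
    kid = header.get("kid")
    if kid not in EXPECTED_KIDS:
        reasons.append(f"unexpected kid {kid!r}")   # key the tenant never published
    if payload.get("iss") not in EXPECTED_ISSUERS:
        reasons.append(f"unexpected issuer {payload.get('iss')!r}")
    if source_ip is not None and source_ip in ioc_ips:
        reasons.append(f"source IP {source_ip} is on the IoC list")
    return reasons


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a structurally valid token with a dummy signature (constructed test data)."""
    seg = lambda d: _b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{_b64url_encode(b'dummy-signature')}"


TENANT_ISS = "https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/v2.0"

# Constructed records: (token, source IP) as an application might have logged them.
SAMPLE_RECORDS = {
    "normal": (make_sample_token(
        {"alg": "RS256", "typ": "JWT", "kid": "PLACEHOLDER-KID-A"},
        {"iss": TENANT_ISS, "aud": "api://example-app", "sub": "user-1"}), "198.51.100.7"),
    # Signed by a key outside the tenant's published set: the pattern the
    # advisory describes, a consumer key used to mint tokens for AAD apps.
    "foreign_key": (make_sample_token(
        {"alg": "RS256", "typ": "JWT", "kid": "PLACEHOLDER-UNKNOWN-KID"},
        {"iss": TENANT_ISS, "aud": "api://example-app", "sub": "user-2"}), "192.0.2.10"),
}

# Placeholder IoC list (TEST-NET address); replace with Microsoft's published IPs.
SAMPLE_IOC_IPS = frozenset({"192.0.2.10"})


def triage_all(records: dict, ioc_ips=SAMPLE_IOC_IPS) -> dict:
    return {name: triage_token(tok, ip, ioc_ips) for name, (tok, ip) in records.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_RECORDS).items():
        print(name, "->", reasons or "ok")
```

The `kid` comparison is the decisive check: a token that validates cryptographically but was signed by a key absent from the tenant’s own key set is exactly what the consumer-key forgery described above produces, so an allowlist of published key ids catches it even where the signature itself looks good.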

5. Realst: A Rust-based infostealer targeting macOS users’ crypto wallets

Realst has emerged as a highly sophisticated and stealthy malware that poses a severe risk to macOS users. Its ability to empty crypto wallets and steal sensitive data, including passwords and browser information, puts both individual users and organizations at great peril. To propagate, Realst disguises itself as fake blockchain games hosted on websites. Games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, and SaintLegend have been used as vehicles to distribute the malicious payload.

Realst is distributed through PKG installers containing a Mach-O binary and three related scripts, providing an avenue for further infections. Realst has 16 distinct variants which, although quite similar to each other, use different sets of API calls to carry out their malicious activities. These variants target a broad range of software, including popular browsers such as Firefox, Chrome, Opera, Brave, and Vivaldi, as well as the Telegram app. Employing robust cybersecurity practices, keeping software and applications up to date, and being cautious of suspicious links and downloads are essential measures to mitigate the risk posed by Realst and similar sophisticated malware.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
