Threat Advisories

I. Targeted Entities

This campaign does not target any specific industry and has been observed attacking a wide variety of individuals and organizations. However, the malware utilized by this campaign (njRAT) was found to have originated in the Middle East and is primarily used to target Arabic-speaking countries [1][7].

II. Introduction

Part of the Microsoft Azure official toolkit and used by developers to test apps and sync local testing environments securely over the internet, the ‘dev tunnels’ service has made a surprising appearance in a recent threat campaign leveraging a new variant of the popular njRAT Remote Access Trojan [9]. A blog post published on the SANS Internet Storm Center by security researcher Xavier Mertens (@xme) announced the discovery of the malware, highlighting its creative use of Microsoft’s dev tunnels for communication between infected devices and identified command-and-control (C2) servers [8].

Mertens says he spotted this strain of njRAT sending continuous status updates to C2 servers via dev tunnel URLs. A deeper analysis of captured samples revealed hardcoded server listening ports, the suspected botnet name, client version and capabilities of the malware [8].

JSON extraction of recent njRAT sample (Source: SANS Internet Storm Center)

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

In his findings, he also discusses the ability of this malware to detect and propagate to external hard drives via USB. Shown in the code snippet below, if the ‘OK.usb’ variable is set to True, the malware will attempt to copy itself to any mounted USB devices [8].

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

III. Background

First observed in 2012, njRAT has become one of the most widely accessible Remote Access Trojan (RATs) on the market. It features an abundance of educational information with many tutorials available online [1]. This, combined with its open-source nature, has ranked it among the most popular RATs in the world. According to ANY.RUN, a prominent online malware analysis service, the njRAT malware family currently holds the #2 spot for all time total submission count [3]. Though historically used for browser cookie and credential theft, njRAT boasts a wide range of capabilities including keylogging, webcam/screen recording, cryptocurrency theft and wallet enumeration, registry modifications, file uploads, and USB drive propagation [7].

The use of legitimate services to mask command and control communication and data exfiltration, often called ‘C2 tunneling’, is hardly a novel concept. Cloudflare Tunnel (cloudflared), ngrok, and the DNS protocol, have and continue to be exploited by bad actors to conceal this malicious network activity [6]. Interestingly, previous njRAT campaigns have also abused services like Pastebin for C2 tunneling, only this time, there is the added certificate authority trust inherited by routing traffic through Microsoft’s Azure infrastructure [5]. However, the use of dev tunnels for stealth data exfiltration has existed as a proof of concept as early as 2023, when the tool was first released alongside Visual Studio 2022 v17.6 [4][10].

The setup of dev tunnels for C2 redirection is a relatively straightforward process. The threat actor needs only a valid GitHub or Microsoft account and the free executable available on Windows, MacOS, and Linux [11]. With that, they would need to authenticate via the tool with one of the following commands:

After verification, a secure, persistent channel can be deployed by issuing the following:

With the dev tunnel active, all the attacker has to do is bind the channel to their C2 listener port on the same host machine [4]. Now, the control server and infected devices will direct all C2 traffic through a trusted proxy hosted within Microsoft’s Azure cloud infrastructure.

It is worth noting that regardless of the actual traffic direction or protocol being used, the tunnel always presents itself to the victim’s network as outbound TLS traffic. This means that even when an adversary is actively connecting inbound to a victim’s system, the connection appears in network logs and monitoring tools as a standard outbound HTTPS connection originating from the victim’s network [11].

V. MITRE ATT&CK

• S0385 – njRAT
  This campaign utilizes a variant of the njRAT Remote Access Trojan.

• TA0011 – Command and Control (C2)
  Following system infection, njRAT will contact a control server awaiting instructions from an attacker. It can be configured to choose from a list of attacker-owned servers.

• T1572 – Protocol Tunneling
  Using the Microsoft dev tunnel service, infected system outreach, data exfiltration, and malicious commands from the control server occur over disposable, encrypted channels, making it harder for traditional security systems to spot and implement effective preventions.

• T1547.001 – Registry Run Keys / Startup Folder
  On infected Windows systems, this variation of njRAT creates a registry value entry under the ‘Software\Microsoft\Windows\CurrentVersion\Run\’ key path. To achieve persistence across reboots, the malicious program references itself using this “run key”, executing each time a user logs in.

• T1082 – System Information Discovery
  The malware performs enumeration of the infected host. It checks the OS version, supported languages, hostname, registry GUID, and other information that is then sent to the control server [2].

• T1091 – Replication Through Removable Media
  njRAT will attempt to detect any removable drives connected to the system. If found, the malware will create a standalone copy of itself to that drive.

V. Indicators of Compromise (IOCs)

VII. Recommendations

Monitor DNS Traffic for Dev Tunnel URLs – Organizations not using dev tunnels should keep an eye on DNS logs for any unexpected dev tunnel URLs (typically ending in “.devtunnels.ms”) that may indicate potential C2 communication [5]. IDS/IPS rules should be applied to automatically alert or block this traffic.

Beware of USB Devices – This variant, as well as previous versions of njRAT, has the ability to detect and spread to external hard drives connected via USB. Users should exercise caution when interacting with unknown USB devices. For critical systems, it may also be advised to locally disable the use of external storage hardware.

Use EDR/Host-Based IDS – The malware’s use of dev tunnels can blend its traffic with normal activity, rendering network intrusion detection efforts less effective. Configuring endpoint protection solutions to detect and flag the use of Microsoft-signed binaries (e.g., devtunnel.exe) by anomalous parent processes or modifications to the auto-run registry can offer another layer of defense to address this gap [5].

Network Segmentation – Botnet malware like njRAT spreads primarily via ‘spray and pray’ orchestration, typically infecting internet-facing devices that lack proper security controls. IoT devices, poorly configured web servers, and routers with deprecated firmware make up a sizable portion of modern botnet infrastructure. If security patches or hardening cannot be applied to such systems, isolating them from the main home or enterprise network is imperative to prevent lateral movement to critical systems.

Stay Informed on the Latest TTPs – As threat actors become more innovative in their detection evasion and exfiltration techniques, security analysts must remain up to speed with the ongoing changes of an evolving threat landscape.

VIII. References

[1] ANY.RUN. (March 9, 2025). NJRAT. https://any.run/malware-trends/njrat

[2] ANY.RUN. (February 27, 2025). dsadasfjamsdf.exe Sandbox Analysis. https://app.any.run/tasks/c01ea110-ecbf-483a-8b0f-d777e255ad9c

[3] ANY.RUN. (March 9, 2025). Malware Trends Tracker. https://any.run/malware-trends/

[4] Au, C. (August 9, 2023). Microsoft Dev Tunnels as C2 Channel. https://www.netero1010-securitylab.com/red-team/microsoft-dev-tunnels-as-c2-channel

[5] Baran, G. (February 28, 2025). Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications. https://cybersecuritynews.com/njrat-attacking-abusing-microsoft-dev/

[6] BlueteamOps. (Oct 23, 2023). Detecting ‘Dev Tunnels.’ https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2

[7] Check Point. (August 15, 2023). What is NJRat Malware? https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/

[8] Mertens, X. (February 27, 2025). Njrat Campaign Using Microsoft Dev Tunnels. https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724

[9] Microsoft. (November 17, 2023). What are dev tunnels? https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview

[10] Montemagno, J. (February 5, 2024) Dev Tunnels: A Game Changer for Mobile Developers. https://devblogs.microsoft.com/dotnet/dev-tunnels-a-game-changer-for-mobile-developers/

[11] Rossouw, F. (December 5, 2024). Malware of the Day – Tunneling Havoc C2 with Microsoft Dev Tunnels. https://www.activecountermeasures.com/malware-of-the-day-tunneling-havoc-c2-with-microsoft-dev-tunnels/

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward

I. Targeted Entities

• Industries: Any (Opportunistic)
• Operating Systems: Windows, macOS, and Linux

II. Introduction

Written primarily in Golang, SparkRAT is a feature-rich, multi-platform Remote Administration Tool (RAT) that allows for the granular control of infected devices via web interface [11]. It was first published on GitHub in March of 2022 by elusive, Chinese-speaking developer XZB-1248. However, the project went largely unnoticed until gaining steady popularity in early 2023. Since then, the tool has been observed in numerous threat campaigns, including those carried out by cybercriminal groups Winnti and DragonSpark, as well as its involvement in the Hello Kitty and TellYouThePass ransomware attacks [6].

Like most Remote Access Toolkits, SparkRAT has been widely leveraged by threat actors for post-exploitation operations, typically being installed after the payload delivery and initial compromise. Most notably, the tool has been used in conjunction with several critical vulnerability exploits: CVE-2023-46604, CVE-2024-27198, and CVE-2024-43451 [1][3][4]. After a period of dormancy, SparkRAT resurfaced in January, with security researchers at Hunt.io detecting new C2 servers and hints of a possible DPRK campaign targeting macOS users [7].

III. SparkRAT Observed in DPRK Campaign

In a Twitter post by threat intelligence expert, Germán Fernández (@1ZRR4H) back in November 2024, a cyber espionage campaign attributed to the North Korean government was revealed, targeting macOS users and government organizations [5]. The threat actors behind this operation were reportedly distributing SparkRAT agents via fake online meeting platforms. Upon further investigation, researchers at Hunt.io and Cato Networks have recently identified additional C2 servers in South Korea and Singapore [2]. The findings suggest that this campaign is still active, although with a slight change in strategy and payload delivery method.

Interestingly, these uncovered C2 server domains were found to have open directories containing SparkRAT implants and bash scripts. Below are screenshots of an exposed directory and the content of its hosted scripts.

Screenshot of hxxps://gmcomamz[.]site/dev (Source: Hunt.io)

Curl results from hxxps://gmcomamz[.]site/dev/dev.sh

The bash script above downloads the Mach-O binary file (client.bin) from the hosting domain (updatetiker[.]site), saves it as “pull.bin” to the /Users/shared directory, changes its permissions to allow reading, writing, and execution by all system users, and runs the file as a background process. This is typical behavior of malware hosting servers.

The behavior of the test.sh script is similar, however, it points to another domain which has also been found to host SparkRAT agents (clients):

Curl results from hxxps://gmcomamz[.]site/dev/test.sh

IV. SparkRAT Analysis

SparkRAT Web Interface

Accessed through a browser, the SparkRAT Web UI provides an overview of active remote sessions along with system information of each connected machine. In addition to the basic operations listed below, the tool’s interface comes with several additional capabilities such as viewing a live instance of the victim’s screen, taking screenshots, and remote shutdown.

Client Creation

Generate Client creates an executable file that, when executed on a target machine, will create a backdoor connection with the associated C2 system. Clients can be customized to point to different hosts, connect over a specified port, and run on different operating systems (Windows, macOS/Darwin, and Linux).

Remote Terminal Window

As one would expect, the Terminal feature allows for attackers to execute commands on a target machine via a web-based PowerShell GUI. If used in combination with remote privilege escalation, attackers can carry out system-level operations like disabling the firewall, modifying registry keys, and disabling antivirus software.

Process Manager

The Process feature lists all running processes as well as the ability to stop them. This can be used to terminate security/monitoring software.

File Manager Tool

Explorer allows attackers to enumerate, create, and delete files/directories on the target system. It also allows files/directories to be downloaded to the attacker’s local machine or uploaded to the target machine.

Wireshark capture showing initial client-C2 communication

In this exchange, captured shortly after the execution of a SparkRAT agent, the target system sends a request to upgrade its connection to use the WebSocket protocol. A WebSocket handshake over port 8000 is a key characteristic of SparkRAT command-and-control (C2) traffic.

Client POST Request to update SparkRAT version

Following the WebSocket handshake, the target system sends a POST request with the commit query parameter storing the current version of the tool. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server [10]. It is also worth noting the unusual User-Agent string as well as the JSON return value indicating that this client is using the latest SparkRAT version that the server can offer.

V. MITRE ATT&CK

• T1059 – Command and Scripting Interpreter
  Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.

• T1571 – Non-Standard Port
  Adversaries may communicate using a protocol and port pairing that are typically not associated.

• T1005 – Data from Local System
  Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

• T1071.001 – Application Layer Protocol: Web Protocols (C2)
  Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments.

• T1105 – Ingress Tool Transfer (C2)
  Adversaries may transfer tools or other files from an external system into a compromised environment.

• T1573.001 – Symmetric Cryptography (C2)
  Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

• T1082 – System Information Discovery
  An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

• T1083 – File and Directory Discovery
  Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

• T1106 – Native API
  Adversaries may interact with the native OS application programming interface (API) to execute behaviors.

VI. Indicators of Compromise (IOCs)

As is the case with most open-source malware toolkits, the list of IOCs associated with SparkRAT activity is extensive. Currently, the project’s GitHub repository has over 500 forks and 16,000 latest-release downloads, indicating that the tool is likely adapted for use in the development of custom malware (all of which would have their own IOCs). Below are the most recent and most frequently observed SparkRAT IOCs.

VII. Recommendations

Exercise Good Cyber Hygiene – The easiest, most effective way to prevent system compromise via Remote Access Trojans like SparkRAT is to simply practice good cyber hygiene. This includes not opening unknown files, being suspicious of email attachments from untrusted sources, avoiding downloading software from unofficial websites, and regularly updating operating systems.

Isolated Virus Scans – Performing a malware detection scan (via crowdsourced tools like VirusTotal or antivirus software like Microsoft Defender’s custom scan option) on an untrusted file before executing it can be an easy way to verify its legitimacy. Fortunately, most AV solutions are privy to common SparkRAT indicators and will prevent infected files from executing. However, custom malware leveraging the tool may go undetected. If further analysis is required, it is advised to run any suspected file within a sandbox environment to examine its behavior.

Update Virus Signatures – Ensuring that endpoint solutions and antivirus software are up to date with the latest virus signatures is crucial for detecting and quarantining known variations of SparkRAT malware. Signature databases used by AV software are typically populated with new signatures when applying the latest security patches. For this reason, it is recommended to frequently update (daily) or configure automatic system/application updates.

Active Network Monitoring – A system infected with SparkRAT malware establishes a connection to its C2 server via WebSocket, a web-based application protocol that enables full-duplex communication between client and server [8]. Though sometimes used by legitimate software, such as instant messengers and multiplayer games, the use of this protocol over port 8000 (the default port for SparkRAT agents) could be a strong indicator of SparkRAT activity. To detect this traffic, network monitoring and deep packet inspection tools can be deployed to look for abnormal connections over port 8000, WebSocket handshakes by unknown applications, and JSON error messages indicative of SparkRAT C2.

Stay Informed – As SparkRAT gains traction, it is likely to be featured in future malware campaigns. Thankfully, threat hunters and intelligence agencies are vigilantly discovering and sharing IOCs linked to the tool. Engaging with threat intel networks and staying aware of new SparkRAT trends will allow for better preparation of systems and aid in detection efforts of emerging threats.

VIII. References

[1] Arctic Wolf. (November 3, 2023). Exploitation of CVE-2023-46604 in Apache ActiveMQ Leads to TellYouThePass Ransomware. https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/

[2] Bittner, D. (Jan 29, 2025). Cats and RATS are all the rage. https://thecyberwire.com/podcasts/daily-podcast/2234/transcript

[3] Broadcom (January 31, 2025). SparkRAT – a cross-platform modular malware. https://www.broadcom.com/support/security-center/protection-bulletin/sparkrat-a-cross-platform-modular-malware

[4] ClearSky (November 13, 2024). CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild. https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/

[5] Fernández, G. (Nov 27, 2024). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://x.com/1ZRR4H/status/1861667506328334589/

[6] Fortinet. (February 13, 2024). Threat Coverage: How FortiEDR protects against SparkRAT activity. https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-SparkRAT-activity/ta-p/299271

[7] Hunt.io. (Jan 28, 2025). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections

[8] IETF. (Dec 2011). The WebSocket Protocol. https://datatracker.ietf.org/doc/html/rfc6455

[9] Mishra, A. (Jan 29, 2025). Hackers Attacking Windows, macOS, and Linux systems With SparkRAT. https://gbhackers.com/hackers-attacking-windows-macos-and-linux-systems/

[10] SentinelLabs. (Jan 24, 2023) DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation. https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

[11] XZB-1248. (Mar 16, 2022). SparkRAT GitHub Repository. https://github.com/XZB-1248/Spark

Additional Resources

[12] Open Threat Exchange. “SparkRAT”. https://otx.alienvault.com/browse/global/pulses?q=SparkRAT&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=SparkRAT

[13] Malpedia. “SparkRAT”. https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat

[14] ThreatFox. SparkRAT IOCs. https://threatfox.abuse.ch/browse/malware/win.spark_rat/

[15] Hybrid Analysis. client.bin Sandbox Report. https://www.hybrid-analysis.com/sample/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

[16] VirusTotal. client.bin Scan. https://www.virustotal.com/gui/file/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward

I. Targeted Entities

• Organizations, researchers, and developers leveraging Meta's Llama-Stack for AI model inference and deployment. 

II. Introduction

A critical security vulnerability, CVE-2024-50050, has been identified in Meta's Llama-Stack framework, which is widely used for developing and deploying generative AI applications. This flaw allows attackers to achieve remote code execution (RCE) by exploiting unsafe deserialization of untrusted data via the pyzmq library (ZeroMQ python implementation). Specifically, the vulnerability arises from the use of the recv_pyobj method, which automatically deserializes Python objects using "pickle", a method known for its security risks when handling untrusted inputs. 

If exploited, this vulnerability could compromise AI inference servers, leading to data breaches, resource hijacking, unauthorized model manipulation, or full system compromise. Meta has assigned the flaw a CVSS score of 6.3 (medium), while Snyk and Oligo Security have categorized it as critical, assigning it scores of 9.3 and 9.8, respectively. 

This advisory provides details on the vulnerability and remediation steps to mitigate the risk. 

III. Additional Background Information

Llama-Stack is an open-source framework developed by Meta to streamline the development, deployment, and optimization of generative AI (GenAI) applications. It is primarily designed to support Meta's Llama family of models, offering a comprehensive set of tools and APIs for the entire AI development lifecycle, including: 

• Model training and inference 
• Memory management 
• Evaluation and optimization

The framework is intended to accelerate innovation in the AI space by providing a standardized foundation for developers and enterprises working on Llama-based AI solutions. Since its introduction in July 2024, Llama-Stack has been backed by major AI ecosystem partners such as AWS, NVIDIA, Groq, Ollama, Together AI, and Dell. 

However, the discovery of CVE-2024-50050 has revealed a critical security flaw in Llama-Stack's default inference implementation, raising concerns about the security of AI frameworks that handle sensitive model deployments.

Technical Breakdown of the Vulnerability:

Insecure Deserialization:

• The run_inference method in llama-stack uses recv_pyobj to receive serialized Python objects over a ZeroMQ socket. 
• recv_pyobj automatically deserializes the received data using Python's pickle.loads method. 
• The pickle module is inherently insecure when processing untrusted data, as it can execute arbitrary code during deserialization.

Exploitation Scenario:

If the ZeroMQ socket is exposed over the network, an attacker can send a maliciously crafted serialized object to the socket. When recv_pyobj unpickles the object using pickle.loads, the attacker's payload is executed, leading to arbitrary code execution on the host.

Code Analysis:

The recv_pyobj method in pyzmq is defined as follows:

def recv_pyobj(self, flags: int = 0) -> Any:
msg = self.recv(flags)
return self._deserialize(msg, pickle.loads)

This method:

• Receives pickled data from the socket.
• Passes the data to _deserialize along with pickle.loads for deserialization.
• Deserialize executes pickle.loads, which deserializes the data without validation.

Unsafe Design:

The use of pickle.loads in recv_pyobj is unsafe by design, as it deserializes data from unverified sources.

The maintainer of pyzmq has acknowledged that recv_pyobj should only be used with trusted sources, similar to pickle itself.

Impact

Severity: Critical

Consequences:

• An attacker could craft a malicious serialized object using pickle and send it to the exposed ZeroMQ socket.
• This can lead to full system compromise, data exfiltration, or further lateral movement within the network.

Vulnerability discovery, disclosure and patching

The vulnerability in llama-stack was discovered by Oligo, which leverages its advanced runtime detection capabilities to identify threats that traditional Software Composition Analysis (SCA) tools often miss. Oligo's Application Detection and Response (ADR) platform maintains an extensive database of runtime profiles for third-party libraries, enabling it to detect unusual behavior indicative of exploitation. In the case of llama-stack, Oligo's prebuilt profiles flagged the use of pickle for deserialization as anomalous, as no legitimate instances of code execution within the pickle processing flow had ever been recorded. This triggered an automatic incident report in the Oligo ADR platform, highlighting the potential for remote code execution (RCE) even though no CVE for llama-stack existed at the time. The attack graph and evidence, including Python call stack deviations captured via eBPF, were documented in the Oligo platform, confirming the exploit.

Oligo followed a responsible disclosure process to report the vulnerability to Meta, the maintainers of llama-stack. Meta's security team responded promptly, providing clear guidelines for disclosure through a GitHub issue. The vulnerability was assigned CVE-2024-50050 with a CVSS score of 9.3, reflecting its critical severity. Meta acknowledged the issue and worked collaboratively with Oligo to address it.

Meta released a patch in version 0.0.41 of llama-stack (llama-stack>=0.0.41), which replaced the insecure pickle serialization implementation with a type-safe Pydantic JSON implementation across the API. This change eliminated the risk of arbitrary code execution by ensuring safe deserialization of data. Additionally, pyzmq issued a fix and added a clear warning in its documentation about the risks of using recv_pyobj with untrusted data, emphasizing that it should only be used with trusted sources. The patch and warning can be found in the following commit: pyzmq commit f4e9f17.

Responsible Disclosure Timeline

29 Sep, 2024: Oligo reported the vulnerability to Meta.

30 Sep, 2024: Meta performed an initial evaluation of the report.

1 Oct, 2024: Meta confirmed that their teams were working on a fix.

10 Oct, 2024: Meta released the fix on GitHub and published version 0.0.41 to PyPi.

24 Oct, 2024: Meta issued CVE-2024-50050 to formally document the vulnerability.

This coordinated effort between Oligo and Meta ensured the timely identification, disclosure, and patching of the vulnerability, mitigating the risk of exploitation for users of llama-stack.

IV. MITRE ATT&CK

Displayed is the code vulnerable method in llama stack (Derived from Oligo Blog Security)

Displayed is the RCE code used to deserialize and unpickle the code, making said code no longer secure (Derived from Oligo Blog Security)

VII. Additional OSINT Information

To detect this vulnerability, having real time detection is essential for identifying and getting rid of the risk. Maintaing an extensive and constantly backed up database of profiles for third party libraries.  

 Patch 0.0.41 calls attention to this, it replaces the pickled serialization implementation with Pydantic JSON implementation across the API.

VIII. References

Oligo Security. (January 23, 2025). CVE-2024-50050: Critical Vulnerability in meta llama/llama-stack by Meta. https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack 

The Hacker News. (Jan 26, 2025). Meta's Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks. https://thehackernews.com/2025/01/metas-llama-framework-flaw-exposes-ai.html 

SC Media. (January 27, 2025). Severe Meta Llama issue risks RCE in AI systems. https://www.scworld.com/brief/severe-meta-llama-issue-risks-rce-in-ai-systems 

Threat Advisory created by The Cyber Florida Security Operations Center. 

Contributing Security Analysts: Thiago Reis Pagliaroni, Nahyan Jamil

To learn more about Cyber Florida visit: www.cyberflorida.org  

I. Targeted Entities

• Government
• Healthcare
• Manufacturing
• Media
• Technology

II. Introduction

An emerging ransomware group known as FunkSec, appeared in late 2024, compromising over 85 victims in December, more than any ransomware group that month. FunkSec is a new Ransomware-as-a-Service (RaaS) actor focusing on bolstering its malware with the use of Artificial Intelligence (AI). These threat actors are said to be amateurs demanding unusually low ransoms with the threat of posting victims data on FunkSec’s data leak site (DLS). On this DLS, companies are listed as they become compromised. The site also hosts many malicious tools including a free Distributed Denial of Service (DDoS) tool.

Some members of the FunkSec group have appeared in other hacktivist activities and claim to mainly target the United States and India. New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), Recorded Future-– a leading threat intelligence platform, and Broadcom-–a semiconductor and software company, have all released reports urging organizations to stay ahead of the threat. They recommend implementing a defense-in-depth strategy using multiple layers of security, backing up systems, and keeping systems updated and patched.

Ransomware-as-a-service double extortion aims to put more emphasis on paying the ransom as double extortion not only encrypts the data but also copies and exfiltrates it. Threat actors then threaten to leak this data if the ransom isn’t paid. In traditional ransomware good backups of data can defeat ransomware and recover without payment

III. Additional Background Information

In December 2024, FunkSec ransomware group appeared to compromise its first 11 victims sparking immediate interest for security researchers and news outlets. After further investigation of the malware, FunkSec V1.5, originated from Algeria and showed many indications of AI use. The use of AI allowed the group to rapidly iterate this ransomware and create its tools which implies the attackers lack technical expertise. The group is said to seek recognition and visibility as they appear to demand ransoms as low as $10,000. Evidence also indicates that some of the leaked information posted to their DLS was recycled from previous hacktivist-related leaks which raises questions about its authenticity.

Although limited information is available currently, the exploit seems to start with tactics that are defined in the MITRE ATT&CK framework, specifically T1193, T1203, and T1189. T1193 – Spear Phishing Attachment, indicates that adversaries are using a series of spear phishing campaigns to infect systems with ransomware after clicking on email attachments imbedded with malicious macros. T1203 – Exploitation of Client-Side Vulnerabilities, allow attacker to take advantage of a vulnerability within a system and gain access through an exploit of that vulnerability. T1189 – Drive-by Compromise, allows attacker to plant malicious objects within websites and advertisements to lure victims into interacting with these objects. Once the user has initiated an access vector, the system becomes infected, all files are encrypted and cannot be opened until the ransom is paid.

Previous ransomware campaigns that involve such exploitation bring major concern although this attack highlights a new threat as the use of AI clearly elevates the severity of such attacks. FunkSec is found to use AI in its creation of a malicious DDoS tool, pieces of redundant code that call the binaries multiple times, and the extensive perfect English comments. FunkSec’s broad adaption across many attack vectors makes them capable of exploiting many people and organizations through rapid iterations of this malware and evading defenses. These attacks could bring down companies within all industries.

Organizations are strongly urged to maintain proper security practices. These practices should include security awareness training, applying the latest patches and monitoring for indicators of compromise (IoC). Furthermore, safe searching practices should be enforced, urging the practice of only downloading materials from official and trustworthy channels. Failure to follow these procedures could result in severe disruptions and data breaches.

IV. MITRE ATT&CK

VII. Additional OSINT Information

Image 1 of FunkSec’s AI Scorpion

Hybrid Analysis Falcon Sandbox Results

Image 2 of FunkSec’s AI Scorpion

Hybrid Analysis Falcon Sandbox Results

Image 3 of FunkSec Malicious Phishing Site Analysis

Hybrid Analysis Falcon Sandbox Results

Image 4 of FunkSec DLS

Check Point Research. (2025a). FunkSec data leak site. Retrieved 2025.

Image 5 of FunkSec Ransomware Note

Check Point Research. (2025a). FunkSec ransomware note. Retrieved 2025.

Associated Threat Actors:

Scorpion: Prominent member of FunkSec, uses multiple aliasas such as DessertStorm.

El_farado: Promotes FunkSec making sure this group stays visible.

Associated Hacktivist Groups:

-Ghost Algeria: Made evident in a ransom note similar to FunkSec’s.

-Cyb3r Fl00d: Old group based on a screenshot.

Artificial Intelligence (AI) Indicators:

-Very well structured and formatted comments and code, as well as the publication of an AI chatbot named Scorpion.

VIII. References

Dulaunoy, A., Fafner, & Harper, T. (n.d.). RansomLook . RansomLook. https://www.ransomlook.io/

Antoniuk, D. (2025, January 10). New amateurish ransomware group FunkSec using AI to develop malware. Cyber Security News | The Record. https://therecord.media/funksec-ransomware-using-ai-malware

Arghire, I. (2025, January 13). Emerging FUNKSEC ransomware developed using AI. SecurityWeek. https://www.securityweek.com/emerging-funksec-ransomware-developed-using-ai/

Check Point Research. (2025, January 9). Meet FunkSec: A new, surprising ransomware group, powered by ai. Check Point Blog. https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomware-group-powered-by-ai/

Check Point Software. (2024, February 8). What is double extortion ransomware?. Check Point Software. https://www.checkpoint.com/cyber-hub/ransomware/what-is-double-extortion-ransomware/

FunkSec RaaS Dominates the Ransomware Landscape in December. Cyber.nj.gov. (2025, January 16). https://www.cyber.nj.gov/Home/Components/News/News/1574/214?rq=emotet

FUNKSEC ransomware. Broadcom Inc. (2025, January 9). https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware

Hollingworth, D. (2025, January 14). Inside FunkSec, the self-taught hackers supported by Ai Code. Cyber Daily. https://www.cyberdaily.au/security/11575-inside-funksec-the-self-taught-hackers-supported-by-ai-code

Infosecurity Magazine. (2025, January 13). New Ransomware Group uses AI to develop Nefarious Tools. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/new-ransomware-group-uses-ai/

Lakshmanan, R. (2025, January 11). Ai-driven ransomware FUNKSEC targets 85 victims using double extortion tactics. The Hacker News. https://thehackernews.com/2025/01/ai-driven-ransomware-funksec-targets-85.html

LevelBlue – Open Threat Exchange. LevelBlue Open Threat Exchange. (n.d.). https://otx.alienvault.com/pulse/678127dbf6bb4958da4254cd/

MalwareBazaar Database-funksec. MalwareBazaar. (2025). https://bazaar.abuse.ch/browse/tag/funksec/

Meskauskas, T. (2025, January 13). Funklocker (FunkSec) ransomware. FunkLocker (FunkSec) Ransomware – Decryption, removal, and lost files recovery (updated). https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware

Mitre ATT&CK®. MITRE ATT&CK®. (n.d.). https://attack.mitre.org/

Price, A. (2024, December 4). Take me down to FUNKSEC town: Funksec ransomware DLS Emergence . CYJAX. https://www.cyjax.com/resources/blog/take-me-down-to-funksec-town-funksec-ransomware-dls-emergence/

Reynolds, I. (2025, January 11). FUNKSEC: The emergence of ai-driven ransomware threats. SecureTeam. https://secureteam.co.uk/news/funksec-the-emergence-of-ai-driven-ransomware-threats/

Stcpresearch. (2025, January 10). FunkSec – alleged top ransomware group powered by ai. Check Point Research. https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/

Tag funksec. ThreatFox. (n.d.). https://threatfox.abuse.ch/browse/tag/funksec/

Check Point Research. (2025, January 15). FunkSec: The rising yet controversial ransomware threat actor dominating December 2024. Check Point Blog. https://blog.checkpoint.com/research/funksec-the-rising-yet-controversial-ransomware-threat-actor-dominating-december-2024/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Timothy Kircher

I. Targeted Entities

• Internet users

II. Introduction

LandUpdate808 is a malicious downloader that distributes malicious payloads disguised as fake browser updates. The downloader is usually hosted on malicious or compromised websites. LandUpdate808 was identified by the Center for Internet Security as a top ten observed malware in quarter three of 2024, landing as the second most prominent identified malware.

III. Additional Background Information

LandUpdate808 redirects website visitors to first download the loader for the fake update content. The redirect also adds a cookie to the targeted user which has been observed with the naming conventions “isDone” or “isVisited11”. The cookie’s value is set to true after the operation is successful. The cookie has an expiration date of four days and will cause the malware to skip over the previous steps if the cookie is detected. The fake update page is disguised as an out-of-date Chrome notification with a blue download button labeled “Update Chrome”. When clicked, the button will link to an “update.php” file. The payload has been observed as a JS, EXE, and MSIX file that changes file type frequently. Recent reporting has identified multiple domains being tied to the same IP address, a potential indicator that the LandUpdate808 operation is expanding operations.

IV. MITRE ATT&CK

VII. References

Samala, A. (2024b, October 15). New Behavior for LandUpdate808 Observed. Malasada Tech. https://malasada.tech/new-behavior-for-landupdate808-observed/

Samala, A. (2024a, July 2). The LandUpdate808 Fake Update Variant. Malasada Tech. https://malasada.tech/the-landupdate808-fake-update-variant/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Benjamin Price

I. Targeted Entities

• Fortune 500 Companies
• Government Agencies

II. Introduction

According to The Multi-State Information Sharing and Analysis Center’s (MS-ISAC) monitoring services, SocGholish has retained its position as the most prevalent malware in Q3 2024, accounting for 42% of observed infections. SocGholish is a JavaScript-based downloader that spreads primarily through malicious or compromised websites that present fake browser update prompts to users. Once deployed, SocGholish infections can facilitate further exploitation by delivering additional malicious payloads.

III. Additional Background Information

SocGholish, also known as “FakeUpdates,” has emerged as the leading malware in Q3 2024. This malware has been active since 2018 and operates as a JavaScript-based downloader that exploits drive-by-download techniques to gain initial access. SocGholish primarily spreads through compromised websites, which present fake browser or software update prompts to unsuspecting users. When users download and run the updates, they execute a malicious payload that establishes communication with SocGholish’s command-and-control (C2) infrastructure.

The malware typically delivers its payload via direct download of JavaScript files or, less frequently, within obfuscated ZIP archives to evade detection. The attackers have continued to adapt, using techniques such as homoglyphs in filenames to bypass string-based detection methods. Once deployed, SocGholish conducts reconnaissance on infected systems, identifying users, endpoints, and potentially critical assets such as Active Directory domains. In about 10% of cases, the malware escalates to delivering second-stage payloads, including remote access tools (RATs) like Mythic, replacing previously popular choices like NetSupport.

SocGholish serves as an initial access broker, facilitating further exploitation by delivering additional malware, including ransomware variants such as LockBit and WastedLocker. Its activities are often precursors to larger attacks, making it a critical threat to monitor. Infections may involve domain trust enumeration and script-based data exfiltration, primarily executed in memory, complicating detection efforts. Organizations are advised to implement preventive measures, such as disabling automatic JavaScript execution, monitoring for unusual script activity, and swiftly isolating infected hosts to mitigate the impact of potential intrusions.

IV. MITRE ATT&CK

VI. Additional OSINT Information

SocGholish operates as a JavaScript-based malware loader that initially infects victims through compromised websites, presenting them with fake browser or software update prompts. Once users click to “update,” the malware executes a JavaScript payload, connecting back to the attacker’s command and control (C2) server to deliver additional payloads.

Image 1 of SocGholish Payload Delivery

Image 2 of SocGholish Payload Delivery

Image 3 of SocGholish Payload Delivery via Fake Google Alerts

Payload details:

• Primary Payload: The initial JavaScript script collects system and user information, which it sends back to the C2 server, enabling the attacker to assess the target for further exploitation. This reconnaissance phase helps the malware operators determine the value of the target and the appropriate secondary payloads to deploy.
• Secondary Payloads: SocGholish is known to deploy additional malware based on the information gathered. Historically, it used the NetSupport RAT for remote access but has evolved to favor other tools. Since 2022, SocGholish shifted its preference to more advanced payloads, including:
• Cobalt Strike: This well-known post-exploitation tool allows attackers to conduct further reconnaissance, privilege escalation, and lateral movement within networks. However, recent reports show a transition to using Mythic, an alternative to Cobalt Strike.

• Mythic: A versatile open-source command and control framework used for post-compromise operations, allowing attackers to load additional modules and control infected systems stealthily.

• Reconnaissance and Lateral Movement: The secondary payload often includes commands for system discovery and Active Directory enumeration. Common tools used in this phase include nltest.exe for domain trust discovery and whoami for privilege reconnaissance.

• Ransomware Associations: SocGholish has acted as an initial access broker, facilitating access for ransomware groups such as LockBit and WastedLocker. This handoff process enables ransomware operators to capitalize on SocGholish’s infiltration to execute ransom demands or further network disruption.

By delivering these targeted payloads, SocGholish operators can gain persistent access, conduct extensive reconnaissance, and potentially disrupt critical systems. These payloads make SocGholish not only a potent malware threat but also a significant enabler of larger ransomware and espionage campaigns across various industries.

VII. References

The Center for Internet Security, Inc (October 23, 2024) Top 10 Malware Q3 2024 https://www.cisecurity.org/insights/blog/top-10-malware-q3-2024

Red Canary (2024) SocGholish https://redcanary.com/threat-detection-report/threats/socgholish/

MITRE ATT&CK (March 22, 2024) SocGholish https://attack.mitre.org/software/S1124/

Blackpoint Cyber (June 21, 2024) AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion https://blackpointcyber.com/resources/blog/asyncrat-netsupportrat-vssadmin-abuse-for-shadow-copy-deletion-soc-incidents-blackpoint-apg/

Proofpoint (November 22, 2022) Part 1: SocGholish, a very real threat from a very fake update https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update

ReliaQuest (January 30, 2023) SocGholish: A Tale of FakeUpdates https://www.reliaquest.com/blog/socgholish-fakeupdates/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.

I. Targeted Entities

• Fortinet FortiManager Customer
• Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet's FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows for remote code execution (RCE) by unauthorized attackers. The exploitation of this vulnerability is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, a critical vulnerability was discovered in Fortinet's FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, exploits a missing authentication mechanism in the fgfmd daemon, allowing attackers to execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts can allow attackers to escalate their control leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager's broad adoption across multiple critical infrastructures and industries make it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet's security infrastructure.

IV. MITRE ATT&CK

VII. References

The Channel CO, CRM (October 24, 2024) 5 Things To Know On The Fortinet FortiManager Attacks  https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks
 

Bleeping Computer (October 23, 2024) Fortinet warns of new critical FortiManager flaw used in zero-day attacks
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/ 

Google Cloud (October 23, 2024) Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575 

 New York State (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://its.ny.gov/2024-120 

 Bleeping Computer (October 24, 2024) Mandiant says new Fortinet flaw has been exploited since June https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/ 

 CVE (October 23, 2024) CVE-2024-47575 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575 

 Fortigaurd (October 17, 2024) Missing authentication in fgfmsd https://www.fortiguard.com/psirt/FG-IR-24-423 

 MS-ISAC (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker. 

I. Targeted Entities

• Small to Medium Government and Business Entities

II. Introduction

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra’s postjournal service, which processes incoming emails over SMTP. This vulnerability allows attackers to compromise servers by sending specially crafted emails that trigger arbitrary command execution through the server’s CC field. Once exploited, the vulnerability can be used to install web shells, providing attackers full access to the compromised server and enabling further network infiltration.

III. Additional Background Information

Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.

IV. MITRE ATT&CK

VII. References

Dark Reading. (October 1, 2024). Zimbra RCE Vuln Under Attack Needs Immediate Patching. https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now

BleepingComputer. (October 2, 2023). Critical Zimbra RCE flaw exploited to backdoor servers using emails. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/

SOCRadar. (October 02, 2024). RCE Vulnerability in Zimbra (CVE-2024-45519). https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, Benjamin Price

I. Targeted Entities

• Healthcare sector
• Education sector
• Government organizations
• Manufacturing industries
• Retail industries

II. Introduction

New Indicators of Compromise associated with BlackSuit ransomware have been found in recent attacks. BlackSuit is a sophisticated cyber threat known for its double extortion tactics, encrypting and exfiltrating victim data to demand ransom.

III. Additional Background Information

BlackSuit ransomware emerged as a prominent threat actor in the cyber landscape in 2023. It is believed to be a direct successor to the Royal ransomware, itself a descendant of the notorious Conti ransomware group. BlackSuit shares significant code similarities with Royal, including encryption algorithms and communication methods, indicating that the operators behind BlackSuit have inherited and improved upon Royal’s techniques. An analysis made by Trend Micro revealed that BlackSuit and Royal ransomware have a high degree of similarity, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. Additionally, BlackSuit employs command-line arguments like those used by Royal, though with some variations and additional arguments.

This technical sophistication has allowed BlackSuit to conduct multiple high-profile attacks across various sectors since its emergence. Notably, one of the most significant attacks targeted a U.S.-based healthcare provider in October 2023, resulting in severe operational disruptions. The financial losses from this attack were estimated to be in the millions, including ransom payments and the cost of recovery and mitigation. In another incident, an educational institution suffered a data breach, leading to the exposure of sensitive student and staff information.

Financial gain is the primary motivation behind BlackSuit attacks. The group employs double extortion tactics, demanding ransom not only to decrypt the data but also to prevent the leaked data from being publicly released. This strategy increases the pressure on victims to pay the ransom, highlighting the ruthlessness and effectiveness of BlackSuit’s extortion methods.

Tools Used

• Blacksuit ransomware: The main payload used for encrypting victim data.
• Bravura Optitune: Legitimate remote monitoring and management (RMM) software used for maintaining remote access.
• InfoStealer: Malware designed to steal sensitive information, including credentials and financial data.
• NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for discovering host names and network services.
• Process Explorer: A Microsoft Sysinternals tool that provides detailed information about processes running on a system, used for monitoring and debugging.
• ProcessHacker: A free tool for monitoring system resources, debugging software, and detecting malware.
• PsKill: Microsoft Sysinternals command-line tool used to terminate Windows processes on local or remote systems.
• PsSuspend: Microsoft Sysinternals command-line tool used to suspend processes on a local or remote system.
• PsExec: A Microsoft Sysinternals tool for executing processes on other systems, primarily used by attackers for lateral movement.
• Rclone (suspected): An open-source tool that can manage content in the cloud, often abused by ransomware actors to exfiltrate data from victim machines.

These tools allow BlackSuit to conduct reconnaissance, maintain persistence, and execute their ransomware effectively. The group’s preference for leveraging legitimate software tools makes their activities harder to detect and mitigate. Understanding the tools and methods employed by BlackSuit ransomware is critical for defending against their attacks.

IV. MITRE ATT&CK

VII. References

Blacksuit (2024) SentinelOne. Available at: https://www.sentinelone.com/anthology/blacksuit/ (Accessed: 08 June 2024).

Montalbano, E. (2024) BlackSuit claims dozens of victims with ransomware, BlackSuit Claims Dozens of Victims With Ransomware. Available at: https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware (Accessed: 08 June 2024).

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Pagliaroni, Yousef Aref, Abdullah Siddiqi, and Nahyan Jamil.

I. Targeted Entities

Enterprises and Government Organizations

II. Introduction

LockBit ransomware operators have deployed a new AV-bypass tool named “Warp AVKiller” in their latest campaigns, as identified by a trusted third party. This advanced tool, derived from the Go-based Warp Stealer malware, is engineered to evade detection by security products. The attack methodology includes creating new user accounts through Windows Management Instrumentation (WMI), integrating them into a Local Group, and configuring them in the Windows Autologon registry entry. This setup ensures that the new user accounts automatically log in upon system restart, initiating the execution of LockBit ransomware. The Cybersecurity and Infrastructure Security Agency (CISA) and The US Department of Homeland Security (DHS) urges immediate review and reinforcement of security protocols to counter this threat.

III. Additional Background Information

LockBit is a ransomware-as-a-service business that allows less technical users to purchase ready-made ransomware toolkits to launch their own cyberattacks. LockBit creates malware and licenses the code in exchange for a percentage of the ransoms paid.

Several sources, including CISA, say that LockBit was the most deployed ransomware variant across the world. LockBit ransomware is responsible for numerous cyberattacks worldwide. Initially detected in 2019, it has evolved through multiple versions, with LockBit 3.0 being the latest. This ransomware gains initial access via purchased credentials, unpatched vulnerabilities, or insider threats. It employs a double extortion tactic, encrypting data and threatening to release it unless the ransom is paid. LockBit targets mid-sized organizations, leveraging its Ransomware-as-a-Service model for widespread distribution.

In recent news, The Lockbit ransomware group claimed to have breached the US Federal Reserve, stating that they exfiltrating 33 TB of sensitive data, such as Americans’ banking secrets. They added the Federal Reserve to their Tor data leak site and threatened to leak the stolen data on June 25, 2024. Lockbit did exfiltrate 33 TB of sensitive data, but it was not the Federal Reserve. LockBit targeted Evolve Bank & Trust, a US banking company. Evolve confirmed the breach, stating that the stolen data originated from this incident.

IV. Recommendations

VI. References

(1) Sophia, Fox-Sowell “FBI obtains 7,000 lockbit ransomware decryption keys” StateScoop, June 6, 2024 https://statescoop.com/fbi-obtains-7000-lockbit-ransomware-decryption-keys/#:~:text=LockBit%20creates%20malware%20and%20licenses,across%20the%20world%20in%202022

(2) “What Is LockBit Ransomware?” Blackberry, 2021 https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/lockbit

(3) “Lockbit ransomware – what you need to know” Kaspersky, 2020 https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware

(4) Paganini, P, “Fox-Sowell “Lockbit claims the hack of the US Federal Reserve.” Security Affairs, June 24, 2024 https://statescoop.com/fbi-obtains-7000-lockbit-ransomware-decryption-keys/#:~:text=LockBit%20creates%20malware%20and%20licenses,across%20the%20world%20in%202022

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy and Nahyan Jamil.