Weekly Intelligence Report – 02 June 2023

Published On : 2023-06-02
Share :
Weekly Intelligence Report – 02 June 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, and Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – BlackCat Ransomware | Malware – DogeRAT
  • BlackCat Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – DogeRAT
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Tropical Scorpius aka Void Rabisu Shifted its Focus to Geopolitics and Deploys RomCom Backdoor

  • Suspected Threat Actors: Void Rabisu aka Tropical Scorpius
  • Attack Type: Spear Phishing
  • Target Geography: Ukraine and Europe
  • Target Industry: Energy, Finance, Defence, Government, and IT
  • Objective: Espionage
  • Target Technology: Windows
  • Business Impact: Financial Loss, Operational Disruption

Recently, researchers detected the campaign started in mid-2022 attributed to the threat actor named Void Rabisu, also known as Tropical Scorpius, who is connected to both the Cuba ransomware and the RomCom backdoor. The threat actor was financially motivated and used to target ransomware. However, the focus shifted in the month of October 2022, and the threat actor started attacking with geopolitical aims. Void Rabisu has been employing Google Ads to attract its targets and direct them to the lure sites. Additionally, the RomCom campaigns conducted by Void Rabisu involve the use of highly targeted spear phishing emails. This campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. The recent RomCom activity has revealed several instances of websites used by malware operators from December 2022 to April 2023. These websites mimic legitimate software such as Gimp, Go to Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions’ Remote Desktop Manager, and others. These deceptive websites are designed to trick users into downloading malicious RomCom software. The fake websites used in RomCom campaigns are promoted through Google advertisements and targeted phishing emails, primarily focusing on victims located in Eastern Europe. These websites distribute MSI installers that imitate legitimate applications but are compromised with a malicious DLL file called “InstallA.dll.” When the victim runs the installer, the malicious file extracts three additional DLLs into the %PUBLIC%\Libraries folder. These extracted DLLs are responsible for handling communication with the command-and-control server and executing commands as instructed by the operators.

Void Rabisu demonstrates a level of sophistication in its operations, combining tactics such as Google Ads, targeted spear phishing, and the use of deceptive websites to distribute their malicious payloads. Their connection to Cuba ransomware and RomCom backdoor indicates a broad range of activities and potentially underscores their involvement in a variety of cyber threats.
The RomCom backdoor has evolved by incorporating advanced techniques used by both APT groups and prominent cybercriminal campaigns, indicating the adoption of detection evasion methods. Void Rabisu is an example of a financially motivated threat actor whose goals align with geopolitical circumstances, which is expected to continue and grow.

Major Geopolitical Developments in Cybersecurity

The US Department of Defense singles out China, Russia, Iran, and North Korea as the most acute threats

The Pentagon has recently presented its renewed 2023 cyber strategy to Congress. The Ministry says the strategy represents an evolution of the 2018 strategy document and provides direction for the implementation of the 2022 National Defense Strategy in cyberspace. The document itself is classified, but Pentagon has released an unclassified fact sheet, which emphasizes that the strategy is taking important lessons from Russia’s ongoing war on Ukraine, which “has demonstrated how cyber capabilities may be used in a large-scale conventional conflict.” The fact sheet also identifies the principal sources of threats in cyberspace to be China (characterized as an actor that pushes the tempo in the fifth domain), Russia (characterized as an actor with demonstrated capability and will to hit critical infrastructure), North Korea, Iran, “violent extremist organizations,” and transnational criminal organizations (often aligned with the “foreign policy objectives” of the governments that support and protect them, also known as privateers ).

Iranian operations against Israeli logistics

Iranian threat actor Agrius has been observed continuing to target unnamed entities in Israel. Researchers’ observations suggest that what appear to be destructive ransomware attacks are masking influence operations. The APT group, now calling both itself and its newest ransomware strain “Moneybird,” has been seen in recent attacks deploying their unseen ransomware written in C++. The first point of compromise was public-facing web servers, which, once breached, gave hackers access to networks, enabling them to move laterally and conduct reconnaissance and data theft.

Another Iranian threat group has been observed attacking Israeli shipping and logistics companies in an attempt to steal customers’ data. This activity has been attributed with low confidence to a known APT TA456, also called Imperial Kitten. At least eight companies were impacted by the campaign, according to researchers.

Chinese hackers penetrating US infrastructure

A joint advisory from all Five Eyes countries (Australia, Canada, New Zealand, the United Kingdom, and the United States) reports a major Chinese cyberespionage operation that has reportedly succeeded in penetrating a range of US critical infrastructure sectors. The attack is attributed to a Chinese APT known as Volt Typhoon, a group that has been active for at least two years. The industries of communications, manufacturing, utilities, transportation, construction, maritime industries, government, information technology, and education have all become targets of the observed campaign. The threat actor has likely been trying to conduct espionage and keep access, without being discovered for as long as feasible, according to the observed behaviour.

Guam, a US territory in the Western Pacific that is home to significant US military bases, has been the target of a large portion of the alleged activity. Should China choose to follow Russia’s geopolitical lead and invade what it sees as a rebellious province, those bases would be crucial to any US involvement on behalf of Taiwan. China, for its part, rejects the accusations as the result of a planned American misinformation effort and denies taking part in any of the actions, the Five Eyes claim it did in connection with the Volt Typhoon.

Other Observations

CYFIRMA Research team observed a potential data leak related to RaidForums, (www[.]raidforums[.]com). RaidForums is a database-sharing and marketplace forum. They have exclusive database breaches and leaks, plus an active marketplace. The compromised data includes various sensitive information, such as username (stored as varchar), password (stored as varchar), salt (stored as varchar), login key (stored as varchar), and other confidential data.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.