Targeting key industries! LockBit is back, and Silver Fox rolls out a new variant

Mondo Health Updated on 2024-03-08

LockBit and the Silver Fox Trojan are the two threat families that AsiaInfo Security focused on in 2023. LockBit can be described as the most active and rampant ransomware of 2023, with thousands of victims and ransom demands exceeding 100 million, and its attack techniques keep escalating. The Silver Fox Trojan is the "King of Volumes" of 2023: it is iterated continuously, is used by multiple black- and gray-market gangs, and has become an important upstream part of the "industrial chain".

LockBit is the most active and rampant ransomware in the world, with attacks spread across North America, Europe, and the Asia-Pacific region. According to AsiaInfo Security data, since the second half of 2023 LockBit's share has grown to 22.81%, topping the list of ransomware families attacking the China region. LockBit's ransomware techniques and its distribution and ransom tactics keep improving; by version 3.0 it had become the typical representative of the triple extortion of "encryption, theft, and DDoS".

LockBit attacks also target critical-infrastructure industries, especially manufacturing, government, cybersecurity, and defense. LockBit was responsible for attacks such as the attack on a municipal water utility in Portugal, the attack on India's National Aerospace Laboratory, and the extortion attack in Canada.

Given the harm it has caused, on February 20 this year law enforcement agencies from the United States, France, the United Kingdom and other countries launched a joint operation, "Cronos", against the LockBit group. The operation arrested suspects and froze 200 cryptocurrency wallets. Authorities seized 34 LockBit servers and released free decryption tools in multiple jurisdictions, and 3 international arrest warrants and 5 indictments were issued. European law enforcement succeeded in taking down the main LockBit platform.

What's new: LockBit restarts operations, restores its data sites and threats**. On February 24, the LockBit operator lockbitsupp said that the server had not been upgraded in time, which allowed the FBI to break in and leak data, and that the server was being updated and a bounty had been offered for the vulnerability. It announced that the LockBit service was basically restored, that it was ready to release version 4.0, renamed "FBI SUPP", and began a new round of frequent attacks**, challenging law enforcement.

[Figure: LockBit's reply to the open letter]

Silver Fox infections have ravaged many industries, including finance, energy, e-commerce, education and healthcare, with a wide range of attacks and many victims. Attackers often deliver the Trojan through communication tools or disguise it as a software package. Its camouflage programs usually borrow the names of common tools, hot news items, documents and the like, and are promoted through search engines to induce users to install them.

[Figure: Documents of this kind should be treated with caution]

In less than a year, the Silver Fox Trojan went through 6 major versions, with substantial changes to its attack method, the way its attack components are deployed, and how malicious samples are delivered.

At the end of 2023, a black- and gray-market family named "Tree Wolf" (also known as Snow Wolf) appeared, targeting finance, technology, telecom operators, and enterprise units. It uses HFS to build a platform for hosting files, and sends phishing links or fraudulent files via WeChat, QQ, and TG under the guise of "tax" and "audit" matters.

The group uses compressed archives named "2024 Tax Year Income and Expenditure Statement Automatic Deduction Items (Computer Version)", "List of Illegal and Discipline-Violating Units in 2023", "List of Rectification Announcements Ordered to Rectify within a Time Limit" and similar as phishing bait. Once decompressed, the archive yields an MFC program written in C++, which lowers the chance of detection and removal by security software.

During hunting, the group was linked to the use of the HFS framework, and some of its samples (PexPay82ICU) use GH0ST as the C&C payload.

The ** address of the older samples is a 123pan direct link, recognisable by its "domain name / user ID / directory" format; based on the timeline of the associated samples, the group has been active since October last year.

The server site where the samples are stored is shown in the figure (it is currently unreachable). The group likes to use Hong Kong IP addresses for its sample-hosting servers: Hong Kong servers require no ICP filing, are fast and stable, can be reached from both inside and outside China, and are cheap, which is why they are favoured by the black- and gray-market industry.

[Figure: Trojan targeting TG]

The Snow Wolf group matches the Silver Fox hunting rule `(body="Preview"&&body="Documents")||title="Documents"`. Tree Wolf matches the "Silver Fox Puppet" variant we discovered half a month ago, which is consistent with the "-puppet" parameter mentioned in the Kingsoft Security Team's article on Tree Wolf.
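As an added illustration (not part of the report or of any AsiaInfo tooling), the following Python evaluates a hunting rule in the syntax quoted above against sample HTTP responses, so a defender can see what such a rule actually matches and how `&&`, `||` and parentheses combine; the field names `body` and `title` come from the rule, and the sample pages are constructed, not captured from any real server.

```python
import re
# Hunting rule quoted in the report (with its parentheses balanced).
SNOW_WOLF_RULE = '(body="Preview"&&body="Documents")||title="Documents"'
TOKEN = r'\(|\)|&&|\|\||[a-z_]+="[^"]*"'

def compile_rule(rule):
    """Recursive descent: or := and ('||' and)*; and := atom ('&&' atom)*.
    Returns a predicate over a dict of page fields; && binds tighter than ||,
    and each field="value" atom is a case-sensitive substring match."""
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN}))*\s*", rule):  # reject unknown syntax
        raise ValueError(f"cannot tokenize rule: {rule!r}")
    toks = re.findall(TOKEN, rule)
    peek = lambda: toks[0] if toks else None
    def atom():
        t = toks.pop(0)
        if t == "(":
            node = parse_or()
            if toks.pop(0) != ")":
                raise ValueError("expected ')'")
            return node
        field, _, value = t.partition("=")
        return lambda p, f=field, v=value.strip('"'): v in p.get(f, "")
    def parse_and():
        node = atom()
        while peek() == "&&":
            toks.pop(0)
            node = (lambda l, r: lambda p: l(p) and r(p))(node, atom())
        return node
    def parse_or():
        node = parse_and()
        while peek() == "||":
            toks.pop(0)
            node = (lambda l, r: lambda p: l(p) or r(p))(node, parse_and())
        return node
    node = parse_or()
    if toks:
        raise ValueError(f"unexpected trailing tokens: {toks}")
    return node

def page_fields(html):
    """Extract the fields the rule refers to: <title> text and the raw body."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return {"title": m.group(1).strip() if m else "", "body": html}

def matches(rule, html):
    return compile_rule(rule)(page_fields(html))

# Constructed sample responses (not captured from any real server).
HFS_LIKE = "<html><title>HFS /</title><body><a>Documents</a> <a>Preview</a></body></html>"
BENIGN = "<html><title>Welcome</title><body>Preview our product</body></html>"
```

Because the atoms are plain substring matches, such a rule is a triage signal rather than proof: a hit should be confirmed against the other traits described in this report (HFS hosting, Hong Kong IP, tax/audit-themed bait).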

All of the above families use HFS to build file-storage services, ** sensitive documents such as tax audits and lawyer's letters, and finally drop the gh0st remote-control tool.

The phishing interface is also relatively similar, as shown in the following figure:

The file-hosting ** is built with HFS, as shown in the following figure:

Most of the servers are deployed in Hong Kong, China.

Based on the above characteristics, AsiaInfo Security's threat tracking team determined that Tree Wolf, Snow Wolf, and Silver Fox belong to the same organization.

About the AsiaInfo Security Threat Intelligence Center

The AsiaInfo Security Threat Intelligence Center has worked in the field of threat intelligence for many years and has a first-class threat intelligence analysis, artificial intelligence and big data team in China. The Threat Intelligence Center focuses on practical, scenario-based intelligence, drives threat intelligence operations with data, uses AI throughout the production and operation of threat intelligence, and holds a leading position in China in cryptomining governance, phishing detection, hacking-tool detection, ransomware governance, and ransomware leak-site detection. The Threat Intelligence Center pioneered an hour-level response mechanism based on threat intelligence cloud linkage, giving customers the experience of "one-point reach, network-wide immunity".
