The attack chain starts with the attacker creating a Telegram bot. The bot's token is embedded in the RAT's configuration file, and the RAT is then compiled into an executable (e.g. "paypal checker by saint.exe"). That executable is embedded in a decoy Word document ("solution.doc") which, when opened, downloads and runs the Telegram RAT (dropped to "C:\Users\ToxicEye\rat.exe").
The malware is spread via phishing emails carrying a malicious Windows executable. ToxicEye uses Telegram as its command-and-control (C2) channel: commands arrive through the bot, and stolen data is uploaded back through it.
In the analysed attack, the attackers first created a Telegram account and a dedicated Telegram bot, bundled the bot with the ToxicEye malware, and distributed it via spam campaigns as an email attachment.
If a victim opens the malicious attachment, it connects to Telegram, giving the attackers a foothold on the victim's device via the bot.
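Because a Telegram-C2 RAT has to carry its bot token and talk to the Bot API host, both make good static indicators. The scanner below is an added example written for this page, not ToxicEye code or anything from the original report: it walks a byte blob (a dumped config, an unpacked binary, a memory region) looking for strings shaped like a Telegram bot token and for the `api.telegram.org` host. The token shape (8–10 decimal digits, a colon, a 35-character secret of `[A-Za-z0-9_-]`) is the public Bot API format; the sample bytes, the 9-digit chat id that must not match, and the token itself are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ToxicEye code: scan a blob for an embedded Telegram bot
 * token and for the Bot API host, the two indicators a Telegram-C2 RAT must
 * carry. Token shape follows the public Bot API format: 8-10 decimal digits
 * (bot id), ':' and a 35-character secret of [A-Za-z0-9_-]. */

#define TOKEN_MAX  64
#define SECRET_LEN 35

static int is_secret_char(unsigned char c) {
    return isalnum(c) || c == '_' || c == '-';
}

/* Copy each token-shaped string in buf into out[] (NUL-terminated) and
 * return how many were found, capped at max_out. */
int find_bot_tokens(const unsigned char *buf, size_t len,
                    char out[][TOKEN_MAX], int max_out) {
    int found = 0;
    size_t i = 0;
    while (i < len && found < max_out) {
        /* a candidate starts at the first digit of a digit run */
        if (!isdigit(buf[i]) || (i > 0 && isdigit(buf[i - 1]))) { i++; continue; }
        size_t d = 0;
        while (i + d < len && isdigit(buf[i + d])) d++;
        if (d < 8 || d > 10 || i + d >= len || buf[i + d] != ':') { i += d; continue; }
        size_t s = 0;                      /* secret length; a 36th valid char rejects */
        while (i + d + 1 + s < len && s <= SECRET_LEN && is_secret_char(buf[i + d + 1 + s])) s++;
        if (s != SECRET_LEN) { i += d; continue; }
        size_t total = d + 1 + SECRET_LEN;
        memcpy(out[found], buf + i, total);
        out[found][total] = '\0';
        found++;
        i += total;
    }
    return found;
}

/* Return 1 if the Telegram Bot API host string appears anywhere in buf. */
int has_telegram_api_host(const unsigned char *buf, size_t len) {
    static const char host[] = "api.telegram.org";
    const size_t hl = sizeof host - 1;
    for (size_t i = 0; i + hl <= len; i++)
        if (memcmp(buf + i, host, hl) == 0) return 1;
    return 0;
}

/* Constructed sample: binary junk, a 9-digit chat id that must NOT match,
 * and a Bot API URL carrying a made-up token. */
static const unsigned char sample_config[] =
    "\x00\x01junk\xff" "chat_id=111222333" "\x00"
    "https://api.telegram.org/bot1234567890:AAFake_bot_secret_0123456789abcdefg/sendDocument"
    "\x00\x90\x90";
static const size_t sample_len = sizeof sample_config - 1;

static char tokens[4][TOKEN_MAX];

int scan_sample(void) { return find_bot_tokens(sample_config, sample_len, tokens, 4); }
const char *sample_token(int idx) { return tokens[idx]; }
int sample_has_api_host(void) { return has_telegram_api_host(sample_config, sample_len); }

int main(void) {
    int n = scan_sample();
    printf("api.telegram.org present: %d, tokens found: %d\n", sample_has_api_host(), n);
    for (int k = 0; k < n; k++) printf("  token: %s\n", sample_token(k));
    return 0;
}
```

A hit on the token pattern alone is worth triage (legitimate Telegram clients do not embed bot tokens), and a host hit from a process that is not a Telegram client is the network-side equivalent.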
After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network. DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.
The two zero-day vulnerabilities, tracked as CVE-2021-30665 and CVE-2021-30663, are a buffer overflow and an integer overflow respectively, both in Apple's WebKit browser engine. A buffer overflow occurs when code writes more data into a buffer than was allocated for it, typically because the length of untrusted input was never validated against the buffer's size. An integer overflow occurs when an arithmetic result exceeds the range of its integer type and silently wraps around; when the wrapped value is then used as a length or an allocation size, the bounds check passes on a value that is far too small, the allocation comes out undersized, and the copy that follows overflows it. In that sense the integer overflow disables the validation check and turns it into a buffer overflow. Chained together, the vulnerabilities allow a remote attacker to execute arbitrary code on the target system, after which the attacker can attempt to gain a shell and escalate privileges.
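The mechanism in that paragraph is easiest to see in code. The following is an added example written for this page, not code from WebKit or from the patches for either CVE: two small routines of the kind found in any parser, each shown in a vulnerable form where 32-bit arithmetic wraps and a hardened form that rejects the wrap before it can be used. The length values are constructed attacker-controlled inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the affected product: how an integer overflow
 * disables a bounds check and shrinks an allocation, which is the
 * precondition for the buffer overflow the paragraph describes. Inputs model
 * attacker-controlled length fields read from parsed content. */

/* Vulnerable bounds check: offset + len is computed in 32 bits and can wrap,
 * so a huge len yields a small sum and the check passes. */
int bounds_ok_vuln(uint32_t offset, uint32_t len, uint32_t buf_size) {
    uint32_t end = (uint32_t)(offset + len);     /* 0x10 + 0xFFFFFFF8 wraps to 0x8 */
    return end <= buf_size;
}

/* Hardened: the same check rearranged so no intermediate can overflow. */
int bounds_ok_safe(uint32_t offset, uint32_t len, uint32_t buf_size) {
    if (len > buf_size) return 0;
    return offset <= buf_size - len;
}

/* Vulnerable allocation size: count * elem_size wraps, so the buffer
 * allocated is far smaller than the count elements later copied into it. */
uint32_t alloc_size_vuln(uint32_t count, uint32_t elem_size) {
    return (uint32_t)(count * elem_size);        /* 0x40000001 * 4 wraps to 4 */
}

/* Hardened: reject before multiplying; returns -1 when the product does
 * not fit in 32 bits, otherwise the exact size. */
int64_t alloc_size_safe(uint32_t count, uint32_t elem_size) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return -1;
    return (int64_t)count * elem_size;
}

int main(void) {
    /* Constructed attacker-controlled values. */
    uint32_t offset = 0x10, len = 0xFFFFFFF8u, buf = 0x1000;
    printf("bounds check: vulnerable=%d hardened=%d\n",
           bounds_ok_vuln(offset, len, buf), bounds_ok_safe(offset, len, buf));

    uint32_t count = 0x40000001u, esz = 4;
    printf("alloc size for %u elements: vulnerable=%u hardened=%lld\n",
           count, alloc_size_vuln(count, esz), (long long)alloc_size_safe(count, esz));
    return 0;
}
```

The hardened forms never compute a value that could wrap: the subtraction in `bounds_ok_safe` is only reached once `len <= buf_size`, and `alloc_size_safe` compares against `UINT32_MAX / elem_size` instead of trusting the product.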
Malicious cyber actors use brute force techniques to discover valid credentials, often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing variations of the most common passwords. While brute forcing is not new, the GTsSS (the GRU's 85th Main Special Service Center) uniquely leveraged software containers (a Kubernetes cluster) to scale its brute force attempts. Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, together with various other techniques, allowed the actors to evade defenses and to collect and exfiltrate information from the networks, including mailboxes.
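Large-scale guessing of this kind is usually spread thinly across many accounts so that per-account lockout never fires, which is why detection has to aggregate by source rather than by user. The aggregator below is an added example written for this page, not part of the advisory: it reads constructed authentication events, tallies failures and distinct target accounts per source address, flags a source that fails across many accounts (password spraying), and notes when a success follows those failures, the point at which a valid credential has been found. The log line format, addresses and usernames are constructed; the thresholds are illustrative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory: aggregate authentication events per
 * source and flag password spraying (many failures spread across many
 * accounts from one source), which per-account lockout alone does not catch.
 * The log line format, addresses and usernames are constructed. */

#define MAX_SRC   32
#define MAX_USERS 16

typedef struct {
    char src[40];
    int  failures;
    int  distinct_users;
    char users[MAX_USERS][32];
    int  success_after_fail;   /* a login succeeded after failures from this source */
} src_stats;

static src_stats *lookup(src_stats *t, int *n, const char *src) {
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].src, src) == 0) return &t[i];
    if (*n >= MAX_SRC) return NULL;
    src_stats *s = &t[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->src, sizeof s->src, "%s", src);
    return s;
}

static void note_user(src_stats *s, const char *user) {
    for (int i = 0; i < s->distinct_users; i++)
        if (strcmp(s->users[i], user) == 0) return;
    if (s->distinct_users < MAX_USERS)
        snprintf(s->users[s->distinct_users++], sizeof s->users[0], "%s", user);
}

/* Lines look like "<timestamp> FAIL|OK user=<name> src=<ip>". Fills table,
 * returns the number of distinct sources seen. */
int aggregate(const char *const *lines, size_t n, src_stats *table) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        char result[8], user[32], src[40];
        if (sscanf(lines[i], "%*s %7s user=%31s src=%39s", result, user, src) != 3) continue;
        src_stats *s = lookup(table, &count, src);
        if (!s) continue;
        if (strcmp(result, "FAIL") == 0) { s->failures++; note_user(s, user); }
        else if (s->failures > 0) s->success_after_fail = 1;
    }
    return count;
}

/* Spray rule: at least fail_min failures over at least user_min accounts. */
int is_spray(const src_stats *s, int fail_min, int user_min) {
    return s->failures >= fail_min && s->distinct_users >= user_min;
}

/* Constructed events: one source sprays four accounts and then lands a
 * valid credential; another is a user mistyping their own password. */
static const char *const sample_log[] = {
    "2021-07-01T10:00:01Z FAIL user=alice src=203.0.113.5",
    "2021-07-01T10:00:02Z FAIL user=bob src=203.0.113.5",
    "2021-07-01T10:00:03Z FAIL user=carol src=203.0.113.5",
    "2021-07-01T10:00:04Z FAIL user=dave src=203.0.113.5",
    "2021-07-01T10:00:05Z OK user=dave src=203.0.113.5",
    "2021-07-01T10:00:06Z FAIL user=alice src=198.51.100.7",
    "2021-07-01T10:00:07Z FAIL user=alice src=198.51.100.7",
    "2021-07-01T10:00:08Z OK user=alice src=198.51.100.7",
    "2021-07-01T10:00:09Z OK user=erin src=192.0.2.9",
};

static src_stats table[MAX_SRC];
static int flagged[MAX_SRC];

/* Run the rule over the sample; returns how many sources are flagged. */
int run_sample(void) {
    int n = aggregate(sample_log, sizeof sample_log / sizeof sample_log[0], table);
    int k = 0;
    for (int i = 0; i < n; i++)
        if (is_spray(&table[i], 3, 3)) flagged[k++] = i;
    return k;
}
const src_stats *flagged_source(int k) { return &table[flagged[k]]; }

int main(void) {
    int k = run_sample();
    for (int i = 0; i < k; i++) {
        const src_stats *s = flagged_source(i);
        printf("spray from %s: %d failures over %d accounts%s\n", s->src, s->failures,
               s->distinct_users, s->success_after_fail ? ", then a successful login" : "");
    }
    return 0;
}
```

In a real deployment the source key would be whatever survives the actor's infrastructure rotation (ASN, TOR exit flag, user agent) rather than a single IP, since a container fleet can spread attempts over many addresses; the aggregation logic stays the same.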
Recently, Kaseya, a well-known enterprise IT firm, was at the centre of a data-encryption attack by REvil on its VSA product, software for remotely monitoring PCs, servers, printers, networks, and point-of-sale systems. Kaseya's VSA software was used to spread ransomware that encrypted "well over 1,000 businesses". The attack exploited a zero-day, i.e. a previously unknown vulnerability, in Kaseya VSA. REvil then demanded $70 million for a universal decryption tool to end the Kaseya attack. Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption. Ransomware actors also frequently exfiltrate data or authentication information first and threaten to sell or leak it if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation's state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.