Emerging Threats

CISO Monthly Roundup, April 2023: ThreatLabz 2023 Phishing Report, Trigona ransomware, DevOpt backdoor, and RSAC/BOTCONF presentations

May 04, 2023

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the past month, ThreatLabz released the 2023 Phishing Report, analyzed Trigona ransomware, discovered the DevOpt backdoor, and presented at RSAC 2023 and BotConf 2023.

2023 Phishing Report reveals surge in attacks

ThreatLabz released its 2023 Phishing Report detailing observations pulled from the Zscaler security cloud, which handles over 280 billion global transactions per day. In this report, ThreatLabz examines data from January 2022 through December 2022 to identify phishing trends, at-risk industries, affected geographies, and emerging tactics. Phishing attacks increased 47.2% in the last year, as cybercriminals have turned to sophisticated techniques for launching large-scale attacks.

Figure 1: Phishing attacks, year-over-year

Sectors most targeted by phishing attacks include education (25.1%), finance (16.6%), and government (13.8%). Threat actors' top private industry targets include the crypto exchange Binance, illegal streaming services, and Microsoft's SharePoint and OneDrive. The top five countries singled out for phishing attacks were the United States, the United Kingdom, the Netherlands, Russia, and Canada. The ThreatLabz 2023 Phishing Report contains a wealth of actionable information and addresses current developments such as black market phishing kits, Phishing-as-a-Service (PaaS) offerings, and more.

Get the 2023 Phishing Report

Zscaler Zero Trust Exchange Coverage: Zscaler Posture Control, Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

Trigona ransomware analysis

ThreatLabz has been monitoring the activities of Trigona ransomware, which is written in Delphi and has been active since June 2022. Some OSINT sources claim the Trigona threat actor's TTPs overlap with BlackCat/ALPHV, but the two codebases are quite different. Trigona encrypts files with a 4,211-bit RSA public key and a 256-bit AES symmetric key. The AES encryption uses the CBC and OFB modes, does not use padding, and appends a large file footer, which makes decryption a bit tricky.

Figure 2: Trigona ransom note

ThreatLabz has created a Python-based tool that can extract and decrypt the ransomware's configuration file. Trigona does not seem as advanced as other ransomware families because of its clunky encryption scheme and cumbersome (paid) decryption process. However, the ransomware is being actively updated and now features a data wiper that can destroy files and hinder analysis. Zscaler customers are protected from this threat, as the platform detects multiple Trigona indicators.

Read the full analysis of Trigona

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Discovering DevOpt: a multifunctional backdoor

ThreatLabz recently discovered DevOpt, a new backdoor with multiple capabilities. Since its discovery, multiple versions of DevOpt have appeared, indicating that the malware is under heavy development. The backdoor was found on a Russian site that tricks victims into downloading the malicious payload by convincing them they are performing a paid task.

Figure 3: Russian website (translated to English) enticing users into downloading malicious payloads

DevOpt's capabilities include keylogging, information stealing, grabber and clipper functionality, and persistence mechanisms. The backdoor gains persistence by modifying the Windows registry and creating scheduled tasks. The IP addresses of DevOpt's C2 infrastructure are hardcoded into the malware. Zscaler detects several of DevOpt's IoCs and prevents this threat from harming customers.

Read more about DevOpt backdoor

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

ThreatLabz RAT as ransomware presentation at BOTCONF

In April 2023, our ThreatLabz team presented new research at BotConf 2023, an annual international cybersecurity conference that focuses specifically on fighting malware and other cyberthreats that utilize botnets.

Our presentation at BotConf focused on a hybrid cyberthreat: Remote Access Trojans (RATs) implementing ransomware modules to increase their financial gains. These threats are termed "RAT as a Ransomware".

Our initial case study focused on a financially motivated threat actor named TA558, who targeted the travel, hotel, and hospitality industries in the LATAM region. This campaign started around October 2022 and is still ongoing. The attack vector involves the deployment of a remote access trojan called "VenomRAT" with a ransomware module.

Figure 4: RAT as Ransomware attacks

We saw the threat actor using a cracked builder of VenomRAT distributed on the Leak forums. Our demonstration included several infection chains that were grouped into different clusters and showcased multiple persistence mechanisms. All of these mechanisms lead to the deployment of VenomRAT with a ransomware module. We also demonstrated a flaw in the AES decryption routine of the ransomware, which allowed us to decrypt the files for VenomRAT ransomware as well as the Magnus ransomware. This was possible because the encryption code had been copied verbatim from an open-source project.

Learn more about RAT as ransomware attacks

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

Deepen Desai’s RSA presentation on MFA attacks

The Death of Conventional MFA: How AiTM Attacks Are Changing the Game

This is a brief summary of a topic I presented at RSAC. Multi-factor authentication (MFA) has been a traditional staple of good security hygiene. In the past, large players in the industry went so far as to claim "MFA can block over 99.9 percent of account compromise attacks." Yet recent adversary-in-the-middle (AiTM) attacks on MFA demonstrate that a once-revered technology can quickly become the next cyberattack success story. During our talk we looked at the categories of MFA bypass attacks that are prevalent in the wild and reviewed the techniques cybercriminals use to execute them.

Figure 5: MFA bypass techniques by complexity, prevalence, and target

For example, consider the way threat actors bypassed MFA in the phishing attacks against Microsoft 365 accounts.

In June 2022, ThreatLabz noticed large-scale threat campaigns using advanced phishing kits. By analyzing data in the Zscaler cloud, we found these campaigns used several newly registered domains to support their phishing and credential-stealing efforts. One defining feature of these campaigns was their use of adversary-in-the-middle (AiTM) techniques to bypass MFA. These attacks, specifically aimed at enterprises using Microsoft and Google services, utilized several evasion techniques to circumvent conventional email and network security.

The majority of organizations targeted by these campaigns were in the US, UK, New Zealand, and Australia. Individual targets received an email with a malicious link. The links used a variety of redirection methods to obscure their activity, but ultimately took users to a phishing page. Unlike traditional phishing pages, which simply harvest user credentials, these malicious pages facilitated AiTM attacks to defeat MFA.

For example, the advanced phishing kit used in this campaign acted as a proxy between the victims and the Microsoft site. Adversaries could intercept the HTML that Microsoft sent to the user and manipulate it before relaying it on to the victim. This allowed the attackers to replace links to legitimate Microsoft domains with equivalent links on the phishing domain.

This attack strategy is only one of many ways we've seen MFA bypassed by modern threat actors. Additional techniques include MFA fatigue, SIM swapping, abusing device enrollment, and social engineering. It is important to note that not all forms of MFA are vulnerable to these attacks. Enterprises should increasingly adopt FIDO2-based MFA in combination with a zero trust architecture that enforces posture checks and leverages conditional access to crown-jewel applications.
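To make concrete why the FIDO2 recommendation holds up against a proxying phishing kit like the one described above, here is an added, simplified model of the WebAuthn checks (written for this roundup; not code from the original post, Zscaler, or Microsoft). It assumes placeholder RP_ID/RP_ORIGIN values and uses an HMAC over a constructed per-credential secret in place of the authenticator's public-key signature; the rpId and origin checks are the real ones that a relay sitting on a different domain cannot satisfy.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "login.example.com"               # placeholder relying-party ID (assumption)
RP_ORIGIN = "https://login.example.com"   # the only origin the RP will accept
CRED_SECRET = b"constructed-credential-secret"  # stands in for the credential's private key

def browser_assert(challenge, page_origin, requested_rp_id):
    """Model the browser + authenticator on the page the user is actually viewing. The browser
    refuses an rpId that is not the page's host or a parent domain, so a phishing page cannot
    ask for a credential registered to the real RP; the origin it records cannot be forged."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("rpId %s not allowed from %s" % (requested_rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash | flags (UP bit set) | 4-byte signature counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()

def rp_verify(expected_challenge, client_data, auth_data, sig):
    """Relying-party checks: fresh challenge, origin, rpIdHash, user-presence flag, signature."""
    cd = json.loads(client_data)
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin %s is not %s" % (cd.get("origin"), RP_ORIGIN)
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(CRED_SECRET, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    return True, "ok"

def login_attempt(page_origin, requested_rp_id=RP_ID):
    """Simulate a login with the victim's browser on page_origin; returns (accepted, reason)."""
    challenge = "constructed-challenge-123"  # RP-issued nonce; random per session in practice
    try:
        return rp_verify(challenge, *browser_assert(challenge, page_origin, requested_rp_id))
    except ValueError as e:
        return False, str(e)

if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN))                                        # (True, 'ok')
    print(login_attempt("https://phish.example.net"))                       # browser refuses rpId
    print(login_attempt("https://phish.example.net", "phish.example.net"))  # RP rejects origin
```

Contrast this with a TOTP code or push approval, which carries no origin at all and therefore relays through the proxy unchanged.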

Read the ThreatLabz breakdown of these phishing campaigns

Other notable ThreatLabz appearances in April:


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

