
CISO Monthly Roundup, June 2023: ThreatLabz annual State of Ransomware report, understanding RedEnergy Stealer-as-a-Ransomware, investigating Bandit Stealer, exposing Mystic Stealer, and MOVEit vulnerability guidance

Jul 07, 2023
CISO Monthly Roundup, June 2023

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the past month, ThreatLabz released the 2023 State of Ransomware report, analyzed RedEnergy Stealer-as-a-Ransomware, investigated Bandit Stealer, examined Mystic Stealer, and offered MOVEit vulnerability guidance.

2023 ThreatLabz State of Ransomware report

ThreatLabz released its 2023 report on the current state of ransomware at Zenith Live ’23 in Berlin. ThreatLabz analyzed data from external intelligence sources, internal research, and the more than 500 trillion daily signals processed by the Zscaler global security cloud, and used this information to determine the most active ransomware families, the most heavily targeted regions, primary attack vectors, and more.

Figure 1: YoY comparison of extortion attacks by industry, showing percentage of change

The report covers key ransomware trends, the top five ransomware families to watch, attack statistics, threat predictions, and other relevant information. Key findings include a 37.75% increase in ransomware attacks, surging encryption-less ransom attacks, and evidence that the United States is one of the most targeted countries. The appendix offers readers helpful MITRE ATT&CK framework mappings for the top five ransomware threats identified by ThreatLabz.

Read the full 2023 ThreatLabz State of Ransomware report


Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Understanding RedEnergy Stealer-as-a-Ransomware attacks

ThreatLabz is tracking a new malware variant named RedEnergy that is capable of performing both info-stealing and ransomware attacks. This hybrid Stealer-as-a-Ransomware threat initiates its attack chain with malicious links that mimic reputable business pages on LinkedIn. When a victim clicks the malicious link to visit the LinkedIn page, they are redirected to the attacker’s website and prompted to update their browser. All four browser update options download the RedEnergy payload.

Figure 2: RedEnergy download page presenting itself as a browser update request

RedEnergy uses several obfuscation techniques and communicates with its C2 servers over HTTPS. It executes a multi-stage attack that includes establishing persistence, communicating with DNS servers, and downloading additional payloads. When encrypting a target system, RedEnergy appends a “.FACKOFF” extension to the affected files. It modifies desktop.ini to evade detection and to change the file system folder display settings. In the final stage, the malware deletes Windows backup plans and shadow drives, and drops a ransom note.

Read the full analysis of RedEnergy

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Investigating Bandit Stealer

ThreatLabz is tracking a new malware called Bandit Stealer that collects cookies, login credentials, credit card information, and other data from web browsers. Bandit Stealer, first seen in April 2023, also targets email and FTP credentials and cryptocurrency wallet applications. Once the malware harvests information, it uses Telegram to send it back to its C2 server.

Figure 3: An advertisement for Bandit Stealer found on an underground forum

Bandit Stealer is written in Golang and uses multiple techniques to detect and evade virtual environments and automated malware analysis platforms. It employs the profcs Golang library to check for running processes related to threat analysis/prevention and terminates if it discovers any. The malware also references an extensive list of IP addresses, MAC addresses, user names, and computer names to detect the presence of security vendors within an environment.

Read the full analysis of Bandit Stealer’s capabilities

Zscaler Zero Trust Exchange Coverage: Zscaler Posture Control, Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

Exposing the secrets of Mystic Stealer

ThreatLabz has been working with our colleagues at InQuest to analyze Mystic Stealer, a new infostealer malware advertised since April 2023. Mystic Stealer can gather credentials from nearly 40 web browsers and over 70 browser extensions. It collects extensive data from victims including the system hostname, user name, GUID, geolocation (using the local keyboard layout), and browser autofill information. It also targets crypto wallets, Telegram, and Steam credentials.

Figure 4: Mystic Stealer advertisement on underground forum

The developers of Mystic Stealer use polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants to protect and obfuscate the malware. Mystic Stealer also uses a custom binary protocol, encrypted with RC4, to communicate with its C2 servers. When data is exfiltrated from a victim’s system, Mystic Stealer tags the stolen information with a label identifying its type.
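Because RC4 is a symmetric stream cipher, an incident responder who recovers the key from a sample can decrypt captured C2 records and read the type label on each one. The following is an added example, not ThreatLabz or Mystic Stealer code: the key, the label values, and the one-byte-label-plus-payload framing are constructed assumptions for illustration and do not describe the malware’s actual protocol layout.

```python
# Added example (not ThreatLabz or Mystic Stealer code): RC4 decryption of a
# captured C2 record for incident response. The key, the label table and the
# record framing (1-byte label + payload) are constructed assumptions for
# illustration, not Mystic Stealer's real key or protocol layout.

def rc4_keystream(key: bytes):
    """Generate the RC4 keystream: key scheduling (KSA), then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S using the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: emit one keystream byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

# Assumed label values for the type tag (constructed, not from the sample).
LABELS = {0x01: "browser-credentials", 0x02: "crypto-wallet", 0x03: "telegram"}

def decode_record(key: bytes, blob: bytes) -> dict:
    """Decrypt one captured record and split the type label from the payload."""
    plain = rc4(key, blob)
    if not plain:
        raise ValueError("empty record")
    return {"label": LABELS.get(plain[0], f"unknown-0x{plain[0]:02x}"),
            "payload": plain[1:]}

# Constructed sample: a placeholder "recovered" key and a ciphertext produced
# by RC4-encrypting the label byte 0x01 followed by a fake credential string.
SAMPLE_KEY = b"recovered-key-placeholder"
SAMPLE_PLAIN = b"\x01" + b"user:pass@example.test"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    rec = decode_record(SAMPLE_KEY, SAMPLE_BLOB)
    print(rec["label"], rec["payload"].decode())
```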

Read a detailed breakdown of Mystic Stealer

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Notable vulnerabilities that organizations should prioritize for patching:

MOVEit Transfer Vulnerabilities

On June 12th, Progress Software disclosed a vulnerability in its MOVEit Transfer managed file transfer software. The vulnerability, CVE-2023-35708, was given a CVSS Base Score of 9.8, which classifies it as a critical security issue. If successfully exploited, a remote and unauthenticated threat actor could use this vulnerability to perform privilege escalation and steal or modify data through SQL injection. This latest disclosure comes after Progress Software recently patched two previous vulnerabilities, CVE-2023-34362 and CVE-2023-35036.

Vulnerable organizations are advised to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment until the latest patches and fixes are applied. ThreatLabz has released the following Zscaler update specifically in response to this vulnerability:

Zscaler Private Access AppProtection:

Progress MOVEit Transfer SILCertToUser or UserCheckClientCert SQL Injection (CVE-2023-35036 or CVE-2023-35708): 6000667

The Cl0p ransomware gang has been actively exploiting this vulnerability, impacting several global organizations and stealing large volumes of data. This further underscores the importance of timely patching of both external and internal assets.

Read more details on the MOVEit vulnerabilities

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 7300+ customers, securing over 300 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
