Bitdefender Threat Debrief | July 2023

MDR Insights

The notorious CL0p hacker group has been highlighted in recent news due to a significant increase in their ransomware attacks. This cybercriminal organization has targeted multiple banks, federal agencies, and corporations, exploiting a specific vulnerability known as CVE-2023-34362 in MOVEit software. Thanks to this vulnerability, they gained unauthorized access to sensitive data, leading to severe data breaches across various sectors.

The attack technique involved compromising Internet-facing MOVEit transfer web applications by exploiting the flaw. Subsequently, the threat actors implanted malware into these applications, enabling them to extract data from the underlying MOVEit databases without authorization.

In response to these malicious activities, the FBI and the CISA have issued a joint cybersecurity advisory. The advisory sheds light on CL0P's tactics, emphasizing the group's adaptability and notorious reputation. Known for their involvement in financial fraud, phishing attacks, and zero-day exploits, CL0P operates as a

In recent months, CL0P has been particularly active in targeting the GoAnywhere MFT platform, using zero-day vulnerabilities to steal data and demand ransoms. Their sophisticated toolkit includes malware such as FlawedAmmyy/FlawedGrace RAT, SDBot RAT, and Truebot downloader module, enabling them to collect sensitive information and spread their malware extensively.

Their impact has been significant, compromising over 3,000 U.S.-based organizations and 8,000 global organizations. By leveraging Truebot to download FlawedGrace or Cobalt Strike beacons, they gain further network access once they infiltrate the Active Directory server. Additionally, they've exploited the SQL injection zero-day vulnerability CVE-2023-34362 to install the LEMURLOOT web shell on MOVEit Transfer web applications.

To combat this threat, the FBI and CISA have recommended several countermeasures, including routine software patching and updating, regular vulnerability assessments, and adherence to established cybersecurity best practices. They've also provided lists of IP addresses and domains associated with TA505, relevant MITRE ATT&CK techniques, and recommended mitigation strategies.

Organizations are strongly encouraged to validate their security controls and promptly report ransomware incidents to the FBI or CISA. Additional resources on managing ransomware threats can be accessed on stopransomware.gov and the CISA/MS-ISAC Joint Ransomware Guide. With opportunistic attacks on the rise, we also recommend reading our article on understanding and managing software vulnerabilities.

Ransomware Report

Spear phishing attacks are often used as an initial attack vector and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in June 2023 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some RaaS groups represent a higher percentage compared to groups that are more selective about their targets since they prefer volume over value.

The following ransomware data is based on detections, not infections.

Top 10 Ransomware Families

We analyzed malware detections from June 1 to June 30. In total, we identified 226 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.

Top 10 Countries

In total, we detected ransomware from 137 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Ransomware attacks often occur opportunistically, with the frequency of such detections increasing in relation to the size of a country’s population.

Android trojans

Below are the top 10 trojans targeting Android we have seen in our telemetry during June 2023.

SMSSend.AYE - Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.

Downloader.DN – Repacked applications taken from the Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.

Triada.LC – Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload that the malware downloads and executes.

HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.

AgentSpy.E - Applications that were taken from Google Play Store and re-packed with malware. The malware packages are obfuscated, with the primary objective

SpyAgent.DW - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.

Agent.gQNIO - Generic name that detects obfuscated applications that are signed with debug certificate and bundled with numerous adware SDKs.

Marcher.AV - Applications that disguise themselves as Google Play Store applications. The malware tries to ask for accessibility permissions to capture keystrokes and also uses the VNC screen recording function to log the user’s activity on the phone.

Banker.XO - Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express, etc.). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.

Banker.XJ - Applications that drop and install encrypted modules. This trojan grants device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.

Homograph Phishing Report

Homograph attacks work to abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about the “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.

Below is the list of the top 10 most common targets for phishing sites.

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release and subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.

We would like to thank Bitdefenders Alin Damian, Mihai Leonte, Justin Mills, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Iulian Timischi, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.