NotLockBit Ransomware, Embargo Ransomware, Emennet Pasargad, and More: Hacker's Playbook Threat Coverage Round-up: November 2024

By Kaustubh Jagtap

In this edition of the Hacker's Playbook Threat Coverage round-up, we highlight attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker's Playbook to validate coverage against these advanced threats. Additional details about the threats and our coverage are provided below.

NotLockBit Ransomware - What you need to know

Threat researchers from SentinelOne have identified a new ransomware family known as "macOS.NotLockBit" that can potentially affect macOS machines. Until now, ransomware threats for macOS were believed to be nothing more than proofs of concept, or incapable of achieving their goals. However, this discovery shows that a new threat actor is leveraging the LockBit name to gain notoriety.

This ransomware is written in Go and is distributed as an x86_64 binary; it is intended to run on Intel Macs, or on Apple silicon Macs with the Rosetta emulation software installed. On execution, the ransomware gathers system information from the host: it reads the property list file at /System/Library/CoreServices/SystemVersion.plist to collect the product name, version, and build, and queries sysctl hw.machine for the architecture and sysctl kern.boottime for the time since last boot.

The malware uses an embedded public key to encrypt a randomly generated master key used in the file encryption process; the encrypted master key is written to a README.txt file deposited in each folder containing encrypted files, which are recognizable by their .abcd file extension. Before the file-locking operation, the malware attempts to exfiltrate the user's data to a remote server, abusing AWS S3 cloud storage with credentials hardcoded into the binary.

This ransomware is believed to still be under development, and the possibility that threat actors will leverage it to attack macOS machines in the near future cannot be ignored.

SafeBreach Coverage of NotLockBit Ransomware

The following individual attacks were added to the Hacker's Playbook and can be individually run to validate organizational controls:

Embargo Ransomware and MDeployer - What you need to know

Threat researchers from ESET have discovered a new Rust-based toolkit that is being used to distribute Embargo ransomware. The toolkit also contains a malware loader and an EDR killer tool, named MDeployer and MS4Killer respectively.

The Embargo group primarily leverages MDeployer to facilitate malicious activities on the compromised network. Its main purpose is to decrypt two encrypted files, a.cache and b.cache (dropped by an unknown previous stage), and execute two payloads: MS4Killer and Embargo ransomware. First, MS4Killer is decrypted from b.cache, written to disk as praxisbackup.exe, and executed. The ransomware payload is then decrypted from a.cache, saved as pay.exe, and executed. Once the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system.

The Embargo ransomware, also written in Rust, appends a random six-character extension containing letters and numbers (e.g., .b58eeb) to encrypted files and drops a ransom note titled "HOW_TO_RECOVER_FILES.txt" in every encrypted directory. The researchers found that the ransomware group runs its own infrastructure for communicating secretly with victims, but it also offers the option to negotiate over Tox chat.
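As an added illustration (not part of the original post or the SafeBreach Playbook), the following Python script turns the on-disk artifacts described for NotLockBit and for Embargo/MDeployer above (the .abcd extension paired with a README.txt note, the random six-character extension paired with HOW_TO_RECOVER_FILES.txt, and the praxisbackup.exe / pay.exe / a.cache / b.cache drops) into a simple post-incident triage scan; the sample file listing is constructed.

```python
import os
import re
from collections import defaultdict
from pathlib import PurePosixPath

# On-disk artifacts described in the write-up, used here as triage
# heuristics (constructed example, not SafeBreach Playbook content).
NOTLOCKBIT_NOTE = "readme.txt"
NOTLOCKBIT_EXT = ".abcd"
EMBARGO_NOTE = "how_to_recover_files.txt"
EMBARGO_EXT_RE = re.compile(r"^\.[a-z0-9]{6}$")  # random six-char ext, e.g. ".b58eeb"
MDEPLOYER_DROPS = {"a.cache", "b.cache", "praxisbackup.exe", "pay.exe"}

# Constructed sample listing: a NotLockBit-style folder, an Embargo-style folder,
# a benign ".config" file (six chars but no note), and MDeployer drops in Temp.
SAMPLE_PATHS = [
    "Users/alice/Documents/report.docx.abcd",
    "Users/alice/Documents/README.txt",
    "C/Users/bob/Desktop/contract.pdf.b58eeb",
    "C/Users/bob/Desktop/HOW_TO_RECOVER_FILES.txt",
    "C/Users/bob/notes/scratch.config",
    "C/Windows/Temp/praxisbackup.exe",
    "C/Windows/Temp/pay.exe",
]

def classify_paths(paths):
    """Flag the artifacts above per directory; a folder fires only when the
    ransom note AND a renamed file both appear, so ".config" alone is ignored."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p.replace("\\", "/"))
        by_dir[str(pp.parent)].append(pp.name)
    hits = {"notlockbit": [], "embargo": [], "mdeployer_artifacts": []}
    for d, names in by_dir.items():
        lower = [n.lower() for n in names]
        exts = [PurePosixPath(n).suffix for n in lower]
        if NOTLOCKBIT_NOTE in lower and NOTLOCKBIT_EXT in exts:
            hits["notlockbit"].append(d)
        if EMBARGO_NOTE in lower and any(EMBARGO_EXT_RE.match(e) for e in exts):
            hits["embargo"].append(d)
        hits["mdeployer_artifacts"] += [f"{d}/{n}" for n in names if n.lower() in MDEPLOYER_DROPS]
    return hits

def scan_tree(root):
    """Walk a real directory tree and run the same classification on it."""
    found = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return classify_paths(found)

if __name__ == "__main__":
    print(classify_paths(SAMPLE_PATHS))
```

Run scan_tree() against a mounted image or a suspect share to get the same per-directory verdicts for real data.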

SafeBreach Coverage of Embargo Ransomware and MDeployer

The following individual attacks were added to the Hacker's Playbook and can be individually run to validate organizational controls:

Iranian Threat Group Emennet Pasargad (bd.exe RAT and First.exe Trojan) - What you need to know

A joint cybersecurity advisory released by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the Israel National Cyber Directorate highlights new IOCs being leveraged by the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private-sector names Cotton Sandstorm, Marnanbridge, and Haywire Kitten. Emennet Pasargad has conducted operations affecting multiple countries, including the United States, France, Israel, and Sweden.

According to the advisory, the threat group has undertaken a project to harvest data and content from IP cameras to further its malicious goals. Additionally, it has used fictitious resellers to provision operational server infrastructure, which it provides to its members to carry out malicious activities.

In July 2024, this threat group used "VPS-agent" infrastructure to compromise a French commercial dynamic display provider, attempting to display photo montages denouncing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games. This cyberattack was coupled with disinformation maneuvers, including the publication of a fake news article on a French collaborative media website and the spread of threatening messages to several Israeli athletes and their entourage under the banner of a fake French far-right group, 'Regiment GUD', impersonating the real French far-right group 'GUD'.

SafeBreach Coverage of bd.exe RAT and First.exe Trojan

In addition to the prominent threats above, we also added coverage for the following threats to ensure a comprehensive level of coverage for our customers.
