In a recent revelation by cybersecurity experts at Adlumin, it appears that the notorious Play ransomware has taken a new turn – it’s now being offered as a service for others to exploit.
This discovery sheds light on a concerning trend that could make cyber threats more accessible and widespread.
A Disturbing Lack of Variation
What caught the attention of analysts is the surprising uniformity in the attacks!
It seems like those behind the assaults are not crafting unique strategies but instead are diligently following a playbook that comes with ransomware-as-a-service (RaaS).
It’s like a recipe for disaster for even less-experienced individuals!
Playing by the Same Rules
Adlumin’s investigation into various Play ransomware attacks reveals a pattern that’s almost too consistent to ignore.
Hiding malicious files in the public music folder ➡️using identical passwords for high-privilege accounts ➡️ executing the same commands.
From Exchange Server Exploits to RaaS
Play, also known as Balloonfly and PlayCrypt, made its debut in June 2022 by exploiting weaknesses in Microsoft Exchange Server.
The creators, unique in their approach, not only developed the malware but also carried out the attacks. However, recent developments indicate a shift towards offering Play as a full-fledged RaaS operation.
RaaS: Cybercrime for Everyone
The appeal of this new model lies in its all-inclusive package. RaaS operators now offer complete ransomware kits, including documentation, forums, technical support, and assistance in negotiating ransoms.
It’s like cybercrime made easy, tempting even those with limited hacking skills, often referred to as “script kiddies.”
ZPAQ: The Trojan’s Disguise
This time, the cyber adversaries have opted for a rather unconventional delivery method—utilizing the ZPAQ compression format.
Now, you might wonder, what makes ZPAQ stand out in the world of file compression?
According to the insights shared by G Data malware analyst Anna Lvova, ZPAQ offers a superior compression ratio and incorporates a nifty journaling function.
This translates to smaller archives, saving both precious storage space and bandwidth during file transfers. However, there’s a catch—ZPAQ suffers from limited software support.
Agent Tesla: A Brief Encounter
For those unfamiliar, Agent Tesla is not new. Born in 2014, it operates as a keylogger and remote access trojan (RAT), available to other threat actors through a malware-as-a-service (MaaS) model.
Its modus operandi often involves serving as the initial payload, granting remote access and facilitating the download of more sophisticated tools, such as ransomware.
The goal is to outsmart traditional security measures.
The Endgame
The ultimate aim is to infect the endpoint with Agent Tesla, cleverly concealed using .NET Reactor, a legitimate code protection software.
To communicate and execute commands, the malware relies on the familiar grounds of Telegram.
Kinsing’s Mischief Exposed!
Meet Kinsing, a Linux malware with a notorious track record of targeting misconfigured containerized environments for cryptocurrency mining.
Trend Micro sheds light on the group’s modus operandi, highlighting its penchant for leveraging compromised server resources to reap illicit profits through cryptocurrency mining.
Crypto Mining: Impact on Infrastructure and Performance
Once inside a system, Kinsing doesn’t waste any time. It deploys a cryptocurrency mining script that taps into the host’s resources to mine digital currencies like Bitcoin.
The aftermath? Significant damage to infrastructure and a noticeable hit on system performance, as articulated by Trend Micro.
BattleFront is Expanding!
Frequent use of ransomware as a service, compression formats and phishing attacks has made it evident that the threat landscape has widened.
The solution is resilience and most importantly a commitment to build a secure cyberspace.
Anas Hasan
November 22, 2023
6 months ago
