Halcyon Threat Insights 002: February 2024

The following are high-level findings from the Halcyon Threat Research and Intelligence team, detected in February 2024. As always with shifting ransomware landscape, there are some interesting trends that can be uncovered with enough data.

Ransomware Prevented per Industry Vertical

Finance, IT and Education were the most targeted industry verticals in February 2024:

• Finance & Insurance 31%
• Information & Technology 19%
• Education 13%
• Professional, Scientific & Technical Services 8%
• Transportation & Warehousing 8%
• Manufacturing 5%
• Healthcare & Pharmaceutical 4%
• State & Local Government 4%
• Arts, Entertainment & Recreation 3%
• Retail Trade 2%
• Other 1%
• Utilities 1%
• Construction 0.4%
• Accommodations & Food Services 0.3%
• Mining 0.3%

Threat Types by Category

Ransomware Precursors: Trojans Take the Lead

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our client’s environments. These stealthy malware strains are precursors to the delivery of the ransomware payload.  

Ransomware pre-cursors can be leveraged by attackers for:

• initial access
• bypassing or evading security tools
• establishing persistence
• credential theft
• lateral movement and privilege escalation
• living-off-the-land (LotL) techniques
• establishing command and control (C2)
• the exfiltration of sensitive data
• delivering other malicious payloads including ransomware

Some of the stealthy Trojans Halcyon detected include:  

ClipBanker Trojan

This sophisticated malware targets sensitive information, particularly focusing on cryptocurrency transactions. It operates by monitoring the Windows clipboard for manipulating or stealing data, including currency-related information.  

The malware employs various methods to infiltrate systems, often masquerading as legitimate cryptocurrency applications or being installed via Trojan droppers. Once inside, ClipBanker attempts to evade detection by whitelisting itself in common antivirus software, making it a stealthy and dangerous threat to infected machines.  

Trojan:Win32/Doina.RPX!MTB

This Trojan is a sophisticated cyber threat that employs a PowerShell script with a Domain Generation Algorithm to steal cryptocurrency wallets from infected machines. Additionally, it attempts to whitelist itself from antivirus software for evasion, rendering it virtually invisible to most security tools.  

Trojan.VMProtect/Convagent

This is a VMProtect-packed Trojan with anti-VM (virtual machine) capabilities to avoid sandboxing and other attempts at analysis. This malware is commonly associated with costly data destruction attacks and serious network performance disruptions.  

RedLine Stealer Trojan

This commodity malware is commonly used for data exfiltration, one of the more common TTPs ransomware operators employ for double extortion schemes where sensitive data is first exfiltrated before the encryption process commences.  

The data is then leveraged to compel a ransom payment or used for further extortion if the victim recovers impacted systems without having paid a ransom demand to receive the decryption key from the attackers. It is also commonly leveraged as a dropper for secondary malware payload deployments.  

Trojan Encoded/Blowfish

This stealthy Trojan employs XOR encoding and Blowfish encryption to manipulate data covertly and securely. It exploits task scheduling to automate its execution and communicates over application layer protocols to evade detection by security tools.  

Ransomware operators have become adept at bypassing, unhooking, blinding or otherwise evading traditional endpoint security tools, which is why even larger organizations with mature security programs and a full security stack continue to find themselves victims of successful ransomware attacks.

Trojan.Malgent/RedCap

This backdoor Trojan resets Microsoft Teams and Microsoft Office credentials and abuses Microsoft Exchange Servers for data exfiltration. Again, data exfiltration has become a very effective and common tactic for ransomware operators.  

Even if an organization can successfully recover from a ransomware attack without paying a ransom demand to the attackers, the loss of sensitive data in the attack can put the organization at risk of legal and regulatory actions or result in the loss of market viability should the data contain intellectual property and/or trade secrets.

Other Trojans of note:

• VBS/BadJoke.MR!tr Trojan: A versatile Trojan with capabilities including remote access and Denial of Service (DoS) attacks.  
• Trojan Disguised as Crack/Keygen: Malware masquerading as legitimate crack/keygen software for compromising systems and potentially downloading additional malware payloads.  
• Trojan.Fraudpack: Rogue program masquerading as an antivirus application, misleading users and causing system damage.  
• Backdoor.Win32.Androm: A backdoor Trojan with modular capabilities often used to load additional malware onto infected systems.  
• KMSAuto Windows Crack: An illegal activation tool for Windows operating systems, often bundled with malware.  
• KMS Windows Hack: A Windows activation tool used for illegal purposes, potentially bundled with other malicious payloads.  
• Crypto Miner: Unauthorized crypto mining software that exploits system resources.

These findings highlight the diverse range of sophisticated malware targeting various systems, emphasizing the importance of robust security measures to prevent data theft, system compromise, and unauthorized access.  

‍

‍Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.