A new ransomware family, BlueSky, has been discovered. It primarily targets Windows hosts, uses multi-threading to speed up encryption, and may be aimed at users in Ukraine, since its code overlaps with tooling used by the Russian-speaking Conti and Babuk ransomware operations. BlueSky's multithreading module closely resembles the Conti v3 source code, and its network-share enumeration module is an exact copy of it. Like Babuk, BlueSky encrypts files with ChaCha20 and uses Curve25519 key agreement to derive the per-victim keys. To hinder analysis, BlueSky uses string encryption, API obfuscation and anti-analysis tricks that slow down reverse engineering. Because of these code overlaps, antivirus products and other security tools frequently detect and label the ransomware as Conti.
Meanwhile, the state-backed Russian cyber espionage group APT29 (also tracked as CozyBear, CozyDuke, Nobelium and Group 100), whose activity is attributed to Russia's Foreign Intelligence Service (SVR), was particularly active in 2022, targeting Microsoft 365 accounts at organizations involved in shaping the foreign policy of NATO countries that support Ukraine. In espionage campaigns that have since been exposed, the group went after these accounts to obtain foreign-policy information. It continues to show exceptional operational security, making it hard for analysts to detect and reconstruct its methods. To keep compromised accounts from being audited, the operators disable auditing on the target user's mailbox before touching its mail folders; e-mail harvesting is the most likely activity once auditing is off. The group has also been observed running successful password-guessing attacks that let it take over dormant accounts and reuse the access they provide, and it has relied on "MFA fatigue", bombarding victims with push notifications until one was accepted.
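The three account-takeover patterns above (auditing switched off before mailbox access, MFA push spam ending in an approval, and a dormant account revived by a burst of failed logins) are all visible in Microsoft 365 sign-in and audit telemetry. The following detection logic is an added example, not code from any of the reports summarized here; the flat event format, the field names and the threshold values are assumptions, and the sample events are constructed, loosely modelled on M365 records.

```python
"""Simple detections for the APT29 account-takeover patterns described above.
Added example: event schema (ts, user, kind, result) and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. kinds: signin, mfa_push,
# audit_disabled, mail_access. Timestamps are ISO-8601, assumed UTC.
SAMPLE_EVENTS = [
    # Dormant account: one old success, then a burst of failures, then a success.
    {"ts": "2022-03-01T08:00:00", "user": "j.doe@example.org", "kind": "signin", "result": "success"},
    {"ts": "2022-08-10T02:11:00", "user": "j.doe@example.org", "kind": "signin", "result": "failure"},
    {"ts": "2022-08-10T02:14:00", "user": "j.doe@example.org", "kind": "signin", "result": "failure"},
    {"ts": "2022-08-10T02:17:00", "user": "j.doe@example.org", "kind": "signin", "result": "failure"},
    {"ts": "2022-08-10T02:20:00", "user": "j.doe@example.org", "kind": "signin", "result": "success"},
    # MFA fatigue: repeated rejected/ignored pushes, then one approved.
    {"ts": "2022-08-11T22:00:00", "user": "a.smith@example.org", "kind": "mfa_push", "result": "denied"},
    {"ts": "2022-08-11T22:02:00", "user": "a.smith@example.org", "kind": "mfa_push", "result": "timeout"},
    {"ts": "2022-08-11T22:04:00", "user": "a.smith@example.org", "kind": "mfa_push", "result": "denied"},
    {"ts": "2022-08-11T22:06:00", "user": "a.smith@example.org", "kind": "mfa_push", "result": "denied"},
    {"ts": "2022-08-11T22:09:00", "user": "a.smith@example.org", "kind": "mfa_push", "result": "approved"},
    # Mailbox auditing disabled, then mail items accessed shortly afterwards.
    {"ts": "2022-08-12T03:00:00", "user": "a.smith@example.org", "kind": "audit_disabled", "result": "success"},
    {"ts": "2022-08-12T03:05:00", "user": "a.smith@example.org", "kind": "mail_access", "result": "success"},
    # Benign noise: a single mis-tap followed by an approval.
    {"ts": "2022-08-12T09:00:00", "user": "b.lee@example.org", "kind": "mfa_push", "result": "denied"},
    {"ts": "2022-08-12T09:01:00", "user": "b.lee@example.org", "kind": "mfa_push", "result": "approved"},
]


def _by_user(events):
    """Parse timestamps, sort chronologically and group events per user."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    return grouped


def detect_mfa_fatigue(events, min_rejected=3, window=timedelta(minutes=15)):
    """Users who approved a push after at least `min_rejected` rejected or
    ignored pushes inside `window`: the signature of push-notification spam."""
    hits = set()
    for user, evs in _by_user(events).items():
        pushes = [e for e in evs if e["kind"] == "mfa_push"]
        for i, e in enumerate(pushes):
            if e["result"] != "approved":
                continue
            earlier = [p for p in pushes[:i]
                       if p["result"] != "approved" and e["ts"] - p["ts"] <= window]
            if len(earlier) >= min_rejected:
                hits.add(user)
    return sorted(hits)


def detect_dormant_takeover(events, dormant=timedelta(days=90),
                            min_failures=3, window=timedelta(minutes=30)):
    """Successful sign-in to an account idle for at least `dormant`, preceded
    by `min_failures` failed attempts inside `window`: password guessing that
    finally landed on an account nobody was watching."""
    hits = set()
    for user, evs in _by_user(events).items():
        signins = [e for e in evs if e["kind"] == "signin"]
        last_success = None
        for i, e in enumerate(signins):
            if e["result"] != "success":
                continue
            if last_success is not None and e["ts"] - last_success >= dormant:
                fails = [s for s in signins[:i]
                         if s["result"] == "failure" and e["ts"] - s["ts"] <= window]
                if len(fails) >= min_failures:
                    hits.add(user)
            last_success = e["ts"]
    return sorted(hits)


def detect_audit_disable_then_access(events, window=timedelta(hours=24)):
    """Mail access within `window` after auditing was disabled on the same
    mailbox: the operator turned the lights off before going through the mail."""
    hits = set()
    for user, evs in _by_user(events).items():
        off_times = [e["ts"] for e in evs if e["kind"] == "audit_disabled"]
        for e in evs:
            if e["kind"] != "mail_access":
                continue
            if any(timedelta(0) <= e["ts"] - t <= window for t in off_times):
                hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("Dormant takeover:", detect_dormant_takeover(SAMPLE_EVENTS))
    print("Audit off, then mail access:", detect_audit_disable_then_access(SAMPLE_EVENTS))
```

Each detector is deliberately narrow: a single denied push followed by an approval (b.lee) is normal user behaviour and is not flagged, and the audit-disable rule only fires when the same mailbox is read afterwards, which is what separates a routine configuration change from the pre-harvesting step described above. In a real tenant the thresholds should be tuned against baseline data, and the audit-disable check should also cover the mailbox-level and organization-level auditing settings, since either can be switched off.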
Analysts are also reporting a remote access Trojan (RAT) for Android and Windows called Escanor, which is actively marketed through a Telegram channel of the same name run by a Telegram account named HAX_CRYPT. The Windows variant is delivered through malicious Microsoft Word, Excel, PDF or HTML5 files and installs a Hidden VNC (HVNC) client, giving the operator a full graphical remote desktop on the victim's machine without the user noticing. The Android variant can track the device's location, activate the camera and capture one-time password (OTP) codes sent by banks and other institutions over SMS. The same seller has also offered cracked versions of other tools actively used by Russian cyber groups, including Venom RAT, Cobalt Strike and Security Killer HVNC. Most items on the channel are priced cheaply, between 50 and 100 US dollars, and paid for in various cryptocurrencies.
Russian state-sponsored cyber groups continue to update their tactics, techniques and procedures. Analysts expect them to stay highly prepared and to keep refining their access methods and tactics in new and stealthier ways, while cybercriminals of varying skill levels will use cheap, readily available off-the-shelf malware to gain access to victims' computers and mobile devices.
The best defence, especially for Ukrainian users, against these disruptive and dangerous intrusions is a strong endpoint security solution combined with monitoring of end devices for suspicious events, and scrutiny of e-mail attachments and of links that download Excel, Word, PDF or HTML files.