Global Threat Intelligence Report

Internal threats are the threats that BlackBerry identifies and guards against within its own customer base. External threats (covered in the next section) are those reported by third parties, such as in industry news publications, security vendors or government agencies.

Type: Infostealer

Targets: Telecommunications, healthcare

Regions: Latin America (LATAM), North America

Vidar is an infostealer that has been around since 2018. Likely the off-shoot of the once-notorious infostealer Arkei, Vidar has remained extremely active and is often sold via malware-as-a-service (MaaS) on underground forums. The malware is highly flexible and can be dropped onto a victim’s device through a variety of ways, such as via phishing documents, malvertising (advertising that spreads malware) and by secondary distribution via other malware. Earlier in 2024, we observed that Vidar was also used to target critical infrastructure. During this reporting period, we observed that Vidar primarily attacked telecommunications and healthcare sectors, especially in LATAM countries, and was also observed targeting healthcare in North America.

Type: Downloader

Targets: Food and agriculture, healthcare

Regions: LATAM, North America

Operational since 2011, SmokeLoader is a prominent delivery mechanism for second-stage malicious payloads including a variety of trojans, infostealers and even ransomware. SmokeLoader, which is sold as MaaS, can also harvest user credentials. It is popular with a number of high-profile threat groups due to its capacity to deploy additional malware. In May 2024, Europol coordinated Operation Endgame to target malicious downloaders. Over 100 malware servers were taken down or disrupted and over 2,000 domains were seized by law enforcement. Though these actions severely crippled the operations of the threat groups behind SmokeLoader, binaries related to the malware were still observed this quarter in the North American healthcare sector and the food and agriculture industry in LATAM.

Type: Infostealer

Targets: Telecommunications, food and agriculture, healthcare

Regions: LATAM, North America

RisePro is a multifunctional infostealer often sold as MaaS on underground forums. RisePro was initially observed in late 2022. Then, in late 2023 and early 2024, BlackBerry noticed a sharp increase of RisePro activity.

The RisePro infostealer can be dropped onto a victim’s device in a variety of ways, frequently through malicious links or email attachments. It has also been deployed via PrivateLoader, a pay-per-install (PPI) malware often used as a malware distribution service.

Once on a victim’s device, RisePro communicates with its command-and-control (C2) server where it receives commands to steal data, drop additional malware and exfiltrate information from the device. This quarter, RisePro was observed targeting food, agriculture and telecommunications companies in LATAM countries and healthcare services in North America.

Type: Downloader

Targets: Education, transportation, healthcare, food and agriculture

Regions: APAC, North America

GuLoader (also known as CloudEyE) is a prominent downloader that distributes other malware. Since 2020, the threat group behind GuLoader has added anti-analysis techniques to make it more difficult for security services to identify its attacks or devise countermeasures. GuLoader commonly works in tandem with other malware, namely infostealers like FormBook, Agent Tesla and Remcos.

During this reporting cycle, GuLoader appeared to target mainly North American organizations in transportation, food and agriculture, and education. However, GuLoader binaries were also found in transportation companies in APAC countries.

Type: Infostealer

Targets: Food and agriculture, energy, finance

Regions: APAC, LATAM, North America

Lumma Stealer (aka LummaC2) is a C-based infostealer that, for the second reporting period running, has targeted food and agriculture companies in LATAM and the energy sector in APAC. Lumma Stealer is MaaS that specializes in exfiltrating sensitive data like login credentials and banking details to commit bank fraud. Additionally, Lumma Stealer targeted financial services firms in both North America and APAC.

Internal threats are the threats that BlackBerry identifies and guards against within its own customer base. External threats (covered in the next section) are those reported by third parties, such as in industry news publications, security vendors or government agencies.

Type: Bot/Infostealer

Targets: Manufacturing, commercial services, capital goods

Regions: Europe, the Middle East and Africa (EMEA), APAC, LATAM

First appearing in 2018, Amadey is a modular malware still active across the threat landscape. Through iterative changes, it has remained relevant with recent advances in its communications. Amadey can gather intelligence and poll victim machines before exfiltrating data to its C2. It is often used as a bot network to spread other malware en masse and frequently facilitates the deployment of infostealers and malicious cryptominers.

During this reporting period, Amadey targeted manufacturing and commercial services in the EMEA, APAC and LATAM regions, as well as capital goods services specifically within LATAM nations.

Type: Downloader

Targets: Manufacturing, commercial services

Regions: APAC, LATAM, North America

PrivateLoader is a widespread facilitator of malware operating as a pay-per-install service for distributing malware. Often distributed via fake websites hosting “cracked” software, PrivateLoader can download a variety of malicious payloads, including a wide range of infostealers like RisePro. PrivateLoader uses a technique known as SEO poisoning to increase the prominence of their fake websites. The technique tricks users by making them assume the top search results are the most credible and is very effective when people fail to look closely at their search results. During this reporting period, PrivateLoader targeted manufacturing in North America and commercial services in LATAM and APAC.

Type: Remote Access Trojan

Targets: Manufacturing, food retailing, commercial services

Regions: APAC, LATAM, North America

Agent Tesla is a prominent remote access trojan (RAT) specializing in information theft which has been actively targeting users with Microsoft Windows OS-based systems since 2014. Sold via underground forums and promoted as a MaaS offering, this commercial malware is known for stealing sensitive data and credentials, recording keystrokes and capturing screenshots of victims’ screens. It is often leveraged in phishing campaigns and hosted/distributed as trojanized cracked software.

A number of sectors were targeted by Agent Tesla this cycle, including manufacturing, food retail and commercial services in countries in APAC, LATAM and North America.

Type: Infostealer

Targets: Food retailing

Regions: APAC

FormBook and its evolution, XLoader, are sophisticated malware families operating both as complex infostealers and versatile downloaders for additional malware. Since their inception, these malware families have been resilient and constantly evolving to evade and circumvent cyber defenses through anti-VM techniques, process injection and custom encryption routines.

Often sold as MaaS, XLoader can steal data from browsers, email clients and a range of other applications. A number of cyber-incidents related to XLoader targeted food retailers in APAC countries this quarter.

Type: Downloader

Targets: Commercial services, food retailing, manufacturing

Regions: APAC, EMEA, North America

GuLoader, also known as CloudEyE, is a prominent downloader used in numerous attacks as a delivery mechanism for other malware. Active since 2020, it has undergone iterative changes, becoming more sophisticated and integrating additional anti-analysis techniques. GuLoader commonly works with other malware, namely infostealers like FormBook, Agent Tesla and Remcos.

This quarter, GuLoader targeted manufacturing in North America, food retailers in APAC and commercial services in both EMEA and APAC.

Type: Infostealer

Targets: Commercial services, capital goods

Regions: APAC

RisePro is a multifunctional infostealer often sold as MaaS on underground forums. RisePro was initially observed in late 2022. Then, in late 2023 and early 2024, BlackBerry noticed a sharp increase of RisePro activity. RisePro can be dropped onto a victim’s device in a variety of ways, often through malicious links or email attachments. It also has been deployed via PrivateLoader, a PPI malware frequently used as a malware distribution service. Once on a device, RisePro communicates with its C2 server where it receives commands to steal data, drop additional malware or exfiltrate information from the victim’s device.

Type: Infostealer

Targets: Manufacturing, food retailing, commercial services, capital goods

Regions: APAC, EMEA, LATAM

Vidar is an infostealer that has been around since 2018 and may be the offshoot of the infostealer known as Arkei. Vidar has been extremely active and is often sold as MaaS through underground forums. The malware is highly flexible and can be dropped onto a victim device in a variety of ways, such as via phishing documents, malvertising (advertising that spreads malware) and by secondary distribution via other malware. During this reporting period, Vidar targeted a host of commercial enterprise industries, including manufacturing in EMEA, food retailing in APAC, capital goods in LATAM and commercial services in both LATAM and APAC.

Beyond the threat actors noted in our internal investigations and findings, several other groups have launched various cyberattacks this quarter. These groups often employ an array of tools and malware to execute their illicit activities. Here, we highlight some of the most impactful attackers and notable tools identified by our Threat Research and Intelligence Team this quarter.

BlackSuit is a private ransomware operation that surfaced in April 2023. This group employs a multifaceted extortion strategy, involving both the exfiltration and encryption of victim data. They also maintain dark web data leak sites where stolen confidential data from noncompliant victims is publicly posted. BlackSuit targets organizations of all sizes across various industries, including healthcare, education, information technology (IT), government, retail and manufacturing.

BlackSuit’s attack methods include phishing emails, malicious torrent files and exploiting vulnerabilities in VPNs and firewalls. The group leverages a mix of legitimate and malicious tools such as Cobalt Strike, WinRAR, PuTTY, Rclone, Advanced IP Scanner, Mimikatz, PsExec, Rubeus and GMER for lateral movement and credential dumping. Their ransomware payloads are designed to target both Windows® and Linux® operating systems and, in some cases, VMware ESXi servers.

The U.S. Department of Health and Human Services has highlighted similarities between BlackSuit and Royal ransomware, suggesting that BlackSuit may originate from Royal’s creator, the notorious Conti group. The encryption mechanisms and command line parameters used by BlackSuit bear a striking resemblance to those found in Royal, indicating a shared codebase.

Targets this period include:

• Kadokawa Corporation, a Japanese media conglomerate, where the group masqueraded as a legitimate component of the Qihoo 360 antivirus software.
• Other notable targets include the town of Cedar Falls in Iowa; an American multinational software company; the Kansas City Kansas Police Department; and global pharmaceutical company Octapharma Plasma, Inc.

BlackBasta (aka Black Basta) is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that surfaced in early 2022. According to a joint report by CISA and the FBI, BlackBasta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, across North America, Europe and Australia.

BlackBasta employs typical initial access methods, including phishing and exploiting known vulnerabilities. After gaining access, adversaries conduct reconnaissance to map the target network and dump credentials using Mimikatz. Using the harvested credentials, ransomware operators escalate privileges and move laterally to compromise the network. Prior to encryption, BlackBasta threat actors disable defenses, exfiltrate sensitive information and delete shadow volume copies to remain hidden until the final strike. The group is known to employ double extortion tactics, encrypting critical data and vital servers and threatening to publish sensitive information on their public leak site.

Targets this reporting period include:

• A prominent U.S. healthcare provider. BlackBasta encrypted the provider’s patient data and its operational systems, compromising patient care and data privacy.
• Keytronic, a U.S. manufacturer. A BlackBasta-attributed cyberattack disrupted its operations and restricted access to essential business applications. Additionally, the company suffered a data breach when the ransomware gang leaked the stolen data.

These attacks highlight BlackBasta’s continued focus on high-value targets across various sectors, employing sophisticated ransomware tactics to maximize their disruption and extortion potential.

LockBit, a cybercriminal group with alleged affiliations to Russia, specializes as a RaaS provider through its eponymous malware. The group’s operators diligently maintain and enhance the ransomware, overseeing negotiations and orchestrating its deployment once a successful breach happens. LockBit employs a double extortion strategy that not only encrypts the local data to restrict victim access, but also exfiltrates sensitive information, threatening public data exposure unless a ransom is paid.

Operation Cronos, an international cybercrime taskforce, severely disrupted LockBit in February. However, the group remained highly active and was the most aggressive in targeting EMEA organizations this quarter. Targets include:

• Localized critical infrastructure. In EMEA, LockBit has largely targeted en masse SMBs, mostly in the United Kingdom, Germany and France. The group primarily focuses on small-scale critical infrastructure targets related to education, healthcare and the public sector.
• Hôpital de Cannes - Simone Veil, in France. A LockBit attack led to severe operational disruptions, compelling the hospital to take all computers offline and reschedule non-emergency procedures and appointments.
• Wichita, the largest city in Kansas with a population of 400,000. This significant ransomware attack forced the city to take its computer systems offline, causing widespread disruption. LockBit publicly posted a ransom deadline on their website, increasing pressure on the city’s administration to comply with their demands.

ShinyHunters is a threat group that first emerged in 2020, and it is known for several data breaches across multiple industries. Their attacks reportedly include those against Indonesian e-commerce company Tokopedia, as well as GitHub and Pizza Hut Australia. ShinyHunters has offered stolen data for sale on forums, occasionally leaking data from some breaches for free. Ironically, the group often finds vulnerabilities through code available in GitHub repositories. It scours unsecured cloud buckets, abuses stolen credentials and leverages phishing attacks to facilitate their breaches.

Other alleged targets for this reporting period include:

• Banco Santander S.A., a Spanish bank serving customers across Latin America, the U.S., the U.K. and Spain. ShinyHunters put data from this breach up for sale for approximately U.S. $2 million, impacting 30 million customers and employees.
• A multinational entertainment ticket sales and distribution company. Their customers had their data stolen via an account on Snowflake, an AI data cloud used by the company. The account lacked multi-factor authentication, which enabled the threat group’s access. ShinyHunters offered to sell this data for U.S. $500,000.

Akira ransomware was first observed in March 2023 and quickly gained notoriety due to its wide-ranging attacks across various sectors. The group’s operations have been characterized by a series of high-profile attacks and a persistent presence in the ransomware landscape. Akira is particularly known for its use of double extortion tactics, where it not only encrypts data but also threatens to leak the stolen data if the ransom is not paid. This approach has proven effective in compelling victims to meet their demands.

Initially focused on Windows systems, Akira has since expanded its operations to include a Linux variant. The group employs common initial access methods, including phishing campaigns and exploiting known vulnerabilities. Akira also utilizes publicly available tools such as Mimikatz and LaZagne for credential access, PsExec for remote execution and AnyDesk or Radmin for remote access.

Akira operates as a RaaS, was initially developed in C++, and uses an .akira extension for encrypted files. A Rust-based variant has also been observed, which uses the .powerranges extension. Akira’s most recent activities have targeted the healthcare, financial services, manufacturing and technology sectors. These attacks highlight the group’s adaptability and continued threat to a broad range of industries.

Tools like Rclone, Rubeus, GMER, WinSCP and Cobalt Strike are vital in data management, penetration testing and system maintenance. Their flexibility and accessibility also make them useful tools to be misused by threat actors.

Cobalt Strike serves as a sophisticated adversary simulation framework meticulously engineered to replicate the persistent presence of threat actors within network environments. Structured around two pivotal components — an agent (Beacon) and a server (Team Server) — Cobalt Strike orchestrates a seamless interaction. The Cobalt Strike Team Server, functioning as a long-term C2 server hosted on the Internet, maintains constant communication with Beacon payloads deployed on victim machines.

While Cobalt Strike is primarily utilized as a tool for penetration testers and red teamers to assess the security posture of networks, it has unfortunately also been exploited by malicious threat actors. Despite its intended purpose, instances of its code being leaked online have occurred, leading to rapid weaponization by a diverse array of adversaries. This dual nature highlights the importance of vigilance and robust cybersecurity measures to mitigate the risks associated with its misuse, safeguarding networks from potential exploitation.

The BlackBerry Research and Intelligence Team analyzed five of the most observed MITRE Techniques:

Hijack Execution Flow (T1574) is a sophisticated technique employed by adversaries to intercept and manipulate the normal execution flow of a system, allowing them to execute malicious code instead. This method was found to be very prevalent in the last quarter, showcasing its popularity due to its effectiveness in achieving persistence and executing unauthorized actions.

There are multiple routes of leveraging the methods under this technique, including DLL search order hijacking, DLL side-loading, and injecting malicious code into legitimate processes. By hijacking the execution flow, attackers can gain control over the system without triggering standard security alerts. This makes it challenging for security tools to detect and prevent future activities by the threat actor. For instance, by placing a malicious DLL in a location that gets searched before the legitimate one, the attacker can ensure their code gets executed when a legitimate application loads the DLL.

One significant advantage of this technique for adversaries is its ability to bypass security measures. Since the malicious code is executed in the context of a trusted process, it can evade traditional security mechanisms that rely on process behavior analysis. This capability makes Hijack Execution Flow particularly dangerous, as it can be used to perform a wide range of malicious activities, from privilege escalation to data exfiltration.

To defend against T1574, organizations should implement comprehensive security measures, including application whitelisting, rigorous patch management, and continuous monitoring of system and network activities. Regularly updating software and ensuring that only authorized applications can run significantly reduces the risk of execution flow hijacking.

User awareness training also plays a vital role in helping employees recognize signs of potential execution flow hijacking attempts, contributing to a robust security posture. Finally, employing advanced threat detection solutions that can identify abnormal behavior patterns associated with this technique is crucial for timely detection and response. Some examples of use of T1574 include:

• DLL Search Order Hijacking: A common example is the exploitation of the DLL search order in Windows. If an attacker places a malicious msvcrt.dll in the application’s working directory, it may be loaded by the application instead of the legitimate version from the system directory.
• DLL Side-Loading: In 2018, the APT group OceanLotus used DLL side-loading with the legitimate Microsoft Word executable to load a malicious DLL that established persistence and executed further payloads.
• COM Hijacking: An attacker registers a malicious COM object under a specific registry key that a legitimate application frequently queries. When the application calls the COM object, the malicious code is executed instead of the intended COM object.
• Windows AppInit_DLLs: By modifying the registry keys like AppInit_DLLs, an attacker ensures their malicious DLL is loaded into all applicable processes, granting them control over these processes.
• Injection into Legitimate Processes: A known case is this technique involves the use of reflective DLL injection by the Cobalt Strike tool, where the payload is injected into a legitimate process to evade detection by security software.

In the Boot or Logon Autostart Execution (T1547) technique, an attacker first ensures that the malware runs automatically during system startup or user login. Then the attacker uses mechanisms such as registry keys, startup folders, scheduled tasks, or service registrations to maintain persistence or to gain elevated privileges on the compromised system. These mechanisms are designed to facilitate legitimate software functionality and system management tasks on the operating system. However, adversaries can abuse these functions to embed their malicious code, thus helping it to blend in with normal system operations. Understanding and securing these critical operating system mechanisms is essential for protecting against unauthorized persistence and privilege escalation.

Here is an example of a registry key location frequently used to establish persistence:

‘HKLM\Software\Microsoft\Windows\CurrentVersion\Run’ – This is the Windows registry used to configure programs to run automatically when the operating system starts.

An example of a Startup Folder used to establish persistence is:

‘%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup’ – This path leads to the Startup Folder, where shortcuts to programs that should start automatically when the user logs on are placed.

The following is an example of how service creation can be leveraged for persistence:

‘sc create Updater binPath= “C:\Windows\malicious[.]exe” start= auto’ – The command utilizes the service utility to create a service named “Updater” that is configured to start automatically at system boot.

Another example of establishing persistence and gaining elevated privileges is through the Windows Task Scheduler:

‘schtasks /create /tn “Updater” /tr “C:\Windows\malicious[.]exe” /sc onlogon /ru SYSTEM’ – The command creates a scheduled task named “Updater” that runs the executable malicious.exe in the specified location every time a user logs on, with the specific task running under the SYSTEM account for elevated privileges.

The MITRE technique Impair Defenses (T1562), under the tactic Defense Evasion (TA0005), was recognized as one of the top five most commonly occurring techniques used by adversaries this reporting period. This technique alters elements of a victim’s environment to hinder or disable defensive mechanisms. Adversaries not only impair preventive defenses like firewalls and antivirus (AV) software but also disrupt detection capabilities that defenders use to audit activity and identify malicious behaviors.

When threat actors successfully impair a victim’s defenses, they gain the freedom to attack without being detected. This allows them to inject malicious binaries, which can be used to exploit other MITRE techniques, such as keyloggers, worms, trojans and malicious web shells. These can all lead to ransomware being executed on a machine.

It is crucial to employ protective measures against the MITRE technique T1562 to safeguard your system from such attacks. This technique is often used at the beginning of an attack, making it essential to detect and counteract it as early as possible.

Below is a list of command lines that are useful to monitor:

• sc stop <ServiceName>
• sc config <ServiceName> start=disabled
• net stop <ServiceName>
• taskkill /IM <ToolName> /F
• netsh advfirewall set allprofiles state off
• bcdedit.exe /deletevalue {default} safeboot
• bcdedit /set {default} recoveryenabled no

The Application Window Discovery technique (T1010), under the Discovery tactic (TA0007), was identified by BlackBerry specialists as one of the top techniques used by cyberthreat actors in this reporting timeframe. This technique involves listing open Windows applications, providing threat actors with useful insights into the usage patterns of the target system. This information can be invaluable in identifying specific data worth collecting, as well as the security software that attackers must evade to avoid detection. Threat actors use this technique to better understand the environment and plan their attack to be as aggressive as possible without being detected.

To first get the list of open Windows applications, attackers typically exploit built-in system features. For example, they might utilize commands from the Command and Scripting Interpreter, or functions from the native API to collect the necessary information. These native tools and functions are often used because they are less likely to cause suspicion and can offer comprehensive information about the system.

Given that these behaviors are suspicious and can provide an adversary with significant information about the victim’s system, it is important to have a security software configuration capable of detecting these commands or actions executed by adversaries.

Below is a list of command lines that may be useful to monitor:

• gps | where {$_.mainwindowtitle}
• Get-Process | Where-Object MainWindowTitle
• “cscript.exe”, “rundll32.exe”, “explorer.exe”, “wscript.exe”, “PowerShell.exe”, “pwsh.dll”, “winlogon.exe”, “cmd.exe” being the parent process to the use of these APIs: “user32.dll!GetWindowTextA”, “user32.dll!GetForegroundWindow”, “user32.dll!GetActiveWindow”, “user32.dll!GetWindowTextW”
• tasklist & tasklist /v

The MITRE ATT&CK framework identifies Software Discovery (T1518) as a key technique under the Discovery tactic (TA0007). This method is frequently used by adversaries to gain insight into the software environment of targeted systems, making it a critical step in many cyberattacks. Software Discovery allows attackers to identify vulnerabilities by determining which applications and versions are installed on a system. This information helps adversaries exploit outdated or unpatched software, plan ways to disable or evade security measures and tailor their attacks for maximum effectiveness.

Common methods for software discovery include using Windows Management Instrumentation (WMI) with commands like wmic “product” get name, version, vendor and PowerShell scripts such as Get-ItemProperty or Get-WmiObject. These methods enable attackers to retrieve detailed software information, query the Windows registry, and identify running processes and associated applications. The implications of successful software discovery are significant. Attackers can exploit identified software vulnerabilities to escalate privileges or execute arbitrary code. They can also disable or circumvent security defenses, increasing the likelihood of operating undetected. Additionally, by understanding the software environment, adversaries can deploy malware specifically targeting discovered applications, enhancing the efficacy and stealth of their attacks.

To protect against this technique, organizations should implement robust monitoring and alerting mechanisms. Monitoring the use of commands and scripts commonly associated with software discovery is essential. Employing advanced threat detection systems that use behavioral analysis can help detect unusual activities. Ensuring all software is up-to-date and patched, limiting the use of administrative tools to authorized personnel, and maintaining comprehensive logs of command execution are also crucial steps.