Good morning folks! I know I slacked off last week, but I finally have some updates on the threat side of things that we all should be aware of:

Our friends at Talos did some cool research on a new Remote Access Trojan (RAT) that they are calling SugarGh0st. They assess with low confidence that it may be the work of a Chinese-speaking threat actor. So far the targets have been a variety of orgs in South Korea and the Ministry of Foreign Affairs in Uzbekistan. There are a lot of findings here that indicate the notorious Gh0st RAT has gotten some new tricks. This one begins with forged decoy documents that carry embedded RAT payloads, and expands on Gh0st with some new recon capabilities and evasion techniques that we can expect will make their way into ops against other target areas.

  • Want a high-level primer? https://blog.talosintelligence.com/new-sugargh0st-rat/
  • Want to get nerdy? https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/

The Israel-Hamas conflict in Gaza has spurred a lot of threat actors to join the fray. One in particular has pivoted from targeting education to attacking the Israeli power grid. This is a trend we see in a lot of the more mature threat actors: they progress in sophistication and bring their unique traits to the field. WildCard, so dubbed by Intezer, has some interesting tactics worth learning about for the geeks. Their malware of choice is SysJoker, hence their APT name, and they are probably responsible for a massive early attack on the Israeli power grid in 2017 that was called Electric Powder. We expect that many potential adversaries are learning from these folks. Sandworm isn’t the only teacher in the space!

  • Want a high-level primer? https://cyberscoop.com/hacking-israel-wild-card/
  • Want to get nerdy? https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/

Last update we talked about Scattered Spider getting skittish and running from the pressure. The US’s CISA and FBI have since issued a joint advisory warning about some of the group’s more foundational capabilities. They are seeking any reports that can help further build their case.

Things I am keeping an eye on myself?

  • Ukraine has its work cut out for it on many fronts. It just took out a huge chunk of ransomware talent, though! 71 folks arrested! These perps were accused of deploying LockerGoga, MegaCortex, HIVE and Dharma ransomware.
  • An interesting TrendMicro report notes that RaaS attacks are up 47%. They also found the number of groups has increased 11%. Most interesting, 1-in-6 ransomware attacks are conducted by the venerable Lockbit ransomware group. I’m taking the action to learn a lot more about them.
  • Blackberry’s new Threat Report is out now.
  • Okta. Again.

Please reach out if you want to talk shop or have any questions!