DFIR_Janitor

"In the beginning the Internet was created. This made a lot of people mad and was widely regarded as a bad move", DFIR enthusiast, personal account

DFIR_Janitor boosted:
2024-12-16

While the #Akira #ransomware leak site experienced availability issues in October, reports of their demise have been greatly exaggerated. The burst of new victim activity when the site came back online in November caused some speculation that this was their final act before a rebrand or shutting down. Sophos X-Ops is still observing Akira activity across our MDR and Incident Response customers, including 8 incidents following the leak site disruption.

DFIR_Janitor boosted:
2024-11-08

Sophos X-Ops will provide further updates and technical analysis on STAC 5881 and Fog and Frag ransomware here: news.sophos.com/en-us/2024/11/

DFIR_Janitor boosted:
2024-06-26

Sophos detects this activity as Troj/Agent-BKNP, Troj/Gapz-E, Troj/Loader-CR & Troj/Steal-DXW. We will continue to post updates on these activity clusters’ activity here and on the Sophos research blog. IOCs for these attacks can be found on Sophos X-Ops’ GitHub here: github.com/sophoslabs/IoCs/blo.
/end

DFIR_Janitor boosted:
2024-06-26

We also found additional command and control activity executed through sideloading of Trend Micro’s ASDTool.exe, which leveraged a shellcode loader in the form of msi.dll to chain their C2 payload, msiconf.dll. This same shellcode loader was identified as being sideloaded by an additional Trend Micro tool, DVASS.exe, renamed as WUDFUsbccidDriver.exe. /5

DFIR_Janitor boosted:
2024-06-26

These backdoors provide persistence, command and control, and keylogging. Below, disassembly of the keyboard logging through the sideloaded user32.dll /4

[Image: Disassembly view of a function that loads user32.dll and retrieves the address of the GetKeyboardState function]
[Image: Disassembly view of a function that loads user32.dll and retrieves the address of the GetKeyState function for keylogging purposes]

DFIR_Janitor boosted:
2024-06-26

The source of the command was an updated version of the CCoreDoor (aka EtherealGh0st) malware via DLL sideloading through mscorsvw.exe (part of the .NET framework). /3

DFIR_Janitor boosted:
2024-06-26

We covered three security threat activity clusters in our report. One of those, STAC1807 (Cluster Bravo)—the least active during our observation of activities during the reported intrusion—has been observed in operation elsewhere.

An investigation into incidents at two organizations in Southeast Asia, which were resolved by MDR, uncovered malware being deployed by way of a script downloaded from an unrelated healthcare organization’s Exchange web email server, retrieved with a curl command. /2

DFIR_Janitor boosted:
2024-06-26

Sophos continues to observe Chinese state-sponsored espionage targeting a wide range of organizations in Southeast Asia tied to the activity we recently covered in our Operation Crimson Palace report in recent incidents handled by Sophos MDR.

news.sophos.com/en-us/2024/06/ /1

DFIR_Janitor boosted:
2024-02-22

We’ve also seen other ScreenConnect abuse in our telemetry, some delivering AsyncRAT (via WSF script execution); infostealers; and SimpleHelp Remote Access Client

2023-11-30

@GossiTheDog I think we can safely update the dictionary to list this as a prime example of "Fuck You Money"

2023-02-27

@bencrypted @th3_protoCOL I broke down finally! 😉
