More Spiders, Babuk Locker, and More Big Game Hunting

Written February 22nd, 2021

Editor’s Note: This series highlights current threats our cybersecurity experts guard against on a regular basis, for NetCentrics’ government and commercial clients.

There isn’t a shortage of spiders in the world. As in the last cybersecurity threat report, several new spiders have recently announced their arrival, including SOLAR SPIDER and CIRCUS SPIDER. Also on the rise is BGH (“Big Game Hunting”) ransomware. Let’s dive into these.

Solar Spider and Circus Spider

SOLAR SPIDER uses emails containing a 7zip (.7z) archive attachment, which in turn contains a malicious HTA file. When the HTA file is opened, it runs an embedded JSOutProx JavaScript payload. According to CrowdStrike, at least two phishing campaigns were identified impersonating the Reserve Bank of India.
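As an added example (not from the NetCentrics post or CrowdStrike’s reporting), here is mail-gateway triage logic for the delivery chain just described: a .7z attachment carrying an HTA that runs embedded JavaScript. The attachment bytes, the filenames and the HTA marker list are constructed assumptions, and archive extraction is left to whatever unpacker or sandbox the gateway already uses.

```python
# Added example: flag the 7z -> HTA -> embedded JavaScript delivery chain.
# Sample data is constructed; the marker list is an assumption, not a vendor signature.
import re

SEVENZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"  # real 7z file signature

# Constructs that an HTA needs in order to execute script on open.
HTA_SCRIPT_MARKERS = [
    re.compile(rb"<hta:application", re.I),
    re.compile(rb"<script[^>]*(jscript|javascript)", re.I),
    re.compile(rb"ActiveXObject\s*\(", re.I),
]


def is_7z(data: bytes) -> bool:
    """Identify the archive by magic bytes, not by the (spoofable) extension."""
    return data.startswith(SEVENZIP_MAGIC)


def hta_findings(data: bytes) -> list:
    """Return the script-execution markers present in an HTA body."""
    return [m.pattern.decode() for m in HTA_SCRIPT_MARKERS if m.search(data)]


def triage_attachment(name: str, data: bytes, inner_files: dict = None) -> list:
    """Return reasons to quarantine an attachment; an empty list means clean.

    inner_files maps member filename -> bytes for an archive's contents
    (assumed to come from the gateway's existing unpacker or sandbox).
    """
    reasons = []
    lowered = name.lower()
    if is_7z(data) or lowered.endswith(".7z"):
        reasons.append("7z archive attachment")
        for inner_name, inner_data in (inner_files or {}).items():
            if inner_name.lower().endswith(".hta"):
                reasons.append(f"archive contains HTA: {inner_name}")
                found = hta_findings(inner_data)
                if found:
                    reasons.append(f"HTA executes script: {found}")
    elif lowered.endswith(".hta"):
        reasons.append("bare HTA attachment")
        found = hta_findings(data)
        if found:
            reasons.append(f"HTA executes script: {found}")
    return reasons


# Constructed samples: a minimal 7z header and an HTA that spawns a shell object.
SAMPLE_7Z = SEVENZIP_MAGIC + b"\x00" * 16
SAMPLE_HTA = (b'<html><hta:application id="x"/>'
              b'<script language="JScript">var o = new ActiveXObject("WScript.Shell");'
              b"</script></html>")
```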

CIRCUS SPIDER, meanwhile, is keeping the U.S. Department of Justice (DOJ) busy. The DOJ seized a ransomware affiliate using CIRCUS SPIDER’s dedicated leak site (DLS) and charged Sebastian Vachon-Desjardins with four different crimes. The ransom take totaled an estimated $27.6 million, according to Bleeping Computer. “This operation does not mean it’s the end of the Netwalker operation but it’s definitely a step closer,” writes Ionut Ilascu. Let’s hope so, but we’ll see.

Babuk Locker and Big Game Hunting

According to Security Intelligence, Babuk Locker has earned the “dubious title of first new enterprise ransomware strain of 2021.” CrowdStrike reports that it successfully infected a UK-based professional services company. This company held multiple government contracts, including some associated with the UK National Health Service (NHS) Test and Trace programme used to contain the spread of COVID-19. Victims were redirected and instructed to use a personal chat portal. Once there, they were pressured to pay the ransom. This ransomware group has loudly stated its intention to become a BGH actor.

Ransomware attackers continue to refine their approaches. Here are two recent examples. One Phobos ransomware operator was observed deploying ransomware from an adversary-controlled machine, possibly a first. The other was an Android backdoor used by VELVET CHOLLIMA. The group used this backdoor to infect an open-source messenger app and a cryptocurrency monitor app called CapMarket.

With this and other recent activity, remember: threat actors are willing and able to do damage. Stay alert and keep your patches updated. Here are the FBI’s recommendations to protect yourself from ransomware.

Photo: Juan Pablo Mascanfroni