HYAS Threat Intel Report April 1 2024

Weekly Threat Intelligence Report

Date: April 1, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Each week, we are sharing what we are seeing in our HYAS Insight threat intelligence and investigation platform, specifically a summary of the top autonomous system numbers (ASNs) and malware origins, as well as the most prominent malware families. We identified certain information that raises several concerning points that warrant thorough analysis and consideration.

Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X

Summary of Top ASNs and Malware Origins

AS9318 - SK Broadband Co Ltd (South Korea)

AS9318, also known as SK Broadband Co Ltd, is a significant Internet Service Provider (ISP) based in South Korea. Despite its prominence, there's a notable presence of malware activity associated with this ASN. This suggests potential cybersecurity vulnerabilities within the network infrastructure, possibly stemming from compromised end-user machines or malicious clients. To address this issue, SK Broadband Co Ltd should enhance its security protocols, tighten control over network users, and collaborate with cybersecurity organizations for effective malware mitigation strategies.

AS8968 - BT Italia S.p.A. (Italy)

AS8968, managed by BT Italia S.p.A., is an ASN based in Italy. Despite being a reputable ISP, it exhibits substantial malware activity. This could indicate compromised systems within the network rather than inherent malicious intent from the ISP itself. BT Italia S.p.A. needs to implement stricter security measures to mitigate this issue effectively.

AS216309 - TNSECURITY (UK)

AS216309 is an ASN registered within the UK under TNSECURITY. While the location suggests legitimacy, there are reported instances of high malware activity associated with this ASN. It's imperative to investigate potential cybersecurity threats or lax security protocols within the ISP connected to this ASN. Constant vigilance and improved defenses are crucial in countering such hazards.

AS7684 - Sakura Internet Inc. (Japan)

AS7684, managed by Sakura Internet Inc., is a prominent web hosting and data services provider based in Japan. Despite its reputable services, there's significant malware activity linked to this ASN. This raises concerns about compromised user systems or exploitation of services by malicious entities. A thorough cybersecurity investigation is necessary to mitigate these risks effectively.

Recommended Mitigation/Action Steps

Enhance Security Protocols: Implement stricter security measures within the network infrastructure to prevent malware infections and unauthorized access.

Tighten User Controls: Strengthen user authentication processes and access controls to mitigate the risk of malicious activities originating from compromised user devices.

Collaborate with Cybersecurity Organizations: Engage with cybersecurity organizations for assistance in malware mitigation strategies and threat intelligence sharing.

Thorough Investigation: Conduct a comprehensive cybersecurity investigation to identify the root cause of malware activity and implement targeted remediation measures.

Continuous Monitoring and Improvement: Establish continuous monitoring mechanisms and regularly update security protocols to adapt to evolving cyber threats effectively.

By implementing these mitigation and action steps, ISPs can enhance their cybersecurity posture and mitigate the risks associated with malware activities, safeguarding their networks and users against potential threats.

Analysis of AS216319 Malware Traffic

The discovery of significant Amadey and Redline-based malware traffic within AS216319, registered to CHROMIS LTD in the UK, presents a multifaceted cybersecurity challenge that demands careful scrutiny and strategic response.

Firstly, the identification of malware traffic associated with well-known threat actors like Amadey and Redline underscores the evolving sophistication of cyber threats and the adaptability of threat actors. Both malware families are notorious for their capabilities in data theft, system compromise, and evasion of traditional security measures. The presence of such malware within AS216319 suggests potential security vulnerabilities or compromises within CHROMIS LTD's network infrastructure.

Secondly, the discrepancy between the registered location of AS216319 in the UK and the observed origin of the traffic in Moscow, Russia, raises serious concerns. The involvement of CHROMIS LTD in providing a block of IP addresses to ELITE-HOSTING-LTD in Russia adds complexity to the situation, suggesting possible collusion or unwitting facilitation of malicious activities.

Further investigation is crucial to uncover the underlying mechanisms driving this anomalous behavior and assess the extent of the security breach. Forensic analysis of affected systems and network infrastructure is necessary to identify the root cause of the compromise and gather evidence for potential legal or law enforcement action.

Effective incident response protocols must be enacted promptly to mitigate the impact of the malware traffic and prevent further exploitation. This includes isolating affected systems, blocking malicious IP addresses, and implementing security patches or updates to fortify defenses against future attacks.

Communication and collaboration with relevant stakeholders, including customers, partners, law enforcement agencies, and regulatory bodies, are paramount to share information about the incident, coordinate response efforts, and mitigate potential impacts on affected parties.

Enhanced security measures must be implemented within CHROMIS LTD's network infrastructure to bolster defenses against similar incidents in the future. This includes enhancing intrusion detection systems, network monitoring capabilities, access controls, and employee awareness training to improve overall cybersecurity posture.

Moreover, ensuring compliance with legal and regulatory requirements is essential to mitigate potential legal and reputational risks associated with the incident. CHROMIS LTD must adhere to data protection laws and incident reporting obligations to safeguard customer data and maintain trust and integrity within the cybersecurity community.

In conclusion, the discovery of Amadey and Redline-based malware traffic within AS216319 highlights the critical importance of proactive threat intelligence, robust security measures, and effective incident response capabilities in mitigating cybersecurity threats and safeguarding against malicious activity. Only through diligent investigation, collaboration, and decisive action can CHROMIS LTD address this security breach and strengthen its defenses against future threats.

In response to this information, several actions should be taken:

Immediate Mitigation: CHROMIS LTD should take immediate steps to investigate and mitigate the identified malware traffic. This may involve isolating affected systems, blocking malicious IP addresses, and implementing security patches or updates to prevent further exploitation.

Forensic Analysis: Conducting a thorough forensic analysis of the affected systems and network infrastructure is essential to determine the extent of the compromise, identify the root cause, and gather evidence for potential legal or law enforcement action.

Communication and Collaboration: CHROMIS LTD should communicate with relevant stakeholders, including customers, partners, and law enforcement agencies, to share information about the incident, coordinate response efforts, and mitigate potential impacts.

Enhanced Security Measures: Review and enhance existing security measures, including intrusion detection systems, network monitoring, access controls, and employee awareness training, to prevent similar incidents in the future and strengthen overall cybersecurity posture.

Legal and Regulatory Compliance: Ensure compliance with relevant legal and regulatory requirements, such as data protection laws and incident reporting obligations, to mitigate potential legal and reputational risks associated with the incident.

Sign up for the NEW (and free!) HYAS Insight Intel Feed

Top Malware Families Analysis

1. Urelas

Description: Urelas is a sophisticated malware family known for its stealthy behavior and advanced evasion techniques. It typically operates as a trojan horse, infiltrating systems through deceptive means such as email phishing campaigns or malicious downloads. Once inside a target system, Urelas establishes persistence, allowing remote attackers to maintain control and execute various malicious activities undetected. Common functionalities of Urelas include data exfiltration, remote command execution, and keylogging. It poses a significant threat to both individual users and organizations due to its ability to evade detection by traditional security measures.

2. Sality

Description: Sality is a polymorphic virus that spreads primarily through removable drives and network shares. It infects executable files on infected systems and attaches its malicious code, allowing it to propagate to other systems when executed. Sality is known for its ability to evade detection by antivirus software through encryption and obfuscation techniques. Once infected, Sality compromises system stability and security, potentially leading to data loss, system crashes, and unauthorized access. It also has worm-like capabilities, enabling it to spread rapidly across networks, making it a significant threat to both individual users and large-scale networks.

3. Stealc

Description: Stealc, also known as information-stealing malware, is designed to covertly collect sensitive information from infected systems. It typically targets credentials, financial data, and personal information stored on the victim's device. Stealc variants are commonly distributed through phishing emails, malicious websites, or bundled with other software. Once installed, Stealc operates silently in the background, harvesting data and transmitting it to remote command-and-control servers controlled by threat actors. Its stealthy nature and ability to evade detection make it a potent threat to individuals, businesses, and organizations, posing significant risks to data privacy and security.

4. Amadey

Description: Amadey is a versatile malware family known for its multifunctionality and wide range of malicious capabilities. It is commonly distributed through phishing emails, malicious attachments, or compromised websites. Amadey's functionalities include remote access, keylogging, credential theft, and cryptocurrency mining. It can also download and execute additional payloads, allowing threat actors to customize its behavior for specific malicious purposes. Amadey's adaptability and ability to evade detection by traditional antivirus solutions make it a persistent threat to both individuals and organizations, capable of causing substantial financial and reputational damage.

5. Redline

Description: Redline Stealer is a type of malware designed to infiltrate systems and steal sensitive information. Recognized for its ability to bypass detection, it collects data like usernames, passwords, credit card numbers, and other personal details from a host of applications, including web browsers. It reaches its victims through spear-phishing emails, malicious websites, and infected software downloads. This malware is sold in the cybercriminal underworld, posing serious threats to cybersecurity, and requiring proactive defensive measures against potential intrusions.

Analysis and Recommendations:

Continuous Monitoring: Implement robust monitoring systems to detect and mitigate malware threats promptly.

User Education: Conduct regular security awareness training to educate users about common malware threats and best practices for avoiding infection.

Patch Management: Keep systems and software up to date with the latest security patches to prevent exploitation by malware.

Endpoint Protection: Deploy advanced endpoint protection solutions capable of detecting and blocking known and unknown malware threats.

Incident Response: Develop and regularly test incident response plans to ensure a swift and coordinated response to malware incidents.

Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence to stay informed about emerging malware threats and trends.

By adopting these proactive measures and remaining vigilant against evolving malware threats, organizations can enhance their cybersecurity posture and mitigate the risks associated with the top malware families.

What Can We Learn From This?

Analysis by Adam Lopez, Director of Solutions Engineering, HYAS

The involvement of ISPs from South Korea (AS9318), Italy (AS8968), the UK (AS216309 and AS216319), and Japan (AS7684) underscores the global nature of cybersecurity threats. Malware does not discriminate by geography, affecting ISPs worldwide, indicating the pervasive risk across different network infrastructures. A recurring theme is the presence of malware activity despite the ISPs’ reputations for quality service.

This suggests that even well-managed networks can become vectors for malware dissemination, highlighting the importance of constant vigilance, sophisticated monitoring, and robust security protocols to detect and mitigate threats.

The identification of specific malware families (Amadey, Redline, Urelas, Sality, Stealc) indicates a range of cyber threats, from information stealers to polymorphic viruses, showcasing the complexity and adaptability of cyber adversaries. The diversity of these threats necessitates a multifaceted security approach, combining technical, procedural, and educational strategies to counteract them effectively.

Want more threat intel on a weekly basis?

Follow HYAS on LinkedIn
Follow HYAS on X

Read last week's report:
HYAS Threat Intel Report - March 25, 2024

Sign up for the NEW (and free!) HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.  

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.