RansomHub: Attackers Leverage New Custom Backdoor

This article discusses a range of exploits and malware variants associated with RansomHub, Betruger, and various other threats. Notably, it highlights multiple file hashes identified as indicators of compromise related to these malware families. The findings point to significant concerns for the cybersecurity landscape, with active threats against several platforms. Affected: RansomHub, Betruger, EDRkillshifter, SystemBC, NetScan, Atera, Mimikatz, Splashtop

Key points:

  • Identification of multiple hashes related to RansomHub and Betruger malware variants.
  • Identification of several exploits linked to the CVE-2022-24521 and CVE-2023-27532 vulnerabilities.
  • Discussion of various tools and methods, including Rclone, Mimikatz, and other unknown files.
  • Highlighting of the impact and potential risks posed by these cyber threats.
  • Recognition of notable tools used in the attacks, such as ScreenConnect and Splashtop.

MITRE Techniques:

  • Exploitation for Client Execution (T1203) – Used CVE-2023-27532 exploit to execute code on target systems.
  • Credential Dumping (T1003) – Employed Mimikatz and Secretsdump for harvesting user credentials.
  • Remote Services (T1021) – Utilized Stowaway Proxy Tool and Splashtop for remote access to compromised machines.
  • Data Encrypted for Impact (T1486) – Associated with the RansomHub malware family targeting data encryption.
  • Utilization of Scripts (T1064) – Deploying VBS scripts in the attack vectors for malicious purposes.

Indicators of Compromise:



Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-betruger-backdoor