CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks

Subject: CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks

Tactics: TA0005 Defense Evasion, TA0002 Execution, TA0040 Impact, TA0001 Initial Access

Technique: T1059 Command and Scripting Interpreter, T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery, T1566.002 Phishing: Spearphishing Link

Procedure:

T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.

T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.

T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.

Vulnerability: EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

Engagement Opportunity:

CyberVolk’s reliance on social engineering tactics like phishing presents an opportunity to engage with the group through user awareness training and simulated phishing campaigns. This can help identify vulnerable users and improve overall organizational resilience to such attacks.

Threat Actor: CyberVolk (GLORIAMIST)

Threat Objective:

Disrupting operations and extorting money from entities opposed to Russian interests.

Deception Opportunity:

Deploy decoy files and folders within the network that mimic sensitive data or critical system files. Monitor attempts to access or exfiltrate these decoy files to identify attacker activity and gather intelligence on their tools and techniques.
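One way to operationalise the decoy-file idea above, as an added example (not part of the SentinelOne report or of any CyberVolk tooling): plant plausibly named decoy documents, record a SHA-256 baseline, and on each check report decoys that were modified, or that vanished and were replaced by a renamed copy, which is what an encryptor writing a new extension leaves behind. The decoy names, the `Finance` folder and the `.locked` extension in the demo are constructed.

```python
"""Decoy (canary) files: plant, baseline, and re-check for tampering.

Added example; paths, decoy names and the ".locked" extension are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names: they only need to look worth touching to an automated encryptor.
DECOY_NAMES = [
    "Q3_payroll_export.xlsx",
    "vpn_credentials_backup.txt",
    "board_minutes_draft.docx",
]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_decoys(root: Path) -> dict[str, str]:
    """Write the decoys under root and return a baseline of {path: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline: dict[str, str] = {}
    for name in DECOY_NAMES:
        p = root / name
        # Filler content; the decoy never holds a real secret.
        p.write_bytes(f"DECOY FILE {name}\n".encode() * 8)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_decoys(baseline: dict[str, str]) -> list[dict]:
    """Compare the current state with the baseline; one alert per decoy that changed."""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # A vanished decoy is often sitting next door under a new extension.
            replacements = sorted(s.name for s in p.parent.glob(p.name + ".*"))
            alerts.append({"decoy": p.name, "event": "missing", "replacements": replacements})
        elif _sha256(p) != digest:
            alerts.append({"decoy": p.name, "event": "modified", "replacements": []})
    return alerts


def demo() -> list[dict]:
    """Plant decoys in a temp dir, simulate tampering (constructed), return the alerts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "Finance"
        baseline = deploy_decoys(root)
        # Simulated tampering: overwrite one decoy, rename another as an encryptor would.
        (root / DECOY_NAMES[0]).write_bytes(b"\x00garbage")
        (root / DECOY_NAMES[1]).rename(root / (DECOY_NAMES[1] + ".locked"))
        return check_decoys(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline would live off-host and `check_decoys` would run on a schedule or from a file-system watcher; any alert on a decoy is high-signal because no legitimate workflow touches these files.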

Sensor Data Placement: User-Mode

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The ransomware’s behavior of dropping files, terminating specific processes, and displaying a payment screen with a timer provides multiple observables. These observables can be collected from user-mode and application layers, offering a good balance between accessibility and reliability.

  • Sensor Data Placement: User-Mode, Application
  • Observable Level: Core to Adversary-Brought Tool (ransomware payload), Core to Pre-Existing Tool (MMC, Task Manager)
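The two user-mode observables called out above (bitmap files dropped into %temp% and terminations aimed at MMC or Task Manager) are individually noisy but rarely co-occur in one process. The following is an added detection example, not the report's own content; it assumes a constructed, EDR-style event schema (`ts`, `event`, `pid`, `image`, `target`) and sample events written for this illustration.

```python
"""Correlate per-process observables into a single ransomware-behaviour alert.

Added example; the event schema and the sample telemetry below are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# MMC and Task Manager, the processes the procedure text says the ransomware terminates.
KILL_TARGETS = {"mmc.exe", "taskmgr.exe"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (JSON lines). pid 4120 is the suspicious process;
# pid 880 (an image editor) and pid 1200 (explorer) are benign noise.
SAMPLE_EVENTS = r"""
{"ts": "2024-11-05T09:30:00Z", "event": "file_create", "pid": 880, "image": "C:\\Windows\\System32\\mspaint.exe", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\scratch.bmp"}
{"ts": "2024-11-05T10:01:02Z", "event": "file_create", "pid": 4120, "image": "C:\\Users\\a\\Downloads\\invoice.exe", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\1.bmp"}
{"ts": "2024-11-05T10:01:03Z", "event": "file_create", "pid": 4120, "image": "C:\\Users\\a\\Downloads\\invoice.exe", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\2.bmp"}
{"ts": "2024-11-05T10:01:10Z", "event": "process_kill", "pid": 4120, "image": "C:\\Users\\a\\Downloads\\invoice.exe", "target": "Taskmgr.exe"}
{"ts": "2024-11-05T10:02:00Z", "event": "process_kill", "pid": 4120, "image": "C:\\Users\\a\\Downloads\\invoice.exe", "target": "mmc.exe"}
{"ts": "2024-11-05T10:03:00Z", "event": "process_kill", "pid": 1200, "image": "C:\\Windows\\explorer.exe", "target": "notepad.exe"}
"""


def _is_temp_bitmap(path: str) -> bool:
    p = path.lower()
    return p.endswith(".bmp") and "\\temp\\" in p


def detect(jsonl: str, window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per process that both dropped bitmaps in a Temp folder
    and terminated MMC or Task Manager within `window`."""
    by_pid = defaultdict(lambda: {"image": None, "bmps": [], "kills": []})
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec = by_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["event"] == "file_create" and _is_temp_bitmap(ev["target"]):
            rec["bmps"].append((ts, ev["target"]))
        elif ev["event"] == "process_kill" and ev["target"].lower() in KILL_TARGETS:
            rec["kills"].append((ts, ev["target"].lower()))

    alerts = []
    for pid, rec in by_pid.items():
        if not rec["bmps"] or not rec["kills"]:
            continue  # either observable alone is not enough
        times = [t for t, _ in rec["bmps"] + rec["kills"]]
        if max(times) - min(times) > window:
            continue
        alerts.append({
            "pid": pid,
            "image": rec["image"],
            "bitmaps": [p for _, p in rec["bmps"]],
            "killed": sorted({n for _, n in rec["kills"]}),
            "first_seen": min(times).isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Requiring both observables from the same process keeps the rule quiet on image editors that write to Temp and on administrators closing Task Manager; the time window bounds how far apart the two behaviours may be before they are treated as unrelated.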

Link to Report: https://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/

Link to Report II.:

Additional Comments:

CyberVolk is a dynamic and adaptive threat actor that leverages readily available tools and constantly evolves its tactics. Its close association with other pro-Russian hacktivist groups adds another layer of complexity to its operations.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: CyberVolk Attack Graph

[1]: Initial Access (TA0001) - Phishing (T1566) - Utilize phishing emails and LinkedIn messages to distribute malicious links (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter (T1059) - Drop bitmap images into the %temp% folder and display them before encryption (Core to Pre-Existing Tool)
[3]: Defense Evasion (TA0005) - Inhibit System Recovery (T1490) - Terminate processes associated with Microsoft Management Console (MMC) or Task Manager (Core to Pre-Existing Tool)
[4]: Impact (TA0040) - Data Encrypted for Impact (T1486) - Display a payment screen with a decryption timer and payment details (Core to Adversary-Brought Tool)

1 --> 2 (Lack of User Awareness - EAV0001)
2 --> 3 (None)
3 --> 4 (None)
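A defender mapping this graph onto detections wants it machine-readable. The following parser is an added example (not part of the page, of MITRE Engage, or of any SentinelOne tooling) that reads the node and edge lines of the Malicious Sub-Graph format exactly as written above, validates that every edge references a known node and that the graph forms a single chain, and returns the ordered attack path. The embedded text is the CyberVolk graph from this page.

```python
"""Parser and validator for the Malicious Sub-Graph (MSG) text format.

Added example. The node/edge grammar follows the "Node Format" and "Edge Format"
comments on the page; the dataclass names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# [Node ID]: [Tactic] (TAxxxx) - [Technique] (Txxxx[.xxx]) - [Procedure] ([Observable Level])
NODE_RE = re.compile(
    r"^\[(?P<id>\d+)\]:\s*(?P<tactic>.+?)\s*\((?P<tactic_id>TA\d{4})\)\s*-\s*"
    r"(?P<technique>.+?)\s*\((?P<technique_id>T\d{4}(?:\.\d{3})?)\)\s*-\s*"
    r"(?P<procedure>.+)\s*\((?P<observable>[^()]+)\)\s*$"
)
# [Source] --> [Destination] ([Exploited Vulnerability])
EDGE_RE = re.compile(r"^(?P<src>\d+)\s*-->\s*(?P<dst>\d+)\s*\((?P<vuln>[^()]*)\)\s*$")

# The CyberVolk graph as written on the page.
MSG_TEXT = """
# Example: CyberVolk Attack Graph
[1]: Initial Access (TA0001) - Phishing (T1566) - Utilize phishing emails and LinkedIn messages to distribute malicious links (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter (T1059) - Drop bitmap images into the %temp% folder and display them before encryption (Core to Pre-Existing Tool)
[3]: Defense Evasion (TA0005) - Inhibit System Recovery (T1490) - Terminate processes associated with Microsoft Management Console (MMC) or Task Manager (Core to Pre-Existing Tool)
[4]: Impact (TA0040) - Data Encrypted for Impact (T1486) - Display a payment screen with a decryption timer and payment details (Core to Adversary-Brought Tool)

1 --> 2 (Lack of User Awareness - EAV0001)
2 --> 3 (None)
3 --> 4 (None)
"""


@dataclass
class Node:
    id: int
    tactic: str
    tactic_id: str
    technique: str
    technique_id: str
    procedure: str
    observable: str


@dataclass
class Edge:
    src: int
    dst: int
    vulnerability: str | None  # None when the page writes "(None)"


@dataclass
class Graph:
    nodes: dict[int, Node] = field(default_factory=dict)
    edges: list[Edge] = field(default_factory=list)


def parse_msg(text: str) -> Graph:
    g = Graph()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "# ..." comments
        if m := NODE_RE.match(line):
            nid = int(m["id"])
            if nid in g.nodes:
                raise ValueError(f"duplicate node id {nid}")
            g.nodes[nid] = Node(nid, m["tactic"], m["tactic_id"], m["technique"],
                                m["technique_id"], m["procedure"].strip(), m["observable"].strip())
        elif m := EDGE_RE.match(line):
            vuln = m["vuln"].strip()
            g.edges.append(Edge(int(m["src"]), int(m["dst"]), None if vuln.lower() == "none" else vuln))
        else:
            raise ValueError(f"unrecognised MSG line: {line!r}")
    return g


def validate(g: Graph) -> list[str]:
    """Return a list of problems; empty when the graph is a single well-formed chain."""
    problems = []
    incoming = {nid: 0 for nid in g.nodes}
    for e in g.edges:
        for end in (e.src, e.dst):
            if end not in g.nodes:
                problems.append(f"edge {e.src}-->{e.dst} references unknown node {end}")
        if e.dst in incoming:
            incoming[e.dst] += 1
    roots = [nid for nid, c in incoming.items() if c == 0]
    if len(roots) != 1:
        problems.append(f"expected exactly one entry node, found {roots}")
    return problems


def attack_path(g: Graph) -> list[int]:
    """Node ids in kill-chain order, following the edges from the entry node."""
    problems = validate(g)
    if problems:
        raise ValueError("; ".join(problems))
    nxt = {e.src: e.dst for e in g.edges}
    start = next(nid for nid in g.nodes if nid not in {e.dst for e in g.edges})
    path = [start]
    while path[-1] in nxt:
        path.append(nxt[path[-1]])
        if len(path) > len(g.nodes):
            raise ValueError("cycle in graph")
    return path


if __name__ == "__main__":
    graph = parse_msg(MSG_TEXT)
    for nid in attack_path(graph):
        n = graph.nodes[nid]
        print(f"{nid}. {n.tactic_id} {n.technique_id}: {n.procedure} [{n.observable}]")
```

Because the procedure field may itself contain parentheses, as in node 3's "(MMC)", the node pattern takes the final parenthesised group as the observable level; anything unparseable raises rather than being silently skipped.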

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# Example: CyberVolk Pseudocode

function Initial_Access_Phishing(target_email):
    # Craft phishing email or LinkedIn message with malicious link
    # Send email or message to target_email
    return malicious_link

function Execution_Command_and_Scripting_Interpreter(malicious_link):
    # Execute malicious link to download and run ransomware
    # Drop bitmap images into the %temp% folder
    # Display bitmap images
    return ransomware_process

function Defense_Evasion_Inhibit_System_Recovery(ransomware_process):
    # Terminate processes associated with MMC or Task Manager
    return system_vulnerable_state

function Impact_Data_Encrypted_for_Impact(system_vulnerable_state):
    # Encrypt data on the system
    # Display payment screen with decryption timer and payment details
    return encrypted_system
