Blogs

Critical Start Warns of Newly Discovered Threat Group Targeting Organizations in Asia
Previously Unknown Threat Group: Hydrochasma
Hydrochasma is a newly discovered cyberthreat group that has been targeting medical and shipping organizations in Asia since at least October 2022. State-sponsored cyberattacks have been increasing in recent years, with governments and their intelligence agencies engaging in cyber espionage to gain an edge in political, economic, and military affairs.

Threat Deep Dive: Exfiltrator-22 Post-Exploitation Tool
Summary
A group of cyber criminals is advertising a new, purportedly fully undetectable post-exploitation tool, Exfiltrator-22 (EX-22), on underground forums. The framework is designed to spread ransomware through corporate networks while evading detection. It is marketed under a framework-as-a-service model, offering affiliates the option to purchase either monthly or lifetime access to the tool.

Mustang Panda and the Rise of Custom Malware Usage by Chinese State-Sponsored Actors
The rise of custom malware usage by Chinese state-sponsored advanced persistent threat (APT) groups is a growing concern among cybersecurity experts. This article focuses on MQsTTang, a newly discovered backdoor attributed to the Chinese APT group Mustang Panda. MQsTTang is a single-stage backdoor that uses the MQTT protocol for command-and-control (C2) communications, an unusual choice for APT groups. The article also highlights the broader trend of Chinese APT groups developing custom malware and what that trend implies for organizations.

Malware Targeting Linux Operating Systems
Summary
A trend of malware developed specifically to target Linux systems is being observed in the wild. Previously, malware targeting Linux was relatively scarce and primitive in comparison to malware targeting proprietary operating systems.

Threat Deep Dive: BlackLotus
What is BlackLotus?
BlackLotus is a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, which is a type of malware that can bypass Secure Boot defenses, making it a potent threat in the cyber landscape. Secure Boot is a security feature in modern computer systems that ensures that only trusted software is loaded during the boot process.

Threat Research: New Framework Raising “Havoc”
Introduction: What is Havoc?
Havoc, a new open-source command-and-control (C2) framework, is being used by threat actors as an alternative to Cobalt Strike and Brute Ratel (both post-exploitation C2 frameworks). C2 frameworks give threat actors the ability to drop beacons on breached networks for later lateral movement and delivery of additional malicious payloads.

A Dive into the Soul: Analyzing Sharp Panda's Latest Cyber Espionage Campaign
What is Sharp Panda?
Sharp Panda, also known as APT19, Emissary Panda, or Iron Tiger, is a Chinese Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily targets government organizations, defense contractors, and research institutions in Southeast Asia, Europe, and the United States.

Critical Start Warns of New Beep Malware
By: Critical Start Cyber Threat Intelligence (CTI) Team

Dark Pink: Emerging Threat Actor Overview
What is Dark Pink?
An emerging campaign of advanced persistent threat (APT) attacks is spreading across the Asia-Pacific (APAC) region, and it has been attributed to a new group called Dark Pink (also known as Saaiwc Group by some Chinese researchers). While evidence suggests that the group has likely been active since mid-2021, their first known successful attack wasn't observed until June 2022.

TrickGate: The Malware Master of Disguise
By: Critical Start Cyber Threat Intelligence (CTI) Team

IOCs vs TTPs
Definitions:
An IOC (Indicator of Compromise) and a TTP (Tactics, Techniques, and Procedures) are two different types of cybersecurity indicators that organizations use to detect and respond to cyber threats.

Applying the Biden-Harris Administration’s National Cybersecurity Strategy to your Organization in Five Steps
As cyber threats continue to evolve and grow, it is increasingly clear that a coordinated and comprehensive approach to cybersecurity is necessary. Governments around the world have recognized the need for national cybersecurity strategies to protect their citizens, businesses, and critical infrastructure.