
DragonForce Asserts Dominance Over RansomHub Ransomware Network

DragonForce, a ransomware group reported to be operating in the Middle East and North Africa (MENA) region, has reportedly launched a series of targeted attacks against companies in the Kingdom of Saudi Arabia (KSA) amid escalating cyber threats across the region. One of the most significant incidents attributed to the group involved a real estate and construction company based in Riyadh, underscoring its focus on high-value targets in critical sectors.

This development follows a period in which cyberattacks on major companies and vital infrastructure across the region have grown steadily more sophisticated. Beyond demonstrating the growing capabilities of threat actors such as DragonForce, the breach emphasizes the need for heightened vigilance and preparedness among cybersecurity professionals and law enforcement agencies in Saudi Arabia and neighbouring countries.

Experts anticipate that, as long as the group's tactics remain effective, it will expand its operations geographically beyond MENA. The incident therefore has implications well beyond its immediate victims: it serves as a cautionary marker of a rapidly evolving threat landscape and of the threats that may face global digital security systems in the future.

Cyble, a cybersecurity firm, has confirmed that a threat actor known as DragonForce recently posted a message on the RAMP cybercrime forum announcing a new "project." The announcement was later mirrored on DragonForce's onion-based data leak site (DLS), marking the start of new operational infrastructure for the group. As part of this initiative, DragonForce launched two new onion domains, both protected by CAPTCHA verification, in line with the group's established Tor-based deployment practices.

Interestingly, both sites are prominently branded with RansomHub, another ransomware group. It remains unclear whether DragonForce has seized control of RansomHub or has merely infiltrated its systems, but Cyble has observed that RansomHub's onion site has been unavailable since March 31. The prolonged downtime has prompted considerable speculation within the security community that DragonForce may be planning to acquire, or hostilely take over, RansomHub's infrastructure.

Alongside this development, DragonForce recently formally announced plans to expand its ransomware-as-a-service operations. As part of that initiative, the group introduced an affiliate-based model in which third-party actors, or "franchisees", operate under the DragonForce brand.

Under the new model, affiliates are reportedly provided with comprehensive backend support, including anti-DDoS defences, advanced encryption, and specialized toolkits for managing infections across a range of environments, including ESXi, NAS, BSD, and Windows. This significant investment in infrastructure is intended to attract and empower partners, extending the group's reach and impact as a whole. Features such as encryption status monitoring and persistent communication mechanisms are a deliberate attempt to streamline operations and present victims with a more organized, business-like ransomware platform.

RansomHub's future remains uncertain: it may be fully absorbed under the DragonForce brand or continue to operate independently. Either way, current indicators point to a consolidation within the ransomware ecosystem that may bring increased sophistication and coordination among cybercriminals.

Despite growing competition in the ransomware-as-a-service (RaaS) market, DragonForce is positioning itself as a prominent player by offering its affiliates one of the most attractive commission structures on the dark web. This aggressive profit-sharing model, under which partners keep up to 80% of ransom payments successfully extorted from victims, aims to attract skilled cybercriminals and build a loyal, results-driven affiliate network. A key component of DragonForce's communication strategy is TOX, a Tor-based instant messaging platform that serves as the main channel for communicating securely with both victims and affiliates.

The group's public key is also published on RAMP, an underground forum used by ransomware operators and access brokers, for anyone who wants to further secure these exchanges. Its persistent presence on the platform, including a forum visit traced back to February 24, 2025, indicates a sustained effort to maintain visibility and engagement within this key cybercriminal community. Advertisements on RAMP promote the DragonForce affiliate network both as a recruitment hub and as one of the most reliable networks on the dark web. With support for multiple platforms, including Windows, Linux, and ESXi, the ransomware framework is marketed as a robust system that delivers consistent payouts while offering extensive back-end support.

The most recent affiliate-related announcements were posted on January 20, 2025, but the associated PGP encryption key dates from September 2024, further demonstrating the organization's systematic approach to security. After an earlier operational leak exposed sensitive affiliate-facing URLs used to extort victims, DragonForce undertook significant internal reforms. Among them was a new vetting process that requires prospective affiliates to provide verifiable evidence of victim access, such as data volume metrics and file trees, to justify their eligibility.

This shift was meant to ensure that only committed and capable individuals are onboarded, improving the organization's operational security and integrity. DragonForce also offers vetted affiliates a variety of premium services, including call services that apply direct pressure to victims, as well as advanced decryption capabilities for NTLM and Kerberos hashes. Such services are especially useful to access brokers navigating the post-compromise stages of complex environments such as Active Directory.

It is important to note that the DragonForce ransomware operation is an independent entity and should not be confused with the Malaysian hacktivist group of the same name, which is known for defacing websites and launching DDoS attacks, among other activities. Although the two share a name, they differ completely in motivation, structure, and methods, and they are not known to be affiliated with each other.

While speculation about the nature of a potential alliance between RansomHub and DragonForce continues, Cyble reports that this latest development closely follows DragonForce's March 18 announcement of a significant expansion of its ransomware-as-a-service (RaaS) operations. As part of that strategic shift, the DragonForce Ransomware Cartel introduced a franchise-style affiliate program under which partners operate and launch their own ransomware campaigns under the cartel's umbrella.

The model appeals to affiliates because it lets them keep a high degree of operational independence while still being overseen by a central management team. All participants receive comprehensive backend support, including dedicated admin and client panels, secure data hosting environments, and resilient, always-on infrastructure protected by anti-DDoS mechanisms. The structure is designed to balance affiliate autonomy with consistency and control while maintaining the group's overarching operational standards.

Alongside this structural expansion, DragonForce has also introduced a series of advanced technical upgrades to its ransomware payloads for ESXi, NAS, BSD, and Windows. Several sophisticated features have been added to the payloads, including real-time encryption tracking, detached execution processes, persistent user interface messages that reinforce ransom demands, and improved recovery protocols to reduce disruption. The group has also developed a two-pass header protection technique that uses external entropy sources to enhance the cryptographic robustness of the encryption engine; this technique is integrated with BearSSL's AES-CTR encryption.

Cyble points out that these technological and infrastructure advances reflect DragonForce's commitment to scaling its operations with a high level of professionalism. By building a more refined, affiliate-focused ransomware ecosystem, the group hopes to attract experienced cybercriminals to collaborate with it. Over the past year, DragonForce has continued to grow into a more structured and formidable player within the ransomware-as-a-service ecosystem.

Its recent activities also indicate a broader shift in the cybercriminal underground towards greater sophistication, strategic alliances, and operational maturity. The apparent takeover of, or alignment with, RansomHub, together with the dramatic advances in infrastructure and technology and the emerging series of threats, highlights the urgent need for cybersecurity stakeholders to reevaluate their threat models and strengthen their defensive posture.

Organizations, particularly those in critical sectors and high-risk regions, can best counter these evolving threats by implementing proactive threat intelligence strategies, enforcing stringent access controls, and seriously prioritizing incident response preparedness. In a digital landscape where adversaries adopt business-like approaches to achieve greater impact, only a cohesive and anticipatory security approach can stand up to the rising tide of cyber-extortion, which grows more organized and sophisticated by the day.

Evasive Panda Unfurls Cloud Services Under Siege

Evasive Panda, a China-sponsored hacking group, has unveiled CloudScout, a sleek and professional toolset built to retrieve data from compromised cloud services using stolen web session cookies. ESET researchers discovered CloudScout while investigating two past breaches in Taiwan targeting religious institutions and government organizations. CloudScout is written in .NET and was designed to integrate seamlessly with MgBot, Evasive Panda's proprietary malware framework.

In a step-by-step process, MgBot feeds CloudScout previously stolen cookies, and CloudScout then uses the pass-the-cookie technique to access and exfiltrate data from the cloud. The technique lets an attacker hijack an authenticated web browser session by reusing its cookies. Evasive Panda is also known by several other names, including BRONZE HIGHLAND, Daggerfly, and StormBamboo, and has been operating since at least 2012.
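From the defender's side, a replayed session cookie leaves a recognisable trace in server-side logs: a session identifier that was issued to one browser suddenly arrives from a different client. The Python script below, an added example that is not code from the original post or from ESET's research, scans constructed access-log lines for exactly that pattern. The log format (timestamp, sess=, ip=, ua=), the field names and every sample value are assumptions made for the example.

```python
"""Flag session cookies that are reused from an unexpected client.

Added example, not code from the original post or from ESET. The log
format (timestamp, sess=, ip=, ua=) and all sample values are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log, one request per line (not real data).
# Session a1b2 is replayed by a script from a new address; c3d4 only
# changes address; e5f6 is a normal session.
SAMPLE_LOG = """\
2025-03-18T09:00:01Z sess=a1b2 ip=203.0.113.10 ua=Firefox/125
2025-03-18T09:05:12Z sess=a1b2 ip=203.0.113.10 ua=Firefox/125
2025-03-18T09:07:44Z sess=a1b2 ip=198.51.100.77 ua=python-requests/2.31
2025-03-18T09:08:03Z sess=c3d4 ip=192.0.2.5 ua=Chrome/124
2025-03-18T09:40:00Z sess=c3d4 ip=192.0.2.99 ua=Chrome/124
2025-03-18T09:41:00Z sess=e5f6 ip=192.0.2.8 ua=Safari/17
2025-03-18T09:50:00Z sess=e5f6 ip=192.0.2.8 ua=Safari/17
2025-03-18T09:55:00Z sess=a1b2 ip=198.51.100.77 ua=python-requests/2.31
"""

LINE_RE = re.compile(r"^(\S+) sess=(\S+) ip=(\S+) ua=(.+)$")


def parse_line(line):
    """Return (timestamp, session, ip, ua), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_suspicious_sessions(log_text):
    """Return one alert per (session, new client fingerprint) pair.

    A fingerprint is (ip, user agent). The first fingerprint seen for a
    session is treated as the legitimate browser; any later, different
    fingerprint is reported once. A user-agent change is rated 'high'
    because a replayed cookie is typically sent by a script rather than
    the victim's browser; an IP-only change is rated 'medium' because
    mobile and VPN clients change address legitimately.
    """
    first_seen = {}                 # session -> (ts, ip, ua)
    known = defaultdict(set)        # session -> {(ip, ua), ...}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sess, ip, ua = rec
        fp = (ip, ua)
        if sess not in first_seen:
            first_seen[sess] = (ts, ip, ua)
            known[sess].add(fp)
            continue
        if fp in known[sess]:
            continue                # this client already seen for this session
        known[sess].add(fp)
        first_ts, first_ip, first_ua = first_seen[sess]
        alerts.append({
            "session": sess,
            "first_ip": first_ip,
            "first_ua": first_ua,
            "new_ip": ip,
            "new_ua": ua,
            "seconds_since_first_use": int((ts - first_ts).total_seconds()),
            "severity": "high" if ua != first_ua else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sessions(SAMPLE_LOG):
        print(f"[{a['severity']}] session {a['session']} first used by "
              f"{a['first_ip']} ({a['first_ua']}), later by {a['new_ip']} "
              f"({a['new_ua']}) after {a['seconds_since_first_use']}s")
```

On the sample data the script reports the a1b2 session as high severity (the user agent switched from a browser to an HTTP library) and c3d4 as medium (address change only). The medium alerts are noisy on their own, so in practice they are best combined with the mitigations that blunt the technique itself: short session lifetimes, re-authentication for sensitive operations, and invalidating a session when its client fingerprint changes.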

Evasive Panda's objective is to conduct cyberespionage campaigns against countries, institutions, and individuals that oppose China's interests, such as the Tibetan diaspora, religious and academic groups in Taiwan and Hong Kong, and supporters of democracy within Chinese society. Its cyberespionage activities have at times also been observed extending to other countries, such as Vietnam, Myanmar, and South Korea.

Evasive Panda has accumulated an impressive array of attack vectors. Its operators have employed sophisticated TTPs and exploits such as supply-chain and watering-hole attacks and DNS hijacking, and they have used recent CVEs affecting Microsoft Office, Confluence, and web server applications to exploit systems. The group has also shown itself capable of developing sophisticated malware, as demonstrated by its well-documented collection of multi-platform backdoors for Windows, macOS, and Android.

On Windows, the group most commonly uses MgBot (a custom malware framework built with eight plugins, detailed in ESET's previous blog post on its features) and the more recently developed Nightdoor. Nightdoor, described in another ESET blog post, is a sophisticated backdoor that uses a public cloud service to communicate with its command and control servers. CloudScout's internal framework allows it to handle complex tasks such as configuring and managing its modules and decrypting the cookies those modules need to make web requests.

Through its CommonUtilities package, CloudScout can also manage HTTP requests and cookies, which lets the tool adapt to the varied structures of each targeted service and makes it effective for aggressive monitoring. The malware regularly monitors directories for new configuration files, which trigger new extraction cycles, and then removes evidence of its activity. Many of CloudScout's targeting methods appear to be designed for Taiwanese users, as is evident from the language preferences and region-specific configurations embedded in its modules. ESET's analysis also suggests that CloudScout may have additional modules targeting social media such as Facebook and Twitter, but these have not been observed in active deployments.

CloudScout is a .NET toolset that Evasive Panda uses to steal data stored in cloud services, Ho explained. Using the pass-the-cookie technique, it hijacks authenticated web browser sessions with cookies that MgBot has collected and passed to it.

In a separate alarming development in Canadian cyberspace, the Government of Canada has accused a "sophisticated state-sponsored threat actor" from China of conducting a broad reconnaissance campaign, spanning several months, against a variety of domains within the country.

A recent statement revealed that most of the targeted organizations were Canadian government departments and agencies, including federal political parties, as well as key legislative bodies such as the House of Commons and the Senate. Evasive Panda, an advanced persistent threat (APT) group, also targeted dozens of other entities spanning democratic institutions, critical infrastructure, defence sectors, media organizations, think tanks, and non-governmental organizations (NGOs). This broad reach underscores the serious nature of the ongoing cyber threat. Known by aliases such as Bronze Highland, Daggerfly, and StormBamboo, Evasive Panda has been actively engaged in cyber espionage since at least 2012.

Its primary focus has been civil society targets, especially those associated with independence movements and democratic advocacy. ESET researchers note that this APT group is particularly focused on independence movements within the Tibetan diaspora, religious and academic organizations in Taiwan and Hong Kong, and democracy supporters within China. In recent years, Evasive Panda's operations have extended internationally, reaching regions such as Vietnam, Myanmar, South Korea, and, to a lesser extent, Nigeria. According to the researchers, Evasive Panda is known for continually evolving its cyberattack techniques. 

The latest attacks have demonstrated a marked increase in sophistication, signaling the group’s commitment to refining its approach and adapting to cybersecurity defenses. This new level of sophistication adds urgency for both national and international stakeholders to heighten their defenses and remain vigilant against this persistent and increasingly advanced cyber espionage threat.