In the third quarter of 2022, Trellix delivered a new, powerful resource to support the future of extended detection and response (XDR) and cybersecurity. The Trellix Advanced Research Center, comprising hundreds of elite security analysts and researchers, was established to help customers detect, respond to, and remediate the latest cybersecurity threats.
Threat actors also made headlines in Q3 2022 – and our Advanced Research Center team countered with research and findings on a global scale. Our team took you through the dismantling of REvil including the steps taken to build their cybercriminal enterprise and the missteps that led to their downfall. The Advanced Research Center revealed what the code told us, the All-Star lineup and followed the money to REvil’s end. When United States Speaker of the House Nancy Pelosi visited Taiwan, our team examined the news-making geopolitical tensions after detecting a spike in regional cyber threat activity targeting the Taiwan government.
Welcome to the first Threat Report from the Trellix Advanced Research Center.
The launch of our Advanced Research Center this September was an important milestone in our trajectory since emerging as Trellix earlier this year. Our goal is to identify and illuminate a broad spectrum of threats in today's complex landscape through research in nearly every vertical of threat, including those targeting governments, financial, retail, manufacturing, critical infrastructure, healthcare, industrial controls, and many other industries. The Advanced Research Center consists of a cohesive group of researchers with a shared purpose: to produce actionable real-time threat intelligence and world class efficacy to help customers stay protected against the latest cybersecurity threats, while powering our leading XDR platform.
The last quarter saw cyber events continue to intensify in their technical sophistication and in their potential for economic and geopolitical impact. We observed uninterrupted activity out of Russia, Chinese actors targeting Taiwan, and North Korean actors launching cyberattacks timed with missile drills. This activity was not limited to state-sponsored groups: we also observed a rise in politically motivated hacktivist activity. All this, plus continued ransomware attacks on healthcare and education systems and a global cybersecurity talent shortage now reaching 3.4 million, shows that the need for threat intelligence work isn’t slowing down.
Since the introduction of our Advanced Research Center, we have published research into a 15-year-old vulnerability impacting 350,000 open-source projects, threats to Taiwan, our efforts to support law enforcement action against members of REvil, the evolution of social engineering tactics used in BazarCall campaigns, and phishing attacks targeting U.S. election workers.
With this report, we continue to build our momentum as Trellix’s Advanced Research Center stands at the forefront of our industry helping organizations better understand, detect, and respond to cyber threats. In addition to the data you have known us to deliver in these reports, you will see new data from our email research experts and new insights on our Cobalt Strike infrastructure tracker, one of the many cyber-threat trackers we maintain 24/7. As this report sees new iterations each quarter, we will continue to add new insights, metrics, and intelligence. We’re just getting started.
If there are topics you would like to see, don’t hesitate to reach out to me @John_Fokker or our team @TrellixARC on Twitter. We’re ready.
Trellix’s backend systems provide telemetry that we use as input for these reports. We combine our telemetry with open-source intelligence around threats and our own investigations into prevalent threats like ransomware, nation-state activity, etc.
When we talk about telemetry, we talk about detections, not infections. A detection is recorded when a file, URL, IP address, or other indicator is detected by one of our products and reported back to us.
Privacy of our customers is key. It is also important when it comes to mapping telemetry to the sectors and countries of our customers. Our client base differs per country, so the numbers can show increases that we have to look deeper into the data to explain. An example: the Telecom sector often scores high in our data. That doesn’t necessarily mean this sector is highly targeted. The Telecom sector also contains ISPs that own IP address spaces which can be bought by companies. What does this mean? Submissions from the IP address space of the ISP show up as Telecom detections but could come from ISP clients operating in a different sector.
As the cybersecurity landscape changes and organizations become more sophisticated, it’s important to note that organizations use legitimate indicators in test scenarios to prepare their security operations teams for response. This means that while some data may score high, it may include threat indicators from security preparation exercises.
The following Global Ransomware stats are based on our telemetry (customer logs) correlated with the malicious campaigns collected and analyzed by the Threat Intelligence Group:
Most Reported Ransomware Global Customer Sectors
Our global telemetry showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following industry sectors represent the most impacted by the identified campaigns:
Our global telemetry showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following countries represent the most impacted by the identified campaigns:
Germany showed an increase of 32% of identified ransomware campaigns from Q2 to Q3 2022, while the United States realized a 9% increase and Israel showed a 52% decrease in identified campaigns for the same period.
Global Ransomware Family Detections Q3 2022
1. LockBit (22%)
2. HelloXD (11%)
3. Zeppelin (11%)
4. Phobos (10%)
5. BlackCat (10%)
Malicious Tools Used in Global Ransomware Campaigns Q3 2022
Our global telemetry showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following malicious tools represent the most used in the identified campaigns:
1. Cobalt Strike (33%)
2. Mimikatz (22%)
3. RCLONE (10%)
4. BloodHound (7%)
5. WinPEAS (6%)
Most Reported MITRE ATT&CK Patterns Q3 2022
Our global telemetry showed indicators of compromise (IoCs) that belong to several Ransomware campaigns. The following MITRE ATT&CK Techniques represent the most utilized in the identified campaigns:
1. Data Encrypted for Impact
2. System Information Discovery
3. File and Directory Discovery
4. Inhibit System Recovery
5. Service Stop
Germany ranked highest among countries impacted by indicators of compromise (IoCs) in Q3 2022, comprising 27% of top-10 impacted countries by the identified ransomware campaigns.
The following stats are based on our telemetry correlated with the malicious campaigns that the Trellix Advanced Research Center collected and analyzed in Q3 2022. Our telemetry on U.S. customers showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following industry sectors represent the most impacted by the identified campaigns:
Business Services accounted for 38% of total ransomware detections among the top-10 sectors in the United States in Q3 2022, ahead of Transportation and Shipping (23%), Telecom (9%), Government (9%), and Media and Communications (9%).
Detections in the Transportation & Shipping sector (all modes including trucking and aviation) increased 100% from Q2 to Q3 2022. Notable increases and decreases include Telecom (+56%) and Finance (-59%).
U.S. Ransomware Families Q3 2022
LockBit was the most prevalent of ransomware families, used in 19% of top-10 queries Q3 2022, ahead of Phobos (16%), AvosLocker (13%), Zeppelin (10%), and Cuba (9%).
Most Detected U.S. Ransomware Tools Q3 2022
Our telemetry on U.S. customers showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following malicious tools represent the most used in the identified campaigns:
1. Cobalt Strike (34%)
2. Mimikatz (22%)
3. RCLONE (10%)
4. BloodHound (6%)
5. Grabff (6%)
Most Detected MITRE ATT&CK Techniques Q3 2022
Our telemetry on U.S. customers showed indicators of compromise (IoCs) that belong to several ransomware campaigns. The following MITRE ATT&CK Techniques represent the most utilized in the identified campaigns:
1. Data Encrypted for Impact
2. System Information Discovery
3. File and Directory Discovery
4. Modify Registry
5. Process Discovery
These stats are based on our telemetry correlated with the malicious campaigns that the Threat Intelligence Group within our Advanced Research Center collects and analyzes:
Most Active APT Groups Q3 2022
Our global telemetry showed indicators of compromise (IoCs) that belong to several campaigns from advanced persistent threat groups (APT). These threat actor groups are known to use a variety of tools during their campaigns. These tools range from commodity malicious tools, used by numerous actors, to custom malware used exclusively by a particular APT. The following APT Groups represent the most active in the identified campaigns:
Based on our IOC tracking, Mustang Panda was the most active APT group in Q3 2022. Most of the Mustang Panda detections are a specific version of PlugX that was attributed to this group. We know PlugX is a weapon of choice for a lot of Chinese threat actors, and the Chinese APT threat landscape shows a lot of overlap between groups.
Our global telemetry showed indicators of compromise (IoCs) that belong to several campaigns from advanced persistent threat groups (APT). The following countries, sectors, and tools represent the most impacted by the identified campaigns:
Germany was the most targeted country by APT actors in Q3, comprising 29% of detections among the top-10 ranked client countries.
Top Client Countries Q3 2022
1. Germany (29%)
2. United States (16%)
3. Turkey (12%)
4. Israel (10%)
5. India (7%)
Nation-State Sectors Q3 2022
Our global telemetry showed indicators of compromise (IoCs) that belong to several campaigns from APT groups. The following industry sectors represent the most impacted by the identified campaigns:
Nation-State Malicious Tools Q3 2022
Our global telemetry showed indicators of compromise (IoCs) that belong to several campaigns from APT groups. The following malicious tools represent the most used in the identified campaigns:
1. Mimikatz (24%)
2. PlugX (20%)
3. Cobalt Strike (18%)
4. Crimson RAT (7%)
5. Metasploit (6%)
These stats are based on telemetry generated by the email security appliances installed at customers around the world. The detection logs are aggregated and analyzed to produce the following sections:
Top Vectors Most Impacted by Malicious Emails Q3 2022
URLs comprised 91% of the top-10 delivery mechanisms for malicious payloads across all malicious emails detected in Q3 2022.
Top Email Attack Categories Q3 2022
1. Phish (68%)
2. Malware (22%)
3. Scam (9%)
4. Exploit (<1%)
5. APT (<1%)
Top Exploited Customer Email CVEs Q3 2022
Vulnerabilities Impacting Microsoft Office Equation Editor (75%)
The "equation editor vulnerabilities", comprising CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802, were the most exploited among malicious emails received by customers in Q3 2022. The exploits that target these vulnerabilities are incorporated in very generic malware families such as Formbook, Netwire, and generic downloaders.
Top Sectors Most Impacted by Malicious Emails Q3 2022
Financial Services (20%) was the sector most impacted by malicious emails in Q3 2022, followed by State and Local Government (13%), Manufacturing (12%), Federal Government (11%), and Services & Consulting (10%).
Trojan comprised 83% of the top-5 most utilized attack categories detected in malicious emails in Q3 2022.
Top Email Malware Families Q3 2022
1. Exsto (17%)
2. Agenttesla (16%)
3. Formbook (15%)
4. Leonem (7%)
5. Guloader (7%)
Notable breach data from open-sourced publicly reported incidents in Q3 2022:
Top Attack Vectors Q3 2022
The United States experienced the most reported incidents (35%) in Q3 2022.
Top Attack Sectors Q3 2022
1. Multiple Industries (20%)
2. Individuals (11%)
3. Public (11%)
4. Healthcare (9%)
5. Technology (6%)
In the third quarter of 2022, threat actors, including APT and ransomware groups, continued to rely on OS binaries to carry out mundane tasks. By living off the land with OS binaries such as the Windows Command Shell (CMD) and PowerShell, threat actors can take a more hands-off approach and script phases of a campaign, from initial access and reconnaissance to exfiltration of targeted information. CMD and PowerShell continue to be the most prevalent abused binaries, with scheduled tasks nipping at their heels. Over the last three quarters and throughout 2021, threat actors have used OS binaries in all stages of an attack, from initial access to malware deployment and ingress tool transfer all the way to impact, as mapped on the MITRE ATT&CK Matrix. Loaders and downloaders may use CMD to spawn MSHTA to load a payload, download additional malware, or exfiltrate system and infrastructure information; scheduled tasks may be used to install webshells to maintain persistent access or to kick off the encryption process in a ransomware campaign. APT groups use OS binaries for tasks such as discovering AD users, groups, and permissions, discovering domain trusts, bypassing security controls, and elevating privileges. Ransomware campaigns have been seen using OS binaries and third-party tools to steal valid credentials, deploy additional payloads, and spawn data collection and exfiltration tasks.
Most Prevalent OS Binaries Q3 2022
1. Windows Command Shell/CMD (38%)
2. PowerShell (37%)
3. Schtasks (21%)
4. WMI/WMIC (18%)
5. Rundll32 (13%)
Throughout daily operations, we repeatedly see these OS binaries make their way through the attack lifecycle and will continue to report their abuses.
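The living-off-the-land chains described above (CMD spawning MSHTA, scheduled-task creation, WMIC process creation, PowerShell ingress tool transfer, Rundll32 loading from user-writable paths) can be hunted for directly in process-creation telemetry. The following is an added example, not Trellix code or part of the report; it assumes Sysmon-style fields (parent image, image, command line) and runs over constructed sample events.

```python
"""Added example (not Trellix code): tag Windows process-creation events for
living-off-the-land chains and rank the abused binaries, as in the table above."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """Sysmon-style process-creation record (assumed field shape)."""
    parent_image: str
    image: str
    command_line: str
    tags: list = field(default_factory=list)


def _name(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux.
    return ntpath.basename(path).lower()


# (tag, required parent binary or None, child binary, command-line regex or "")
RULES = [
    ("cmd-spawns-mshta", "cmd.exe", "mshta.exe", ""),
    ("schtasks-create", None, "schtasks.exe", r"(?i)/create\b"),
    ("wmic-process-create", None, "wmic.exe", r"(?i)\bprocess\s+call\s+create\b"),
    ("powershell-ingress", None, "powershell.exe",
     r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    ("rundll32-user-writable", None, "rundll32.exe",
     r"(?i)\\(temp|appdata|users\\public)\\"),
]


def tag_event(ev: ProcEvent) -> list:
    """Return every rule tag that matches one event (an event may hit several)."""
    hits = []
    for tag, parent, child, pattern in RULES:
        if _name(ev.image) != child:
            continue
        if parent is not None and _name(ev.parent_image) != parent:
            continue
        if pattern and not re.search(pattern, ev.command_line):
            continue
        hits.append(tag)
    return hits


def hunt(events):
    """Tag each event in place and return only the flagged ones."""
    flagged = []
    for ev in events:
        ev.tags = tag_event(ev)
        if ev.tags:
            flagged.append(ev)
    return flagged


def binary_prevalence(flagged) -> dict:
    """Share of flagged events per abused binary (integer percent)."""
    counts = Counter(_name(ev.image) for ev in flagged)
    total = sum(counts.values()) or 1
    return {b: round(100 * n / total) for b, n in counts.most_common()}


# Constructed sample events: two malicious chains and one benign action.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\Public\update.hta"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /sc daily /tn Backup /tr C:\Users\Public\run.bat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first two events and `binary_prevalence` then splits the hits evenly between mshta.exe and schtasks.exe.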
Third-party tools continue to be of interest to threat actors as they pursue the path of least resistance. Remote access tools are a great resource to threat actors; recently there has been an uptick in red team tools present in campaigns, and quite a few tools have been developed to avoid the detections that now come with long-used tools such as Cobalt Strike. When threat actors pair the third-party tools that system administrators and security practitioners may use with OS binaries, their arsenals grow without much effort. These tools can be used for the discovery of network assets, the collection and compression of data of interest, and exfiltration to the threat actor-controlled C2 server.
Top Third-Party Tools Q3 2022
1. Remote Access Tools (29%)
2. Red Team Tools (16%)
3. File Transfer (10%)
4. Network Discovery (9%)
5. AD Discovery (4%)
A recent addition to the third-party tools section includes a “Red Team Tools” segment which highlights the red team tools that we see threat actors abusing. These tools may include but are not limited to tools such as Cobalt Strike, BruteRatel, or the Sliver Implant. Over the past few years, the Trellix Advanced Research Center has continuously tracked the presence and abuse of the Cobalt Strike red team tool. Through our tracking we have identified a majority of Cobalt Strike C2 servers operating throughout Asia, Europe, and North America. Additionally, our threat hunting operations have allowed us to identify license types in use, aggregate the data and attribute the use to licensed, cracked, and stolen versions of Cobalt Strike and attribute their use to clusters of threat actors. Of those identified, just over 56% can be attributed to trial versions of the tool, 26% comes from licensing abused by the EvilCorp and Maze Groups, 17% of operations from licenses abused by UNC1878 (RYUK) with the remaining 1% originating from legitimate security firms, cracked versions and those abused by the REvil group.
Cobalt Strike was originally developed to be a red team tool that allowed security practitioners to emulate an attack scenario and perform tabletop exercises. Threat actors took notice of the tool’s capabilities and, just as hackers will be hackers, repurposed the tool for malicious intent. Cobalt Strike became popular amongst threat groups and soon became the go-to tool as cracked versions found their way into darkweb forums and trial versions into attacks. Development of detection capabilities made it harder to abuse the tool for both good and nefarious purposes. Other tools such as the Sliver Implant and BruteRatel were developed as alternatives to Cobalt Strike. They are appearing in campaigns, slowly being adopted by threat actors seeking tools with fewer detections to go unnoticed during an attack.
Cobalt Strike continues to be a popular tool of choice amongst threat actors when carrying out tasks from initial access to exfiltration. During the third quarter of 2022 the Trellix Advanced Research Center saw campaigns ranging from politically motivated threat groups to state-sponsored APTs make use of Cobalt Strike throughout the attack life cycle. The red team tool has also been identified in campaigns where “credential recovery,” infrastructure discovery, and exfiltration tasks were carried out prior to the encryption phase by standalone ransomware families as well as ransomware-as-a-service operators. The uptick in use of these third-party red team tools continues as they make their way into the threat landscape, and as such, it is important to include them in reports when they are present in the top third-party tools used for attacks.
The number of Q3 2022 events processed in the Insights platform in which ransomware was the final payload stood at just over 15 percent.
Ransomware events processed in the Insights platform track the threat actor and the tools they abuse. Nearly every ransomware event shows evidence of living off the land, which includes the abuse of OS binaries present on the system or of the third-party tools used by IT and InfoSec teams to carry out daily tasks. These tools may be abused for automation, task scheduling, privilege escalation, password “recovery”, and ingress tool transfer. Some of the campaigns may have contained more than one ransomware family, or the ransomware was yet to be identified as of these statistics. The families of ransomware we have listed represent those that have been reported by industry organizations as well as those that are tracked by the Trellix Advanced Research Center. Interestingly, among the several new and surviving ransomware families that continue to make headlines, our telemetry shows us that there are still families of ransomware, like Phobos, that continue to be active yet are less visible in public reports. Phobos is sold as a complete ransomware kit on the underground forums. The persons behind Phobos aren’t really driving infections and attacking large organizations; it is up to the Phobos buyer to deploy it. This is essentially the difference between a RaaS and selling a complete kit. It is still used quite a bit, as we detect many new versions. It is currently unknown to what extent Phobos is being updated and improved.
Alfred Alvarado
Sushant Arva
John Fokker
Lennard Galang
Tim Hux
Tim Polzer
Srini Seethapathy
Rohan Shah
Sal Vashisht
Leandro Velasco
To keep track of the latest and most impactful threats identified by the Trellix Advanced Research Center, view these resources:
The Trellix Advanced Research Center has the cybersecurity industry’s most comprehensive charter and is at the forefront of emerging methods, trends, and actors across the threat landscape. The premier partner of security operations teams across the globe, the Trellix Advanced Research Center provides intelligence and cutting-edge content to security analysts while powering our leading XDR platform.
Trellix is a global company redefining the future of cybersecurity and soulful work. The company’s open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. Trellix, along with an extensive partner ecosystem, accelerates technology innovation through machine learning and automation to empower over 40,000 business and government customers with living security.
This document and the information contained herein describe computer security research for educational purposes only and for the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability.
Trellix is a trademark or registered trademark of Musarubra US LLC or its affiliates in the US and other countries. Other names and brands may be claimed as the property of others.