Weekly Threat Briefing: Feb 17 - Feb 21, 2025
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
#StopRansomware: Ghost Ransomware
Bottom Line: A joint advisory from the FBI, CISA, and MS-ISAC was released on Ghost ransomware. The report details updated Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) associated with Ghost Ransomware actors, based on recent investigations.
On February 19th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory detailing the latest developments concerning Ghost ransomware activity. The advisory includes updated Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) identified in investigations conducted in January 2025. The joint effort aims to provide mitigations to reduce the likelihood of Ghost ransomware incidents.
Ghost (aka Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) ransomware, operated by Chinese threat actors, began targeting outdated and unsecured internet-facing services in early 2021. This operation has impacted organizations including critical infrastructure, information technology, manufacturing, educational institutions, and multiple small- and medium-sized firms in more than 70 countries worldwide, including China.
Ghost operators are known to compromise internet-facing assets via known vulnerabilities that have not been patched. Some of the common vulnerabilities leveraged for initial access are CVE-2018-13379 in Fortinet FortiOS devices, CVE-2019-0604 in Microsoft SharePoint, CVE-2010-2861 and CVE-2009-3960 in Adobe ColdFusion, and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in Microsoft Exchange. Upon successful exploitation of vulnerable servers, the threat actors uploaded a malicious web shell to the compromised servers, which was then used to download the Cobalt Strike beacon malware.
For persistence, the attackers created new local and domain accounts and changed the passwords of existing ones. The attackers used Cobalt Strike functions to steal the SYSTEM user's tokens in order to gain elevated privileges. Open-source tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato were also used for privilege escalation. Hashdump and Mimikatz were used to dump credentials from victim devices.
Using Cobalt Strike, the threat actors identified the antivirus service running on the devices and disabled it to evade detection. Cobalt Strike was further used for domain account discovery, alongside open-source tools such as SharpShares for network share discovery and Ladon 911 and SharpNBTScan for remote system discovery. With this elevated access, Ghost operators moved laterally through the network, using Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on other victim devices.
Command-and-Control (C2) operations were executed using Cobalt Strike functions. Encryption on victim devices was carried out using payload files such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. However, Ghost threat actors did not prioritize data exfiltration. Various file extensions were noted for the different payload executables. The ransomware payloads cleared Windows Event logs and deleted system volume shadow copies. Throughout the attack lifecycle, the threat actors were observed relying heavily on the Cobalt Strike beacon.
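The post-exploitation steps described above (WMIC-driven remote PowerShell execution, event log clearing, and shadow copy deletion) map directly onto process-creation telemetry. The following is an added detection example, not code from the advisory or from eSentire; the sample events and the specific command-line patterns it keys on (WmiPrvSE.exe parentage, vssadmin, wevtutil) are assumptions about how those TTPs commonly appear, not details taken from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, shaped like Sysmon Event ID 1
# records. They are illustrative only, not data from the advisory.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},
    {"host": "ws01", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

# Each rule maps one TTP from the advisory to a predicate over an event.
# A WMIC "process call create" against a remote host shows up on that host
# as a child of WmiPrvSE.exe, which is what the first rule keys on.
RULES = {
    "wmi_spawned_powershell": lambda e: e["parent"].lower() == "wmiprvse.exe"
        and e["image"].lower() == "powershell.exe",
    "shadow_copy_deletion": lambda e: re.search(
        r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete)",
        e["cmdline"], re.I) is not None,
    "event_log_cleared": lambda e: re.search(
        r"(wevtutil(\.exe)?\s+cl\b|Clear-EventLog)", e["cmdline"], re.I) is not None,
}

def match_events(events):
    """Return [(host, rule_name)] for every event that trips a rule."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((e["host"], name))
    return hits

def hosts_to_escalate(hits, min_rules=2):
    """Hosts on which at least min_rules distinct TTPs fired. Remote PowerShell
    execution followed by anti-recovery and anti-forensic steps on the same
    host is far more indicative of a ransomware deployment than any single
    alert, so correlate before paging."""
    per_host = defaultdict(set)
    for host, rule in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for host, rule in hits:
        print(f"{host}: {rule}")
    print("escalate:", hosts_to_escalate(hits))
```

In production these predicates would run over live EDR or Sysmon data rather than an inline list, and the escalation threshold would be tuned against the environment's baseline of legitimate vssadmin and wevtutil use.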
From the FBI’s investigation it was observed that Ghost actors did not focus on any particular industry. When encountering a secure network, they would move on to a new target rather than attempting to find ways to infiltrate the network.
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the flaws mentioned in the report. eSentire MDR for Endpoint and MDR for Network have detections in place to identify activities associated with Ghost ransomware. eSentire's Threat Response Unit (TRU) is conducting threat hunts for the available IoCs.
Learn more in the full threat briefing here.
Darcula-suite 3.0 Phishing Kit
Bottom Line: A new phishing kit, tracked as Darcula Phishing Kit (V3) allows attackers to spoof any brand's website. With advanced customization features and anti-detection tools, the phishing kit can significantly enhance the scope and effectiveness of phishing attacks.
On February 20th, Netcraft researchers released a report on the new version of the Darcula Phishing Kit (V3), which allows users to spoof any brand's website. The new version of the platform enables criminals to create phishing campaigns with minimal technical skill. Since March 2024, Netcraft has detected and blocked over 90,000 new Darcula phishing domains and nearly 31,000 IP addresses.
The core innovation in Darcula-suite is its DIY phishing kit generation system. By using a simple user interface, a fraudster can generate a phishing kit for any brand. To build a Darcula-suite phishing kit, an attacker starts by inputting the legitimate brand’s URL into the platform, which automatically scrapes the HTML and assets needed for the phishing page using a Puppeteer-style browser automation tool.
Next, the attacker customizes the page by injecting phishing content, such as fake login forms or payment details, and selecting from various scam templates designed to capture sensitive data. They then restyle the form to closely match the brand's design, making the phishing attempt more convincing.
Afterward, the platform generates the separate pages that make up the lure: the address input form, the card details form, and the Two-Factor Authentication (2FA) code prompt. Finally, the phishing kit is packaged as a .cat-page bundle, ready for deployment via the admin panel.
The Darcula-suite comes equipped with improved admin dashboards. These dashboards allow attackers to monitor campaign success, manage stolen data, and track stolen credit card details. Scammers have the ability to customize phishing forms to steal credentials, payment details, and Multi-Factor Authentication (MFA) codes. The platform's Telegram integration provides real-time alerts when victims submit data.
The kit uses IP blocking to limit access from cybersecurity companies and user-agent blocking to stop automated scrapers, such as Google’s crawlers and other monitoring tools. Darcula-suite offers pre-made templates, such as fake password reset pages, credit card payment forms, and 2FA code entry prompts.
The tool also has the feature to convert stolen credit card data into virtual card images that can then be added to digital payment apps.
Phishing attempts may now appear more convincing due to the use of generative AI; classic red flags like urgent messaging or offers that seem overly attractive should raise concern. Organizations should ensure employees are aware of common phishing tactics and implement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on emerging threats.
Additionally, Darcula-suite provides fraudsters the ability to use and sell stolen financial information by creating images of the victim's credit card, which can be added to digital wallets or sold on the black market. Users are advised to frequently review their bank and credit card statements for any unauthorized transactions and enable MFA wherever possible.
eSentire MDR for Log has detections in place to identify risky sign-on activity common in phishing campaigns. eSentire MDR for Network detects activity associated with the Darcula phishing kit.
Learn more in the full threat briefing here.
Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Bottom Line: Russian-aligned threat actors are exploiting Signal Messenger's linked devices feature to intercept sensitive communications. Device linking is a legitimate feature on multiple platforms but can create risk as threat actor devices may be added for stealthy surveillance.
Researchers from Google’s Threat Intelligence Group (GTIG) have shared information on recent Russian state-sponsored APT activity that is targeting Signal Messenger accounts associated with individuals of interest to Russian intelligence services. Signal is a privacy focused open-source encrypted messaging service used for messaging, voice calls, and file sharing. The use of Signal to share sensitive communications has made it a high-value target for espionage focused threat actors.
The “most novel and widely used technique” observed in these attacks involves exploiting the legitimate Linked Devices feature. This feature allows Signal users to connect multiple devices to a single account. In observed attacks, threat actors established initial contact via phishing emails. The emails include a QR code posing as a Signal resource, such as a security alert, a group invite, or legitimate device-pairing instructions. Scanning the QR code links the victim's account to a threat actor-controlled device. This connection does not grant access to previously sent messages, but it allows real-time interception of all future messages.
GTIG has identified three Russia-associated APT groups employing similar tactics: UNC5792, UNC4221, and APT44 (Sandworm, Seashell Blizzard). UNC4221 went so far as to develop a custom Signal phishing kit to enable Signal account compromise at scale. To date, the reported activity has primarily impacted government and military communications related to the ongoing invasion of Ukraine.
Mobile device security is a critical part of modern-day cybersecurity. Sophisticated threat actors may choose to specifically target mobile devices and applications in an attempt to bypass other security controls. It is important for users to understand the potential risks of using personal devices for work-related tasks.
If employees are using personal devices, there is an increased risk that the compromise of these devices will lead to additional attacks against corporate environments. This has previously been observed in cases where users’ personal devices were compromised via information-stealer malware, and saved work credentials were then sold via Dark Web marketplaces.
The eSentire Threat Response Unit (TRU) continues to track this campaign, and other reports on Russian APT activity, for additional details and detection opportunities.
Learn more in the full threat briefing here.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.