
Intelligence Summary

August 2, 2022
TLP:AMBER

Current intelligence picture: July 7, 2022, to July 20, 2022
Intel 471’s Intelligence Summary (INTSUM) collates the most prevalent threats and vulnerabilities observed in the cyber
underground during the reporting period. It endeavors to provide context and analytical assessment to activity deemed
significant by Intel 471's cyber threat intelligence (CTI) experts. This edition of the INTSUM covers activity observed from
July 7, 2022, to July 20, 2022, hereafter referred to as “the reporting period.”

Key points

● The Raccoon Stealer information stealer is being pushed by malware install services, including the botnet families Discoloader, PrivateLoader and/or SmokeLoader.
● A popular underground actor was highly active during the reporting period and victims included military and government entities. However, we assess offers from the actor’s group are more opportunistic than targeted.
● On July 20, 2022, the Red Hackers Alliance Russia aka RHA R hacktivist group announced the formation of a pro-Russian hacktivist alliance. It is possible the pro-Russian hacktivist group KillNet and its affiliated groups will seek to join forces with the alliance.

Uptick in malware offers, updates indicate increased demand

We observed an increase in updated malware product offers and installation services during the reporting period, possibly due to increased demand in the cyber underground. Information stealers and remote access trojans (RATs) were among the malware families cybercriminals upgraded during the reporting period.

Comment: Information-stealer malware is easy to obtain, spread and monetize because it does not require attachments, spam, penetration testers, lateral movement or exploits. Offering updated versions of these malware products ensures malware-as-a-service (MaaS) operators can remain competitive, build a brand and maintain a client base. Experienced and novice actors alike use information stealers, since they can be deployed in low-skill, low-effort spray-and-pray campaigns.

Assessment: Malware install services enable actors to disseminate malware to a large target set without the requirement of an effective delivery method. Consequently, a broad range of unsophisticated actors can leverage information stealers to turn a profit. Our research indicates Raccoon Stealer is being pushed by malware install services, including the botnet families Discoloader, PrivateLoader and/or SmokeLoader. The prevalence of these botnets indicates credential offers possibly will increase.

Additionally, Russia’s war in Ukraine, declining global stock markets and rising inflation contributed to a decline in cryptocurrency value.[1] This instability likely contributed to an uptick in malware attacks, shifting actors’ focus away from ransomware deployment. Actors may obtain direct access to financial accounts from which they can transfer funds to themselves, rather than requesting payment in highly volatile cryptocurrency.

Significant activity by a popular underground actor

During the reporting period a popular underground actor continued to promote a VIP subscription service that allowed subscribers to receive private content via email, which included combination lists, databases, exploits and a priv8 browser add-on. The actor also released exfiltrated data to a Telegram group. On July 13, 2022, we reported the actor recently offered compromised access credentials with administrative privileges to a system operated by a Spanish regional government. The credentials allegedly were obtained by leveraging an exploit for an undisclosed vulnerability impacting the Yii PHP (hypertext preprocessor) web-application framework, which allows a user to obtain unauthorized administrative access credentials due to a misconfiguration of the service.

© Intel 471 Inc. 2022 1

The actor previously posted to a Telegram channel offering to sell an exploit for an undisclosed vulnerability targeting
the Yii framework that allegedly impacted hundreds of entities in China, Germany, Indonesia, Latin America, Thailand,
the U.S. and other regions.

Comment: The actor is a long-standing member of the cyber underground and has operated using numerous handles.
The actor is a member and likely leader of an underground group, which primarily specializes in selling compromised
access and data.

Assessment: We assess the offers are more opportunistic than targeted, despite the group’s victims including military and government entities. The primary motivation of the group is financial gain, but we also observed it is ideologically motivated, including involvement in supporting Ukraine after Russia's invasion and supporting the Colombian people during the protests and strikes in April 2021. The group’s offers typically are legitimate; however, it frequently exaggerates the importance of its findings.

Pro-Russia hacktivism gains pace, Red Hackers Alliance formed

Russian-aligned hacktivism has continued to gain a foothold across the reporting period, targeting entities from countries perceived to oppose Russia’s war in Ukraine. This activity primarily focused on conducting distributed denial-of-service (DDoS) attacks against organizations spanning several industries and sectors.

KillNet

On July 13, 2022, and July 14, 2022, KillNet declared a shift in focus from Lithuania-based entities, which were targeted
due to a perceived trade blockade on the Russian-owned province of Kaliningrad, to Polish entities. On July 12, 2022, the
group claimed to have developed a new DDoS attack tool that possibly is an updated version of the Vera botnet. The
KillNet group previously claimed to use a new DDoS method against targets in the U.S. On July 9, 2022, the pro-Russian
hacktivist group KillNet dissolved its DDoS unit LEGION before declaring a second version of the unit would be created
before July 20, 2022. On July 8, 2022, KillNet launched a DDoS attack on the U.S. Congress.

Comment: Beginning in June 2022, the Vera botnet was commercialized as a publicly available version featuring five subscription levels depending on the buyer’s DDoS objectives. A former associate of KillNet advertised the DDoS-infrastructure-for-hire service on a Telegram channel following their departure from KillNet over strategic disagreements with the actor using the KillMilk handle about the group’s future. KillNet later claimed in early July 2022 to be using powerful new DDoS tools, which coincided with the release of the new version of the Vera DDoS bot.

Comment: The new LEGION unit eventually was announced outside the reporting period, on July 21, 2022, following a quieter period of activity. The resumption of activity saw KillNet declare its intent to commence attacks on the Western defense industry, beginning with the U.S. defense company Lockheed Martin Corp.

Assessment: It is possible the former KillNet member reconciled with KillNet members for the release of the new version of the Vera DDoS bot. The timing of the new version’s release coincided with KillNet’s claim of using a powerful new DDoS tool. On a technical level, the claim of the tool’s potency has not been reflected in an increase in activity or in the targeting of higher-profile entities.



Red Hackers Alliance

On July 20, 2022, the operator or operators of the @RHA_Red_Hackers_Alliance_Russia Telegram channel, allegedly
affiliated with the Red Hackers Alliance Russia aka RHA R hacktivist group, announced the formation of a pro-Russian
hacktivist alliance. Eight groups allegedly comprised this “union,” which intended to fight for the “cyber protection of
Russia and its citizens.” Other ideologically aligned groups also were invited to join the alliance.

Comment: Activity since the declaration of the new union included an alleged DDoS attack on a law enforcement agency
and a call for recruitment of penetration testers and software developers.

Assessment: There is a general sense that Russia-aligned hacktivism is gaining ground at present. It is possible KillNet
and its affiliated groups will seek to join forces with the alliance. Larger groups may enable pro-Russian hacktivists to
increase the scale of their DDoS attacks on Western entities. Equally, the alliance of groups could result in
disagreements regarding the targeting of foreign entities and how best to conduct DDoS attacks or other hacktivist
activity, as has already been seen in groups such as KillNet. Intel 471 will continue to monitor the new union and any
possible collaboration with other groups such as KillNet and its allies.

GIRs (General Intelligence Requirements)

1.1 Malware variants
1.1.3 Remote access trojan (RAT) malware
1.1.5 Information-stealer malware
1.1.6 Loader malware
1.1.7 Botnet malware
1.3 Malware development, support and delivery
1.3.3 Malware source code
1.3.4 Web-injects
1.3.5 Malware crypting
1.3.6 Counter antivirus (CAV)
5.1 Pre-attack tactics
5.1.2 Build capabilities
5.2.3 Persistence tactic
5.2.5 Defense evasion tactic
5.2.9 Collection tactic
5.5 Information compromise or disclosure tactics
5.5.6 Hacktivism
6.2 All geographic regions
6.2.4 Europe
6.2.4.28 Lithuania
6.2.4.38 Poland

Sources
[1] Crypto Crash Rattles Cybercriminals, Pushing Them Beyond Ransomware – CNET, https://www.cnet.com/personal-finance/crypto/crypto-crash-rattles-cybercriminals-pushing-them-beyond-ransomware/
