
Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing off access to double extortion ransomware gangs like Cactus.
The IAB has been assessed with medium confidence to be a financially motivated threat actor that scans for vulnerable systems and deploys a custom malware called LAGTOY (aka HOLERUN).
"LAGTOY can be used to create reverse shells and execute commands on infected endpoints," said Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White.
The malware was first documented by Google-owned Mandiant in late March 2023, which attributed it to a threat actor it tracks as UNC961. The activity cluster is also known by other names such as Gold Melody and Prophet Spider.
The threat actor has been observed leveraging a large arsenal of known security flaws in internet-facing applications to obtain initial access, followed by reconnaissance, credential harvesting, and LAGTOY deployment within a week.
The attackers also opened SSH connections to a remote host to download a forensic tool called Magnet RAM Capture, which was used to take a memory dump of the machine in a likely attempt to harvest the victim's credentials.
LAGTOY is designed to contact a hard-coded command-and-control (C2) server to retrieve commands for subsequent execution on the endpoint. It can be used to create processes and run commands under specified users with the corresponding privileges.
The malware is also equipped to process three commands from the C2 server, with a sleep interval of 11000 milliseconds between them.
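A fixed sleep between C2 interactions is the kind of detail a defender can turn into a hunt. The following Python script is an added example, not code from the article or from Cisco Talos: it assumes that each command fetch produces a separate outbound connection, so the 11-second sleep would appear in firewall or NetFlow records as a near-constant interval between connections from one host to one destination, and it flags such (host, destination) pairs. The flow records, host names, and destination IPs below are constructed; the interval, tolerance, and jitter thresholds are assumptions to tune against your own telemetry.

```python
"""Flag hosts whose outbound connections to one destination recur at a fixed cadence.

Added example, not part of the article and not Cisco Talos code. The article
states that LAGTOY sleeps 11000 ms between the commands it fetches from its
C2 server; if each fetch is a separate connection, that sleep shows up as a
regular inter-connection interval. All flow records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "<timestamp> <source host> <destination ip:port>".
# ws-17 -> 203.0.113.5 is a regular ~11 s cadence; the other series are not.
SAMPLE_FLOWS = """\
2025-04-01T10:00:00 ws-17 203.0.113.5:443
2025-04-01T10:00:11 ws-17 203.0.113.5:443
2025-04-01T10:00:22 ws-17 203.0.113.5:443
2025-04-01T10:00:33 ws-17 203.0.113.5:443
2025-04-01T10:00:44 ws-17 203.0.113.5:443
2025-04-01T10:00:03 ws-17 198.51.100.20:443
2025-04-01T10:00:41 ws-17 198.51.100.20:443
2025-04-01T10:01:09 ws-17 198.51.100.20:443
2025-04-01T10:00:05 ws-22 203.0.113.5:443
"""


def parse_flows(text):
    """Group flow lines into (host, dest) -> sorted list of timestamps."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        series[(host, dest)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def cadence_score(timestamps):
    """Return (mean gap in seconds, jitter ratio), or None if too few samples.

    Jitter ratio is the population standard deviation of the gaps divided by
    their mean; a value near 0 means the connections are evenly spaced.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, expected_interval_s=11.0, tolerance_s=2.0, max_jitter=0.2):
    """Return [(host, dest, mean_interval)] for series matching the expected cadence."""
    hits = []
    for (host, dest), timestamps in parse_flows(text).items():
        score = cadence_score(timestamps)
        if score is None:
            continue
        avg, jitter = score
        if abs(avg - expected_interval_s) <= tolerance_s and jitter <= max_jitter:
            hits.append((host, dest, round(avg, 2)))
    return hits


if __name__ == "__main__":
    for host, dest, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {host} -> {dest} every ~{interval}s")
```

On real data the cadence is rarely this clean: implants add jitter, and a long-lived connection may carry several commands without reconnecting, so treat a hit as a lead to pivot on (process ancestry, destination reputation, the commands seen on the endpoint) rather than as a verdict on its own.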
"After a lull in activity of about three weeks, we observed the Cactus ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker," Talos said.
"Based on the relatively short dwell time, the lack of data theft, and the subsequent handover to Cactus, it is unlikely that ToyMaker had any espionage-inspired ambitions or goals."
In an incident analyzed by Talos, Cactus ransomware affiliates are said to have conducted their own reconnaissance and persistence activities before data exfiltration and encryption. They were also observed establishing long-term access in several ways, using OpenSSH, AnyDesk, and eHorus agents.
"ToyMaker is a financially motivated initial access broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment," the company said.