• Shift in tactics: Sandworm Team, historically known for its disruptive cyber operations, has seen a staggering increase in detections by 1669%, with a proportional contribution variance of 40%. This monumental rise suggests an unprecedented escalation in their cyber activities from the Russia-linked group.

• Aggressive expansion of operations: APT29, a group with a history of extensive cyber espionage, showed a significant uptick in activity, with detections increasing by 124%. Similarly, APT34 and Covellite also demonstrated substantial increases in detections, by 97% and 85% respectively, indicating heightened operational tempos or the initiation of new campaigns.

• Homeostasis: In contrast, groups like Mustang Panda, Turla, and APT28 saw minimal changes in their activity levels, with Mustang Panda showing a slight decrease of -2% and Turla a modest increase of 3% in detections.

• New actors emerge: Noteworthy is the emergence of UNC4698, which saw a 363% increase in detections, suggesting the rise of a potentially significant new player in the APT landscape.

Lesser-known or unidentified groups, saw a 62% increase in detections, indicating a diverse and growing array of threats beyond the well-documented APT entities. This increase of 8% in their proportional contribution to the total detections highlights the constant evolution and diversification of cyber threats.

APT groups and countries of origin

China-linked threat groups remain the most prolific originator of APT activities

When looking at countries of origin, Trellix telemetry from October 2023 through March 2024 also observed notable shifts in the landscape of state-sponsored cyber activities.

• Substantial escalation in operations: Geopolitical motivations and cybersecurity capabilities are evolving across different nations. Our telemetry observed the following:

  • Russia-linked threat groups have shown a significant increase in APT detections, up by 31%, with its proportional contribution rising by 4%. This indicates a substantial escalation in cyber operations, possibly reflecting broader strategic objectives or responses to global cybersecurity dynamics.

  • Iran-linked threat groups have also markedly ramped up cyber activities, with an 8% increase in detections and a 3.89% rise in proportional contribution. This highlights a significant expansion in Iran’s cyber operations, in line with its geopolitical aims and involvement in the Israeli-Hamas war.

• Broader diversification: China remains the most prolific originator of APT activities, with detections slightly increasing by 1%. However, its proportional contribution to the overall detections has seen a slight decrease of -1%, which might suggest a broader diversification of APT origins during this period. February of this year also saw reports of significant efforts from China-backed APT Volt Typhoon targeting U.S. critical infrastructure; more on this in the following section.

• Shift in strategy: Conversely, groups linked to North Korea, Vietnam, and India have seen dramatic decreases in their APT activities, with North Korea-linked detections dropping by -82%, Vietnam by -80%, and India by -82%. The significant downturn in North Korea's proportional contribution (-6%) is particularly notable, possibly indicating a shift in focus, strategy, or capabilities.

• More countries emerging: Pakistan-linked and Belarus-linked groups have seen considerable increases in their APT activities, with detections up by 55% and an astonishing 2019%, respectively. These increases, particularly the exponential rise associated with Belarus, underscore the emergence of new or previously underrecognized actors in the APT arena.

  The category of "Other" shows a 121% increase in detections, indicating that APT activities are not limited to the most frequently cited countries. This diversity highlights the global nature of cyber threats and the necessity for a wide-ranging and adaptive cybersecurity posture.

We will be tracking these new patterns closely in the months ahead.

Countries and regions with APT associated detections

Turkey has seen an unprecedented surge in APT-related detections

This section focuses on the countries regions where Trellix detected APT related activity by APT groups from Q4 of 2023 through Q1 of 2024, revealing significant shifts in focus and strategy among these sophisticated cyber actors.

The Trellix Advanced Research Center assesses with a moderate level of confidence that the following factors impacted activity detected in certain countries and regions specific countries: 

• Operational objectives: Detections in threats targeting Turkey increased by a staggering 1458%, translating to a 16% rise in its proportional contribution to the total detections. This remarkable increase indicates a significant shift in cyber threat focus towards Turkey, possibly reflecting broader geopolitical tensions or specific operational objectives of the APT groups.

• Strategic importance: India and Italy have also experienced considerable increases in detections, with detections up by 614% and 308%, respectively. These countries’ rising prominence in the list of targets may point to their growing strategic importance in the cyber domain, whether due to economic, political, or technological factors.

• Broadening landscape: Interestingly, Vietnam and the United States, while still generating significant APT detections, have shown different trends. Vietnam's detections increased by 9%, yet its proportional contribution decreased by -9%, indicating a broadening of the targeting landscape. The United States saw a moderate increase of 15% in detections but experienced a -7% drop in its proportional contribution, suggesting a diversification in the targeting strategies of APT groups.

• Geopolitical developments: Germany, China, Papua New Guinea, and Brazil have all seen increases in detections, with Germany and China witnessing significant proportional contribution changes. This diversification in targeting reflects the strategic and opportunistic adjustments APT groups make in response to global cybersecurity postures and geopolitical developments.

• Enhancement of national security: Conversely, Indonesia experienced a notable decrease in detections by -48%, coupled with a -4% drop in its proportional contribution. This reduction might suggest a temporary deprioritization or a successful enhancement of national cybersecurity measures.

• Consolidation of focus: The "Other" category, representing a collective of various other countries generating significant APT detections, saw a -23% decrease in detections and a -21% decline in proportional contribution. This decrease highlights a possible consolidation of focus by APT groups on specific high-interest targets during this period.

We see potential for the landscape to continue changing rapidly due to geopolitical trends.

Malicious tools

The analysis of malicious tools used in APT campaigns from Q4 2023 to Q1 2024 reveals notable trends in the preferences and operational tactics of cyber threat actors. The variance in detection rates and their proportional contributions provides insights into the evolving cyber threat landscape and the shifting dynamics of tool usage among these sophisticated groups.

The following trends were observed:

• Offensive tools getting stronger: Cobalt Strike remains a tool of choice for many Threat groups, despite a 17% decrease in detections. Its relatively small decrease in proportional contribution variance (+1%) suggests it retains its popularity and effectiveness in cyber operations, underlining the challenge of defending against versatile and widely used offensive tools.

• Reliance on web shells, PowerShell and Remote Access attacks: China Chopper, PowerSploit, and Gh0st RAT also saw significant decreases in detections, by 23%, 24%, and 24%, respectively. Despite these decreases, their slight changes in proportional contribution variance indicate they remain integral to the toolkit of a threat actor. These tools, known for their capabilities in web shell attacks, PowerShell exploits, and remote access, highlight the continued reliance on proven, versatile tools for cyber operations.

• Less detectable tools: Empire, Derusbi, BADFLICK, JJdoor/Transporter, JumpKick, and MURKYTOP experienced similar downward trends in detections, all exceeding a 25% decrease. This uniform decline could reflect a broader shift in the tools preferred by threat groups or an adaptation to countermeasures and detection techniques, prompting a move towards newer, less detectable tools.

• Constant innovation: The category of "other" malicious tools saw a significant increase in detections, up by 30%, and a notable increase in its proportional contribution variance by 6.00%. This increase underscores the constant innovation and adaptation among threat actors, as they explore new tools and techniques to evade detection and achieve their objectives.

The evolving preferences in malicious tool usage signify the adaptive nature of cyber threat actors in response to cybersecurity developments.

The shift towards a broader range of tools, as indicated by the increase in "Other" detections, highlights the necessity for continuous research, threat intelligence, and adaptive defense strategies to mitigate the risk posed by these evolving cyber threats.

Non-malicious tools

The use of non-malicious tools in cyber operations by APT groups from Q4 2023 to Q1 2024 highlights an important aspect of modern cyber threats: the leveraging of legitimate system tools for malicious purposes. This practice, known as "living off the land," complicates detection efforts and underscores the sophistication of these threat actors. The statistics reveal significant variances in the usage of these tools, reflecting their strategic importance in cyber operations.

• Versatility: PowerShell has seen a dramatic increase in detections, up by 105%, with a proportional contribution variance of 1%. This surge underscores its versatility and power in automating a wide range of malicious activities, from reconnaissance to payload delivery.

• Focus on network manipulation: Netsh and IPRoyal Pawns have both seen significant increases in detections, by 99% and 102%, respectively. These tools are often used for network configuration and proxy traffic, indicating a strategic focus on network manipulation and evasion techniques.

• Automation to scale: Schtasks.exe has experienced the highest percentage variance among the tools listed, at 138%. This reflects the growing reliance on scheduled tasks for persistence and execution of malicious payloads without direct user intervention.

• Tactical shifts: Conversely, Rundll32 and WMIC have seen increases in their use but faced decreases in proportional contribution variances, indicating a shift in the tactical preferences of APT groups despite these tools' continued utility.

• Tool diversification: Cmd, the good old  command-line interpreter on Windows systems also experienced a substantial increase in usage, with detections up by 65%. Despite its increased use, its proportional contribution variance has decreased by -2.5%, suggesting a broader diversification in tool usage among APT groups.

  The "Other" category, representing a variety of less commonly used or more specialized tools, saw a 42% increase in detections. However, it experienced a significant decrease in proportional contribution variance (-21%), highlighting the expanding arsenal of tools at the disposal of cyber threat actors.

The evolving landscape of non-malicious tool usage by APT groups illustrates the complexity of detecting and defending against sophisticated cyber threats. The strategic selection and application of these tools reveal a deep understanding of the targeted environments and the efforts to remain undetected.

CISO TIP: Cybersecurity defenses must, therefore, advance beyond traditional malware detection to include behavioral analysis and anomaly detection to counteract the misuse of legitimate tools in cyber operations.

Data collected through the Trellix ATLAS global sensors, coupled with strategic Insights from industry vetted reporting, delivered by the Trellix Advanced Research Center allows our customers to identify threat actors targeting their respective sectors and use our behavioral analysis to detect anomalous behavior within their environment.

Conclusion

The analysis of Advanced Persistent Threat (APT) activities from Q4 2023 to Q1 2024 has illuminated the dynamic and increasingly complex nature of the cyber threat landscape. Our examination of the statistics related to APT group origins, targeted countries, malicious and non-malicious tool usage reveals several key trends that underscore the evolving strategies of cyber threat actors.

APT groups continue to demonstrate high degrees of

1. Adaptability and sophistication

2. Leveraging a mix of malicious tools

3. Exploiting legitimate system utilities to conduct espionage, disrupt operations, and steal sensitive information.

The significant variances observed in the targeting and operational tactics of these groups reflect not only their strategic objectives but also their response to global cybersecurity developments and defensive measures.

The dramatic shifts in targeting practices, with certain countries experiencing substantial increases in APT-related activities, highlight the geopolitical motivations driving these cyber operations. Similarly, the changes in tool usage, including the notable rise in "living off the land" tactics, emphasize the ongoing challenge of detecting and countering APT threats within a landscape where legitimate and malicious activities are increasingly intertwined.

Moreover, the diversification in APT origins and the broadening of their targeting strategies indicate a global proliferation of cyber capabilities and the need for a unified and collaborative approach to cybersecurity.

Tactics, techniques and procedures (TTPs)

Our detection data suggest that since returning to operations in mid-January 2024, Volt Typhoon has consistently leveraged a number of native Windows tools and functionality to execute commands for malicious reasons. These tools, known as living-off-the-land (LOTL) tools—which are dual-use tools that are legitimate software and functions available in the system—have become increasingly popular among China-based nation-state actor groups, including Volt Typhoon. Netsh.exe is one of these tools that can be used for various malicious purposes, such as disabling firewall settings or setting up a proxy tunnel to allow remote host access to an infected host. Ldifde is another tool leveraged by Volt Typhoon threat actors for information collection.

After gaining access to a domain controller, attackers may use Ldifde.exe to export sensitive data or perform authorized changes to the directory. Similarly, Volt Typhoon threat actors also use ntdsutil for malicious attempts. Ntdsutil is a legitimate tool that allows administrators to perform database maintenance; however, it can also be used to create a dump of the Active Directory to harvest credentials and exfiltrate sensitive data.

The Volt Typhoon threat actor continued to use open-source tools, such as FRP, Impacket, and Mimikatz, in their threat operations. Trellix telemetry also detected Volt Typhoon using the following LOTL tools and commands between February and March 2023:

• Comsvcs

• Dnscmd

• Ldifde

• MiniDump 

• Net

• Netsh

• NTDSUtil

• Reg

• ping

• Powershell

• PsExec

The top MITRE ATT&CK tools leveraged by Volt Typhoon observed in our telemetry are as follows:

• Initial Access – T1190: Exploit Public-Facing Application

• Execution – T1106: Native API

• Persistence – T1546: Event Triggered Execution

• Privilege Escalation - T1546: Event Triggered Execution

• Defense Evasion – T1070.001:  Clear Windows Event Logs

• Defense Evasion – T1070: File Deletion

• Defense Evasion – T1027: Obfuscate Files or Information

• Credential Access – T1003.003: NTDS

• Credential Access – T1003: OS Credential Dumping

• Credential Access – T1110: Brute Force

• Credential Access – T1555: Credentials from Password Stores

• Discovery – T1069.002: Domain Groups

• Discovery – T1069.001: Local Groups

• Discovery – T1083: File and Directory Discovery

• Discovery – T1057: Process Discovery

• Discovery – T1010: Application Window Discovery 

• Collection – T1560: Archive Collected Data

• Collection – T1560.001: Archive via Utility

• Command and Control – T1090.002: External Proxy

• Command and Control – T1105: Ingress Tool Transfer

• Command and Control – T1132: Data Encoding

Last year, our February report identified LockBit as the most aggressive with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018. Through 2023, LockBit consistently remained the most prevalent ransomware group with the largest number of victims posted on their name-and-shame site. They primarily targeted North American and European organizations across various sectors, impacting the Industrial Goods & Services sector the most. In 2023 LockBit kept continuously evolving and introducing new tools and methods to their ransomware program. Notable events include LockBit working on development of LockBit Green encryptor based on the leaked code of Conti ransomware as well as LockBit variants targeting MacOS. Furthermore, we witnessed LockBit RaaS offering in 2023 a new home for affiliates of other RaaS programs such as ALPHV and NoEscape whose operations got shut down.

In the aftermath of the disruptive actions, we witnessed LockBit frantically trying to save face and restore the lucrative operation. This was to be expected given the publicity of LockBit’s criminal activities, however in the cybercriminal underground, a server is easier restored than years of trust. It remains to be seen how much information law enforcement has obtained on LockBit’s operation, persona and its affiliates.

It became very clear after the law enforcement actions that it is a dog-eat-dog world amongst criminals. The Trellix Advanced Research Center observed other actors using the leaked LockBit Black version to impersonate the well-known brand for their own financial gain.

Imposters or not, the victims they made were real, all these events made the last two quarters definitely fit for a movie script.

A global look at ransomware

During our research into ransomware activity in the first quarter of 2024, we investigated multiple sources: leak sites, telemetry, and public reporting. A few words about each of the categories.

• Leak sites: These sites are designed to show proof of extorted victims who have not paid the demanded ransom, allowing for a look into the criminal gang’s activity. Additionally, it is important to note that the leak sites do not necessarily accurately reflect the landscape. Given that they are operated by criminals, not all statements are truthful nor correct. Further, if the gangs keep their word, the victims who pay the ransom are not listed, thus giving an incomplete picture. The data used in this report refers to overall trends from leak sites and does paint a meaningful picture.

• Telemetry: Telemetry is derived from the Trellix sensor ecosystem and detections denote when a file, URL, IP address, or other indicator is detected by one of our products and reported back to us. This is not to say that every detection is an infection, as customers test the detection of certain files to fine tune their internal rules, which also show up in the aggregated logging. As such, this data remains useful when looking at the bigger picture, as trends still show.

• Public reports: Reports from vendors and individuals have been processed by our Advanced Research Center to analyze features and distill trends. There is an inherent bias for each report, an example of which can be the dominant geographical presence of a vendor compared to another vendor. This difference might cause one reporting entity to report on something while another entity might report on something else. Given the variety of biases for the included reports, we do not apply a specific filter.

Active ransomware groups

When looking at the aggregated leak site posts from Q1 2024, many show signs of activity. On occasion, we see leak sites post general announcements, but the majority are “proof” of extortion or leaks of victim data. They’ll also often post one victim multiple times which can cause inflation due to a victim being counted more than once in data.

Targeted countries and regions

Building on the continuous activity of ransomware gangs, we can see ransomware detections within Trellix telemetry. The United States generates the most detections, followed by Turkey, Hong Kong, India and Brazil.

Given that ransomware is a threat for all sectors in nearly every geography, the detection metrics make sense with respect to the population of customers.

In the quarter prior, telemetry looks rather similar, barring the increase of detections in India and China. We have no indication that there was a specific campaign against these regions and suspect malware testing was done and caused a higher number of detections in said regions.

Targeted sectors

The aggregation of global telemetry per sector shows that half of the detections come from the transportation and shipping industry, and just over a quarter comes from the financial services. These two sectors make up more than 72% of all detections, which is logical: the availability of their services is of the utmost importance. If a transportation company cannot move goods around due to a ransomware attack, their operational process cannot continue, causing a huge financial burden. Likewise, the financial industry is built on trust, while the leakage of sensitive data and/or downtime of the company due to a ransomware attack, hurts financial companies in their core.

In the last quarter of 2023, the top targeted sectors were slightly different, albeit without differences in the top two sectors. Those two were responsible for an even larger share, totalling at a combined 78% of all detections for the given period. The technology and healthcare sectors decreased in the first quarter of 2024, compared to the prior quarter, but the difference itself cannot be attributed to one or more specific events.

Tools and techniques

The last of the three mentioned sources are public reports. Based on the collected reports, MITRE techniques, associated tools, and command lines can be distilled.

CISO TIP: These can be used by organization blue teams from a detection perspective: by focusing on the most used techniques  and tools, multiple types of attacks from different actors can be mitigated, starting by the most effective. Additionally, red and purple teaming exercises can focus on these techniques to test what detection measures are in-place.

This table shows the most frequent techniques, listed in descending order.

Given ransomware’s objective, the data encryption and file and directory discovery techniques unsurprisingly rank at the very top. When comparing these techniques with the most prevalent techniques from the fourth quarter of 2023, one will notice that most of the top techniques in the list are similar, although their specific place might differ.

Much like in the above section on APTs, attackers continue to leverage legitimate tools for crime. The used tools influence the observed techniques, as a tool is a means to an end, which is a technique in this case. For example, PowerShell and the Windows Command Shell are often used to execute additional commands on the system, such as the removal of the shadow copies, which is the main contributor to the “Inhibit System Recovery “ Technique. This is also the reason as to why they are the top used tools, as shown in the image below.

The usage of VSSAdmin, BCDEdit, and wevutil are signs that the ransomware is ensuring the victim’s system cannot recover to a normal state, as it would be in prior to the attack. The usage of reg shows the changes to the registry, which can be done for a variety of reasons. Malware often uses the registry for persistence, but ransomware isn’t keen on persistence, as it has no purpose once the encryption finishes. Instead, it can alter other settings, to allow certain actions which normally wouldn’t be possible. Rundll32 is often used to either load and run a dynamic link library, but often it is also the target of process injection.

Much like the quarter prior to the one above, PowerShell and the command prompt top the list for the exact same reason. VSSAdmin and BCDEdit are present as well, though the Windows Event Util (wevtutil) is not present in the top tools list. Given the few occurrences of all mentioned tools, with the highest frequency being 13 in either of the quarters, it is no surprise that not all campaigns use the same tools. A small deviation can lead to the exclusion of such tools.

January campaign using Spyboy’s EDR Terminator tool

One common technique is by exploiting vulnerable drivers to achieve privileged code execution is referred to as a Bring Your Own Vulnerable Driver (BYOVD) attack.

An example of this method is the EDR “Terminator” tool that was offered by a threat actor called Spyboy. The Terminator tool leverages a legitimate but vulnerable Windows driver belonging to the Zemana anti-malware tool to execute arbitrary code from within the Windows Kernel likely exploiting CVE-2021-31728. Terminator appeared online in mid-2023 and Trellix issued a detailed knowledge base article around product coverage which can be found here.

From January 11 - 17, 2024, the Trellix Advanced Research Center noticed an unusual set of detections of Spyboy’s Terminator in Trellix telemetry – a new campaign. This Terminator campaign spiked for three days during the six day period and was detected multiple times at a single government organization, a national utilities company and a satellite communications company. Given the specific targets Trellix assesses with a high level of confidence that the attack was related to the Russian-Ukrainian conflict.

Top 3 sectors targeted in January EDR termination attack:

More EDR killers observed

Earlier in 2023, a tool with a similar purpose was described by Sophos – AuKill. It also used a vulnerable driver it brought (BYOVD). The drivers used in the EDR Terminator  and AuKill cases are different, but both are benign drivers. In contrast, some campaigns in 2022 saw similar tooling use custom malicious drivers which were loaded.

Abusing benign drivers for such a purpose makes it harder to detect such attacks, and coincides with the aforementioned LOLBin usage. Although a binary and a driver differ technically, the intent and motive are similar, if not identical. The HermeticWiper from 2022 also comes to mind with regards to using a benign driver. In that case, the driver was used to wipe a machine, rather than disabling the antivirus. A further overlap with the usage of the EDR Terminator mentioned above, and the attribution of the HermeticWiper, is the usage by a pro-Russian actor.

We’ve also seen an example of the Discord CDN being used for malware distribution at one of our LATAM customers. Our team has observed Discord continue to be used in malware attacks in this way.

CISO TIP: It is absolutely essential every SOC is monitoring their EDR closely. Alert and logging needs to be set up so if EDR tools are turned off, the SOC is notified immediately and appropriate action can be taken. Shutting down of EDR tools can be an indicator of tampering, and moving quickly is critical to limiting an attacker's access to your network. It is also critically important to use a defense-in-depth strategy, allowing other tools like your Network Detection and Response (NDR) platform to detect potential incidents. and moving quickly is critical to limit the access an attacker gets to your network.

Taxation phishing

In the context of taxation, phishing attacks are particularly concerning. Scammers pose as government agencies, tax authorities, or reputable tax preparation services to trick individuals into divulging personal information. They may claim that you owe back taxes, have unfiled returns, or are eligible for a tax refund. Their ultimate goal is to obtain your Social Security number, bank account details, or other valuable data. The email contains links that appear to lead to official government or tax service websites but instead redirect you to fraudulent sites designed to steal data.

Trellix also observed a surge in such emails pretending to be from the Australian Tax Authority in the first quarter of 2024 and successfully detected them.

Below is one sample from the campaign where we see clearly that attackers are creating urgency to click the link relating to taxation refund.

On January 31, 2024, xatab offered $2,000 for their ‘ChatGPT in Jabber’ project on the XSS forum. Based on the recent XSS complaint raised by an actor germans who built the requested bot and got ignored by xatab at first, it seems that germans agreed to develop the ChatGPT bot in Jabber for $1500. The bot was created for both Exploit forum (@exploit[.]im) and XSS (@thesecure[.]biz) Jabber servers and xatab posted it on both Exploit and XSS darknet forums supposedly to test it and get feedback from the forum members. The bot may be based on the xmppgpt project.

The xatab actor has multiple posts on Exploit/XSS forums where they advise they are an APT team (known in certain circles experienced pentesters) interested in hiring a broker of corp accesses of US/UK/Canada/Australia organizations for fruitful cooperation. They offered 20% of the revenue share for every access and they deposited one BTC to both Exploit and XSS forums to show their intention/seriousness of their offer.

By providing free ChatGPT 4.0 to cybercriminal community xatab is achieving two things:

1. Serving  facilitator and enabler who is eager to help threat actors to innovate and adopt GenAI in their operations

2. Attempt to create a GenAI knowledge base/pool to learn from other cyber criminals or even steal their innovative ideas and tools

Trellix has tested the “ChatGPT in Jabber” project as per the given instructions and it seems to work as advised by the threat actor.

GenAI adoption in InfoStealers

On February 21, 2024 our researchers observed a threat actor MetaStealer advertising a new, revamped version of MetaStealer on XSS forum. MetaStealer is an infostealer which first appeared in 2021 and is believed to be a spinoff of well-known infostealer Redline. There have been multiple versions of MetaStealer seen in the wild, however the recent version spotted by Trellix has a GenAI-based feature to further avoid detection.

In the below screenshot, the orange text under 35) translates as “Generation of unique signatures for every build, AI is used here, the build remains clear (or undetected) for a longer time,” suggesting the developers of MetaStealer embedded a new GenAI based feature into their stealer which allows them to create unique builds of MetaStealer to evade detection and stay under the radar of AV/EDR systems for a longer period of time than before.

Another example is a well-established infostealer called LummaStealer. Since August 2023, we’ve observed the LummaStealer team testing an AI-based feature which enables their infostealer users to detect bots among the list of logs. The AI-based system embedded into LummaStealer is potentially a custom neural network which is trained to detect if a suspicious user log is a bot or not. LummaStealer uses a label AI!Bot.<number> to categorize the detected log as a bot, where <number> seems to be in a range of 0-100, representing the bot detection certainly:

LummaStealer advised its users the neural network was still being trained and it will take some time for it to improve the detection accuracy. Moreover, in January 2024, LummaStealer advised the GenAI based feature by default is disabled as it slows down the work of the LummaStealer panel.

‘Telegram Pro Poster’ bot project

In early March 2024 Trellix observed a threat actor pepe posting their “Telegram Pro Poster’ project on the XSS forum as a part of an underground competition of malicious tools/software. Telegram Pro Poster is a bot for “deep automation of Telegram posts.” This Python-based bot allows users to manage multiple (unlimited amount of) Telegram channels in an autonomous way by automatically copying the posts from “donor” Telegram channels into the target channels. Amongst numerous post filtering features, this bot has two GenAI embedded features for translating telegram messages and paraphrasing a given post using ChatGPT.

Trellix has obtained the source code of the Telegram Pro Poster and identified the following pieces of code which are responsible for translating copied posts from the donor channels via ChatGPT API into eight following languages prior to sending it to the target Telegram channels:

The second feature called “unique-alization” by default is disabled, however when it is turned on, it uses OPEN_AI_KEY to request ChatGPT to paraphrase the given text into a desired language and optionally add an emoji.

The XSS community of cybercriminals are already sharing their positive feedback on the “Telegram Pro Poster project” saying it is an interesting project and in competent hands this tool will certainly be useful. Another threat actor advised in the XSS forum thread that they are seeing this bot already being adopted in practice by various Telegram channels.

Afterword

The race is on

Operational threat intelligence provides insights into the nature, intent, and timing of specific cyber threats. It's more detailed and contextual than tactical intelligence, including information about threat actors' tactics, techniques, and procedures (TTPs).

Organizations can use operational intelligence to understand the broader context of cyber attacks, such as the motivations behind them or the methods used, helping security teams anticipate and prepare for specific types of attacks.

In my work with customers, I know that the most important objective of every CISO is to limit risk to their organization. Applying operational threat intelligence is a tangible way to limit that risk as it allows CISOs and their SecOps teams to look ahead and get their footing. It empowers them to identify gaps in their security measures across their entire surface of the organization and get in the minds of their opponents, looking to knock them off track.

We share our threat intelligence to give you a solid, fact-based platform supporting some of the most important decisions you’ll make. Our purpose is to help you substantially improve your cyber defense and beat attackers to the next leg of the race - however you choose to.

Let’s go!

Ashok Banerjee
Chief Technologist, Trellix