Before being implicated in Warlock ransomware attacks exploiting the Microsoft SharePoint zero-day flaws dubbed "ToolShell", China-backed hacking group Storm-2603 has targeted organizations across Latin America with intrusions involving the AK47 C2 command-and-control infrastructure, The Hacker News reports.
Storm-2603 has used multiple open-source and built-in Windows utilities, alongside a custom backdoor that is part of the AK47 C2 framework, to achieve initial compromise and data theft, according to an analysis from Check Point Research. AK47 C2 has also been used to deliver the 7z.exe and 7z.dll payloads, which launch the Warlock ransomware, as well as the bbb.msi installer, which triggers the LockBit Black ransomware. "Storm-2603 leverages BYOVD techniques to disable endpoint defenses and DLL hijacking to deploy multiple ransomware families, blurring the lines between APT and criminal ransomware operations," said Check Point researchers, who noted that the operation's reliance on open-source tooling is in line with the growing prevalence of hybrid tactics in cyberattacks.