v5.11.0

Latest
@patel-bhavin patel-bhavin released this 06 Aug 17:42
· 60 commits to develop since this release
97950fe

Key highlights

  • 🔐 Interlock Ransomware & NaiLaoLocker: Interlock Ransomware exhibits unexpected file encryption patterns, such as anomalous PowerShell or CMD processes spawned from Office apps, together with large-scale file renaming. NaiLaoLocker employs multi-threaded AES-256-CBC encryption with SM2 key wrapping, is loaded via DLL side-loading, and creates a mutex to evade re-execution. We mapped all existing detections to both malware families and updated the ransomware extensions and notes lookup files.
  • 🐀 Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data; we mapped existing detections to this RAT to surface indicators like anomalous network beaconing, persistence artifacts, and credential-theft behaviors.
  • Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group using SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access tools (e.g., TeamViewer, AnyDesk, Ngrok) for data theft and ransomware deployment; we mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.
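The two Interlock Ransomware signals named above (an Office application spawning PowerShell or CMD, and a single process renaming many files in a short window to a ransomware extension) can be illustrated with a small stand-alone detector. The following Python is an added example written for this page, not Splunk's own analytic content or SPL; the process and rename events are constructed, the Office/shell process names, the `.interlock`/`.locked` extension lookup, and the 50-renames-in-5-minutes threshold are assumptions chosen for the demonstration, and the lookup stands in for the ransomware extensions lookup file the release mentions.

```python
"""Toy detection logic for two ransomware behaviours described in the release notes:
  1. an Office process spawning a command shell (PowerShell / CMD);
  2. one process renaming many files within a short time window.
Added example; events, names and thresholds are constructed for illustration.
"""
import ntpath                       # handles Windows-style paths on any OS
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process-name sets (lower-case basenames).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed stand-in for a ransomware-extension lookup table.
RANSOM_EXTENSIONS = {".interlock", ".locked"}

# Assumed tuning: alert when one process renames >= 50 files inside 5 minutes.
RENAME_THRESHOLD = 50
RENAME_WINDOW = timedelta(minutes=5)

# Constructed process-creation events (parent image -> child image).
PROCESS_EVENTS = [
    {"ts": "2025-08-06T10:00:01", "host": "ws01", "pid": 4120,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2025-08-06T10:00:03", "host": "ws01", "pid": 4200,
     "parent": r"C:\Windows\explorer.exe",                 # benign: user-launched shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2025-08-06T10:01:10", "host": "ws02", "pid": 5010,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def _constructed_rename_events():
    """Build rename events: 60 rapid renames by pid 4120 and 3 slow, benign ones."""
    base = datetime(2025, 8, 6, 10, 0, 5)
    events = []
    for i in range(60):                                   # one rename every 2 s
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        old = rf"C:\Users\alice\Documents\report{i}.docx"
        events.append({"ts": ts, "host": "ws01", "pid": 4120,
                       "old": old, "new": old + ".interlock"})
    for i in range(3):                                    # log rotation look-alike
        ts = (base + timedelta(minutes=i)).isoformat()
        old = rf"C:\ProgramData\app\log{i}.log"
        events.append({"ts": ts, "host": "ws01", "pid": 900,
                       "old": old, "new": old + ".bak"})
    return events


RENAME_EVENTS = _constructed_rename_events()


def detect_office_spawned_shell(events):
    """Return one alert per process-creation event whose parent is an Office app
    and whose child is a command shell."""
    alerts = []
    for e in events:
        parent = ntpath.basename(e["parent"]).lower()
        child = ntpath.basename(e["image"]).lower()
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                           "parent": parent, "image": child})
    return alerts


def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Sliding-window count of renames per (host, pid); alert on the busiest
    window that reaches the threshold and report the extensions it produced."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        best_count, best_range, start = 0, (0, 0), 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:     # shrink window from the left
                start += 1
            if end - start + 1 > best_count:
                best_count, best_range = end - start + 1, (start, end)
        if best_count >= threshold:
            s, t = best_range
            exts = {ntpath.splitext(e["new"])[1].lower() for e in evs[s:t + 1]}
            alerts.append({"host": host, "pid": pid,
                           "renames_in_window": best_count,
                           "new_extensions": sorted(exts),
                           "known_ransomware_extension": bool(exts & RANSOM_EXTENSIONS)})
    return alerts


def run_all():
    """Run both detectors over the constructed events."""
    return {"office_shell": detect_office_spawned_shell(PROCESS_EVENTS),
            "mass_rename": detect_mass_rename(RENAME_EVENTS)}


if __name__ == "__main__":
    for name, found in run_all().items():
        print(name)
        for a in found:
            print("  ", a)
```

The rename detector reports the densest window rather than the first window that crosses the threshold, so the alert carries the full count (60 here) and the set of extensions written, which is what an analyst would pivot on when comparing against the extensions lookup; the benign `explorer.exe` shell launch and the slow `.bak` renames produce no alerts.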

New Analytic Stories - [4]

New Analytics - [2]

Updated Analytics - [3]