Malicious programmers are turning to code that attacks multiple operating systems, and, thanks to vulnerability disclosures, can create more ‘1-day exploits’

This year, a new cyber trend was discovered: ransomware groups began making prolific use of cross-platform capabilities to attack as many types of systems as possible, by adapting their malware code to several operating systems.

Threat groups such as Luna or BlackCat are using multi-platform programming languages such as Rust or Golang to achieve their heinous aims.

Now, the latest findings by Kaspersky threat researchers show that ransomware groups do not always need to use cross-platform languages even if they want to target multiplatform systems. One group, RedAlert, employs malware written in plain C—as detected in a Linux malware sample that does not explicitly attack ESXi environments. Another unique characteristic of the group is that they accept ransoms only in Monero cryptocurrency—making the money harder to trace and problematic for victims living in places where the cryptocurrency is not readily accessible.

Similarly, the Monster ransomware group, detected in July 2022 in attacks on users in Singapore, Indonesia and Bolivia, uses Delphi, a general-purpose rapid application development programming language that runs on different systems. What makes this group especially peculiar is that it has a component never before seen implemented by ransomware groups: a graphical user interface, enabled through an optional command-line parameter.

Figure: what the optional graphical interface of a typical Monster malware sample looks like

A trend to prey on patches
Another new approach spotted in the wild is that of the ‘1-day exploit’ for Windows 7 to Windows 11 systems.

The term ‘1-day exploit’ usually refers to threat groups jumping on a publicly disclosed vulnerability, such as CVE-2022-24521 (which allows an attacker to gain system privileges on infected devices), and spending just one day (or any short time window) reverse-engineering it into an exploit that works against systems where the software patch has not yet been applied. Since many organizations cannot patch their systems instantly, or even in the proper manner, they will still be vulnerable to the CVE; in fact, more so, because the public disclosure has given threat groups a new window of attack opportunity.

In the case of CVE-2022-24521, disclosed in April 2022, threat groups took just two weeks after disclosure to develop two exploits, both of which support a variety of Windows versions. This usually indicates that the attackers are aiming at commercial organizations. Also, both exploits share many of the same debug messages.
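The point of the two paragraphs above is a timing gap: a vulnerability is disclosed, an exploit appears a short time later, and every host that is still unpatched at that moment sits inside the attackers' window. The following script, added here as an illustration and not code from the article or from Kaspersky, turns that idea into a small patch-exposure tracker. It assumes a constructed inventory in CSV form (hostnames, operating systems and patch dates are made up), takes the disclosure date of CVE-2022-24521 to be 12 April 2022 and the exploit-availability date to be two weeks later as the article states, and then reports, per host, how many days it was exposed, whether it was still unpatched when the exploit appeared, and whether a patching SLA (14 days by assumption) was breached.

```python
"""Patch-exposure tracker for a disclosed vulnerability.

Added example, not code from the article. All inventory data is constructed;
the disclosure day and the 14-day SLA are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Timeline described in the article: disclosure in April 2022, exploits
# observed about two weeks later. The exact day is an assumption.
DISCLOSURE = date(2022, 4, 12)
EXPLOIT_SEEN = DISCLOSURE + timedelta(days=14)
REPORT_DATE = date(2022, 5, 10)      # "today" for the report (assumed)
SLA_DAYS = 14                        # assumed patching SLA

# Constructed inventory: hostname,os,patched_on (ISO date, empty = unpatched)
INVENTORY = """\
hostname,os,patched_on
dc01,Windows Server 2019,2022-04-14
ws-finance-07,Windows 10,2022-05-03
ws-legacy-02,Windows 7,
"""


@dataclass
class Host:
    name: str
    os: str
    patched_on: Optional[date]       # None means the patch is still missing


def parse_inventory(text: str) -> List[Host]:
    """Parse the CSV inventory, tolerating an empty patch date."""
    hosts = []
    for line in text.strip().splitlines()[1:]:   # skip header row
        name, os_name, patched = [f.strip() for f in line.split(",")]
        patched_on = date.fromisoformat(patched) if patched else None
        hosts.append(Host(name, os_name, patched_on))
    return hosts


def exposure_days(host: Host, today: date = REPORT_DATE) -> int:
    """Days from disclosure until the host was patched (or until today)."""
    end = host.patched_on or today
    return max((end - DISCLOSURE).days, 0)


def exposed_to_exploit(host: Host) -> bool:
    """True if the host was still unpatched on the day the exploit appeared."""
    return host.patched_on is None or host.patched_on > EXPLOIT_SEEN


def assess(hosts: List[Host], today: date = REPORT_DATE,
           sla_days: int = SLA_DAYS) -> List[dict]:
    """Build one report row per host."""
    rows = []
    for h in hosts:
        days = exposure_days(h, today)
        rows.append({
            "host": h.name,
            "os": h.os,
            "exposure_days": days,
            "exposed_to_exploit": exposed_to_exploit(h),
            "sla_breached": days > sla_days,
        })
    return rows


if __name__ == "__main__":
    for row in assess(parse_inventory(INVENTORY)):
        print(row)
```

Run against the constructed inventory, the domain controller patched two days after disclosure is never exposed to the exploit, the finance workstation patched on 3 May was unpatched for a week after the exploit appeared, and the Windows 7 host is still exposed on the report date. The same structure works with a real inventory export if the disclosure date and patch dates come from your own tracking system.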

No further data could reveal what the cybercriminals were trying to achieve, but according to Senior Security Researcher Jornt van der Wiel of Kaspersky's Global Research and Analysis Team: “These days cybercriminals have learned to adjust their malicious code written in plain programming languages for joint attacks. Also, we draw attention to the importance of constant reviewing and vulnerability updating policies that are applied by organizations.”