Categories: Ransomware

Hackers Abuses SonicWall Zero-day to Deploy New Ransomware

The cybersecurity research team at FireEye has recently detected back to back three vulnerability in Sonicwall’s email security software.

In a regular analysis, the experts have again detected that a threat group, UNC2447, is financially very motivated is continuously exploiting SonicWall VPN zero-day (CVE-2021-20016) vulnerability.

According to the report from FireEye, this vulnerability is prior to a currently available patch and is continuously deploying the sophisticated ransomware.

The experts, after detecting the ransomware they named it as FiveHands and pronounced that this is quite similar to the malware that is designated as HelloKitty.

Surreptitious HelloKitty

However, the attack in which the threat actors have implemented FiveHands was initially detected in October 2020. As we said above that FiveHands is very similar to the HelloKitty malware.

HelloKitty was discovered as it has attacked video game development studio CD Projekt Red, it has encrypted the game system. 

Once the encryption is done, the threat actors have stolen the source code for Cyberpunk 2077, Gwent, Witcher 3, and not only this, but they also attacked an unreleased version of Witcher 3.

The attack rate of HelloKitty decreased as the use of the FiveHands attack increased. Rather than similar feature and functionality, both of them were also linked by Mandiant.

The specialists came to know about the link after a month of observing the FiveHands ransomware Tor chat using a HelloKitty favicon.

UNC2447 affiliates also deployed “Ragnar Locker”

The threat actors keep an eye upon their victims through the FiveHands ransomware; after that, the hackers violently applied pressure upon the victims with media attention threats.

The threat actors also offer victim data for sale on hacker forums, and according to the cybersecurity researchers, the UNC2447 associates have observed many sources so that they can easily implement Ragnar Locker ransomware activity.

However, the similarities of HelloKitty and FiveHands, are quite visible, but ransomware may be utilized by different groups via underground affiliate programs. 

Unlike, HelloKitty, FiveHands has improved ad worked on its predecessors by utilizing a new, memory-only dropper. Later, the threat actors have applied encryption to a larger array of file types.

Moreover, the zero-day has again being exploited by some other group named UNC2682 to backdoor systems. But, still, this group has used BEHINDER web shells to move safely through the victims’ networks and quickly gain access to the emails and all other files.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Fortinet Warns of Critical Vulnerabilitiy Allows Command Injection & File Read

Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two…

4 minutes ago

Critical Chrome Vulnerabilities lets Attackers Execute Arbitrary Code Remotely

Google has released a new security update on the Stable channel, bringing Chrome to version 131.0.6778.204/.205…

1 hour ago

CISA Released Secure Mobile Communication Best Practices – 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has released new best practice guidance to safeguard…

2 hours ago

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

19 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

19 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

20 hours ago