Main highlights
- IntensePredator has emerged as a notable ransomware menace, focusing specifically on Taiwanese entities, primarily within healthcare, academia, and industrial domains. Breaches in these crucial sectors might disrupt the provision of essential services.
- IntensePredator utilizes advanced tactics, notably employing the Bring Your Own Vulnerable Driver (BYOVD) technique, enabling them to effectively bypass security safeguards.
- The group has expanded its arsenal by integrating open-source tools from GitHub, including the Prince Ransomware Builder and ZammoCide, to enhance their operational capabilities further.
- Approximately 80% of IntensePredator’s toolkit comprises open-source resources. It is crucial to monitor and secure these assets to prevent their malicious exploitation.
- Trend Vision One™ identifies and blocks the malicious elements utilized in the IntensePredator campaign. Trend Vision One customers have access to hunting queries, threat insights, and intelligence reports for a comprehensive understanding of the latest IntensePredator IoCs. Refer to the security tips below for additional best practices.
IntensePredator has swiftly become a significant ransomware threat. The group entered the scene last month with the unveiling of their data leak site, showcasing ten victims – all based in Taiwan. We have closely monitored some of their activities internally since the beginning of January and have observed a clear pattern of targeting organizations specifically in Taiwan. The group’s victims mainly include hospitals, educational institutions, manufacturing firms, and industrial entities, indicating a deliberate focus on organizations with valuable data and sensitive operations.
This report delves into the strategies, methods, and procedures adopted by IntensePredator. It emphasizes the utilization of Bring Your Own Vulnerable Driver (BYOVD) and open-source tools available on the GitHub platform, such as the Prince ransomware builder. Recent discoveries indicate the expansion of IntensePredator’s toolkit, modifications to their initial tools, and enhanced capabilities.
During our internal telemetry analysis, we encountered malicious artifacts comprising intriguing items including a hacking tool leveraging Group Policy Object (GPO) policies, exploits of vulnerable drivers in the form of a process terminator, and executable files compiled using the Go programming language.
Significant discoveries from IntensePredator’s operations
The integration of the Prince ransomware builder into their toolkit raises notable concerns. This tool, easily accessible from GitHub, further lowers the entry barrier for cybercriminals by providing a user-friendly way to create ransomware variants. Their use of BYOVD to evade security controls shows a more advanced approach. Newly adopted utilities derived from SharpGPOAbuse, improved AV/EDR evasion capabilities, and Go-compiled executables have broadened the reach of IntensePredator's activities.
IntensePredator’s emergence poses a substantial threat to critical sectors in Taiwan, especially in fields like healthcare and education. Disruptions in these areas could impact the delivery of essential services.
Throughout our investigation, we pinpointed three primary areas of interest:
- Utilization of open-source software sourced from GitHub.
- An expanded toolkit and tools for deployment.
- Focused attacks predominantly on Taiwan.
Our analysis revealed that the attackers deliberately and tactically directed their efforts towards Taiwan, indicating a campaign specifically tailored for the region. They leveraged open-source tools from GitHub and diversified their array of tools and tactics to enhance the sophistication of their operations.
Employment of open-source tools from GitHub
Around 80% of IntensePredator’s toolkit comprises open-source tools from GitHub. Our observations suggest that they adapt these freely available source codes to suit their specific requirements, significantly boosting their capabilities.
We’ve identified three open-source tools sourced from GitHub, each serving a distinct purpose:
Bypassing Defensive Measures
The group uses a customized version of ZammoCide, an open-source process terminator, modified to act as an AV/EDR disruptor: it terminates processes associated with EDR products through a BYOVD technique that abuses the vulnerable driver zam64.sys.
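A BYOVD process killer such as the one described above leaves one reliable trace: a signed but abusable driver being loaded, often from a user-writable directory rather than the system driver store. The following is an added detection example written for this page, not code from the original report or from the ZammoCide project. It evaluates driver-load records shaped like Sysmon Event ID 6 (`ImageLoaded`, `Signed`); the only driver name it knows is zam64.sys, because that is the only one this page names, and the sample events are constructed, not real telemetry.

```python
"""Flag driver-load events that match the BYOVD pattern (added example)."""
import json
import ntpath

# Drivers known to be abused for BYOVD. Only zam64.sys is named on this page;
# extend the set from your own intelligence or a published vulnerable-driver blocklist.
KNOWN_ABUSED_DRIVERS = {"zam64.sys"}

# Directories where legitimately installed drivers normally reside (lower-cased).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a driver-load event looks suspicious (empty list = nothing noted)."""
    image = event.get("ImageLoaded", "")
    image_lc = image.lower()
    name = ntpath.basename(image_lc)
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abusable driver: {name}")
    if not image_lc.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path: {image}")
    # BYOVD depends on the driver being validly signed (an unsigned driver is refused
    # by driver signature enforcement), so "Signed=true" must never be treated as clean.
    # An unsigned load is still worth noting because it indicates a tampered host.
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def scan(lines):
    """Parse JSON-lines driver-load events and return {ImageLoaded: reasons} for every hit."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = assess_driver_load(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits


# Constructed sample events in Sysmon-Event-6-like shape (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"}),
    # Signed abusable driver dropped into a user-writable directory: the BYOVD case.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\zam64.sys", "Signed": "true"}),
    # Same driver in the proper location: still flagged, because the name alone is the indicator.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\zam64.sys", "Signed": "true"}),
    # Unsigned driver from a temp directory (hypothetical file name).
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\evil.sys", "Signed": "false"}),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The path heuristic will also fire on legitimate third-party installers that stage a driver outside the driver store, so treat it as a triage signal and confirm the file hash and signer against a vulnerable-driver blocklist before acting; the name match on zam64.sys, by contrast, warrants investigation on its own regardless of where the file was loaded from.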
