The November edition of Trellix’s Cyber Threat Intelligence Briefing for South Africa shows a dip from around 2,6-million total files detected in August to 2,4-million in September, before climbing back past the 2,7-million mark in October.

This top-line figure counts all files, malicious and innocuous alike, with public utilities, education institutions and financial services organisations recording the highest incidences.

On closer inspection, the volume of malicious threat campaigns spiked from just over 5 000 files to over 20 000 in September, then fell back to over 10 000 in October. By far the most frequently detected threat was the MyKings Botnet Clipboard Stealer.

“With South African investors entering the cryptocurrency market at a faster pace than ever, we are becoming a more attractive target for global cybercriminals as crypto has become their biggest target,” says Carlo Bolzonello, country manager at Trellix South Africa. “Alarmingly, the MyKings malware is aggressively used to install itself on machines to download crypto wallets and addresses, allowing hacking groups to clear out users’ crypto wallets.”

Other common threats over the period include:
• An offspring of the Vega Stealer, the Zeppelin (Buran) ransomware group, which originated out of the United States and has proliferated globally, predominantly targeting the financial services and communications sectors.

• The Vice Society ransomware group, which is predominantly known for exploiting system vulnerabilities, especially where organisations are slow to apply patches for known threats. These threat actors typically rely on access brokers, who sell the relevant tool on the dark web.

• Crackonosh malware, which is distributed in cracked software, and Telerik UI exploitation, which leads to malware infection by exploiting a vulnerability whose patch was last updated in 2019.

Long-term trends

Two of the leading threat actors to emerge in the South African landscape since the beginning of 2022 are the MuddyWaters Group and UNC1945, which target banking, finance outsourcing and hosting services, as well as utilities.
Using similar techniques and some of the same tools (such as Ligolo and impacket), these groups infiltrate environments to steal credentials. MuddyWaters may also go further, leaving ransomware in environments while selling the stolen credentials on to third parties.

“South Africa has seen a growing emergence of threat actors using tools like CrackMapExec and BadPotato, which are quite openly available, to conduct surreptitious vulnerability assessments of systems and gain privileges,” Bolzonello says. “Other threat actors, like APT28, will go after cloud accounts and infrastructure, moving laterally on systems with minimal detection.

“Staying abreast of some of these evolving threats will require a comprehensive strategy for cloud-hosted and on-premise threat detection using live data from security operations centres (SOC),” he adds.