The Cyclops Ransomware

Cyber threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware designed to capture sensitive data from infected hosts.  The threat actor behind this Ransomware-as-a-Service (RaaS) promotes its offering on forums, where it requests a share of the profits from those who use its malware for malicious activity.

Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux.  It is also designed to terminate any processes that could interfere with encryption.  The macOS and Linux versions of Cyclops ransomware are written in Golang.  The ransomware further employs a complex encryption scheme that mixes asymmetric and symmetric encryption.

The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number of running processes, and files of interest matching specific extensions.  The harvested data, which comprises .TXT, .DOC, .XLS, .PDF, .JPEG, .JPG, and .PNG files, is then uploaded to a remote server.  A customer of the RaaS can access the stealer component from an admin panel.[1]

Go (aka Golang) is an open-source programming language that is still relatively new.  It was developed by Robert Griesemer, Rob Pike, and Ken Thompson at Google in 2007, although it was only officially introduced to the public in 2009.  It was developed as an alternative to C++ and Java.  The goal was to create something that is straightforward to work with and easy to read for developers.

There are thousands of Golang-based malware samples in use today.  Both state-sponsored and non-state-sponsored hacking gangs have been using the language to produce a host of strains, including Remote Access Trojans (RATs), stealers, coin miners, and botnets, among many others.

This type of malware is more potent because it can target Windows, macOS, and Linux using the same codebase.  This means a malware developer can write the code once and then compile that single code base into binaries for multiple platforms.  Because Go produces statically linked binaries and its toolchain cross-compiles, code a developer writes on Linux can be built to run on Mac or Windows.

The development comes as researchers detailed a new strain of information stealer called Dot Net Stealer, designed to siphon information from web browsers, VPNs, installed apps, and cryptocurrency wallets, in a further evolution of the cybercrime ecosystem into a more lethal threat.

These capabilities enable attackers to obtain valuable information from victims' systems, which can lead to large-scale financial fraud and heavy financial losses for victims.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://thehackernews.com/2023/06/cyclops-ransomware-gang-offers-go-based.html
