INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

The operation targeted a sophisticated threat‑actor ecosystem operating across the MENA region that leveraged a hybrid of exploit‑as‑a‑service and credential‑harvesting infrastructures to monetize ransomware and data‑theft services. Investigators uncovered a modular malware suite, dubbed “Ramz,” which combined a multi‑stage delivery chain: initial spear‑phishing emails with malicious Microsoft Office documents embedding CVE‑2023‑23397 (Windows MSHTML Remote Code Execution) and CVE‑2022‑22965 (Spring4Shell) payloads, followed by a downloader that fetched a customized version of the Emotet botnet with added LNK‑based droppers. Once on the host, the payload executed a lazy‑loading JScript engine that leveraged CVE‑2024‑21326 (Windows Print Spooler Elevation of Privilege) to gain SYSTEM, subsequently installing a persistence mechanism via the Registry “RunOnce” key and deploying a C2 back‑door built on the open‑source MySQL‑Proxy framework, which communicated over TLS 1.2 on port 443, masquerading as legitimate traffic.

Further forensic analysis revealed that the actors employed credential‑stuffing attacks against VPN and remote desktop gateways, exploiting unpatched CVE‑2023‑38831 (FortiOS Authentication Bypass) to exfiltrate high‑value credentials. These credentials were then used to pivot laterally across enterprise networks using Pass-the-Hash techniques, facilitated by a custom PowerShell module that invoked the “Invoke‑Mimikatz” function, leveraging CVE‑2022‑30190 (FreeFloat Remote Code Execution) to bypass AppLocker. The final stage involved automated encryption of high‑value data assets using a variant of the “LockBit” ransomware, which incorporated a new cryptographic routine that utilizes ChaCha20‑Poly1305, rendering traditional decryption key recovery infeasible without the attacker’s private key.

Mitigation requires a defense‑in‑depth approach: immediate patching of the identified CVEs across all Windows, Microsoft Office, Spring, and FortiOS assets, coupled with the deployment of an application‑control allowlist that blocks execution of unsigned Office macros and LNK files. Network segmentation should be enforced to isolate critical assets, and outbound TLS traffic must be inspected through a decryption proxy to detect anomalous MySQL‑Proxy‑style beaconing. Organizations should rotate privileged credentials weekly, enforce multi‑factor authentication on VPN and RDP portals, and deploy credential‑hardening tools (successors to Microsoft's Enhanced Mitigation Experience Toolkit, EMET) to block Pass‑the‑Hash. Finally, endpoint detection and response (EDR) solutions must be tuned to flag PowerShell‑based “Invoke‑Mimikatz” activity and to monitor for abnormal registry persistence entries, while incident response teams should retain immutable logs for at least 90 days to support attribution and legal proceedings.
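As an added illustration of the last two detection points (this is example code written for this page, not tooling from the operation or from any EDR vendor), the script below runs two rules over constructed Sysmon‑style telemetry: writes to the Run/RunOnce autorun keys by a process outside a hypothetical installer allowlist, and any PowerShell command line or script block that references Invoke‑Mimikatz, including the case where the call is hidden behind -EncodedCommand (base64 of UTF‑16LE text). The event field names, the allowlist, and all sample events are assumptions made for the example.

```python
"""Added example: flag RunOnce/Run registry persistence and Invoke-Mimikatz in
PowerShell over constructed Sysmon-style events. Field names and the allowlist
are assumptions, not a real product's schema."""
import base64
import re

# Registry autorun locations (HKLM or HKCU) worth alerting on.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
MIMIKATZ_RE = re.compile(r"invoke-mimikatz", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Hypothetical allowlist of installers expected to write autorun keys; tune per environment.
AUTORUN_WRITER_ALLOWLIST = {r"c:\windows\system32\msiexec.exe"}


def decode_encoded_command(blob: str) -> str:
    """PowerShell's -EncodedCommand carries UTF-16LE script text in base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def encode_for_powershell(script: str) -> str:
    """Inverse of decode_encoded_command; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_script(text: str) -> str:
    """Return the text plus any decoded -EncodedCommand payloads, so both forms are searchable."""
    decoded = [decode_encoded_command(m.group(1)) for m in ENCODED_CMD_RE.finditer(text)]
    return "\n".join([text, *decoded])


def scan_events(events):
    """Return findings for autorun persistence writes and Invoke-Mimikatz usage."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            if AUTORUN_KEY_RE.search(ev["key"]) and ev["image"].lower() not in AUTORUN_WRITER_ALLOWLIST:
                findings.append({
                    "rule": "autorun_persistence",
                    "host": ev["host"],
                    "detail": f'{ev["image"]} wrote {ev["key"]}\\{ev["value_name"]}',
                })
        elif ev["type"] in ("process_create", "powershell_scriptblock"):
            if MIMIKATZ_RE.search(expand_script(ev["text"])):
                hidden = " inside -EncodedCommand" if ENCODED_CMD_RE.search(ev["text"]) else ""
                findings.append({
                    "rule": "invoke_mimikatz",
                    "host": ev["host"],
                    "detail": "Invoke-Mimikatz referenced" + hidden,
                })
    return findings


# Constructed sample telemetry (not real data): Sysmon-like registry and process events.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "ws01",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value_name": "VendorAgent"},
    {"type": "registry_set", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "value_name": "Updater"},
    {"type": "registry_set", "host": "ws02",
     "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "value_name": "Hidden"},
    {"type": "powershell_scriptblock", "host": "ws02", "text": "Get-Process | Sort-Object CPU"},
    {"type": "powershell_scriptblock", "host": "ws03", "text": "Import-Module .\\m.ps1; Invoke-Mimikatz"},
    {"type": "process_create", "host": "ws03",
     "text": "powershell.exe -nop -w hidden -enc " + encode_for_powershell("Invoke-Mimikatz")},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Run as a script it prints three findings: the RunOnce write by the Temp‑folder binary, the plain Invoke‑Mimikatz script block, and the encoded one. The installer's Run write and the unrelated Explorer key produce nothing, which is the point of pairing the key pattern with a writer allowlist rather than alerting on every autorun change. In production the same two rules would be fed from Sysmon Event ID 13 (registry value set) and PowerShell script block logging (Event ID 4104) rather than from the embedded list.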
