Monster RaaS: Revival of Delphi and New Trend in Malware Developer Behavior? (Video)
Designated as both high-impact and high-risk by the researchers, ransomware-as-a-service (RaaS) named “Monster” was first seen in March 2022. Researchers identified it largely due to its similarities with Zeppelin RaaS, which also uses the Delphi programming language. Zeppelin was notable for attacking tech and healthcare companies in Europe and the U.S. As Rohner notes, “The Zeppelin variant was visibly distinct. Its binaries are designed to quit running on machines that are based in Russia and some other ex-USSR countries. This is similar to Monster, which also quits if it finds out the host machine is located in one of the twelve Commonwealth of Independent States.”
As researchers dug deeper, they noticed the developers of Monster seemed to have included indicators of compromise (IoCs) in the malware’s makeup that pointed the finger at other threat groups. This might be a tactic to slow attribution by research organizations and law enforcement. The use of other threat groups’ IoCs was also seen in Monti ransomware, and researchers are watching to see if this is a new trend in malware developer behavior.
Monster is yet another sign that organizations should anticipate further adoption of a RaaS business model among threat actors. According to Preciado, the allure of this model, when coupled with an initial access broker (IAB), is that it effectively eliminates the most challenging parts of orchestrating a cyberattack: writing code, and performing initial intrusions of victims' machines.
Preciado explains another concern around Monster, “We are seeing a growing trend in uncommon programming languages being used in malware. Delphi is one of them. We've seen some in Rust and Go as well.” BlackBerry research indicates two main reasons threat actors use exotic languages:
- Thwarting detection. Using lesser-known programming languages makes malware harder for defenders to analyze and helps foil attempts to detect and defend against it.
- An added layer of obfuscation. Lesser-known languages are relatively new, so analysts often don’t have the support tools needed to identify them. This also makes efforts to reverse-engineer malware written in exotic programming languages more difficult.
To learn more about the use of lesser-known programming languages in malware, download the free report: Old Dogs, New Tricks: Attackers Adopt Exotic Programming Languages.
The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
- Some Kind of Monster: RaaS Hides Itself Using Traits From Other Malware
- The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
- Zeppelin: Russian Ransomware Targets High-Profile Users in the U.S. and Europe
- Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
- Hunter Becomes Hunted: Zebra 2104 Hides a Herd of Malware