Twelve is malware identified by ESET researchers that has been used in twelve different Android espionage apps. Six of these apps were available on Google Play and the other six were found on VirusTotal. The malware has been active since at least April 2023 and emerged amid the conflict between Russia and Ukraine. Over the last year, SentinelLabs noted an increase in the targeting of multiple platforms by individual ransomware operators or variants, including Twelve. The hacktivist group known as Twelve was temporarily inactive but reemerged in June 2024, as observed by Kaspersky, indicating that it is still active and likely to resurface.
The group's primary motivation appears to be hacktivism rather than financial gain, as evidenced by its modus operandi. Instead of demanding a ransom to decrypt data, Twelve encrypts victims' data and then deploys a wiper to destroy their infrastructure, preventing recovery. The group installs web shells on compromised web servers to carry out malicious activity, including executing arbitrary commands, lateral movement, data exfiltration, and creating and sending emails. This approach targets Russian entities with the aim of destroying critical assets and disrupting operations.
Despite the threat posed by the Twelve group, there are effective ways to detect and prevent its attacks. The group relies on publicly available tools and malware, which makes it easier for cybersecurity firms to anticipate and counter its tactics. Vigilance remains key, however, as the group has shown its ability to adapt and persist despite setbacks, such as when the Telegram channel -=TWELVE=- was blocked in spring 2024 for posting personal data in violation of Telegram's terms.
Description last updated: 2024-10-15T09:17:53.779Z