Ransomware attacks have grown in popularity over recent years, with names such as Maze, Sodinokibi, Ryuk and others often being in the spotlight. The increased attention on data privacy as well as the ongoing Coronavirus health crisis have emboldened ransomware operators, who have started exfiltrating sensitive data prior to encryption to increase their chances of success.

This week’s newsletter will cover:  

  • Ransomware attacks
  • Information-stealing campaigns and tools 
  • Web-skimming attempts 

Ransomware attacks

  • LockBit is a new ransomware that uses brute-force techniques and evasion tactics to perform targeted attacks. In one of those attacks, a web server with outdated VPN software had been compromised and used as a launchpad for other malicious activity. After gaining “Administrator” access, the perpetrator had performed network reconnaissance, abusing the Server Message Block (SMB) protocol to hijack other systems. With the help of PowerShell, the attacker had automated the ransomware distribution process. To minimize the level of interaction during the attack, User Account Control (UAC) had been bypassed. To stay below the radar of static analysis engines while killing select processes and deleting volume shadow copies, the malware had been loaded dynamically in memory.
  • A series of cyberattacks have infected numerous businesses with the Snake ransomware. One of the victims is Fresenius Group – Europe’s largest private hospital operator and a major provider of dialysis products, which are in high demand during the COVID pandemic.
  • Security researchers have discovered a new ransomware attack, dubbed ColdLock. Although this malware family is not in widespread use, currently observed in Taiwan only, it has great potential to be destructive as it encrypts databases and email servers. ColdLock uses the AES encryption algorithm, appends the “.locked” extension to encrypted files and bears similarities with Lockergoga, Freeing, and EDA2 ransomware.
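Two of the LockBit behaviours described above, deleting volume shadow copies and driving the rollout with PowerShell, leave traces in process-creation telemetry that a defender can hunt for. The following script is an added example, not code from the newsletter or from any of its sources: it runs a few detection rules over constructed process-creation events (the log format, host names and command lines are all made up for the example) and then correlates hits per host, so that a machine showing several indicators in a short window stands out from one-off matches.

```python
import re

# Constructed sample process-creation events (not from the page or any real host),
# one per line: "<timestamp> host=<name> parent=<image> cmd=<command line>".
SAMPLE_EVENTS = [
    "2020-05-11T09:12:01Z host=ws01 parent=explorer.exe cmd=C:\\Windows\\System32\\notepad.exe notes.txt",
    "2020-05-11T09:14:33Z host=ws01 parent=powershell.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2020-05-11T09:14:35Z host=ws01 parent=cmd.exe cmd=wmic.exe shadowcopy delete",
    "2020-05-11T09:14:40Z host=fs02 parent=cmd.exe cmd=powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    "2020-05-11T09:20:00Z host=ws01 parent=services.exe cmd=vssadmin.exe List Shadows",
]

# Detection rules: name -> regex applied to the command line (case-insensitive).
# Listing shadows is benign; only deletion is flagged.
RULES = {
    "shadow_copy_deletion_vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_deletion_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "powershell_hidden_or_encoded": re.compile(
        r"powershell(\.exe)?.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)", re.I
    ),
}


def parse_event(line):
    """Split one constructed event line into a dict of ts/host/parent/cmd."""
    ts, rest = line.split(" ", 1)
    # Split only on spaces that start a new key=value pair, so spaces inside
    # the command line are preserved.
    fields = dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", rest))
    fields["ts"] = ts
    return fields


def detect(lines):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append({"rule": name, "host": ev["host"], "ts": ev["ts"], "cmd": ev["cmd"]})
    return hits


def hosts_with_multiple_indicators(hits, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired: the ones to triage first."""
    rules_per_host = {}
    for hit in hits:
        rules_per_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(h for h, rules in rules_per_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['ts']} {hit['host']} {hit['rule']}: {hit['cmd']}")
    print("hosts to triage first:", hosts_with_multiple_indicators(found))
```

The rules are deliberately narrow (deletion verbs only) so that routine backup activity such as `vssadmin List Shadows` does not page anyone; the per-host correlation is what turns three individually noisy matches into a ransomware-staging signal.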

Information-stealing campaigns and tools

  • Security professionals have discovered a new credential-harvesting campaign targeting Office 365 users, purporting to be an automated message from DocuSign and carrying a malicious link to a COVID-related document. The campaign relies on a combination of trust in DocuSign, the increased use of the service by remote workers, and a three-level redirect to obfuscate the destination — a page that looks like a DocuSign login page.
  • Another recent campaign has targeted executives and others to steal their login credentials and bank account details by posing as their smartphone providers. The messages, which come with the vague subject “View Bill – Error – Message”, notify unsuspecting users that the company is working on fixing an unspecified problem and instruct them to update their account details. According to researchers, the sender’s actual email address is linked to a domain in the Netherlands and not to a domain owned by the impersonated company. The embedded URL is suspicious, featuring the words “fly-guyz”. Victims who decide to follow the web link, despite the obvious red flags, are taken to a login page that closely resembles the real thing, including a trusted SSL certificate.
  • Although not as widespread as other malware such as Agent Tesla, AZORult, and Remcos, Poulight has caught the attention of the security community with its potential to steal sensitive information. The malware appears to be in its early stages of development, as it lacks code obfuscation and data protection mechanisms. It uses classic evasion techniques and Windows Management Instrumentation (WMI) to check for virtualization and AV software as well as to test the strength of sandbox environments. Several features make this malware more interesting. One of them searches for files with specific extensions such as RDP, TXT, SQL, LOG and DOC. Another leverages a predefined list of keywords to search within the files for valuable information before exfiltrating the content to a Command and Control server.

Web-skimming attempts

In traditional web-skimming, also known as e-skimming or Magecart attacks, threat actors breach websites to hide malicious code that steals payment card details during product purchases.

In a complex and quite innovative hacking campaign, instead of breaching the websites, hackers have been secretly switching their favicons (i.e. the tiny images displayed in the browser tabs of the visited websites) with malicious JavaScript files that create fake checkout forms. To disguise their web-skimming operation, the cybercrime group has created a fully working clone, named MyIcons.net, of the legitimate favicon hosting portal IconArchive.com. MyIcons.net served a legitimate favicon file for each page within a website, except for those with checkout forms.
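The two properties that give this campaign away are visible to the site owner without any access to the attacker's infrastructure: a resource referenced as a favicon whose body is JavaScript rather than an image, and a favicon URL that serves a different body on the checkout page than everywhere else. The script below is an added example (not code from the newsletter, its sources, or the MyIcons.net/IconArchive.com sites) that audits constructed favicon responses for a hypothetical shop; the page URLs, the icon host `icons.example`, the ICO bytes and the stand-in script body are all made up for the example. It classifies each body by magic bytes, cross-checks the declared `Content-Type`, and reports any favicon URL whose content varies across pages.

```python
import hashlib
import re

# Leading bytes that identify common favicon image formats.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG": "png",
    b"GIF8": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Tokens that are common in JavaScript and never appear in a binary icon.
SCRIPT_HINTS = re.compile(rb"(document\.|window\.|function\s*\(|createElement|=>)")

# Constructed sample bodies (not real files from any site).
ICO_BODY = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
SCRIPT_BODY = b"(function(){ /* constructed stand-in for a skimmer payload */ var f = document.createElement('form'); })();"

# Constructed sample responses: page URL -> (favicon URL, Content-Type, body).
# The checkout page gets a script body under the same favicon URL as the rest.
SAMPLE_PAGES = {
    "https://shop.example/": ("https://icons.example/shop.ico", "image/x-icon", ICO_BODY),
    "https://shop.example/product/42": ("https://icons.example/shop.ico", "image/x-icon", ICO_BODY),
    "https://shop.example/checkout": ("https://icons.example/shop.ico", "image/x-icon", SCRIPT_BODY),
}


def classify_favicon(body):
    """Return 'ico'/'png'/'gif'/'jpeg'/'svg' for images, 'script' for JavaScript-like text, else 'unknown'."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<svg") or head.startswith(b"<?xml"):
        return "svg"
    if SCRIPT_HINTS.search(body):
        return "script"
    return "unknown"


def audit_site(pages):
    """Return (subject, finding) pairs for favicons that are scripts, mislabelled, or page-dependent."""
    findings = []
    bodies_by_icon_url = {}
    for page_url, (icon_url, content_type, body) in pages.items():
        kind = classify_favicon(body)
        digest = hashlib.sha256(body).hexdigest()[:16]
        if kind == "script":
            findings.append((page_url, "favicon body is JavaScript, not an image"))
        if content_type.startswith("image/") and kind in ("script", "unknown"):
            findings.append((page_url, f"Content-Type {content_type} does not match body ({kind})"))
        bodies_by_icon_url.setdefault(icon_url, set()).add(digest)
    # A favicon host that serves one body on the checkout page and another elsewhere
    # is the behaviour described for MyIcons.net.
    for icon_url, digests in bodies_by_icon_url.items():
        if len(digests) > 1:
            findings.append((icon_url, "same favicon URL served different bodies on different pages"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_site(SAMPLE_PAGES):
        print(f"{subject}: {finding}")
```

In a real audit the `(favicon URL, Content-Type, body)` triples would come from fetching each page's `<link rel="icon">` target with the same browser profile a customer uses; the comparison across pages matters because a single fetch of the home page would see only the legitimate icon.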

As always – be vigilant, stay alert, think twice.  

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.


Sources

Amatas, Cyware, Bleeping Computer, ID Ransomware, Brian Krebs, Trend Micro, MalwareHunterTeam, Dark Reading, Abnormal Security, IBM Security Intelligence, McAfee Labs, Northwave Security, ZDNet, Cofense, Malwarebytes, Security Affairs, Sucuri