Highlights


As one would expect, nefarious parties have speedily repurposed some of their activities to capitalize on recent global events. This time it has to do with “Black Lives Matter”.

This week’s newsletter will cover:

  • Spear phishing and malware spreading campaigns
  • Industry-specific cyber attacks
  • Cryptocurrency mining operations

Spear phishing and malware spreading campaigns


Security researchers have seen malware to be circulated using “Black Lives Matter” as a cover.

  • The crooks are not relying on pressure and emotions to draw victims in as it is often the case with phishing. The messages appear short and objective, inviting recipients to comment anonymously on the issue.
  • The reviewed samples contain the strings “Black Lives Matter” or “Whose Lives Matter” in the subject lines as well as in the first lines of the email body. The filenames of the attachments start with “e_vote_form”.
  • Once the attachments are opened, the targeted individuals are sneakily prompted to download new Office updates. The unsuspecting users (1) are notified that the downloads would be done in the background without interrupting their work, and (2) are cautioned that charges may be incurred in case of limited internet connections.
  • The infection chain includes the enabling of an Office document macro, the display of a fake Windows error message, the deobfuscation and execution of an embedded script which downloads and installs the popular Trickbot banking trojan.

On a separate occasion, cyber experts have discovered a spearphishing campaign targeting over 100 high ranking executives in operations, finance and procurement roles within a German multinational corporation and its supply chain. The German MNC is part of a task force commissioned to secure personal protective equipment for various German ministries. The phishing URLs, a portion of which relate to the Russian-based IP address 178.159.36.183, redirect end-users to a fake Microsoft login page designed to capture and exfiltrate their credentials to several Yandex emails.

Recommendation: Educate employees on the risks of phishing emails and frequently test their understanding.

 

Industry-specific cyber attacks


Retail | Ecommerce

  • The GreenWorks website has been compromised by a highly sophisticated skimmer designed to steal payment card details, and to redirect those to a cybercriminal-controlled server at “congolo.pro”. To evade some automated security tools, the rogue script is triggered when customers hover over any section of the checkout page. To challenge investigative efforts, the code is not visible when someone tries to review it using a browser's developer console. Furthermore, the malware self-destructs upon tampering.

Recommendation: Educate software engineering staff on the most common as well as on the latest application security risks. Conduct regular static and dynamic analysis of high-risk application components.  Run independent penetration tests.

 

Banking | Financial Services

  • The National Bank of Greece has been impersonated lately to distribute the NanoCore RAT. “Busonard.com” along with IP addresses “45.95.169.17” and “185.140.53.11” have been linked to it.

Recommendation: Educate employees on the risks of phishing emails and frequently test their understanding.

 

Utilities:

  • The Italian multinational energy company Enel Group has had its internal network infected with the “Snake” ransomware. According to researchers, the perpetrators have leveraged exposed RDP connections.
  • Security experts have conducted an experiment by setting up a fake electricity company with operations in Europe and North America. The infrastructure had been built with common security issues such as internet-facing remote desktop ports, medium-complexity passwords, and others. Within three days malicious parties had discovered and infiltrated the “honeypot”.

Recommendation: Assess the need to continue using the RDP protocol for remote access. Consider alternative options. Monitor open RDP connections.

 

Cryptocurrency mining operations


Threat analysts have spotted a new KingMiner botnet operation targeting Microsoft SQL Server databases with brute-force techniques. Once they have gained administrative access, the hackers create a new database account called “dbhelp” and install a cryptocurrency miner to abuse the server’s computational power.

  • Besides being more persistent and capable of gaining root access to the underlying Windows servers, the attackers are surprisingly disabling (where relevant) RDP access to the compromised databases to prevent other crypto operations from kicking in.
  • Furthermore, the threat actors are attempting to expand their activities across the internal network by exploiting weak SMB protocol implementations or by using various tools such as the Mimikatz password dumper, the Gh0st RAT, and the Gates backdoor.

A second cryptocurrency mining operation recently observed is that of the notorious Tor2Mine group.

  • To diversify its revenue stream, Tor2Mine is now deploying additional malware to harvest credentials and to steal money, including the info-stealer AZORult, the Remcos RAT, the DarkVNC backdoor, and a clipboard cryptocurrency stealer.
  • Executing PowerShell commands to download files, running Microsoft HTML Applications with the help of the “Mshta” utility and using the Tor2web service as part of its Command & Control infrastructure are amongst the group’s core TTPs.
  • Some of the more notable domain names and IP addresses associated with the operation are “res1.myrms.pw”, “eu1.minerpool.pw”, “v1.fym5gserobhh.pw”, “eu1.ax33y1mph.pw”, “asq.r77vh0.pw”, “asq.d6shiiwz.pw”, “res1.myrms.pw”, “107.181.187.132”, “185.10.68.147”, and “195.123.234.33”.

A third operation is linked to misconfigured nodes hosted in the Microsoft Azure cloud. The attack is against internet-exposed dashboards that are used to control the machine learning toolkit Kubeflow. By default, these dashboards are accessible from within the respective nodes, requiring users to tunnel in via the Kubernetes API.

 

As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website  www.amatas.com or by e-mailing office@amatas.com.

 

Sources


Amatas, Microsoft, Security Intelligence, IBM X-Force, SophosLabs, ZDNet, Abuse.ch, Cisco Talos, Cointelegraph, Tripwire, Bleeping Computer, Cybereason, RapidSpike, Creative Commons