Nefarious parties are constantly adapting their tactics, tools, and techniques to changing organizational and other circumstances for maximum success. From perfectly mimicking Microsoft’s new Azure Active Directory and Office 365 sign-in pages, to using less common malware building technologies such as Node.js, to recruiting top talent for breaching networks and deploying ransomware, attackers are keen on maximizing what they reap, while continuing to search for appealing new opportunities.
This week’s newsletter will cover:
- Stealthy attack vectors
- Insightful ransomware operators
- Malicious campaigns against industrial and critical targets
Stealthy Attack Vectors
- Hackers have seen YouTube as an opportunity to stay below the radar of traditional detection sensors, given the popularity of the video streaming service and its “whitelist” classification in many environments. In addition to hiding crypto-mining malware (e.g. the Stantinko botnet) inside video descriptions, malicious parties have abused YouTube channel descriptions to carry encoded and encrypted communication with their Command and Control infrastructure.
Insightful Ransomware Operators
- With ransomware attacks being immensely profitable, it is not surprising that malicious actors are becoming more organized and selective as they build strong affiliate programs to breach networks and deploy ransomware. The Netwalker operation, for instance, is recruiting the best talent by promising million-dollar payouts and by promoting an auto-publishing feature for stolen data, intended to pressure victims into paying the ransom.
Malicious Campaigns Against Industrial and Critical Targets
- Security researchers have observed targeted campaigns, including COVID-19 themed ones, by the hacking group RATicate against industrial companies across Europe, the Middle East, and Asia. Two things are particularly interesting. Firstly, the campaign operators have leveraged the Nullsoft Scriptable Install System (NSIS), an open-source tool for creating Windows installers, to disguise and deploy information stealers and Remote Access Trojans such as Lokibot, Formbook, Remcos, and AgentTesla. Secondly, the NSIS installers had been designed to drop a collection of junk files (images, source code, shell scripts, Python binaries and others) to conceal the dropped malware.
- Romania's Directorate for Investigating Organized Crime and Terrorism (DIICOT), in collaboration with Romania’s Secret Service Agency (SRI), has arrested four members of a hacking group called PentaGuard, which had been planning a ransomware attack to disrupt hospital operations as a form of protest against the country's COVID-19 quarantine measures.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing email@example.com.
Sources: Amatas, Microsoft, Cyware, Cisco Talos, Sucuri, Sophos, Advanced Intelligence, Security Intelligence, Bleeping Computer, Help Net Security, ZDNET, and Forbes.