Nefarious parties are constantly adapting their tactics, tools, and techniques to changing organizational and other circumstances for maximum success. From perfectly mimicking Microsoft’s new Azure Active Directory and Office 365 sign-in pages, to using less common malware building technologies such as Node.js, to recruiting top talent for breaching networks and deploying ransomware, attackers are keen on maximizing what they reap, while continuing to search for appealing new opportunities.

This week’s newsletter will cover: 

  • Stealthy attack vectors 
  • Insightful ransomware operators 
  • Malicious campaigns against industrial and critical targets 

Stealthy Attack Vectors

  • Security experts have recently come across a Java downloader whose name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, indicates that it may have been used in Coronavirus-themed phishing attack. Analysis of the file has revealed a malware sample, a Trojan named “QNodeServicewritten using the Node.js JavaScript runtime environment. It is suspected that the use of Node.js, mainly relied upon for server-side scripting and uncommon for many computers, has likely been done to evade detection.  

  • Hackers have also seen YouTube as an opportunity to stay below the radar of traditional detection sensors, given the popularity as well as the “whitelist” classification of the video streaming service. In addition to hiding crypto-mining malware (ex. Stantiko botnet) inside the video descriptions, malicious parties have abused the YouTube channel descriptions for encoded and encrypted communication with their Command and Control infrastructure.

Insightful Ransomware Operators

  • With ransomware attacks being immensely profitableit is not surprising that malicious actors are becoming more organized and selective as they build a strong affiliate program to breach networks and deploy ransomware. The Netwalker operation, for instance, is recruiting best talent by promising million-dollar payouts and by promoting aauto-publishing feature for stolen data to help drive successful ransom payments.  

Malicious Campaigns Against Industrial and Critical Targets

  • Security researchers have observed targeted campaigns, including COVID-19 related, by the hacking group RATicate against industrial companies across Europe, Middle East, and AsiaTwo things are particularly interesting. Firstly, the campaign operators have leveraged the Nullsoft Scriptable Install System (NSIS) – open source tool for creating Windows installers – to disguise and deploy information stealers and Remote Access Trojans such as Lokibot, Formbook, Remcos, and AgentTeslaSecondly, the NSIS installers had been designed to drop a collection of junk files — imagessource code, shell scriptsPython binaries and others — to conceal the dropped malware.

  • Romania's Directorate for Investigating Organized Crime and Terrorism (DIICOT) in collaboration with Romania’s Secret Service Agency (SRI) have arrested four members of a hacking group, called PentaGuardwhich had been planning a ransomware attack to disrupt hospital operations as a form of protest against the country's COVID-19 quarantine measures. 


As always – be vigilant, stay alert, think twice. 

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com 


Amatas, Microsoft, CywareCisco TalosSucuri, Sophos, Advanced Intelligence, Security Intelligence, Bleeping Computer, Help Net Security, ZDNET, and Forbes