
Weekly Intelligence Report – 30 May 2021

Highlights on Ransomware and Malware

This week’s report brings to light significant shifts in some prominent ransomware cybercriminals’ modus operandi.

As a result of the recent attack on the Colonial Pipeline, orchestrated by threat actors and ransomware operators, and the response from law enforcement agencies, the underground cybercrime ecosystem has seen a major re-shuffling. From underground hacking forums prohibiting posts related to ransomware, to ransomware gangs allegedly abandoning their operations, several changes have been noticed by researchers. It is, however, unclear whether authorities have succeeded in effectively taking down DarkSide’s infrastructure or whether the group has performed an “exit scam”.

Regardless of the speculation, a positive development has emerged from these incidents: other ransomware operators, REvil and Avaddon, announced major changes to their operations. To avoid trouble with law enforcement, the Avaddon ransomware group in particular has imposed “rules”. One such rule directs affiliates to exclude targets in the public sector, health care, educational institutions, and charitable organizations.

The Avaddon ransomware gang traditionally takes a three-pronged approach to extorting money from its victims. Apart from exfiltrating and encrypting the data once the victim is compromised, the gang keeps the victim under DDoS attack until they “communicate and cooperate” with the gang. Victims are given a maximum of 10 days, after which the data is leaked on the gang’s dark web portal.

First spotted earlier this year, FluBot was initially tracked under the name Cabassous. The malware is propagated via SMS messages that impersonate popular delivery logistics brands (such as FedEx, DHL, and Correos) and contain a link to an app with FluBot embedded. Once the malware is installed, the entire device becomes accessible to the attacker. Going one step further, the attackers have deployed a mechanism to disable Android’s built-in protection and prevent the installation of third-party security software.

A fairly recent malware, STRRAT, is designed to steal data from victims while masquerading as ransomware. Without actually encrypting files, the malware shows ransomware-like behavior by appending the “.crimson” extension to file names. The campaign relies on victims seeing the changed extensions, assuming their files are encrypted and inaccessible, and paying the attackers’ ransom demand.

Threat Actor in Focus

Microsoft’s Digital Signature Abuse in Targeted Attack by “Cobalt Strike loader”

Suspected Threat Actors: MISSION2025

  • Attack Type: Malware Implant
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Dynamic-Link Library (DLL) Files
  • Ransomware / Malware: Cobalt Strike loader, Sigloader
  • Objective: Unauthorized Access
  • Business Impact: Data Loss, Financial Loss

Researchers have identified multiple malware samples “that exploit Microsoft’s digitally signed DLL files” while investigating attacks involving Sigloader. Researchers also found a relationship between the Cobalt Strike loader and the threat actor group MISSION2025. In the investigation, they identified two similar traces.

  • Installation script – Researchers noted similarities between the new sample and previously reported samples which they had attributed to MISSION2025.
  • Cobalt Strike loader Windows API address resolution and exported DLL files – Similarities were noticed in the code that resolves Windows API addresses. The file names of the exported DLLs also appeared to follow similar naming conventions.

On the basis of these similarities, researchers suspect that the Cobalt Strike loader, which abuses Microsoft’s digitally signed DLL files, is used by MISSION2025.

YARA Rule

    rule apt41_ms_codesign_cobalt_strike_loader {
        meta:
            author = "CYFIRMA"
        strings:
            $str1 = "sysinfotool" fullword wide
            $str2 = "Microsoft system info" fullword wide
            $str3 = "ComSpec" fullword wide
            $str4 = ">> NUL " fullword wide
            $str5 = " system " fullword ascii
        condition:
            uint16(0) == 0x5A4D and
            (all of ($str*)) and filesize < 100KB
    }
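To make the rule's clauses concrete for analysts who tune or triage it, the following added example (not CYFIRMA's code, and not a substitute for yara/yara-python) re-implements its match logic in plain Python: the little-endian "MZ" check behind uint16(0) == 0x5A4D, the UTF-16LE encoding implied by the wide modifier, the fullword boundary test, and the 100KB size cap. The two buffers at the bottom are constructed stand-ins, not real samples; the fullword boundary check for wide strings is an approximation of YARA's.

```python
"""Pure-Python walk-through of the match logic in the YARA rule above.
Added illustration, not CYFIRMA's code; the buffers below are constructed."""
import re

MAX_SIZE = 100 * 1024  # "filesize < 100KB": YARA's KB suffix means 1024 bytes

# The rule's strings with their modifiers.
RULE_STRINGS = {
    "str1": ("sysinfotool", "wide"),
    "str2": ("Microsoft system info", "wide"),
    "str3": ("ComSpec", "wide"),
    "str4": (">> NUL ", "wide"),
    "str5": (" system ", "ascii"),
}


def _encode(text: str, modifier: str) -> bytes:
    # "wide" means UTF-16LE (each character followed by a NUL byte); "ascii" is plain bytes.
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")


def _fullword_pattern(text: str, modifier: str) -> re.Pattern:
    """Regex for a YARA string carrying the 'fullword' modifier.

    'fullword' requires that the match is not preceded or followed by an
    alphanumeric character. For wide strings the neighbouring character is a
    2-byte UTF-16LE unit, so the boundary looks at 'alnum + NUL' (an
    approximation of YARA's own check, sufficient for this demo).
    """
    needle = re.escape(_encode(text, modifier))
    if modifier == "wide":
        return re.compile(rb"(?<![0-9A-Za-z]\x00)" + needle + rb"(?![0-9A-Za-z]\x00)")
    return re.compile(rb"(?<![0-9A-Za-z])" + needle + rb"(?![0-9A-Za-z])")


def evaluate_rule(data: bytes) -> dict:
    """Evaluate every clause of the rule; the 'match' key mirrors the condition."""
    result = {
        # uint16(0) == 0x5A4D reads the first two bytes little-endian: "MZ", the DOS/PE magic
        "mz_header": data[:2] == b"MZ",
        "filesize_ok": len(data) < MAX_SIZE,
    }
    for name, (text, modifier) in RULE_STRINGS.items():
        result[name] = _fullword_pattern(text, modifier).search(data) is not None
    result["match"] = (result["mz_header"] and result["filesize_ok"]
                       and all(result[name] for name in RULE_STRINGS))
    return result


# Constructed buffers: a fake "MZ" header padded to 64 bytes, then the strings.
_HEADER = b"MZ" + b"\x00" * 62
SAMPLE_HIT = _HEADER + b"\x00\x00".join(_encode(t, m) for t, m in RULE_STRINGS.values()) + b"\x00\x00"
# Same strings, but str1 is glued inside a longer wide word, so 'fullword' fails for it.
SAMPLE_MISS = (_HEADER + _encode("xsysinfotoolx", "wide") + b"\x00\x00"
               + b"\x00\x00".join(_encode(t, m) for t, m in list(RULE_STRINGS.values())[1:])
               + b"\x00\x00")

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, evaluate_rule(buf))
```

The per-clause dictionary is the useful part when a hunt produces a near-miss: it shows which string or which header/size clause failed, which is what you need when deciding whether a variant has simply re-encoded a string or dropped it.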

Insights:

  • This is the second time researchers have observed abuse of Microsoft’s digitally signed files, after the malware called “Sigloader” (aka DESLoader, Ecipekac) used by APT10 in a campaign dubbed A41APT, which also leveraged a digitally signed DLL.
  • Comparing the two, Cobalt Strike loader was created in late October 2020 and Sigloader in early October 2020. It is therefore suspected that the threat actor groups share technical information, developed malware, and know-how among themselves.

Latest Cyberattacks

Ongoing Bitcoin Scams Demonstrate Power of Social Engineering 

  • Attack Type: Scam, Impersonation, Social Engineering
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Cryptocurrency
  • Business Impact: Financial Loss, Reputational Damage, Customer Base Erosion

The Federal Trade Commission recently announced that Bitcoin scam reports have skyrocketed, with nearly 7,000 people reporting losses of more than USD 80 million. It describes two scam methods: first, luring victims to a bogus website offering an investment opportunity; second, a celebrity scam in which the celebrity promises to immediately double Bitcoin investments. The latter method frequently impersonates Elon Musk because of his interest and business acumen in cryptocurrency. Earlier this month, fake news claimed that “Tesla buys $1.5 billion in bitcoin, plans to give away $750M of it”; it appeared on a fake website impersonating the BBC. The first half of the headline is reportedly true; only the latter part is false.

Security researchers also reported similarly themed email campaigns in which fraudulent Tesla-related emails were sent in two separate waves. The first used a non-malicious PDF attachment with bogus details of a “special giveaway” impersonating Elon Musk. The second was a simple email providing information on a fraudulent giveaway, including a Bitcoin address QR code. Researchers highlight that over 30,000 users across the globe have received these scam emails. While the success rate of the scam is unclear, one of the crypto wallets used by the scammers showed 31 transactions.

Cryptocurrency scams hosted on Twitter, especially ones tagging Elon Musk, are not a new concept. Back in 2018, scammers brought in USD 180,000 using the same tactics described above. Bitcoin is particularly preferred because it is fast, verifiable, and reliable. The hackers can tap into the public blockchain to confirm ransom payments and decrypt the corresponding files without much personal risk. Such social engineering tactics prey on potential victims’ psychological biases: a strong interest in the domain combined with limited knowledge of digital currencies.

The value of cryptocurrency is entirely driven by supply and demand. It is capable of wild swings that promise big gains to investors. The lack of transparency and regulations over cryptocurrency is a big motivator for scammers to launch a campaign targeting gullible crypto users.

Vulnerabilities and Exploits

Vulnerability in WP Statistics Impacts More than 600,000 websites

  • Target Geography: Global
  • Target Technology: WP Statistics
  • Vulnerabilities: CVE-2021-24340 (CVSS Base Score: 7.5)
  • Vulnerability Type: Unauthenticated Time-Based Blind SQL Injection
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Researchers have disclosed a vulnerability in WP Statistics, an open-source plug-in for WordPress estimated to be installed on over 600,000 websites. The vulnerability allows an attacker to extract sensitive information from a website’s database. Initial indications suggested the attacker needed to be authenticated; however, the researchers further discovered that the vulnerability can also be exploited by unauthenticated attackers. The WP Statistics plugin lets site owners see detailed statistics about visitors and is intended for administrators. When an administrator accesses the WP Statistics “Pages” menu item, a SQL query is generated to display statistics. Researchers highlight that, because the SQL query ran in the constructor for the “Pages” page, any unauthenticated visitor could cause it to run. A malicious actor could then supply malicious values for the ID or type parameters.

Since the vulnerability is a time-based blind SQLi, data exfiltration is expected to be relatively time-consuming and may be impractical for extracting records in bulk. However, high-value data such as user email addresses, passwords, encryption keys, and salts may be exfiltrated within hours by automated tools such as sqlmap, an automatic SQL injection and database takeover tool.
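Because time-based blind SQLi leaves two observable traces in web server logs, timing primitives inside request parameters and response times that jump for an endpoint that normally answers in milliseconds, a site owner who cannot patch immediately can at least watch for both. The following added example (not CYFIRMA's or the plugin's code) parses constructed access-log lines in combined format with the request time appended, URL-decodes the query string, and flags requests on either signal, using the per-path median as a latency baseline so that a legitimately slow endpoint is not flagged. The WordPress page name example-stats-pages and the IPs are placeholders, not the real plugin path or real sources.

```python
"""Detect time-based blind SQL injection probes in web access logs.
Added illustration, not CYFIRMA's or WP Statistics' code; log lines are constructed."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed lines: combined log format with the request time (seconds) appended.
# The page name "example-stats-pages" is a placeholder, not the plugin's real path.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=example-stats-pages&ID=12&type=page HTTP/1.1" 200 4120 0.031
203.0.113.7 - - [30/May/2021:10:00:02 +0000] "GET /wp-admin/admin.php?page=example-stats-pages&ID=12%20AND%20SLEEP(5)&type=page HTTP/1.1" 200 4120 5.044
203.0.113.7 - - [30/May/2021:10:00:08 +0000] "GET /wp-admin/admin.php?page=example-stats-pages&ID=12%20AND%20BENCHMARK(5000000,MD5(1))&type=page HTTP/1.1" 200 4120 4.910
198.51.100.4 - - [30/May/2021:10:00:09 +0000] "GET /wp-admin/admin.php?page=example-stats-pages&ID=13&type=post HTTP/1.1" 200 4098 0.029
198.51.100.4 - - [30/May/2021:10:00:10 +0000] "GET /wp-admin/admin.php?page=example-stats-pages&ID=14&type=page HTTP/1.1" 200 4101 0.033
198.51.100.4 - - [30/May/2021:10:00:11 +0000] "GET /wp-admin/export.php?download=true HTTP/1.1" 200 910000 3.512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$')

# Timing primitives used by time-based blind SQLi across common database engines.
TIMING_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)

SLOW_SECONDS = 2.0   # absolute floor before latency is considered suspicious
BASELINE_FACTOR = 10  # and it must also be this many times the path's median


def parse_line(line: str):
    """Parse one log line into ip, path, decoded query parameters and response time."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    return {"ip": m["ip"], "path": parts.path, "params": params, "rt": float(m["rt"])}


def detect(log_text: str):
    """Scan log text; return (findings, per-source count of flagged requests)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]

    # Baseline latency per path: the median of everything seen for that path.
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["rt"])
    baseline = {path: statistics.median(times) for path, times in by_path.items()}

    findings, per_source = [], defaultdict(int)
    for e in entries:
        reasons = [f"timing primitive in parameter {name!r}"
                   for name, value in e["params"] if TIMING_RE.search(value)]
        median = baseline[e["path"]]
        if e["rt"] >= SLOW_SECONDS and e["rt"] > BASELINE_FACTOR * median:
            reasons.append(f"latency {e['rt']:.2f}s vs path median {median:.3f}s")
        if reasons:
            findings.append({"ip": e["ip"], "path": e["path"], "reasons": reasons})
            per_source[e["ip"]] += 1
    return findings, dict(per_source)


if __name__ == "__main__":
    found, sources = detect(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], "; ".join(f["reasons"]))
    print("flagged requests per source:", sources)
```

The per-source counter is the part worth wiring to an alert: a single slow request is noise, but the same client issuing a run of slow requests against one endpoint is the shape an automated tool such as sqlmap produces.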

Attackers are constantly on the lookout for newly disclosed vulnerabilities. Public disclosure by the security community is usually the first step towards attackers experimenting with, and eventually extending, the existing work to come up with a working exploit that helps them achieve their malicious objective.
