Cyber Hub

This week, researchers detected a new phishing campaign targeting corporate users impersonating popular brands such as Microsoft and claiming that a password reset is needed. In addition, a new malspam campaign dropping a new TrickBot variation - which uses HTML smuggling - was detected.

Over the past week, researchers observed that the Squirrelwaffle campaign is hijacking legitimate email chains via ProxyShell and ProxyLogon. In addition, security researchers discovered evidence of the TrickBot malware dropping a loader for the Emotet malware on infected devices.

This week, security researchers identified a malware named SquirrelWaffle, which utilizes an unpatched vulnerability in Microsoft Exchange servers to distribute emails containing weaponized Microsoft Office documents and Excel sheets. In addition, a recent BazarLoader campaign was seen abusing Windows 10 App feature.

This week, researchers revealed three new phishing campaigns, focusing on their techniques to evade detection. The first is a campaign that uses a compromised, legitimate Amazon SES token and AWS infrastructure, which allows attackers to send malicious emails and bypass anti-phishing systems. Additionally, a new phishing campaign is distributing the Mekotio banking trojan, which has been enhanced with three new modules that make it stealthier. Lastly, researchers reported on a new phishing campaign that is impersonating supplies lists and infecting users with the MirCop ransomware - which encrypts a target system in under 15 minutes.

Over the past week, a new Proof of Concept (PoC) was published for a zero-day vulnerability affecting all Windows versions, which would allow an attacker to gain SYSTEM privileges under certain conditions. Furthermore, a new macOS vulnerability named “Shrootless” was observed by researchers. With this vulnerability, exploitation would allow an attacker to perform arbitrary operations, elevate privileges to root an affected device, and install rootkits on vulnerable devices. Finally, Google has released a new Google Chrome version to fix eight vulnerabilities - two of which are zero-day vulnerabilities that are being actively exploited in the wild.

During the past week, Microsoft published the details of a large-scale phishing campaign aimed at stealing users’ passwords. The campaign uses a phishing kit that is built using pieces of code copied from other hackers' work. In addition, security researchers reported an increase in the activity of the threat actor TA505, who has returned to distributing large volumes of malicious emails targeting most industries. Furthermore, the Federal Bureau of Investigation (FBI) recently warned the US public of a phishing campaign that leverages spoofed unemployment benefit websites to steal personal and financial information.

Recently, researchers discovered a new vulnerability in the Windows SAM database called HiveNightmare (aka SeriousSAM). Exploitation of this vulnerability could allow non-admin users to access the SAM database, which is a storage of local passwords and users. Essentially, an attacker could run arbitrary code with SYSTEM privileges, and then install programs; view, change, or delete data - or create new accounts with full admin rights. The vulnerability affects Windows 10 version 1809 and newer operating systems. Additionally, an exploit is publicly available. After this discovery, Microsoft addressed the vulnerability and assigned it the following CVE ID: CVE-2021-36934. Microsoft has not yet published an official patch for the vulnerability; however, several mitigations and workarounds are suggested.

Read the full Threat Hunting report to learn more.

BazarLoader is known to spread via phishing emails that purport to stem from legitimate sources. For instance, a malicious email could be disguised as payroll reports or lists of terminated employees. Clicking on the malicious link to documents can redirect the targeted victim to malicious landing pages resembling Excel sheets, PDFs, or Word documents. BazarLoader has continued to be one of the preeminent initial access brokers for ransomware threat actor access. In July, we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain-wide encryption using Conti ransomware.

Read the full Threat Hunting report to learn more.

This week, security researchers published a report explaining the technique that allowed the MyKings botnet to become the world's largest botnet dedicated to mining crypto currencies. In addition, a new Python-based malware attributed to Keksec has been analyzed. The malware has several vulnerability exploits in its arsenal, including an exploit of the recently disclosed Confluence RCE vulnerability. Also, a new campaign named MirrorBlast - linked to the threat actor TA505 - was discovered targeting mainly financial institutions worldwide. Lastly, a Google Chrome adblocker extension was found to be injecting affiliate links that generate commissions for its developers.

Over the past week, security researchers performed malware analysis on two main malware files: FontOnLake and ShellClient. The first is a new malware strain targeting Linux OS to harvest credentials. The malware is interestingly engineered, with the main components constantly communicating with each other to allow silent malicious stealth from the host. The second is named ShellClient a seemingly state-sponsored Iranian-operated malware strain that has undergone significant evolution after first emerging during late 2018.