Cyber Hub

Two major malware families known for their powerful phishing campaigns saw an upgrade in their distribution vectors this past week. Emotet released a new template for malicious attachments, and Qbot Trojan acquired the capability of hijacking legitimate email threads to propagate further.

Over the past week, new developments in the ransomware landscape were observed. Since ransomware is one of the most significant threats that organizations need to prevent, the CyberProof CTI team constantly reviews reports about new strains of ransomware and enhancements of types of ransomware that are already known. This week, a new type of ransomware called SunCrypt joined the cartel of Maze ransomware, for assisting the Maze group with running their operations. In addition, a script kiddies group from Iran deployed Dharma ransomware – in order to earn money. This is unusual behavior for Iranian threat actors as usually the Iranian groups are focused on espionage or sabotage operations. Furthermore, Conti ransomware, a successor of Ryuk, joined the trend of establishing data leak sites, which are designed to put pressure on their victims.

This week, researchers observed two major campaigns that deliver advanced malware variants. In both cases, the payload in use is not new; rather, in one case researchers have been able to identify features that may be associated with malware samples from 2012. The two campaigns demonstrate how attackers use and rely on a known, well-built framework, and work to maintain and improve it. One campaign portrays how decade-old techniques can be adjusted to meet the needs of an ongoing malspam campaign. The other uses a cryptominer variant updated with a new capability to target Linux-based systems.

In the past week, several botnets have been identified being used mainly for cryptomining and DDoS. The botnets show sophistication in their model of operation and new capabilities added to enhance their footprint. A relatively new botnet associated with the TeamTNT group is the first ever botnet that is capable of collecting AWS credentials while the Lucifer botnet has begun targeting Linux systems and adds new Windows-related capabilities. Another newly discovered P2P botnet named FritzFrog has breached more than 500 SSH servers using its powerful P2P implementation.

As ransomware continues to grow in popularity amongst the cybercrime community, the malware utilized is evolving as more powerful, effective and devastating During the last week, the CyberProof CTI team noticed an uptick in two sophisticated ransomware campaigns: Dharma and DarkSide ransomware. Dharma has been around since mid-2016, however, it continues to be upgraded, and makes the news on a weekly basis. On the other hand, DarkSide is a new strain of ransomware that was first detected earlier this month. The developers behind it have lots of experience from operating on other prominent ransomware gangs and has therefore already gained a serious reputation.

New substantial phishing campaigns have been detected over the past week. Among them, Qbot introduced two new techniques, a new Dridex variant being leveraged in invoice-themed files in recent malspam campaigns, a major wave of phishing attacks targeting remote workers, and a loan relief phishing scam targeting SBA.

This week, the CyberProof CTI team focused on two new, major phishing campaigns: an Emotet spam campaign targeting businesses in the US, and a phishing campaign impersonating Outlook – abusing Google and Microsoft’s cloud platforms. In addition, this week it was disclosed that researchers detected a vulnerability in Emotet’s code and created a dedicated exploit known as EmoCrash. These recent events show the duality that exists in the cybersecurity world: attackers and defenders often use similar techniques, tools, and services, each for their own benefit, trying to gain advantage in this everlasting arms race.

In the past week, many cases of malware attack have been observed. While part of them are based on new variants of previous malware such as Agent Tesla and KONNI, others shed light on previously unseen malware that are considered to be both sophisticated and dangerous. This week, security researchers warned about a new Linux malware developed with the aim of conducting cyber-espionage operations. In addition, a new Russian APT group named RedCurl was discovered.

Over the past week, security researchers published an extensive analysis of Operation Powerful – a targeted attack on a South Korean company that occurred in May 2020. The operation – attributed to the well-resourced DarkHotel APT – used a new attack chain that exploited two zero-day vulnerabilities: CVE-2020-0986 (as a vector of initial access) and CVE-2020-1380 (for the elevation of privilege).

As ransomware attacks continue proving themselves one of the most profitable TTPs for cybercriminals today, their sophistication and frequency increases as well. This week, security researchers published their analysis of the WastedLocker ransomware, which became notorious worldwide after attacking the Garmin, the technology giant known for its wearable GPS products, last month. In addition, the Interpol warned about an ongoing wave of LockBit attacks throughout the US.