Cyber Hub

During the past week, security researchers identified new campaigns that deliver some of the most common malware families today. Buer Loader was seen being delivered in a phishing campaign that includes the usage of XLL files. Furthermore, the Remcos Remote Access Trojan (RAT) was seen being delivered in phishing emails with ZIP archive attachments that contain Visual Basic scripts.

Over the past week, the ransomware scene has shown some notable developments. Several sources have been reporting the prevalence of a new ransomware strain called AvosLocker, which is targeting law firms and manufacturers worldwide. In addition, malware analysis of a ransomware strain called Mespinosa revealed that it uses two external open-source tools, thus lowering the overall costs and resources spent by threat actors when crafting targeted ransomware campaigns. Lastly, the recent Kaseya infection with ransomware reveals how the REvil attack group is using DLL side-loading as a main technique within the payload’s modus operandi on the host. Finally, the HelloKitty ransomware introduced some dramatic and active developments in its recent operations – and now targets both ESXi servers and vulnerable SonicWall products.

Cuba ransomware is written in C++ and is used as the final-stage payload in double extortion campaigns. Operators use Cuba ransomware in conjunction with a leak site that publishes data extracted from compromised systems prior to encryption. Cuba has affected organizations in North America, South America, and Europe. It has also affected various sectors, including pharmaceutical, manufacturing, and logistics. Recently, it has been delivered by the Hancitor downloader in spam email campaigns. While Cuba ransomware has purportedly been active for a few years, they have only recently gained notoriety, primarily for publishing leaked documents from infected companies that resisted their blackmail attempts. Read the full Threat Hunting report to learn more.

Microsoft reported about CVE-2021-1675 (now termed CVE-2021-34527), on June 21; PrintNightmare was updated to critical severity as the potential for remote code execution was uncovered. Microsoft's patch did not successfully resolve the issue for CVE-2021-34527 PrintNightmare, but it did resolve CVE-2021-1675. PrintNightmare allows the attacker to run any code with SYSTEM privileges(Local Privileges Escalation & Remote Code Execution). The PrintNightmare vulnerability affects the Windows Print Spooler in all versions of Windows, including the versions installed on personal computers, enterprise networks, Windows servers, and domain controllers. Read the full Threat Hunting report to learn more.

During the past week, researchers have uncovered a few new phishing campaigns affecting individuals and companies around the world. One of these campaigns delivers XLL files in emails that impersonate DocuSign to infect recipients with Hancitor infostealing malware. Another campaign leverages the legitimacy of Microsoft’s OneDrive to send phishing emails that redirect to a phishing site that displays the victim’s organization’s logo. This site redirects to another phishing website that looks exactly like Microsoft’s login page. The third observed campaign is a spear phishing campaign targeting mainly energy, oil, and gas organizations with tailored emails that include an attachment that looks like a PDF. In actuality, the attachment is an executable file that deploys different forms of Remote Access Tools (RATs).

During the past week, security researchers have observed an embedded Word document that contains the Hancitor downloader. This attack also combines a command to execute a Cobalt Strike Beacon on another machine. In addition, security researchers observed a new campaign delivering the Buer loader via phishing emails that incorporate high-quality COVID-19 communicationthemed references. Furthermore, researchers shared an interesting analysis of a recent sample of the TrickBot webinject module.

During the past week, security researchers have observed two unique phishing campaigns. As seen below, phishing campaigns are continuously evolving, with threat actors using more creative techniques and well-crafted vectors to reach their malicious goals. The first campaign observed by researchers entails the use of unusual attachment files sent to victims, designed to bypass corporate security mechanisms and filters, engineered to block common patterns of phishing campaigns. The latter is a phishing campaign trying to imitate an Office 365 update notice, requesting that victims insert their corporate credentials in a spoofed domain - crafted as a legitimate Microsoft webpage.

During the past week, researchers have uncovered a few new phishing campaigns affecting individuals and companies around the world. One of these campaigns uses a known technique that consists of using compromised legitimate Office 365 accounts to send documents hosted in SharePoint. These documents then redirect to a phishing page that requests the victim’s credentials. Another campaign leverages the legitimacy of Google Docs to host a phishing site that redirects to a malicious phishing website – one that looks exactly like the signin page for Google Docs. The third observed campaign spoofs legitimate-looking WeTransfer emails urging users to see files that were shared with them. A hyperlink in the email directs to a phishing website that steals the user’s WeTransfer credentials. And finally, an unknown threat actor is impersonating the DarkSide ransomware gang with extorting emails, claiming to successfully gain access to sensitive information and requesting a ransom.

This past week, security researchers analyzed recent samples of two powerful malware strains that were recently observed in the wild. The first is the ever-changing Gootkit banking trojan, which was observed operating in an advanced multi-stage infection chain. The second is the recently discovered Prometheus ransomware, which is believed to be a customized variant of the notorious Thanos ransomware. In addition, researchers have found new threats on Kubernetes: Siloscape – a new malware that targets Windows containers to compromise Kubernetes clusters; and a new campaign targeting Kubernetes clusters running Kubeflow instances, in order to plant malicious TensorFlow pods that are used to mine for cryptocurrency.

This week, security researchers found a malware campaign distributing prevalent Infostealers - such as Redline and Taurus - using pay-per-click (PPC) ads in Google's search results. In addition, an incident response investigation was published presenting how a threat actor installed a cryptominer in a victim's system by exploiting an RCE vulnerability in WebLogic. Lastly, a new piece of malware called SkinnyBoy - which was attributed to the Russian-linked APT28 - was spotted being distributed in spear-phishing campaigns.