Cyber Hub

Phishing continues to be the most common infection vector for launching large-scale cyber campaigns. To keep this attack effective, threat actors come up with new ways to perform phishing or to improve the methods they are utilizing. This past week, hackers launched an Office 365 phishing campaign that validates the stolen credentials in real time. Threat actors also launched a phishing campaign that impersonates the technical support team of the victim’s organization. It uses messages about quarantined emails that include a link to a phishing website, which is uniquely designed to look like it belongs to the employee’s company. In addition, the French government warned its citizens this week against an increase in phishing emails delivering the Emotet Trojan to French targets in the private and public sectors.

Over the past week, the CyberProof CTI team kept track of ongoing developments and modifications of known and new variants of ransomware. Many campaigns of major ransomware operations targeted large companies internationally, such as Equinix and SoftServe, which provide IT services to many companies around the world. Moreover, the ProLock and Zeppelin ransomware have upgraded their capabilities and are demanding an increased ransom rate.

Over the past week, security researchers disclosed a new vulnerability dubbed BLURtooth – which might be used to conduct Man-in-the-Middle (MitM) attacks against Bluetooth-supporting devices. In addition, researchers discovered that a flaw in Windows theme files can be leveraged by threat actors to harvest Windows credentials.

Many new campaigns that leverage phishing as an attack vector have been identified throughout the last week. As reported in the previous weekly report, massive campaigns of Emotet and Qbot have been launched worldwide. Other phishing campaigns used sophisticated techniques to avoid detection in order to spread malware or steal credentials. In a new campaign called Safram, threat actors used the contact forms that appear on organizations’ websites to send links that host obfuscated malware binaries – while another campaign used email quarantine messages, in an attempt to steal credentials.

Over the past week, the CyberProof CTI team kept track of ongoing developments and modifications of known and new variants of ransomware. Several new types of ransomware were discovered, in addition to new variants of known types of ransomware. Moreover, researchers found a new ransomware dubbed Cyrat disguised as a DLL fixer, and a new destructive variant of Thanos ransomware.

Over the past week, several malware campaigns exposed new developments and capabilities, that improve their ability to avoid detection and allow them to cause greater damage to the infected victims. A new operation called Epic Manchego was observed leveraging EPPlus to create malicious Office documents that evade detection. Researchers also identified the notorious Evilnum group using a new Python-based RAT. In addition, researchers analyzed a new evasion technique which abused DNS over HTTPS to retrieve the final payload.

Two major malware families known for their powerful phishing campaigns saw an upgrade in their distribution vectors this past week. Emotet released a new template for malicious attachments, and Qbot Trojan acquired the capability of hijacking legitimate email threads to propagate further.

Over the past week, new developments in the ransomware landscape were observed. Since ransomware is one of the most significant threats that organizations need to prevent, the CyberProof CTI team constantly reviews reports about new strains of ransomware and enhancements of types of ransomware that are already known. This week, a new type of ransomware called SunCrypt joined the cartel of Maze ransomware, for assisting the Maze group with running their operations. In addition, a script kiddies group from Iran deployed Dharma ransomware – in order to earn money. This is unusual behavior for Iranian threat actors as usually the Iranian groups are focused on espionage or sabotage operations. Furthermore, Conti ransomware, a successor of Ryuk, joined the trend of establishing data leak sites, which are designed to put pressure on their victims.

This week, researchers observed two major campaigns that deliver advanced malware variants. In both cases, the payload in use is not new; rather, in one case researchers have been able to identify features that may be associated with malware samples from 2012. The two campaigns demonstrate how attackers use and rely on a known, well-built framework, and work to maintain and improve it. One campaign portrays how decade-old techniques can be adjusted to meet the needs of an ongoing malspam campaign. The other uses a cryptominer variant updated with a new capability to target Linux-based systems.

In the past week, several botnets have been identified being used mainly for cryptomining and DDoS. The botnets show sophistication in their model of operation and new capabilities added to enhance their footprint. A relatively new botnet associated with the TeamTNT group is the first ever botnet that is capable of collecting AWS credentials while the Lucifer botnet has begun targeting Linux systems and adds new Windows-related capabilities. Another newly discovered P2P botnet named FritzFrog has breached more than 500 SSH servers using its powerful P2P implementation.