Cyber Hub

Over the past week, several new phishing campaigns have been detected in the wild. A BEC phishing campaign targeted organizations using a gift card as a lure to steal money. In addition, a widespread campaign was seen targeting organizations from various industries to drop three new malware families. Finally, a new phishing campaign to gather credentials used OneDrive as a lure.

Last week, Passwordstate - the enterprise password manager that was compromised on April 20th - warned its customers of ongoing phishing attacks targeting them with the Moserpass malware. The Passwordstate app's update mechanism was hacked to deliver malware in a supply-chain attack after its networks were breached. In addition, security researchers picked up on a phishing campaign impersonating MS SharePoint. This campaign successfully bypasses security email gateways (SEGs) to steal user credentials. Lastly, a massive spam campaign is distributing the Snake keylogger to users around the world.

Last week, a global phishing campaign was detected impersonating a well-known recruiting firm in order to distribute the Ursnif info-stealing malware. The campaign is targeting users around the world with XLSM files with embedded malicious macros. Also this week, a cyber security researcher demonstrated how it is possible to hide Outlook users. Finally, security researchers reported on a new phishing campaign taking advantage of the tax season to steal credentials and personal information. The phishing emails attempt to impersonate the IRS and notifies of an extra tax refund to lure victims into providing personal information.

Last week, researchers saw a wave of malspam delivering the QBot Trojan instead of IcedID - the malware commonly delivered in these types of malspam campaigns. Another phishing campaign was detected spreading the FormBook malware in PowerPoint attachments, using the .pps file extension. In addition, the BazarLoader operators launched a phishing campaign that leverages workers’ trust in collaboration tools like Slack and BaseCamp to infect organizations.

This past week, researchers shared their insights regarding several ongoing phishing campaigns aimed at spreading malware in the wild. This includes a recent spear phishing campaign that was observed leveraging fake job offers on LinkedIn to distribute the More_eggs backdoor, as well as a new, tricky phishing delivery technique that was utilized in a recent IcedID campaign. Researchers additionally detected this week a new phishing campaign aimed at stealing Office 365 credentials from corporate users via malformed HTML attachments.

This past week, researchers shared their insights regarding several ongoing phishing campaigns aimed at spreading malware in the wild. This includes a recent BazarCall campaign that leverages live call centers in a new Distribution-as-a-Service model to infect victims with various malware types, as well as two phishing campaigns that abuse the tax season to infect American citizens with the TrickBot banking trojan. Researchers additionally shared this week a deep-dive analysis of the Hancitor Infostealer, which was observed being distributed in the wild through fake DocuSign phishing emails.

The past week, a new phishing scheme was discovered using several social engineering techniques to convince victims to grant access to scammers to their computers, in order to extort money.   In addition, Slack has released a new feature that enables users to have conversations with users outside of their organization. Threat actors are already planning on ways to abuse this feature for phishing purposes.

This week, security researchers reported on several new phishing campaigns taking advantage of the tax season to distribute malware. One of them consists of emails sent using a typo squatted IRS domain that includes attachments that download the Dridex malware. The second campaign lures taxpayers into downloading a MS Word document with malicious macros that bring either Remcos or NetWire RATs. Additionally, a new Microsoft 365 spoofing campaign is targeting C-level executives in the financial services, insurance, and retail industries. Also last week, FBI’s Internet Crime Complaint Center (IC3) released the 2020 Internet Crime Report,1 an annual report that, this year, includes information from 791,790 complaints of suspected internet crime. This represents an increase of more than 300,000 complaints from 2019, and reports losses exceeding $4.2 billion. According to the report, the top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. The report also details the influence that COVID-19 had on cybercrime.

This week, security researchers reported on the resurgence of FIN8, the financially motivated threat group, which reappeared with an improved version of their BadHatch backdoor hitting organizations around the world. Also, the zoMiner botnet, first spotted last November, is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero. Additionally, the Bazar loader, associated with the TrickBot family, has brought the Anchor malware, a backdoor used by attackers on selected targets. In the ransomware front, the HelloKitty ransomware, found to be the responsible for the attack on CD Projekt Red, was dissected and its attack chain was described on a new report.

This week, a new wave of phishing emails spreading the IcedID banking trojan was detected. The malware shows new capabilities for avoiding detection and achieving persistence on the targeted machine. In addition, a new phishing campaign related to the tax season was seen in the wild, one where threat actors impersonated the IRS to steal user credentials.