Cyber Hub

This past week, researchers shared their insights regarding several ongoing phishing campaigns aimed at spreading malware in the wild. This includes a recent BazarCall campaign that leverages live call centers in a new Distribution-as-a-Service model to infect victims with various malware types, as well as two phishing campaigns that abuse the tax season to infect American citizens with the TrickBot banking trojan. Researchers additionally shared this week a deep-dive analysis of the Hancitor Infostealer, which was observed being distributed in the wild through fake DocuSign phishing emails.

The past week, a new phishing scheme was discovered using several social engineering techniques to convince victims to grant access to scammers to their computers, in order to extort money.   In addition, Slack has released a new feature that enables users to have conversations with users outside of their organization. Threat actors are already planning on ways to abuse this feature for phishing purposes.

This week, security researchers reported on several new phishing campaigns taking advantage of the tax season to distribute malware. One of them consists of emails sent using a typo squatted IRS domain that includes attachments that download the Dridex malware. The second campaign lures taxpayers into downloading a MS Word document with malicious macros that bring either Remcos or NetWire RATs. Additionally, a new Microsoft 365 spoofing campaign is targeting C-level executives in the financial services, insurance, and retail industries. Also last week, FBI’s Internet Crime Complaint Center (IC3) released the 2020 Internet Crime Report,1 an annual report that, this year, includes information from 791,790 complaints of suspected internet crime. This represents an increase of more than 300,000 complaints from 2019, and reports losses exceeding $4.2 billion. According to the report, the top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. The report also details the influence that COVID-19 had on cybercrime.

This week, security researchers reported on the resurgence of FIN8, the financially motivated threat group, which reappeared with an improved version of their BadHatch backdoor hitting organizations around the world. Also, the zoMiner botnet, first spotted last November, is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero. Additionally, the Bazar loader, associated with the TrickBot family, has brought the Anchor malware, a backdoor used by attackers on selected targets. In the ransomware front, the HelloKitty ransomware, found to be the responsible for the attack on CD Projekt Red, was dissected and its attack chain was described on a new report.

This week, a new wave of phishing emails spreading the IcedID banking trojan was detected. The malware shows new capabilities for avoiding detection and achieving persistence on the targeted machine. In addition, a new phishing campaign related to the tax season was seen in the wild, one where threat actors impersonated the IRS to steal user credentials.

This week, security researchers reported on several new cyber campaigns that leverage phishing as initial access to infect with different malware. Some of these phishing campaigns were attributed to sophisticated APTs and delivered neverbefore- seen malware. This proves that even if organizations invest heavily in phishing detection and prevention, malware is still one of the most popular infection vectors used by both regular and advanced cyber criminals around the world.

Global phishing and malspam campaigns continue to leverage new advanced techniques that make them much trickier and more challenging to detect. This week, researchers observed the DarkComet remote access tool spreading in the wild via macro-less documents, as well as other phishing campaigns aimed at distributing the notorious TrickBot banking trojan and the Masslgger info-stealer. Researchers additionally shed some light on an interesting evasion technique that enables phishing links to efficiently bypass email gateways.

This week, multiple researchers reported on increased activity in the delivery of the BazarLoader trojan. Deeper investigations of the identified samples showed that the trojan has a new variant that has enhanced evasion techniques. Furthermore, several phishing campaigns related to the approaching tax season were reported as being executed in the wild.

Over the past week, many new campaigns that involved various malware have been seen in the wild. Some of the new campaigns that are covered in this report include the reemergence of the DanaBot trojan with a new variant and a new malware named Hildegard that targets Kubernetes. Researchers additionally shared this week a deep-dive analysis of the second and third versions of Agent Tesla, which indicate a continuous evolution of the malware. Other reports from the past week include renewed activity of the BazarBackdoor, as well as a new module of TrickBot used for reconnaissance in infected networks. As both of these tools are attributed to the notorious TrickBot group, these reports may reflect recent efforts made by the group to enlarge and strengthen its arsenal.

This past week, security researchers shed light on several ongoing phishing campaigns with notable capabilities. A new DHL shipping phishing campaign was observed cleverly evading security detection, while the advanced LogoKit phishing kit was discovered to be widely used during the past month.