Neu Cyber Threats – 23rd September 2021
How to avoid phishing attacks…with Neuways
Phishing attacks are a constant threat to businesses, whatever their size or industry. They can be devastating, as we often document in this weekly Neu Threats bulletin.
Read our full blog on the topic to discover more about how multi-factor authentication can help your business.
Banking trojan returns to attack businesses
A targeted campaign has been discovered to be delivering the ZLoader banking trojan via Google AdWords, as well as disabling all Windows Defender modules on victim machines.
Researchers said that, to lower the rates of detection, the infection chain for the campaign also includes the use of a signed dropper, plus a backdoored version of the Windows utility ‘wextract.exe’, which embeds the ZLoader payload itself.
ZLoader has been around for a long time, as one of the many malware forks that rose from the ashes of the Zeus banking trojan. Researchers said: “It is a typical banking trojan, as it implements web injection to steal cookies, passwords and any sensitive information. It attacks users all over the world and has also been used to deliver ransomware families like Egregor and Ryuk.
“It also provides backdoor capabilities and acts as a generic loader to deliver other forms of malware.”
Victims are hit by malware spread through fake Google advertisements, published via Google AdWords, for various popular software. This is an alternative to the more typical social-engineering tactics, such as phishing emails. The lures include Java plug-ins, the TeamViewer remote-access tool and Zoom. This means that when someone searches Google for “Team Viewer download”, an advertisement shown by the search engine redirects them to a fake TeamViewer site under the control of cyber criminals. Once there, the user is tricked into downloading a fake installer.
Researchers explained: “The dropper contains most of the logic to impair the defences of the machine. At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It adds exclusions to hide all the components of the malware from Windows Defender.”
The heavy use of legitimate Windows utilities and functions helps the malware evade security filters and defences and hide itself. A further script, “nsudo.bat”, can then be downloaded; it performs several operations aimed at elevating privileges on the system and impairing its defences:
- It checks whether the current execution context is privileged by verifying access to the SYSTEM registry hive.
- It implements an auto-elevation VBScript that aims to launch an elevated process in order to make system changes.
- Once elevation succeeds, the script is re-run with elevated privileges.
- Using the NSudo utility, the script disables Windows Defender persistently by ensuring that the “WinDefend” service is deleted at the next boot.
- The nsudo.bat script also disables User Account Control (UAC) entirely.
- It forces the computer to restart so that the changes take effect.
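The changes listed above are all readable from the host afterwards, so they can be audited. The script below is an added example written for this bulletin, not code from the researchers’ report or from Neuways; it reads the Defender preferences, the WinDefend service, the boot-time file-operation queue and the UAC policy keys and reports anything that matches the chain described, changing nothing. It assumes the built-in Defender PowerShell module (Get-MpPreference, Get-MpComputerStatus) is present, and it should be run from an elevated prompt.

```powershell
# Added audit script (not from the bulletin or the researchers): reports the
# defence-impairing state the nsudo.bat chain leaves behind. Read-only.
# Assumes the Defender module is available; run from an elevated PowerShell prompt.

$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Message) { $script:findings.Add($Message) }

# The dropper first checks whether it is elevated; do the same so an unelevated run
# does not report a misleading "clean" result.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated: Defender and service state may be incomplete.'
}

# Set-MpPreference switches the dropper flips to turn Defender modules off
$pref = Get-MpPreference
foreach ($flag in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                  'DisableIOAVProtection', 'DisableScriptScanning', 'DisableBlockAtFirstSeen') {
    if ($pref.$flag) { Add-Finding "Defender preference $flag is set (module off)" }
}

# Exclusions added to hide the malware's components from scanning
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { Add-Finding "Defender $kind exclusion present: $item" }
    }
}

# Engine state as Defender itself reports it
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { Add-Finding 'Defender antivirus reports itself disabled' }
if (-not $status.RealTimeProtectionEnabled) { Add-Finding 'Defender real-time protection is off' }

# WinDefend service: deleted, not running, or start type set to Disabled (4)
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc) {
    Add-Finding 'WinDefend service is missing (deleted)'
} elseif ($svc.Status -ne 'Running') {
    Add-Finding "WinDefend service is $($svc.Status)"
}
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
$start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) { Add-Finding 'WinDefend service start type is Disabled' }

# File deletions/renames queued for the next boot (the MoveFileEx delay-until-reboot
# mechanism); entries touching the Defender directories deserve a look.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($entry in @($pending)) {
    if ($entry -match '(?i)Windows Defender') { Add-Finding "Pending boot-time file operation: $entry" }
}

# UAC switched off, or configured to elevate silently
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -eq 0)                  { Add-Finding 'UAC is disabled (EnableLUA = 0)' }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { Add-Finding 'UAC elevates without prompting (ConsentPromptBehaviorAdmin = 0)' }

if ($findings.Count -eq 0) { 'No defence-impairment indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Save it as a .ps1 and run it on any host suspected of having run the fake installer. A clean result is not proof of a clean machine, but any hit on the WinDefend, exclusion or UAC checks is exactly the footprint the chain above leaves and should trigger a full investigation rather than a quick fix of the setting.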
As some of the malicious file names suggest, the cyber criminals’ infrastructure includes the Tim botnet, whose structure involves at least 350 different web domains.
Neuways advises businesses and employees to download software only from the vendor’s official website, reached by typing the address rather than by clicking a search advertisement, and to check the address of any download page before running an installer. Stay wary, too, of any unexpected email communications you receive, and do not open hyperlinks or attachments you don’t recognise. Either route can result in the stealthy download of banking trojans such as ZLoader onto your business systems. Credentials become compromised and then, before you know it, your business and confidential data could fall into the hands of cyber criminals.
BlackMatter ransomware gang strikes globally
The BlackMatter strain of ransomware is being utilised by cyber criminals to launch attacks on businesses around the world.
“Suspicious activity” was detected in early September by the technology giant Olympus. As part of the ensuing investigation, the company suspended data transfers in the affected systems and informed the relevant external partners.
Olympus are the latest victim of the BlackMatter ransomware group, one of the cyber criminal organisations that have risen to prominence after purveyors of ransomware like DarkSide, REvil and Ragnarok shut down operations.
The attack began in the early morning of the 8th September, with BlackMatter claiming responsibility in a ransom note left on infected computers. The note said: “Your network is encrypted, and not currently operational. If you pay, we will provide you the programmes for decryption.”
The note also included a link to a website, accessible only through the Tor Browser, that BlackMatter is known to use to communicate with victims.
BlackMatter operates as ransomware-as-a-service. The group rose from the ashes of DarkSide, the group behind the infamous Colonial Pipeline attack, which caused major disruption to fuel supplies. It is rumoured, in fact, that BlackMatter is merely a rebranding of the former ransomware gang rather than a brand new group.
Researchers said: “The adversary’s tactics, techniques, and procedures (TTPs) seem to be very similar for DarkSide and BlackMatter.”
It isn’t the only ransomware group that has been resurrected recently. REvil had been lying low since its major supply-chain attack on Kaseya, but returned last week with its servers back online and a fresh victim listed on its site.
All of this recent activity is bad news for businesses because, as we all know, being the target of a ransomware attack can cost an organisation millions of pounds in ransom payments, recovery and remediation costs. Researchers added: “While it may seem we have had less ransomware attacks over the past couple of months, we expect these types of double extortion ransomware attacks to continue at full force the remainder of the year.”
Neuways advises businesses to prepare their cyber security defences for the worst. Business Continuity & Disaster Recovery plans are one of the best ways businesses can protect themselves from cyber criminals. Regularly backing up company data to three separate locations, at least one of them offline or otherwise unreachable from the production network so that the ransomware cannot encrypt it too, allows a business to stay operational even if a cyber attack occurs. This removes one of the criminals’ key bargaining chips, access to the victim’s data, and the victim can continue to work and keep earning. Note that backups do not remove the second lever of a double extortion attack, the threat to leak data that was stolen before encryption, so preventing and detecting the intrusion itself still matters.
Ryuk ransomware gang taking advantage of Microsoft MSHTML flaw
The same cyber criminals behind Ryuk ransomware were some of the early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of patches released by Microsoft.
Collaborative research has revealed that campaigns by Ryuk threat actors exploited the flaw, tracked as CVE-2021-40444, early on. The bug is a remote code execution (RCE) vulnerability in MSHTML, the browser rendering engine used by Internet Explorer and embedded by Microsoft Office. It allows attackers to craft a malicious Office document that hides a malicious ActiveX control, which is loaded through MSHTML when the document is opened.
Specifically, most of the attacks that researchers analysed used the MSHTML flaw as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with infrastructure associated with multiple cyber criminal campaigns, including human-operated ransomware.
The campaign used a social engineering lure that aligned with the business operations of those businesses that were targeted, which researchers said, “suggested a degree of purposeful targeting”.
“The campaign purported to seek a developer for a mobile application, with multiple application development organisations being targeted,” they wrote. “In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.”
Microsoft first disclosed the MSHTML zero-day vulnerability on 7th September, warning organisations of the bug and urging mitigations in alerts released that day.
The vulnerability allows attackers to craft malicious ActiveX controls that are loaded by a Microsoft Office document hosting the browser rendering engine. Someone has to open the malicious document, and allow it to leave Protected View (Office opens files from the internet in Protected View, which blocks the exploit until the user clicks Enable Editing), for an attack to succeed. This is why the attackers use email campaigns with lures that appear relevant to their targets, in the hope that recipients will open the embedded documents.
Indeed, at least one of the campaigns Microsoft researchers observed used emails impersonating contracts and legal agreements to trick victims into opening the documents, which then deliver the payload.
While it is clear that ransomware operators are interested in exploiting the MSHTML flaw, at this point researchers said: “We assume there has been limited deployment of this zero-day”. That means that even if known cyber criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns.
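Because the document, not the control, is what arrives by email, the document is where detection can start. The script below is an added example for this bulletin, not code from Microsoft, the researchers or Neuways. An Office Open XML file is a zip archive, and the link from a document to an external OLE object lives in its relationship parts (`word/_rels/document.xml.rels`); the CVE-2021-40444 lures carried an `oleObject` relationship whose target was an external `mhtml:` URL with an `x-usc:` segment, which is what makes Office hand the page to MSHTML. The script opens each archive, parses every `.rels` part and flags relationships of that shape. It builds a minimal sample file in the temp directory so it runs offline; that sample, and the `lure.example` URLs in it, are constructed placeholders, not real indicators.

```powershell
# Added triage script (not from the bulletin, Microsoft or the researchers): flags
# Office Open XML files whose relationship parts point an OLE object at an external
# mhtml:/x-usc: URL, the shape used by CVE-2021-40444 lures. Read-only apart from
# writing one constructed sample file to the temp directory.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SuspiciousOleLink {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts live under */_rels/*.rels inside the package
            if ($entry.FullName -notmatch '_rels/[^/]+\.rels$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in @($rels.Relationships.Relationship)) {
                if (-not $rel) { continue }
                $target   = [string]$rel.Target
                $external = ($rel.TargetMode -eq 'External')
                $isOle    = ($rel.Type -like '*/relationships/oleObject')
                $mshtml   = ($target -match '(?i)^mhtml:|x-usc:')
                if (-not ($mshtml -or ($isOle -and $external))) { continue }
                $reason = if ($mshtml) { 'mhtml/x-usc target' } else { 'external OLE object' }
                [pscustomobject]@{
                    File   = $Path
                    Part   = $entry.FullName
                    Id     = $rel.Id
                    Type   = ($rel.Type -split '/')[-1]
                    Target = $target
                    Reason = $reason
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample: only the relationship part, which is all the scanner reads.
# The URLs are placeholders, not indicators from any real campaign.
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://lure.example/word.html!x-usc:http://lure.example/word.html" TargetMode="External"/>
</Relationships>
'@

function New-ConstructedSample([string]$Path) {
    if (Test-Path $Path) { Remove-Item $Path -Force }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/_rels/document.xml.rels').Open())
        try { $writer.Write($relsXml) } finally { $writer.Dispose() }
    } finally { $zip.Dispose() }
}

$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed-40444-shape.docx'
New-ConstructedSample $sample
Get-SuspiciousOleLink -Path $sample | Format-List
```

To sweep a quarantine or mail-drop folder, pipe files into the function: `Get-ChildItem -Path C:\Quarantine -Recurse -Include *.docx,*.docm,*.dotx,*.dotm | ForEach-Object { Get-SuspiciousOleLink $_.FullName }`. Treat the result as triage rather than a verdict: an external OLE link has legitimate uses, so the `mhtml:`/`x-usc:` target is the stronger signal, and a file flagged for either reason should be detonated or examined in a sandbox, not opened on a workstation.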
Instead, researchers believe that the goal of the operators behind the zero-day may be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.
Neuways advises businesses to apply the patch for the vulnerability that Microsoft released last week (in its 14th September Patch Tuesday update) and update their systems now, before further attacks occur. At the time of writing, the patch has successfully corrected the vulnerability.