Internet threat news

Ominously named Lucifer, researchers from Palo Alto Networks' Unit 42 have been tracking the malware since its initial discovery in May 2020, the malware boasts both crypto-miner and DDoS capabilities and has been seen exploiting Windows-specific flaws. From the malware’s code, the attackers seemingly wanted to call the malware Satan, however, a ransomware variant called Satan beat them to it. Researchers have called the malware Lucifer, no less intimidating, as not to cause confusion with the ransomware.

Traditionally hybrid malware is seen as a combination of two separate types of malware. In the past, it was common to see adware combined with a worm-like feature to enable lateral movement across networks which in essence would make the malware act like a bot infecting machines and connecting them to a botnet controlled by the attacker. Put differently, hybrid malware looks to combine traditional roles of viruses and worms in that it looks to alter code like a virus and spread to other machines like a worm. Lucifer, according to a blog post published by Palo Alto Networks' Unit 42, alters code to add a crypto miner and spreads laterally using well-known weaponized exploits. In reality, many different malware strains will have hybrid qualities as malware authors are constantly looking to improve functionality and they are not bound by the definitions security researchers place on the different types of malware to make analysis easier.

In what has now become known as “BlueLeaks” the data belonging to hundreds of US Police Departments and Fusion Centers has been leaked online. An activist group going by DDoSecrets, or Distributed Denial of Secrets to give the group their long-form name, published 269 GB worth of data stolen from US law enforcement agencies and fusion centers. The data was made available via a search engine on June 19, 2020, to perhaps coinciding with the Juneteenth celebrations which commemorate the end of slavery in the US. This year’s observances of the event have gained new meaning against the backdrop of protests against police brutality in the wake of the killing of George Floyd.

The stolen data has been made available via a searchable portal which according to the “BlueLeaks” portal the data includes more than one million files, such as scanned documents, videos, emails, and audio files. The data is believed to cover more than ten years of collected information pertaining to over 200 police departments across the US. Not only does the data pertain to police departments but also fusion centers that are defined as state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal, and private sector partners.

Effective disinformation campaigns have been a tried and tested method used by spies in times of war and in times of peace. Hackers, following the example set by certain state departments and intelligence services, learned fairly quickly that they could sell their services to the highest bidder in return for a disinformation campaign using social media to fan a wildfire. While hackers looked to use the same tactics honed by nation-state actors the same platforms used to disseminate have been cracking down on campaigns. However, it still appears that skilled operators can avoid measures put in place by the likes of Facebook, Twitter, and Google and spread false information to serve political ends.

Social media research group Graphika published a 120-page report that uncovers a widely unknown Russian disinformation operation active since 2014 and has flown largely under the radar. Those behind the operation have been named Secondary Infektion and is not to be confused with the Internet Research Agency (IRA), the Sankt Petersburg Company (troll farm) that has interfered in the US 2016 presidential election. Graphika is of the informed opinion that the two groups exist as separate entities with differing objectives despite the obvious overlap. Since operations began Secondary Infektion has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America. Along with the report, Graphika has also published a library of forgeries attributed to the group that shows the group's handiwork and ability to deceive even the most skeptical.

In the InfoSec community a lot of effort is given to the analysis and reporting of malware, be they new, old, or updated. What does not receive a lot of attention is the measures developed by hardware and software manufacturers to prevent cyberattacks. There are a variety of reasons for this, one being that they might not generate as much interest and drive traffic to media outlet’s news websites. Another may be that we view new malware and the devastation it can cause as not as sexy as measures to prevent a potential disaster. While preventative technologies may lack the headlines including millions of dollars stolen or infections into the hundreds of thousands, they will have a longer-lasting effect.

At the start of 2018, Intel made the headlines for those reasons mentioned above. The Spectre and Meltdown vulnerabilities were compared to the infamous HeartBleed bug, however through a concerted effort by Intel and the CPU manufacturer’s partners the predicted devastation was avoided. Now the tech giant makes the headlines for the reasons it would like to with the introduction of its experimental CET security features. These features are to be implemented on the new series of Tiger Lake mobile CPUs set to hit the market soon.

First seen in the wild in December 2019, RedRum ransomware has been used in highly targeted campaigns, the latest of which seem to have education and software small to medium enterprises (SME) in its crosshairs. Further, according to analysis conducted by researchers at BlackBerry and security analysts with KPMG, the ransomware is capable of targeting not only Windows machines but Linux as well. The gang operating the ransomware has adopted several unique tactics, some not seen before in ransomware distribution, to better turn targets into victims.

The ransomware called Tycoon by BlackBerry and KPMG is written in Java, which is rare in itself, but this requires the ransomware to be run in a Java Runtime Environment (JRE) to infect and encrypt targeted data. To that effect, the ransomware operators make use of a trojanized JRE to run the ransomware which is further leveraged inside an obscure Java image format in order to invade detections. So confident are the gang in their evasion techniques that the code itself is not obfuscated in any way. The use of Java and other lesser-known languages including GoLang has been noted by researchers to be an increasing trend. By using Java and the weaponized Java image format the attackers hope to avoid detection without the need to obfuscate code.

The previous two weeks have seen a surge in eCh0raix activity. Active from roughly June 2019 the eCh0raix ransomware gang has targeted mainly vulnerable QNAP NAS devices. Recently detected activity suggests that this preferred target has not changed. QNAP NAS are network-attached storage systems that can be simply defined as hard drives that constantly connect to the Internet. They are often used as backup hubs by businesses to store vital data essential to business operations. This makes the device built by QNAP a target for ransomware gangs due to the data held on the device. NAS devices have been targeted in the past by attackers to distribute Internet of Things malware.

Security firm Lookout has published a report detailing the current state of phishing email attacks targeting smartphones. In the campaigns witnessed by researchers, many of them have the specific aim of infiltrating company networks. According to the report, researchers experienced a rise in such attacks of over a third, 37%, for the period from October 2019 to March 2020. Traditionally the scourge of phishing was predominantly an area affecting laptops and desktops but given the increase in the need for employees to work remotely has seen attackers look to target mobile devices. Attackers are not content to target one platform or the other as both Android and iOS devices have been seen actively targeted in recent campaigns.

When journalists and researchers talk about the information-stealing trojan Trickbot a number of superlatives are used to describe how successful the malware has become. In many cases, Trickbot has earned those superlatives as it is one of the most notorious pieces of malware currently making up the threat landscape. Three recent events in the malware life cycle prove this viewpoint. Early in 2019, Trickbot partnered with the equally notorious ransomware Ryuk in order to share resources and victims. The event showed that the operators behind Trickbot are willing to partner up for the good of turning even more profit. Then in the last quarter of 2019, the malware was upgraded to include a module that allowed for SIM swapping attacks. Then in March of this year Ryuk, with the help of Trickbot, added the Fortune 500 Company EMCOR to the ransomware ever-increasing victim list.

2020’s news cycle has already been exhausting to follow. For the InfoSec community, the COVID-19 pandemic brought with it a mass of malware campaigns looking to exploit the pandemic as a lure. Silent Night, Astaroth, Zeus Sphinx, and a vast number of other known malware threats have emerged looking to distribute their malware on the backs of the current pandemic. However, despite the pandemic and those looking to take advantage of it maliciously, there have been several interesting developments that went unreported for the most part during the first quarter of 2020. Google’s Threat Analysis Group (TAG) recently published its first-quarter report detailing some of these trends that would not have received much attention unless analyzed by a major tech giant.

Of particular interest was the number of disinformation campaigns backed by various governments that occurred throughout January, February, and March. This is the first time that TAG has released data and specifics detailing these campaigns. TAG describes these incidents as co-ordinated social media and political influence campaigns. Many of these campaigns were taking place on Google's network of sites, such as YouTube, the Play Store, AdSense, and the rest of its advertising platforms. Further, many of these campaigns were seen taking advantage of other platforms such as Twitter and Facebook.

It can be successfully argued that the most famous banking trojan ever released unto an unsuspecting public was Zeus. The malware itself caused havoc but when the source code found its way into the public domain several other malware variants sprouted up built of the source code. Zeus Sphinx, sometimes also referred to as Terdot, is one of those newer malware variants that can directly trace its lineage to Zeus, which was first seen in the wild in 2007 and was the most prolific malware of its type till 2010 when it was allegedly retired by its developer. Despite being retired the source code still presents a danger as a number of newer malware strains have been built of the source code.

In a recent report published by Malwarebytes and HYAS details the emerges of another banking trojan which can also trace its parenthood to Zeus called Silent Night. Banking trojans are trojans specifically designed to steal banking credentials and other data pertaining to banks and other financial institutions in order to steal funds from banks and their customers. Trojan typically infect machines by masquerading as legitimate applications and processes with many banking trojans making use of web injects targeting specific browsers to steal information entered by the victim on forms and login pages.

Security firms, media houses, and the InfoSec community at large dedicate a lot of time to the discovering and subsequent analysis and reporting of the latest malware strains. Whether ransomware, creepware, MageCart attacks, or the host of other malware types, it is these threats that need to be defended against. What of inside threats? The threat posed by a disgruntled employee about to resign and the sensitive data they have access to. While most agree that such a threat needs to be defended against, how to do it efficiently remains a problem, leaving holes in even the most secure of organizations.

Sodinokibi’s, also referred to as REvil, infamy has long been covered by this publication. From exploiting Window’s zero-day flaws to how both it and Ryuk almost single-handed caused ransomware demands to spike to nearly double. Again the gang behind the ransomware has caused a stir surrounding the latest victim to fall prey to the gang. Law firm to the stars, Grubman Shire Meiselas & Sacks, is that victim. The law firm currently represents John Mellencamp, Elton John, David Letterman, Robert DeNiro, Christina Aguilera, Barbra Streisand, Bruce Springsteen, and Madonna. Further, the firm also represents large companies including, Facebook, Activision, iHeartMedia, IMAX, Sony, HBO, and Vice Media. Given the high profile of the victim and who is represented by the firm the incident garnered far more attention from large media houses than would normally be the case. News of the incident was published through media houses like Variety, who are subsequently following the story closely.

Recently several publications began reporting on Google’s successful removal of 813 creepware apps from its app store. Creepware is often seen as a stalker-like application generally seen installed on smartphones and other mobile devices, a better definition will be presented below. Creepware in the past has been marketed as an anti-theft application to track stolen phones but in reality, the application can be used to track and trace victims, fundamentally allowing someone to stalk someone else. When compared to spyware, they are not as fully featured as their cousins such as LightSpy. Well, not as fully featured they still allow damage and trauma to be carried out by perpetrators.

Google was able to remove that many apps based on an algorithm developed by a group of academics which was later published in a research paper. The paper titled “The Many Kinds of Creepware Used for Interpersonal Attacks” was published in 2019 with Google managing to implement their algorithm last year as well to clamp done on the nefarious activity. Those behind the paper, academics from New York University, Cornell Tech, and NortonLifeLock, developed the algorithm with the specific purpose of detecting creep-like behaviors within apps and then ranking them.

In the two years since its discovery Astaroth, been seen in the wild for the first time in September 2018, has continued to evolve and add features, showing the prowess of its developers. The info-stealing trojan has now been seen to have received a significant update, boasting, even more, features designed to help it evade detection and analysis. The latest campaign seen distributing the malware is confined to Brazil only, for the time being, but previous campaigns had targeted users in Europe. However, the majority of activity in the past has been confined to the South American nation.

Discovered by IBM’s X-Force the malware was described as,

“This Trojan has been around since 2017 and uses fake invoice emails that seem to be coming from a legitimate vendor using the cam.br domains. PDC estimated that approximately 8,000 of their customers' machines saw attacks of this nature in just one week. Using CloudFlare based URLs, the campaign appears to be targeting potential customers in South America. If a potential victim does not have a South American based IP address, the malware does not attempt to infect the system. The initial payload is a malicious .LNK file that points to the next stage of infection. The infection process uses the Windows Management Instrumentation Console (WMIC) and its command line interface to download and install the malicious payload in a non-interactive mode so that the user is not aware of what is happening. To "hide in plain sight", the malware uses a domain selected from a list of 154 domains within its code and the rest of the URL that points to the payload is added. All of the domains in the list were hosted on CloudFlare. Using a legitimate vendor like this, it is harder for companies to blacklist malicious communication.”

For the most part, the malware has continued on the same path, focused namely on stealing information, since its discovery subsequent feature additions have been focussed on making the malware harder to detect and analyze. The latest campaign analyzed by Cisco Talos continues this development path in a few novel, but not necessarily new, ways. In summary, the latest campaign has included COVID-19 lures to further aid in the distribution of the malware, a tactic adopted by numerous other malware developers to take advantage of the current crisis. Of particular interest to security, researchers were the new anti-analysis and anti-sandboxing features hidden within a maze of obfuscated code as well as innovative use of YouTube channel descriptions for encoded and encrypted command and control communications implemented by the malware.