VMware Report Exposes Emotet Malware’s Supply Chain

Background:

VMware researchers analyzed the evolution of Emotet malware-as-a-service and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one that steals credit card information from the Google Chrome browser, and another that uses the SMB protocol to spread laterally. Emotet's main component is a DLL file that stores a highly obfuscated list of C2 IP:port pairs. More than half of the ports in that list were 8080, used as a proxy port on compromised legitimate servers that relay traffic to the real C2 servers.

Takeaway:

For network defenders it is important to strengthen email security and implement network segmentation whenever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure.

LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM

Background:

Checkmarx Security researchers described a financially motivated threat actor group dubbed LofyGang (Lofy). The group aims to steal credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms such as NPM and GitHub. LofyGang uses package-name typosquatting and the starjacking technique, which displays fake popularity statistics for a package. The first LofyGang package typically contains no malicious behavior beyond fetching the second-stage malicious package. For its command-and-control communication the group often abuses legitimate services such as Discord, GitHub, Glitch, Heroku, and Repl.it.

Takeaway:

Developers should be aware of the growing abuse of the open source ecosystem to spread malicious code and malware: check package names carefully for typosquats and verify the legitimacy of a download before installing it. Developers should also adhere to the development practices and standards of their employer and customers.

Destructive Fake Ransomware Wiping Out System Drives

Background:

Cyble researchers discovered a new campaign targeting visitors of adult-themed sites with fake ransomware. The actors lure a targeted user into opening a downloaded file with the double extension .JPG.EXE. It drops four malicious payloads that achieve persistence via the startup folder. The payloads rename files of certain types, giving them the extension .LOCKED_FILLE, drop a ransom note, and try to delete all system drives except the C: drive.

Takeaway:

Since this fake ransomware/wiper campaign is run by a novice actor, it may be possible to restore Windows to its previous state. Malware written by novice actors often reveals its presence through visible error messages. This operation shows that, at times, paying a ransom is neither helpful nor necessary.


OnionPoison: Infected Tor Browser Installer Distributed Through Popular YouTube Channel

Background:

Kaspersky researchers detected a campaign targeting Chinese users with a trojanized version of Tor Browser. Malicious download links are placed on a popular Chinese YouTube channel alongside a link to the official Tor Browser website, which is blocked in China.

This campaign, dubbed OnionPoison, retains the basic Tor Browser appearance and functionality but changes settings to make the browser less secure: it enables form autofill, browsing history, caching, and storage of extra session data for websites. The attackers do not automatically collect user passwords, but they do collect data that identifies victims through social networking account IDs and other artifacts.

Takeaway:

If downloading software from the official website is not an option, verify the authenticity of installers obtained from third-party sources by examining their digital signatures. The malicious installer observed in the OnionPoison campaign carries no digital signature.
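One way to perform that check on Windows, as an added example that is not part of the Kaspersky report: the script below uses PowerShell's Get-AuthenticodeSignature to refuse an installer that is unsigned, fails chain validation, or is signed by a publisher other than the one expected. The expected publisher string is an assumption; set it to the vendor whose software you are installing.

```powershell
# Added example: gate execution of a third-party-sourced installer on its Authenticode signature.
# The default publisher name is an assumption; replace it with the vendor you expect.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,
    [string]$ExpectedPublisher = 'The Tor Project'
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "File not found: $InstallerPath"
    exit 2
}

$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath

# 'Valid' means the signature is intact AND the certificate chains to a root this machine trusts.
# Any other status (NotSigned, HashMismatch, NotTrusted, UnknownError, ...) is a reason to stop.
if ($sig.Status -ne 'Valid') {
    Write-Warning ("'{0}' failed signature verification: {1} ({2})" -f $InstallerPath, $sig.Status, $sig.StatusMessage)
    exit 1
}

# A valid signature from the wrong publisher is still the wrong installer.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedPublisher*") {
    Write-Warning "Valid signature, but from an unexpected publisher: $subject"
    exit 1
}

Write-Output "OK: '$InstallerPath' is signed by $subject"
Write-Output ("Thumbprint: {0}" -f $sig.SignerCertificate.Thumbprint)
exit 0
```

Save it as a .ps1 file and run it with -InstallerPath pointing at the downloaded installer; an unsigned file, as in the OnionPoison case, reports status NotSigned and exits with code 1.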

Malware Analysis Report: CovalentStealer

Background:

The US Cybersecurity and Infrastructure Security Agency published details of the CovalentStealer malware's objectives and host-based artifacts. CovalentStealer identifies file shares on a system, categorizes the files, and uploads them to an attacker-controlled Microsoft OneDrive cloud folder. The malware was built from code taken from several open-source projects, including ClientUploader.

The studied infection chains also abused two utilities: the Roshal archiver (RAR) and a PowerShell script used to extract the Master File Table from a system volume. CovalentStealer was identified as part of advanced persistent threat activity targeting an organization in the defense industrial base sector.

Takeaway:

Network defenders should monitor for anomalous command-line use and investigate suspicious PowerShell activity, and keep Windows machines and antivirus software up to date.

Bumblebee: Increasing Its Capacity and Evolving Its TTPs

Background:

Check Point researchers analyzed various samples and infrastructure of the Bumblebee loader. Since March 2022, this new loader has evolved constantly. In July 2022, it expanded its reach by removing the limitation of infecting only a single victim per public IP address. The most common infection chain embeds the packed Bumblebee DLL directly inside an ISO file. Bumblebee uses its own packer both for the loader itself and for some of the payloads it deploys. If the target is connected to an Active Directory domain, the loader downloads and injects an advanced post-exploitation framework (such as Cobalt Strike, Sliver, or Meterpreter). Otherwise, it downloads and executes a common stealer (like Vidar Stealer) or a banking trojan.

Takeaway:

Bumblebee uses its own packer both for the threat itself and for some of the samples it deploys on victims’ computers, just like other advanced malware families such as Trickbot.
