Reuse of infrastructure supporting malware distribution is a well-documented characteristic of online crime and a key way to track and classify threat actors. While it may seem simplistic for monitoring threat actor activities, the IP addresses, domains, hostnames, and URLs contacted by malware tools betray a significant amount of information about threat actor groups. For some malware attacks, it’s possible to determine the threat actor’s identity based on the infrastructure used, but, other times, the lines are blurred because some organizations harbor cyber criminals. [Read more…]
On 4/6, the Phishing Intelligence team came across a wave of phishing emails that contained a .js file packaged inside of a zip file used to deliver malware. This is nothing new, and has been seen being pushed out by resources associated with the Dridex botnet and the Locky encryption ransomware. The interesting piece is that the attackers are using a new piece of malware called RockLoader to download and install the malware on remote systems. Downloaders are nothing new, as Upatre was used with Dyre and Gameover ZeuS in the past. RockLoader has several tricks up its sleeve. [Read more…]
Over the last few months, the Phishing Intelligence team has observed a huge increase of ransomware. Many attackers are starting to experiment with ransomware as an alternative to quickly monetize. Dridex has employed a new family of ransomware named Locky, which is a pretty drastic shift in what this group is known for doing. We’re even seeing attackers go after OSX with ransomware, something that was once thought to be immune from malware, however there were nearly 6,500 users who downloaded the compromised BitTorrent client.
Follow along with us as we deconstruct a recent ransomware attack and hack the hackers behind the attempt.
Every year, attackers try to find some way to innovate and steal more money come tax time. Last year, attackers took advantage of e-filing, which led TurboTax to put a halt on all refunds due to a surge in fraudulent state tax returns. Here is a screenshot of a phishing email that the attackers are using to try and obtain W2’s for all employees:
Be on the lookout for these types of scams! Snapchat recently fell victim to one of these scams and did the responsible thing by notifying the affected parties and called on the assistance of the FBI. HMRC related phishing is something to watch out for as well, as well as anything else tax-themed around tax time. Stay alert!
A few weeks ago, we posted an article about how Dridex is experimenting with different families of malware and techniques. When one threat actor starts shifting TTP’s, it’s usually a big deal. Attackers get comfy in their infrastructure, some survive sinkholes, and they continue spamming or stealing money. One shift takes time, effort, and money on the attackers part. The part that people often forget is that attackers need people to maintain backends, code the malware, code panels, and patch exploits as researchers find them, or else they are going to be exploited by said researchers.
From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.
1/13/2016 Update: The blog has been updated to reflect the translation of the BlackEnergy word document.
On January 4th, ESET released an amazing blog post about the BlackEnergy Trojan being used to attack power companies in the Ukraine to knock out the power in some areas. While this is not the first time we’ve seen cyber attacks become kinetic, the BlackEnergy attacks could have been prevented.
When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.
Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?