July 2020 might have been hot, and COVID-19 is still rampant, but that did not stop or slow down cybercriminals, on the contrary. Here is a rundown of their activity.
Hancitor and Emotet were used in several campaigns. Hanticor is a notorious downloader spreading through malicious attachments to download data-stealing malware such as Pony and Vawtrak. For the first time, Hanticor used a new three-pronged delivery approach:
- The use of the uncommon, native Windows CallWindowProc API.
- Piggyback riding on the EnumResourceTypesA API callback function “,” for interpreting and executing the shellcode.
- Obfuscating the malicious PowerShell commands for tricking users into enabling malicious macros, which also allows threat actors to create PowerShell commands.
After going dark in February 2020, Emotet resurfaced in July. Running from server clusters Epoch 1, Epoch 2, and Epoch 3, Emotet is a botnet that uses an email spam infrastructure to infect computers with the Emotet Trojan. The malicious emails include either a URL or an attachment containing highly obfuscated macros. These macros run a PowerShell script to download the payload from five separate download links. In an interesting twist, an unknown vigilante hacker has been replacing Emotet payloads with animated GIFs to prevent victims from getting infected.
Let’s have a closer look at some of the breaches, starting with promo.com. This popular video marketing website was breached via a vulnerable third-party service, exposing the personal information of 23 million Promo and Slidely users.
Another interesting incident was the GEDmatch hack. This US-based DNA research firm was the victim of two separate security incidents. Days later, customers of genealogy website MyHeritage/GEDmatch received phishing emails suspected to have used the compromised data.
- MyHeritage and GEDmatch customers received fake emails from email@example.com
- The subject was “DNA match”
- Once opened, it contained a link to the MyHeritaqe website which spoofed the legitimate MyHeritage one.
- A spoofed login page collected and stole user credentials.
Also making headlines was the Garmin breach. Navigation and fitness giant Garmin was at the receiving and of a ransomware attack that took down numerous services. Garmin Connect, the cloud platform that syncs user activity data, went dark, as did portions of Garmin.com. As a result, athletes were unable to record their runs and workouts. Pilots who were using flyGarmin services for position, navigation, and timing services in airplanes were also impacted. Also some support centers and production lines in Asia were brought to a halt. Ransom was demanded in the amount of USD 10 million.
The ransomware used in the Garmin breach has been identified as WastedLocker which is distributed by the Russian cybercrime group known as Evil Corp. Garmin did get the decryption key for its systems claiming that it did not directly make a payment to the hackers.
A critical remote code execution (RCE) vulnerability has been discovered in the wild, exploiting F5 BIG-IP networking devices that are widely used in government and ISP networks, banks, cloud computing data centers, and across enterprise networks. The CVE-2020-5902 vulnerability allows threat actors to read files, execute code, or take complete control over the compromised system. It is also known to install coin-miners and IoT malware as well as scrape administrator credentials from the compromised devices.
A new macOS threat with ransomware capabilities was found in the wild. Dubbed EvilQuest, ThiefQuest or MacRansom.K, it is far more than just a new piece of ransomware, since it is ransomware, spyware, and data theft all rolled into one. The ransomware component is used to hide other operations in the background, such as installing keyloggers and reverse shells as well as exfiltrating files containing for example, keys to cryptocurrency wallets, code-signing certificates, and other valuable information. What makes EvilQuest so dangerous is its capability to detect if it is running in a virtual machine and if there are any security and antivirus solutions running on the infected system. EvilQuest underpins how quickly macOS malware is evolving.
Last but not least, new feature-rich malware dubbed Ensiko entered the cybercrime scene. This web shell written in PHP can encrypt files on any system running PHP, targeting Windows, macOS, and Linux web servers. Ensiko allows threat actors to remotely control a compromised system for all kinds of malicious activities. Ensiko has a file-encryption component for ransomware attacks against servers.
- The symmetric Rijnadel-128 cipher in CBC mode is used for encrypting files
- The encrypted files are placed in a web shell directory and subdirectories and processed files get the extension .BAK
- Ensiko can be protected with a password to avoid malware payloads being replaced with memes (similar to what has happened to Emotet)
- The login form of the web shell is hidden in a “Not Found” page
- Ensiko can load several tools from Pastebin and store them in the tools_ensikology directory
- The steganologer module can identify image files that have code in their metadata (EXIF headers) for extraction and execution on the compromised server
- Ensiko also enables threat actors to run brute-force attacks on FTP, cPanel, and Telnet for extended access.
To find out if your organization is protected against these latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also provides remediation guidance in case it turns out that your organization is indeed vulnerable.
IOCs are also available from the Cymulate User Interface!
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate's platform.