Threat actors remained active throughout February 2021, launching cyberattacks and new malware strains. Organizations working on COVID-19 vaccines remained popular targets: during the month, threat actors attacked an Oxford University lab that is researching and producing COVID-19 vaccines, gaining access to its internal systems, including machines used to prepare biochemical samples.
Overworked hospitals, stretched by the COVID-19 pandemic, also remained prime targets. Threat actors focused on hospitals that lack the staff and budget for IT and cybersecurity and therefore keep running outdated and obsolete software and hardware. During February, French hospitals were hit by a wave of cyberattacks that, according to the French minister for digital technology, were conducted by mafia-type organizations, often based in Eastern Europe. Other French organizations, the motorhome company Trigano and the boat maker Beneteau, also suffered cyberattacks in February 2021 that disrupted their production.
Threat actors keep fine-tuning their tools and launching new ransomware strains to improve their results. In February, the Hades Locker ransomware was released. This strain appears to be based on the Zyklon and Wildfire lockers that were distributed in Kelihos botnet attacks last year; the same botnet was also used in the CryptFile2 and MarsJoke campaigns that targeted state and local government agencies. With Hades Locker, the targeting has shifted to the manufacturing and business-services verticals.
Hades Locker was not the only malware making a comeback in February: DanaBot also re-emerged, using a distribution method that tricks users into downloading malicious software disguised as VPNs, anti-virus programs, or online games. DanaBot hides two malicious components within the software key of pirated tools. The first collects browser details, system information, and cryptocurrency wallets from the victim; the second installs a cryptocurrency miner. In the past, DanaBot was used in targeted attacks on financial institutions, predominantly in the United States, Canada, Germany, the United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine. After disappearing in June 2020, it reappeared at the end of that year and made its presence felt again in February 2021.
In February, a new shellcode was detected. Dubbed BendyBear, it shares many characteristics with the notorious WaterBear malware. The WaterBear family is associated with the cyber-espionage group BlackTech, which has links to the Chinese government. BendyBear loads directly into memory on 64-bit systems and supports file transfer, shell access, and screen capture; it uses a modified RC4 cipher, verifies a signature block, and employs polymorphic code to stay obfuscated. It was used in recent attacks against several East Asian government organizations. What puts BendyBear in a class of its own is how sophisticated, well engineered (more than 10,000 bytes of machine code) and hard to detect its shellcode samples are for a tool used in an Advanced Persistent Threat (APT) operation.
In February, a new obfuscation technique was detected in a phishing campaign using Morse code to hide malicious URLs in an email attachment. The phishing campaign followed a familiar pattern:
At least eleven companies were victimized, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equiniti, and Capital Four.
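As an added example that is not part of the original post and not the campaign's own code, the Python below shows the kind of check a mail gateway or an analyst's triage script could run over an HTML attachment: it looks for runs of space-separated Morse symbols, reverses the letter-to-Morse mapping, and reports any decoded string that turns out to be a URL. The attachment, the hidden URL (https://example.test/login) and the minimum-run-length heuristic are all assumptions constructed for this example; the Morse-encoded string is generated inside the block rather than copied from a real sample.

```python
import re

# International Morse table for letters, digits and the punctuation a URL needs.
# This is the mapping the example reverses; a real attachment may use its own table.
MORSE_TO_CHAR = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "---...": ":", "-..-.": "/", "-....-": "-", ".--.-.": "@",
    "..--..": "?", "-...-": "=", ".-.-.": "+",
}
CHAR_TO_MORSE = {c: m for m, c in MORSE_TO_CHAR.items()}

# Detection heuristic (an assumption of this example): a run of at least eight
# space-separated symbols made only of dots and dashes. Ordinary HTML and
# JavaScript almost never contain such a run.
MORSE_RUN = re.compile(r"(?<![.\-])(?:[.\-]{1,6} ){7,}[.\-]{1,6}(?![.\-])")


def encode_morse(text):
    """Encode lowercase text as space-separated Morse symbols (used to build the sample)."""
    return " ".join(CHAR_TO_MORSE[ch] for ch in text.lower())


def decode_morse(run):
    """Reverse the mapping; an unknown symbol becomes '?' instead of aborting the decode."""
    return "".join(MORSE_TO_CHAR.get(sym, "?") for sym in run.split())


def extract_hidden_urls(html):
    """Return every Morse run in the attachment whose decoded form is an http(s) URL."""
    found = []
    for match in MORSE_RUN.finditer(html):
        decoded = decode_morse(match.group(0))
        if re.match(r"https?://", decoded):
            found.append(decoded)
    return found


# Constructed sample attachment (not a real capture). The script holds the Morse run
# that a browser-side decoder would turn back into the phishing URL at render time.
HIDDEN_URL = "https://example.test/login"
SAMPLE_ATTACHMENT = f"""<html><body>
<script>
var m = "{encode_morse(HIDDEN_URL)}";
// the attacker's decoder would map each symbol back to a character and redirect the victim
</script>
</body></html>"""


def main():
    for url in extract_hidden_urls(SAMPLE_ATTACHMENT):
        print("hidden URL:", url)


if __name__ == "__main__":
    main()
```

Decoded runs that are not URLs are discarded here; a production version would keep them for analysis, since the Morse layer may wrap further script rather than a bare URL, and would lower or raise the run-length threshold after measuring false positives on the organization's own mail.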
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it suggests mitigations if it turns out that your organization is indeed vulnerable.
IOCs are also available in the Cymulate UI.
Eyal is the VP of Customer Success at Cymulate. Over the last 15 years Eyal has held a number of critical roles in the information and cyber security fields, providing services to global organizations across a wide range of sectors.