July 2021 started with an affiliate of the notorious REvil gang carrying out a ransomware attack against Kaseya, a Miami-based vendor of IT management software. By compromising Kaseya's VSA product, the attackers reached thousands of victims in at least 17 countries through the managed service providers that use it to administer IT infrastructure for multiple customers. The threat actors demanded a ransom rumored to be $50 million; Kaseya stated that it did not pay and instead obtained a decryption tool from a "third party".
During July, the Lazarus Group made its presence felt again. As a reminder, the North Korean Lazarus Group (aka Hidden Cobra) has been active since 2009 and is best known for its destructive wiper attack against Sony Pictures Entertainment in 2014 and the theft of $81 million from Bangladesh Bank in 2016. The advanced persistent threat (APT) group's standard arsenal includes DDoS botnets, keyloggers, remote access tools (RATs), and disk-wiper malware.
This time, the Lazarus Group targeted engineers working in the defense industry with fake job offers delivered through spear-phishing emails.
The attacks followed a familiar pattern:
On the malware front, we saw the powerful and popular Remcos RAT (remote access trojan) being delivered via financially themed emails, for example targeting US taxpayers with documents containing tax-related content. Remcos gives the threat actors full control of the infected machine, allowing them to capture keystrokes, screenshots, credentials, and other sensitive information. Remcos is openly sold by the company Breaking Security on its website, which makes attributing campaigns to specific threat actors almost impossible.
In phishing campaigns the RAT is delivered as an executable inside an attached archive (.zip) or disk image (.img) file. In the latest campaigns, the phishing emails carry a zip archive containing a Visual Basic script (.vbs), which downloads and executes additional scripts and finally injects the Remcos payload into a legitimate Windows .NET Framework binary, aspnet_compiler.exe, so that the malicious code runs under a trusted process name.
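The delivery chain above leaves two telltale process-creation events: a script host running a .vbs from a location where an archive or mounted disk image gets unpacked, and aspnet_compiler.exe starting under a script host, or without any of the build switches a real ASP.NET precompilation carries. The following is an added example of detection logic over such events; it is not Cymulate's code or part of the original post, and the Sysmon-style field names, paths and sample events are constructed for illustration.

```python
"""Constructed detection example for the Remcos delivery chain described above.

Scores synthetic Sysmon-style process-creation events for two behaviours:
  1. wscript/cscript executing a .vbs from a staging directory (Temp, Downloads;
     Explorer unpacks files opened from a zip into Temp1_<name>.zip under Temp).
     A mounted .img gets an ordinary drive letter, which this rule cannot tell
     apart from a real drive, so that path is left to the parent-process rule.
  2. aspnet_compiler.exe started by a script host or PowerShell, or started
     with none of the switches (-v, -p, -m, ...) a genuine precompile uses.
Field names (image, cmdline, parent_image) are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
STAGING_DIRS = re.compile(r"(\\AppData\\Local\\Temp\\|\\Downloads\\|\\Temp\\)", re.I)
# Switches a legitimate aspnet_compiler.exe invocation carries.
ASPNET_ARGS = re.compile(r"\s-(v|p|m|u|f|d|c|errorstack)\b", re.I)


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> List[str]:
    """Return the names of the rules the event matches (empty list = benign)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # Rule 1: script host running a .vbs that sits in a staging directory.
    if (img in {"wscript.exe", "cscript.exe"}
            and re.search(r"\.vbs\b", ev.cmdline, re.I)
            and STAGING_DIRS.search(ev.cmdline)):
        hits.append("vbs_from_staging_dir")
    # Rule 2: aspnet_compiler.exe abused as an injection host.
    if img == "aspnet_compiler.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("aspnet_compiler_from_script_host")
        if not ASPNET_ARGS.search(ev.cmdline):
            hits.append("aspnet_compiler_without_build_args")
    return hits


def scan(events) -> List[Tuple[ProcEvent, List[str]]]:
    """Return (event, hits) pairs for every event that triggers at least one rule."""
    results = []
    for ev in events:
        hits = score_event(ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample telemetry (not real logs): two malicious, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Tax_Return_2020.zip\Tax_Return_2020.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v /MyApp -p C:\inetpub\wwwroot\MyApp C:\build\MyApp",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs',
              r"C:\Windows\System32\userinit.exe"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{basename(ev.image)} <- {basename(ev.parent_image)}: {', '.join(hits)}")
```

Running the block flags only the first two sample events: the .vbs opened straight out of a zip in the user's Temp folder, and aspnet_compiler.exe spawned by wscript.exe with no build arguments. The genuine precompile launched from cmd.exe and the logon script run by userinit.exe stay quiet, which is the point of pairing the parent-process check with the argument check rather than alerting on the binary name alone.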
As in previous years, the Olympic Games are being abused by threat actors with various motives: cybercriminals, hacktivists, and nation-states. Those motives range from distributing malware to capture and exfiltrate data for profit, to disrupting the Games for political or ideological reasons, to rogue nations attempting to disrupt or even shut the Games down. Following the breach reported in June, when the personal information of around 170 people linked to the Tokyo 2020 organizing committee was exposed through unauthorized access to an information-sharing tool developed by Fujitsu Ltd., it emerged in July that the stolen data included credentials (usernames and passwords) that could be used to access Tokyo 2020 websites aimed at volunteers and ticket holders.
The threat actors targeted event organizers and ordinary fans with malicious software and websites, luring them into downloading a malicious PDF file. Once the file was opened, it activated wiper malware that deleted files on the victim's computer. It is suspected that the threat actors emailed the fake PDF to Japanese event insiders in an attempt to destroy key Olympics-related documents. Wiper malware also targeted the Pyeongchang Winter Games in 2018, in the form of Olympic Destroyer. A few more days of the Olympics remain; hopefully we have seen the last of these attacks.
We end by mentioning a new ransomware actor that shares similarities with the REvil and DarkSide gangs. Dubbed BlackMatter, it created accounts on the Russian-language hacking forums XSS and Exploit, deposited four bitcoin (around $160,000), and posted a ransomware ad. BlackMatter describes itself as combining the best features of DarkSide, REvil, and LockBit. As of now, no leaks have been published on its website.
To find out whether your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and offers mitigation suggestions if it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI.
Eyal is the VP of Customer Success at Cymulate. During the last 15 years Eyal has held a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.