In our monthly wrap-up, we cover the latest cyberattacks highlighting the attack methods and payloads used by malicious hackers and cybercriminals. Cybercrooks were very active in March 2019 successfully attacking Asus, Toyota, Jackson County, Earl Enterprise restaurants (e.g., Planet Hollywood), and various other industries.
If we look at the Asus breach, attackers used the Asus’ software update system to distribute their malware to about 1 million Windows computers. It looks like China-backed BARIUM APT was behind this “Operation ShadowHammer” attack which used a backdoor injection to compromise users of the ASUS Live Update Utility. For the second time in 5 weeks, Toyota was breached again, this time compromising 3.1 million customers at its subsidiaries. In the US, Jackson County, Ga., paid $400,000 in ransom to regain access to its encrypted files that were compromised in a ransomware attack that took down the municipal government computer network (including 911). At the end of March, hospitality firm Earl Enterprises announced that it had been the victim of a data breach. Hackers installed malware on the POS systems of its restaurants (including Planet Hollywood) to steal card details. Overall, customer data of 2.15 million credit cards was stolen and sold on darknet marketplace Joker’s Stash.
LockerGoga is a fairly new ransomware which has recently infected Norsk Hydro networks. This ransomware became known after it was used in a cyberattack in late January against French engineering company, Altran Technologies.
The LockerGoga ransomware is surprisingly bare-bones and does not use any network communications. There are no C2, DNS, or propagation methods used by the malware at all.
Here's how it works:
1. A ransom note is placed on the user’s Desktop (C:Users\DesktopREADME_LOCKED.txt), which demands victims to email the extortionists to pay a Bitcoin (BTC) ransom.
2. The email addresses used for the extortion includes ProtonMail (a Swiss privacy-oriented email provider) and o2 (a Polish internet services company).
A signed LockerGoga sample was identified and uploaded to VirusTotal from Norway, and it is speculated to be a sample of the LockerGoga variant that infected Norsk Hydro.
The sample was signed with a valid certificate issued by Sectigo RSA Code Signing CA, the certificate was later revoked just hours after the attack.
We also saw the Remote Access Trojan Cardinal RAT back in March, this time targeting two financial technology companies that write software relating to forex and cryptocurrency trading. Armed with new obfuscation techniques to avoid detection, the malware was delivered via the Carp downloader which used malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which in turn executed the Cardinal RAT malware family.
Let’s have a closer look at the malware used during cyberattacks in March 2019.
New this month was the Spelevo Exploit Kit (EK) exploiting Flash Player versions 188.8.131.52 (and earlier), and 184.108.40.206 (and earlier). It looks that it is distributing Backdoor.Win32.Gootkit.K (aka Gootkit backdoor). The exploit kit contains the CVE-2018-15982 vulnerability which was previously used in targeted attacks when attackers used malicious Word documents that included a Flash file with the vulnerability. The Word document was included in a RAR archive with a JPG picture containing the embedded RAT code.
Korean malspam was pushing Flawed Ammyy RAT malware. Emotet remained a firm favorite in March, this time combined with trickbot or Qakbot as the follow-up malware. Normally, Emotet used to save follow-up malware in the C:\ProgramData folder including the Qakbot exe. However, when QakBot was executed this time, it copied itself in another directory and replaced the original file with a renamed calc.exe to avoid detection.
Malspam with password-protected Word docs were pushing IcedID (Bokbot) with Trickbot.
- A spoofed email from e.g., Livia Westlake <firstname.lastname@example.org> was sent with the subject “Job”.
- The body of the email read: “Please to meet you. My name is Livia Westlake and I’m interested in a job. I’ve attached a copy of my resume. The password for the document is 1234. Thank you! Livia Westlake.
- The email contained a password-protected Word document entitled “Resume.doc”.
- To open this (malicious) Word file of 37,888 bytes, macros had to be enabled to fill in the password.
- This activated IcedID (Bokbot), which infected the Windows client.
- The IcedID-infected client retrieved trickbot downloaders (Sw9JKmXqaSj.exe and Tinx86_14.exe).
- The trickbot downloaders sent a trickbot exe (tin.png) to the DC over SMB using an EternalBlue-style exploit to execute trickbot spreaders for post-infections.
When we take a closer look at the Korean malspam, we see that also LokiBot was pushed.
- A spoofed email from Mr. Hong Woo <email@example.com> was sent with the subject INV 3326GHF- from Outriger General Importers Korea for acknowledgement.
- The body of the email read: “Dearsir/Madam, I hope this email finds you well. Please findattached proforma for your acknowledgement and kindly send thefinal PI in order to proceed with the request foradvance payment. Awaiting your reply. Thank you. Regards. Mr. Hong Woo, Overseas Sales/Purchase. [ogo] [autosignature] General Importers-Outriger Corporation COMPANY: Outrigger OWNER: King Sunge Hae ADDRESS: Outrigger 375-87 1st floor, Gyeongno-ro, Ilsan, Goayan-sei, gyeonggi-do TEL: 031-901-7092 FAX: 031-905-0444 E-MAIL: Overseas Sales Team - firstname.lastname@example.org Import Domestic Team - email@example.com http://www.ourtiger.biz. Business Registration No.: 130-28-55800.
- The email contained a password-protected Word document called “INV 3326GHF- from Outriger General Importers Korea for acknowledgement.zip.
- Once unzipped, the LokiBot was activated by a Windows executable extracted from the zip archive.
- Once executed, the Keymarble Trojan was delivered, which opened a backdoor for remote attack.
Other attacks we’ve seen during this ‘Spring Opener’ were MuddyWater attack on Korek Telecom among the commonly used AZORult, Lokibot and Hancitor.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks and offers suggestions for remediation.