In our monthly wrap-up, we cover the latest cyberattacks, highlighting the attack methods and payloads used by malicious hackers and cybercriminals. The month ended with Marriott disclosing that it had been the victim of a large-scale data breach. The data of around 500 million customers who stayed at Starwood hotels (part of the Marriott group) over the last four years had been compromised. The breached data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. The hackers accessed a database tied to customer reservations and encrypted the information before exfiltrating it, to avoid detection by security solutions.
If we look at the malware that threat actors used in their attacks during November, we saw some old “favorites” showing up again.
Let’s start with Emotet malspam. After being quiet for a few weeks, Emotet became active again on November 11, sending out malspam to push its malware.
As before, a familiar pattern was used:
- An email from a spoofed sender was sent with subject lines such as “Account Alert - Pay Bill Alert” and an attached PDF for “payment remittance advise”
- The PDF contained a link with the title “view your transaction details here” to download a Word document
- To open the Word document, macros had to be enabled
- The attachment delivered the Emotet malware
- In some cases, the Gootkit banking Trojan was delivered after the initial infection
Apart from emails, the Emotet operators also used TrickBot and other artifacts to push their malware. New on the Emotet front is that the attached Emotet documents are now XML-based: these XML documents carry a .doc extension and open in Microsoft Word.
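A defender-side check for the masquerade described above, added here as an example and not code from the original post: it classifies a Word attachment by its actual container format rather than its extension and flags a Word 2003 XML body that carries a .doc extension. The sample document bytes are constructed for the demonstration.

```python
import re
from pathlib import PurePath

# Magic bytes of the two legitimate binary Word containers.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML zip)

# Word 2003 XML documents announce themselves with a processing instruction
# or the w:wordDocument root element within the first kilobyte.
WORD_XML_RE = re.compile(
    rb'<\?mso-application\s+progid="Word\.Document"\?>|<w:wordDocument\b'
)
# Embedded binary parts (commonly editdata.mso) are where VBA lives in this format.
BINDATA_RE = re.compile(rb"<w:binData\b")

EXPECTED_BY_EXT = {".doc": "ole", ".docx": "ooxml", ".xml": "word-xml"}


def classify_word_file(name: str, data: bytes) -> dict:
    """Classify a Word attachment by content and compare with its extension."""
    ext = PurePath(name).suffix.lower()
    head = data[:1024]
    if head.startswith(OLE_MAGIC):
        kind = "ole"
    elif head.startswith(ZIP_MAGIC):
        kind = "ooxml"
    elif head.lstrip().startswith(b"<?xml") and WORD_XML_RE.search(head):
        kind = "word-xml"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "extension": ext,
        # Any disagreement between declared extension and real container.
        "extension_mismatch": ext in EXPECTED_BY_EXT and EXPECTED_BY_EXT[ext] != kind,
        # The specific Emotet trick: XML body delivered with a .doc extension.
        "xml_as_doc": kind == "word-xml" and ext == ".doc",
        "has_embedded_binary": kind == "word-xml" and bool(BINDATA_RE.search(data)),
    }


# Constructed sample: a minimal Word 2003 XML document with an embedded binary part.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
    b'<w:binData w:name="editdata.mso">AAAA</w:binData><w:body/></w:wordDocument>'
)
```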
GandCrab ransomware also showed up during November. This time, the hackers demanded $3,000 in bitcoin. It shows that ransomware attacks are still profitable for hackers.
Lokibot also made its presence known:
- It started with an email reading: “We received you contacts from a business partner who is your customer. Attached is an order on some products you deal on. Please kindly confirm availability and also quote your best price. We are in urgent need of the attached products and hope to smoothly proceed in order confirmation / proforma and probably shipping arrangements. Best regard”
- It was signed with a legitimate-looking signature that included a business address, zip code, landline, mobile and fax numbers, WhatsApp and WeChat numbers and an email address
- The email carried an .exe file as an attachment and an icon, both of which launched the executable
- Infected traffic included:
  - 192.162.244[.]14 port 80 - www[.]zereocompany[.]com - POST /bazzltd/roks04/fre.php HTTP/1.0
  - 194.87.93[.]62 port 80 - www[.]zereocompany[.]com - POST /bazzltd/roks04/fre.php HTTP/1.0
- Extracted Lokibot details:
  - SHA256 hash: 74f24d80ca15fd2123604c562e60908de928cd2742ba2783aeba4dae91faefb6
  - File size: 1,111,864 bytes
  - File name: scan001_2670170.exe
  - File location after infection: C:\Users\[username]\AppData\Roaming\D22054\40274E.exe
Dharma ransomware was detected in the wild in multiple variants, each appending a different extension to the files it encrypts:
- Dharma ransomware variant that appends the .adobe extension to encrypted files.
- Dharma ransomware variant that appends the .tron extension to encrypted files.
- Dharma ransomware variants that append either the .AUDIT or .cccmn extension to encrypted files.
- Dharma ransomware variant that appends the .back extension to encrypted files.
- Dharma ransomware variant that appends the .Bear extension to encrypted files.
Additional ransomware variants seen in the wild during November were:
- Kraken Cryptor 2.2 being distributed through the Fallout Exploit Kit.
- XUY Ransomware that appends the .xuy extension to the names of encrypted files.
- Argus Ransomware that appends the .ARGUS extension and drops a ransom note named ARGUS-DECRYPT.html.
- Matrix Ransomware that appends the .FASTA extension and drops a ransom note named #README_FASTA#.rtf.
- C3YPT3OR Ransomware that impersonates WannaCry.
To find out if your organization is protected against the latest malware attacks such as Zorro, Darkgate and the ones mentioned above, run Cymulate’s Immediate Threat Assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable.