Cymulate’s Cyberattacks Wrap Up – August 2020

August 2020 was a hot month, with cybercrime heating up as well.

Ransomware attacks became more sophisticated, more incidents of cyber espionage were reported, and there were some major data breaches. The month started with the notorious ransomware group Maze stealing 10TB of data from Canon during a ransomware attack.

On August 12, cybercrooks posed as Ritz employees to obtain an unknown amount of personal data of guests in London’s The Ritz, including credit card information.

Around the same time, cruise line operator Carnival Corporation suffered a ransomware attack. Threat actors accessed and encrypted part of Carnival’s IT systems getting hold of the personal data of customers and employees.

In addition to that, the Canadian government was also a victim of a ransomware attack, which was forced to shut down most of its online portals after detecting that more than 12 million personal accounts were compromised.
Let’s have a look at the malware used in August.

Ransomware and RATs

 

1. DarkSide

DarkSide is the latest strain of ransomware built to extort corporate targets for millions. If a victim doesn’t pay, the DarkSide hackers keep the stolen trove on the dark web for at least six months. At the end of August, they announced that they had obtained 200 gigabytes of data comprising HR, finance, payroll, and more internal departments from Canadian real estate firm Brookfield Residential. What makes DarkSide stand apart is its business-like approach, stating that it only attacked companies “that can afford it”. The ransom amounts range from $200,000 to $2 million when paid on time, and double the amounts after the initial deadline passed.

1. Once the attack was launched, an encoded PowerShell script was executed.
2. Then the malware spread laterally through the network for access to an administrator account and the Windows domain controller.
3. The ransomware utilized a SALSA20 key to encrypt files.
4. This key was encrypted with a public RSA-1024 key included in the executable.
5. The PowerShell command “Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}” was used to delete Shadow Volume Copies on the machine before encrypting it.
6. The PowerShell command deleted Shadow Volume Copies on the system to prevent file restore.
7. The malware then terminated various databases, office applications, and mail clients to encrypt the infected machine.
8. DarkSide prevented the termination of processes such as vmcompute.exe, vmms.exe, vmwp.exe, svchost.exe, TeamViewer.exe, or explorer.exe. Quite likely, the threat actors used TeamViewer to access the infected computers remotely.
9. Unencrypted data was harvested from the infected servers and uploaded to the devices of the threat actors.
10. During the attack, DarkSide created a customized ransomware executable for the specific company that was attacked consisting of a custom extension using a custom checksum of the victim’s MAC address.
11. The stolen data was published by the hackers on the dark web to force victims to pay the ransom. 

2. Taidoor

In August, we also saw various remote access Trojan (RAT) attacks taking place. Taidoor, a RAT that has been around since 2008 and associated with Chinese state-sponsored hackers, made its presence felt. Various malware variants were used in conjunction with proxy servers to remain undetected in victimized networks for further exploitation. Taidoor, aka Taurus RAT, was installed on the targeted system as a service dynamic link library (DLL). It was comprised of two files: the first one was a loader that decrypted the second file, the RAT, and executed it in memory.

 

3. njRAT

Another RAT that was used in recent campaigns, was a new variant of njRAT featuring an updated infection chain, additional obfuscation, and anti-analysis techniques. The malicious payload was packaged inside installers for legitimate software to initiate the attack. To ensure the persistence of the RAT, a VBS file was dropped via the Startup folder. Then, a series of PowerShell scripts was executed to download and run the njRAT payload from a legitimate cloud hosting service (e.g., OneDrive). In another scenario, PowerShell scripts, masquerading as image files, were downloaded to initiate the final payload via process injection.

 

4. DeathStalker

Various small and midsize businesses (SMBs) were targeted by DeathStalker, a hacker-for-hire group that has been active since 2012. DeathStalker’s main focus is to act as a middleman, stealing sensitive (financial) business data on behalf and for the benefit of a principal. The hackers have been using three malware families for their attacks: Powersing, Evilnum, and Janicab. To deliver the malicious payload, DeathStalker used tailored spear-phishing email campaigns. Once the script was executed, more components were downloaded to give attackers control over infected machines. Recent victims of DeathStalker include financial companies, law firms, wealth consultancy firms, and fintech companies.

 

Security Validation

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!

Stay cyber-safe!