Cymulate’s January 2021 Cyberattacks Wrap-up

In January 2021, cybercrime kept thriving, with threat actors continuing to exploit the COVID-19 pandemic for personal gain, including hackers leaking stolen Pfizer COVID-19 vaccine data online.

Stolen Data from Pfizer/BioNTech Servers

The threat actors breached the European Medicines Agency (EMA) and stole part of its Pfizer/BioNTech COVID-19 vaccine data from its servers. The stolen data included email screenshots, EMA peer review comments, Word documents, PDFs, and PowerPoint presentations. Some of the stolen documents concerned the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine BNT162b2. The hackers posted (part of) the stolen data on several hacker forums. 

Phishing on US Business Owners

The tactic of sending phishing emails to steal credentials remained a firm favorite with threat actors using social engineering. In January, threat actors sent phishing emails impersonating a Small Business Administration (SBA) lender to prey on US business owners who wanted to apply for a Paycheck Protection Program (PPP) loan to keep their business running during the COVID-19 pandemic. The campaign consisted of several stages:

  1. The threat actors first sent mass emails posing as the president of World Trade Finance, a delegated SBA lender that finances small businesses with government-backed loans up to $5,000,000.
  2. The senders used legitimate-looking email addresses (such as [email protected]) to pose as an official of the government's SBA.
  3. The email body contained a link for downloading the PPP registration form.
  4. Once this link was clicked on, the victims were redirected to a page where they were first asked to fill in sensitive information, such as their social security numbers, full names, and dates of birth.
  5. Next, they were asked to enter business information such as their cost of operation, cost of goods, and gross revenues for the twelve months before the pandemic. The latter could be a way to establish ransom demands or to estimate the value of the credentials when put up for sale.

The stolen credentials will quite likely be used in Business Email Compromise (BEC) scams, network compromise, or for additional phishing attacks.


Credential Stealer Written in AutoHotkey (AHK)

During January, we also saw threat actors start using a new tactic to evade detection: executing files on compromised machines with a scripting language that has no built-in interpreter or compiler in the victim's operating system. They deployed a credential stealer whose main code components were written in AutoHotkey (AHK). AHK is an open-source scripting language for Windows that provides keyboard shortcuts or hotkeys, fast macro-creation, and software automation. Users can also create a “compiled” .EXE with the script code built in. In

The malware infection consisted of several stages:

  1. A malicious Excel file is used containing an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro.
  2. The dropped adb.exe and adb.ahk were used to execute the AHK script.
  3. The executed script had the same name in the same directory, in this case adb.ahk.
  4. The dropped AHK script is a downloader client used for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim’s machine.
  5. The downloader client also created an autorun link for adb.exe in the startup folder for persistency.
  6. The script generated a unique ID for each victim based on the volume serial number of the C drive.
  7. The malware went through an infinite loop and started to send an HTTP GET request every five seconds with the generated ID.
  8. This ID served as the request path to its command-and-control (C&C) server to retrieve and execute the AHK script on the infected systems.
  9. The malware accepted various AHK scripts for different tasks per victim and executed these using the same C&C URL.
  10. The threat actors were able to upload a specific script to achieve customized tasks for each user or group of users.

So far, five C&C servers located in the US, the Netherlands, and Sweden were discovered as well as two commands (deletecookies and passwords). The malware campaign targeted financial institutions in the US and Canada.
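The downloader behaviour described above (a fixed request path derived from a per-victim ID, polled every five seconds) leaves a regular beaconing pattern in outbound HTTP logs. The following Python script is an added example written for this wrap-up, not code from Cymulate or from the malware: it parses constructed proxy log lines in an assumed `<epoch> <client_ip> <method> <url>` format and flags any client that fetches the same host and path at a near-constant interval. The host name, client addresses, and the `9A1F2C3B` path are all constructed sample values.

```python
"""Flag fixed-interval HTTP beaconing in proxy logs (added defender example)."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log lines: "<epoch> <client_ip> <method> <url>".
# Client 10.0.0.5 polls one path (a constructed victim ID) every 5 seconds,
# mirroring the AHK downloader's GET loop; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1611000000 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000005 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000010 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000015 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000020 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000025 10.0.0.5 GET http://c2.example.invalid/9A1F2C3B
1611000003 10.0.0.7 GET http://news.example.invalid/home
1611000047 10.0.0.7 GET http://news.example.invalid/article/1
1611000091 10.0.0.7 GET http://news.example.invalid/article/2
1611000300 10.0.0.7 GET http://cdn.example.invalid/app.js
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed GET line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, url = parts
        if method != "GET":
            continue
        parsed = urlparse(url)
        yield int(ts), client, parsed.netloc, parsed.path


def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {(client, host, path): mean_gap_seconds} for beacon-like series.

    A series qualifies when one client fetched the same host+path at least
    min_requests times and the gaps between requests are nearly constant
    (population std dev divided by mean gap is at most max_jitter).
    """
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        series[(client, host, path)].append(ts)

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 2)
    return beacons


if __name__ == "__main__":
    for (client, host, path), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host}{path} every ~{interval}s")
```

The jitter threshold matters: a loop with a fixed `Sleep` produces gaps with almost no variance, while human browsing of the same site does not, so tightening `max_jitter` trades missed detections for fewer false positives. A positive hit is a lead for checking the host's startup folder for an unexpected autorun shortcut, which is the persistence mechanism described above.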

TA551 Enabled Threat Actors to Adapt Malware for Success

Not surprisingly, threat actors keep on adapting their malware for success as illustrated by TA551 (aka Shathak), which is used in email-based malware distribution campaigns targeting English, German, Italian and Japanese speakers. TA551 is notorious for delivering information-stealing malware such as Ursnif and Valak, but recently also IcedID.

The attacks followed a familiar pattern:

  1. The threat actors used the email addresses of new victims obtained from previously infected victims to send mass spoofed emails.
  2. The emails were sent with a ZIP archive as an attachment.
  3. Once the ZIP archive was opened, a Microsoft Word document with macros was extracted.
  4. Once the macros were enabled, a DLL installer for IcedID malware was retrieved for infecting the machine.

Malware Campaign DRBControl

Another malware campaign that made itself felt in January was DRBControl with links to APT27 and Winnti, two notorious APT groups. The campaign targeted major gaming companies worldwide.

  1. The threat actors started by sending a spoofed email with a malicious attachment.
  2. The attachment was a password-protected ZIP file.
  3. Once opened, a Word document with macros was extracted.
  4. After enabling the macros, the IcedID was installed.
  5. The IcedID binary made the malware persistent on the infected machine.
  6. The infected system was now ready for post-infection activity.

As a backdoor, DRBControl has utilized Dropbox as a Command and Control (C2) server in the past. Alongside DRBControl, the ASPXSpy webshell, a sample of PlugX, and Mimikatz were detected. The initial infection vector was a 3rd party service provider, which had itself previously been infected through another 3rd party service provider.

Europol Takes Down Emotet Infrastructure

There was also some good news in January 2021 with Europol taking down the Emotet infrastructure. At the end of its heyday, Emotet had turned into a monetized platform for threat actors to run malicious campaigns on a pay-per-install (PPI) basis for stealing sensitive data and extorting ransom. The presence of Emotet might still be felt, since it also served as a springboard to deliver other malware families, such as:

  • Bank Trojan IcedID, which injects itself into browsers, intercepting communications with banks, e-commerce and payment card providers.
  • Ursnif, which steals passwords and credentials, banking, and financial information.
  • Dridex, which specializes in stealing banking credentials and other passwords and delivering the Bitpaymer ransomware.
  • The bank Trojan and password stealer Qbot, which is known for delivering ransomware Megacortex.
  • The Trojan TrickBot, which steals customer access credentials to their bank accounts and delivers encryption Trojan Ryuk, known for encrypting data and locking out the victims. To gain access again, the victims need to pay ransom.

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!

Stay cyber-safe!
