During October 2020, there were some major developments in cybercrime, with ransomware groups stepping up their game and new malware strategies being used. In this monthly wrap-up, we will have a closer look at threat actors Egregor and Trickbot, malware GravityRAT, MosaicRegressor, and IPStorm.
Egregor Posts Stolen Data
Ransomware groups stepped up their game. The Egregor ransomware group started posting stolen data belonging to Barnes & Noble customers on its dark web domain when the US bookseller refused to pay after being breached on October 10. It is not the first time that the group used this tactic of dumping “small proof packs” of the data to put pressure on its victims. Previously, it leaked data from game organizations Ubisoft and Crytek.
Lazada Redmart’s Data for Sale
We’ve also seen threat actors selling stolen data on their own dark web domain or online hacker forums (e.g., the 1.1 million user accounts of online grocery store Lazada Redmart were sold for $1,500 per dump). Following a massive data breach of the Nitro PDF service, 1TB of documents (including 70 million user records containing email addresses, full names, hashed passwords, titles, company names, IP addresses, and other system-related data) are being sold in a private auction with a starting price of $80,000. The data was stolen from the 10,000 business customers, including Google, Apple, Microsoft, Chase, and Citibank, and 1.8 million licensed users that use Nitro to create, edit, and sign PDFs and digital documents.
TrickBot Uses Basecamp
The TrickBot hacker group, known for its phishing attacks against high-value targets, started to use Basecamp as part of its malicious phishing campaigns to distribute malware and steal login credentials. Basecamp is a web-based project management solution that allows people to collaborate, chat with each other, create documents, and share files. The threat actors abused Basecamp to host intermediary pages that redirect users to phishing landing pages. These landing pages unleash BazarLoader, TrickBot’s obfuscated backdoor Trojan, which installs Cobalt Strike beacons for access and to deploy the Ryuk ransomware. Since the threat actors used Basecamp URLs, they were able to create carefully constructed and targeted campaigns to infiltrate a network, as users may feel that the file is from their own Basecamp project.
MosaicRegressor Targets New Technology
Whenever a new technology becomes popular, threat actors will find a way to abuse it for their own purposes. In October, UEFI (Unified Extensible Firmware Interface), which replaces the legacy BIOS for running the machine’s boot sequence and loading the operating system, was targeted by MosaicRegressor. This malicious UEFI firmware (quite likely from North Korea) uses several malicious modules to inject malware onto victimized machines, as well as the Winnti backdoor.
Botnets Use IPStorm
Botnets also upped their game, with IPStorm running on top of the IPFS (InterPlanetary File System) protocol to infect Android, macOS, Windows, and Linux-based devices and incorporate them into a peer-to-peer network to avoid detection.
- SSH brute-force attacks were launched at targeted devices.
- IPStorm is used to infect the devices.
- Once infected, the victimized systems are configured to act as socks5 proxies.
- Android devices are also infected via unsecured Android Debug Bridge (ADB) connections.
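The first step of the IPStorm chain above is an SSH brute-force attack against exposed devices. As an added defender's example (not code from the original post or from Cymulate), the script below scans sshd log lines, flags any source with a burst of failed password logins, and reports whether that same source later authenticated by password, i.e. whether the brute force likely succeeded. The log lines, threshold and window are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the original page).
SAMPLE_LOG = """\
Oct 12 03:14:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 12 03:14:02 host sshd[1203]: Failed password for root from 198.51.100.7 port 40124 ssh2
Oct 12 03:14:03 host sshd[1205]: Failed password for admin from 198.51.100.7 port 40126 ssh2
Oct 12 03:14:04 host sshd[1207]: Failed password for invalid user pi from 198.51.100.7 port 40128 ssh2
Oct 12 03:14:06 host sshd[1209]: Accepted password for pi from 198.51.100.7 port 40130 ssh2
Oct 12 03:20:10 host sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Oct 12 03:20:15 host sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 51002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(log, year=2020):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(log, threshold=4, window_s=60):
    """Return {ip: {'failures': n, 'compromised': bool}} for every source with at least
    `threshold` failed password attempts inside `window_s` seconds (assumed thresholds).
    'compromised' is True when that source logs in by password at or after the burst."""
    by_ip = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[4]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e[0] for e in evs if e[1] == "Failed" and e[2] == "password"]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue  # isolated failures (a mistyped password) are not a brute-force burst
        success = any(e[1] == "Accepted" and e[2] == "password" and e[0] >= burst_end for e in evs)
        findings[ip] = {"failures": len(fails), "compromised": success}
    return findings
```

A source flagged with compromised=True is the point at which the remaining steps of the chain (dropping IPStorm and turning the host into a socks5 proxy) should be assumed to have started, so it deserves a host investigation rather than only a firewall block.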
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!