February 2021 remained active by threat actors, launching cyberattacks and new malware strains. We saw that organizations working on COVID-19 vaccines remained popular targets. During the month, threat actors attacked an Oxford University lab, which is researching and producing COVID-19 vaccines. They were able to gain access to its internal systems, including machines used to prepare biochemical samples.
In addition to Oxford University, due to the COVID-19 pandemic, overworked hospitals also remained prime targets for threat actors focusing on those that lack human and financial resources for IT and cybersecurity to replace outdated and obsolete software and hardware. During February, French hospitals were hit by a wave of cyberattacks that were conducted, according to the French minister for digital technology, by mafia-type organizations, often based in Eastern Europe. Other organizations such as French motorhome company Trigano and boat maker Beneteau also suffered cyberattacks in February 2021 harming its production.
Threat actors keep fine-tuning their tools, launching new ransomware strains to optimize results. In February, ransomware Hades Locker was released. This new strain seems to be based on the Zyklon and Wildfire Lockers that were used in Kelihos botnet attacks last year. That botnet was also used in CryptFile2 and MarsJoke campaigns targeting state and local government agencies. With Hades Locker, the targets have shifted to manufacturing and business services verticals.
- After distribution, the Hades Locker connected to http://ip-api.com/xml.
- The IP address of the victim and its geographic location were collected.
- A unique victim ID, a tracking ID, the computer name, the user name, the country, and the IP address of the victim were sent to the C&C server of the threat actors.
- The C&C server replied with a password to encrypt the files using AES encryption.
- The malware stored the unique victim ID and status entry in the registry.
- Hades Locker then encrypted all files on mapped drives matching defined file extensions.
- The malware executed the delete comment WMIC.exe shadowcopydelete/nointeractive to prevent file recovery by the victims.
- Hades Locker created ransom notes containing links to the C&C servers.
- The victim was instructed to access the Hades Locker payment site via two online C&C servers or via a specific TOR address.
- Ransom payment had to be made in bitcoin to Hades Enterprises.
Hades Locker was not the only malware making a comeback in February, DanaBot also re-emerged using a distribution method that tricks users into downloading malicious software disguised as VPNs, anti-virus programs, or online games. DanaBot hides two stealer components within the software key of pirated tools. The first software key was used to collect browser details, system information, and cryptocurrency wallets from the victim, while the second was used to install a cryptocurrency miner. In the past, DanaBot was used in targeted attacks on financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine. After disappearing in June last year, it reappeared at the end of 2020 and made its presence felt again in February 2021.
In February, a new shellcode was detected. Dubbed BendyBear, It shares a lot of characteristics with the notorious WaterBear malware. The WaterBear malware family is associated with the cyberespionage group BlackTech, which has links to the Chinese government. The BendyBear shellcode loads directly into the memory of 64-bit computers and is capable of file transfer, shell access, screen capture, modified RC4 encryption, signature block verification, and polymorphic code while remaining obfuscated. The malware was used in recent attacks against several East Asian government organizations. What makes BendyBear a class on its own is its highly sophisticated, well-engineered (more than 10,000 bytes of machine code) and difficult-to-detect samples of shellcode employed during an Advanced Persistent Threat (APT).
In February, a new obfuscation technique was detected in a phishing campaign using Morse code to hide malicious URLs in an email attachment. The phishing campaign followed a familiar pattern:
- An email was sent out pretending to contain an invoice.
- It contained an HTML attachment spoofing as an Excel invoice.
- The attachment included JavaScript that mapped letters and numbers to Morse code.
- The script called a decodeMorse() function to decode a Morse code string into a hexadecimal string.
- This hexadecimal string was decoded into JavaScript tags that were injected into the HTML page.
- Once a user has entered their password, the form submitted that password to a remote site.
- The threat actors collected the login credentials.
At least eleven companies were victimized, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equiniti, and Capital Four.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable.
Also, IOCs are available at the Cymulate UI!
Stay cybersafe!