Cymulate’s January 2022 Cyberattacks Wrap-up

Last Updated: January 14, 2025

Cybercriminals kicked off 2022 with increasingly sophisticated malware and attack strategies, refining their techniques to maximize profits and evade detection.

Bleak Outlook: ComLook Malware

Microsoft Outlook became a malware target in early 2022 with the discovery of a backdoor named ComLook. Similar to ComRAT, the implant used by the Russian state-backed APT group Turla, ComLook brought several notable capabilities:

  • Hard-coded credentials for three mailboxes, each with dedicated folders for incoming commands and uploaded results.
  • Encrypted tasking that lets the operators execute commands, upload and download files, and update the malware's configuration.
  • Use of compromised mail servers as its command-and-control infrastructure, with all communication encrypted via IMAPS.

ComLook registers itself with Microsoft Outlook, and it also leverages "The Bat!" email client, mirroring Turla's earlier tooling. Early evidence suggested that the backdoor was targeting Azerbaijani entities.

Additionally, a batch file (.bat) surfaced with an extremely low VirusTotal detection score (1 of 53 engines). It called the Win32 BlockInput API through a PowerShell one-liner to disable keyboard and mouse input, which hampers manual debugging and sandbox interaction while the malware runs.

Crazy Like a Fox: Purple Fox Rootkit Deployment

Threat actors continued to dress malicious payloads up as legitimate software so that victims install them without suspicion. A new delivery chain for the Purple Fox rootkit emerged:

  • The attackers used a malicious Telegram installer disguised as "Telegram Desktop.exe."
  • The installer was a compiled AutoIt script (AutoIt is a freeware scripting language for Windows automation). Compiling the loader this way let the attackers deliver the malware as several small files, each with a low detection rate across antivirus engines.
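As an added illustration (not code from Cymulate or from the reporting on this campaign), the following Python helper does the first triage step a responder would take on a suspicious installer like the one above: it checks a file image for the markers that AutoIt3-compiled executables carry, the 16-byte magic followed by the "AU3!EA06" script-resource tag, and the fixed "This is a third-party compiled AutoIt script." string embedded by the interpreter stub. The sample byte blobs are constructed here, and the function names are my own.

```python
"""Triage check for AutoIt-compiled executables such as the fake 'Telegram Desktop.exe'.
Both markers are the ones public YARA rules key on:
  * a 16-byte magic followed by the 'AU3!EA06' tag in front of the embedded script
  * the fixed string the AutoIt3 stub carries
Sample file images are constructed below; nothing here is read from a real installer."""
from pathlib import Path

AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"
AU3_STUB_STRING = b"This is a third-party compiled AutoIt script."


def autoit_markers(data: bytes) -> dict:
    """Report which AutoIt markers appear in a file image and where the script blob starts."""
    found = {}
    i = data.find(AU3_MAGIC)
    if i != -1 and data.startswith(AU3_TAG, i + len(AU3_MAGIC)):
        found["script_resource_offset"] = i
    else:
        j = data.find(AU3_TAG)          # tag alone (e.g. damaged magic) still deserves a look
        if j != -1:
            found["script_resource_offset"] = j
    if AU3_STUB_STRING in data:
        found["stub_string"] = True
    return found


def is_compiled_autoit(data: bytes) -> bool:
    """True for a PE image (MZ header) that embeds an AutoIt script resource."""
    return data[:2] == b"MZ" and "script_resource_offset" in autoit_markers(data)


def scan_paths(paths):
    """Scan every file once; useful when a dropper has split its stages into many small files."""
    return {str(p): is_compiled_autoit(Path(p).read_bytes()) for p in paths}


# Constructed stand-ins: a stub-plus-script layout and a plain PE with no AutoIt content.
FAKE_INSTALLER = b"MZ" + b"\x00" * 64 + AU3_STUB_STRING + b"\x00" * 16 + AU3_MAGIC + AU3_TAG + b"\x00" * 32
PLAIN_PE = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    for label, blob in (("fake installer", FAKE_INSTALLER), ("plain PE", PLAIN_PE)):
        print(label, is_compiled_autoit(blob), autoit_markers(blob))
```

Two caveats a practitioner should keep in mind: a packer or crypter wrapped around the AutoIt stub hides both markers until the sample is unpacked in memory, and a hit only tells you the file is an AutoIt binary, not that it is malicious, so the next step is to extract and read the embedded script rather than to block on the marker alone.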

This method highlighted the sophistication of modern cybercriminal strategies.

Lazarus Group Strikes Again

The North Korean APT group Lazarus made headlines with spear-phishing emails posing as job offers from Lockheed Martin. The attack chain involved:

  1. Macro-embedded documents attached to the phishing emails.
  2. Malicious macros that injected code and hijacked control flow.
  3. Changing memory protections and overwriting the existing "WMIsAvailableOffline" code with malicious shellcode.
  4. Deployment of an encrypted DLL that resolves APIs through custom hashing rather than by name, to frustrate static analysis.
  5. Use of the Windows Update client to execute the payload, and of GitHub (account "DanielManwarningRep") for command and control, so that malicious activity blends in with trusted processes and services.
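Two of the tricks in this wrap-up leave a clear trace in process-creation telemetry: the PowerShell one-liner that calls BlockInput (ComLook section) and the Windows Update client being used to run a payload (step 5 above). The Python below is an added example, not Cymulate's code or a rule from the original reporting; it runs two detections over constructed Sysmon-style events. It assumes the LOLBAS form of the Windows Update abuse, `wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer`, which the page itself does not spell out, and it treats a bare `UpdateDeploymentProvider.dll` argument as the benign baseline; that allow-list is my assumption and should be tuned against your own environment.

```python
"""Process-creation detections for two techniques described on this page:
  * PowerShell P/Invoking user32!BlockInput to freeze keyboard and mouse
  * the Windows Update client (wuauclt.exe) being used to load an arbitrary DLL
The events below are constructed, Sysmon Event ID 1-style records, not real telemetry."""
import base64
import re

# Constructed sample: the encoded form a dropper would use to hide the one-liner.
_ENC = base64.b64encode("[W.U]::BlockInput($true)".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell -nop -w hidden -c "Add-Type -MemberDefinition '
                    "'[DllImport(\\\"user32.dll\\\")] public static extern bool BlockInput(bool b);'"
                    ' -Name U -Namespace W; [W.U]::BlockInput($true)"'},
    {"Image": r"C:\Windows\System32\wuauclt.exe",          # legitimate Windows Update invocation
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",          # LOLBin abuse: provider DLL outside System32
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\update.dll /RunHandlerComServer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # same trick, -EncodedCommand
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -nop -enc {_ENC}"},
]

BLOCKINPUT_RE = re.compile(r"\bBlockInput\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 token; the length floor avoids "-ExecutionPolicy Bypass"
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
LEGIT_PROVIDER = "updatedeploymentprovider.dll"   # assumption: the name Windows itself passes


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def expand_encoded(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) so rules see it."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return command_line
    try:
        return command_line + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:          # not valid base64 / UTF-16; leave the line as-is
        return command_line


def detect_blockinput(ev: dict):
    if image_name(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    return "powershell_blockinput" if BLOCKINPUT_RE.search(expand_encoded(ev["CommandLine"])) else None


def detect_wuauclt_dll(ev: dict):
    cl = ev["CommandLine"]
    if image_name(ev["Image"]) != "wuauclt.exe" or "/runhandlercomserver" not in cl.lower():
        return None
    m = PROVIDER_RE.search(cl)
    if not m:
        return None
    provider = m.group(1).strip('"')
    # Heuristic: Windows passes a bare DLL name that lives in System32; a full path elsewhere is the abuse pattern.
    if provider.lower() == LEGIT_PROVIDER or SYSTEM32_RE.match(provider):
        return None
    return "wuauclt_arbitrary_dll"


RULES = (detect_blockinput, detect_wuauclt_dll)


def scan(events):
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {SAMPLE_EVENTS[idx]['CommandLine'][:90]}")
```

The encoded-command expansion matters more than it looks: without it the BlockInput rule would miss the fourth sample entirely, and most droppers ship the one-liner base64-encoded. The wuauclt rule deliberately keys on the provider DLL path rather than on the switch alone, because Windows itself launches `wuauclt.exe` with `/RunHandlerComServer` during normal update handling; a parent of `powershell.exe` or an Office process is a useful second signal to add when you port this into a SIEM.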

REvil Ransomware Takedown

January 2022 also brought a rare win against cybercrime: Russia's Federal Security Service (FSB) arrested 14 members of the REvil ransomware gang. The operation involved:

  • Raids on more than 20 addresses in Moscow, St. Petersburg, and the Leningrad and Lipetsk regions.
  • Seizure of more than $600,000 USD, 426 million rubles (about $5.5 million USD), 500,000 euros, and 20 luxury cars bought with the proceeds of the attacks.

This marked a significant blow to one of the most notorious ransomware groups.

Protect Your Organization with Cymulate

To ensure your organization is protected against the latest cyber threats, leverage Cymulate’s Immediate Threats assessment. This powerful tool allows you to:

  • Test your defenses against recent malware attacks.
  • Identify vulnerabilities and implement mitigation strategies.
  • Access Indicators of Compromise (IOCs) directly within the Cymulate platform.

Stay ahead of evolving cyber threats with proactive testing and validation.

Stay Cyber-Safe

The evolving threat landscape requires constant vigilance. Strengthen your cybersecurity posture with Cymulate to ensure resilience against emerging attack vectors.