July 2021 started with an affiliate of the notorious REvil gang conducting a ransomware attack on the Miami-based information technology firm Kaseya. The attack infected thousands of victims in at least 17 countries by way of firms that remotely manage IT infrastructure for multiple customers. The threat actors demanded a rumored $50 million ransom, which the company stated it did not pay; it instead obtained a decryption tool from a “third party”.
During July, the Lazarus Group made its presence felt again. Just as a reminder, the North Korean Lazarus Group (aka Hidden Cobra) has been active since 2009 and is best known for its destructive wiper attack against Sony Pictures Entertainment in 2014 and the theft of $81 million from the Bank of Bangladesh in 2016. The advanced persistent threat (APT) group’s standard attack arsenal includes DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware.
This time, the Lazarus Group targeted engineers working in the defense industry with job offers using malicious spear-phishing emails.
The attacks followed a familiar pattern:
- Malicious emails were sent to targeted engineers mimicking engineering opportunities from defense contractors and engineering companies such as Boeing, Airbus, General Motors, BAE Systems, and military contractor Rheinmetall.
- Word documents with malicious macros were attached to the emails.
- The macros evade detection by storing the payload with its first two characters separated from the rest of the content, so that the known base64 prefixes of a Windows executable header (TVoA, TVpB, TVpQ, TVqA, TVqQ, or TVro) never appear intact.
- All executed files are stored in a newly created folder, C:\Drivers, to remain inconspicuous.
- To avoid endpoint detection and response (EDR) signatures based on system utilities, a copy of the legitimate executable certutil.exe is also stored in this folder.
- Once the necessary files have been decoded, the encoded files are removed from the system.
- To deliver the malicious payload, the legitimate Windows utility Mavinject was abused to inject code into a running process.
- Requests were sent to a hardcoded C&C server over HTTPS with hardcoded headers.
- In later campaigns, the threat actors abandoned Mavinject and executed the payload directly through explorer.exe.
- Once the payload was executed, the macro created an .inf file in the same folder.
- The macro then sent a beacon with the execution status to the C&C server and deleted all the temporary files.
- The only files left in C:\Drivers at that point were the payload and the .inf file.
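As an added illustration of the macro evasion described in the list above (this is not code from the post or from Cymulate), the following Python check scans text for base64 runs that decode to a Windows executable header, both with one of the six listed prefixes intact and with the first two characters stripped off. The assumption that the macro re-attaches exactly those two characters ("TV") at run time is mine, as are the constructed sample macro fragments.

```python
import base64
import re

# The six base64 prefixes named in the post. Each one is "MZ" plus one more
# byte, so a signature keyed on them is looking for a base64-encoded PE file.
MZ_B64_PREFIXES = ("TVoA", "TVpB", "TVpQ", "TVqA", "TVqQ", "TVro")

# Runs of base64 text long enough to be a payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}")


def decodes_to_pe(blob: str) -> bool:
    """True if the base64 text decodes to bytes that start with an MZ header."""
    blob = blob[: len(blob) - len(blob) % 4]  # drop an incomplete trailing group
    try:
        return base64.b64decode(blob, validate=True)[:2] == b"MZ"
    except ValueError:
        return False


def find_encoded_pe(text: str) -> list:
    """Return (kind, offset) for every base64 run that hides a PE image.

    'intact' means the run still begins with one of the known prefixes.
    'split' means the run only decodes to MZ once "TV" is put back in front,
    which is how this check models the two-character separation in the post
    (an assumption, not something the post spells out). Any run starting with
    o, p, q or r passes that test, so 'split' hits are leads to triage, not
    verdicts.
    """
    hits = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        if blob[:4] in MZ_B64_PREFIXES and decodes_to_pe(blob):
            hits.append(("intact", m.start()))
        elif decodes_to_pe("TV" + blob):
            hits.append(("split", m.start()))
    return hits


# Constructed sample: the first 36 bytes of a DOS header, nothing executable.
SAMPLE_PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 20
ENCODED = base64.b64encode(SAMPLE_PE_HEAD).decode()  # begins with "TVqQ"

# Constructed macro fragments: one stores the blob whole, the other stores it
# with "TV" cut off and glues it back on before decoding.
PLAIN_MACRO = 'payload = "' + ENCODED + '"\n'
SPLIT_MACRO = 'tail = "' + ENCODED[2:] + '"\npayload = "TV" & tail\n'

if __name__ == "__main__":
    print(find_encoded_pe(PLAIN_MACRO))  # [('intact', 11)]
    print(find_encoded_pe(SPLIT_MACRO))  # [('split', 8)]
```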
Remcos RAT (Remote Access Trojan)
On the malware front, we saw the powerful and popular Remcos RAT (Remote Access Trojan) delivered through financially themed emails (for example, targeting US taxpayers with documents containing tax-related content). It allowed the threat actors to gain full control of the infected machines, letting them capture keystrokes, screenshots, credentials, and other sensitive information. Remcos is openly sold by the company Breaking Security on its website, which makes attributing campaigns to specific threat actors almost impossible.
The RAT is delivered in phishing campaigns through an attached archive (.zip) or disk image (.img) file that carries the executable. In the latest campaigns, the phishing emails contain a zip archive holding a Visual Basic script (.vbs) that downloads and executes additional scripts and finally injects the Remcos payload into the legitimate Windows system binary aspnet_compiler.exe.
Breaches at the Olympic Games
As in previous years, the Olympic Games are being abused by threat actors with various motives: cybercriminals, hacktivists, and nation-states. Those motives range from distributing malware to capture and exfiltrate data for profit, to disrupting the Games for political or ideological reasons, to rogue nations trying to disrupt or even shut down the Games. In June 2020, the personal information of around 170 people linked to the Tokyo 2020 organizing committee was breached through unauthorized access to an information-sharing tool developed by Fujitsu Ltd. In July it emerged that the stolen data included personal credentials, such as usernames and passwords, that can be used to access Tokyo 2020 websites aimed at volunteers and ticket holders.
The threat actors targeted event organizers and ordinary fans using malicious software and websites that lured them into downloading a malicious PDF file. Once the file was opened, it activated wiper malware that infected the target’s computer and deleted files. It is suspected that the threat actors emailed the fake PDF to Japanese event insiders in an attempt to destroy key Olympics-related documents. The wiper malware, dubbed Olympic Destroyer, also targeted the Pyeongchang Winter Games in 2018. With only a few days of the Olympics left, hopefully we have seen the last of them.
New Ransomware – BlackMatter
We close by mentioning a new ransomware actor that shares similarities with the REvil and DarkSide gangs. Dubbed BlackMatter, it created accounts on the Russian-language hacking forums XSS and Exploit, deposited four bitcoin (around $160,000), and posted a ransomware ad. BlackMatter describes itself as combining the best features of DarkSide, REvil, and LockBit. So far, no leaks have been posted on its website.
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threat Assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI.