Threat Intelligence Bulletin – week ending Feb 7

Lastline Threat Briefing

Welcome back to another Lastline Threat Intelligence Briefing. This email briefing is intended to give Lastline customers and other interested parties a regular recap of the most important news and events surrounding malware in the world in the previous two weeks. We are providing links to reports and analysis from multiple sources for your benefit. This briefing will also include public links to our Lastline Knowledge Base (LLKB), giving you all the technical threat intelligence information you may need to see how the malware operates (these links do not require paid access to LLKB or a login). If you are not a Lastline customer please reach out for a free demo and see how Lastline’s unmatched Threat Intelligence and Network Detection and Response provides deep value on both garden-variety and zero-day threats.

This briefing is provided as a free service to Lastline customers and other parties interested in reading more about malware events. We respect your time and privacy. If you do not wish to receive this regular digest just send us a quick note to weeklybriefing@lastline.com and we’ll immediately remove you from the distribution.

A self-registration portal is now available for people to subscribe! If you have other people on your team who you think would benefit from this short briefing, please send them to https://go.lastline.com/threat-brief-signup.html and they can sign up in seconds.

Item 1: Emotet Campaign Capitalizes on Global Fears of Coronavirus Outbreak

Link: https://www.darkreading.com/endpoint/coronavirus-phishing-attack-infects-us-uk-inboxes/d/d-id/1336946

Summary: A new email campaign is making its rounds purporting to offer protective measures against the coronavirus outbreak. What it really does is cause an entirely different sort of virus infection.

Key Takeaways: Attackers who send out malware campaigns via email are always looking for new avenues to entice end users to open malicious content and infect themselves. This isn’t the first time that we’ve seen campaigns based on both fear and recent global events. This is a regular occurrence in email malware campaigns, and it certainly won’t be the last one we see. Just remind users that the best source of information is never going to be an unsolicited email that has an attachment with active content you must enable (or visit).

Detections: All samples seen in the wild thus far are easily detected as highly malicious. Links to the behaviors and actions taken by the malware are below:

Item 2: Ransomware Attack Spotted Intentionally Attempting to Hit Industrial Control Systems (ICS) Networks

Link: https://www.darkreading.com/attacks-breaches/ekans-ransomware-raises-industrial-control-worries/d/d-id/1336950

Summary: A fairly primitive campaign has been spotted targeting ICS networks. While the attack was easy to detect and stop, ICS operators should be rightly concerned.

Key Takeaways: What’s really important is that this malware is intentionally attempting to stop processes that are only seen in ICS networks. This is concerning because it indicates some specific and deliberate targeting by the attackers against industrial targets. While this campaign seems to be very basic and not able to really cause impacts like a plant-wide shut down, this is probably only the beginning and anyone operating ICS networks should sit up and review their current security plans.

Detections: Lastline’s ability to detect code reuse of previous malware variants means that threats like these that borrow heavily from other sources (in this case families like MegaCortex) will still be detected as malicious:

Item 3: New Campaign Against US Banks

Links: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html

Summary: A very recent campaign by an attacker is using some clever tricks to attempt to fool AV and analysis tools.

Key Takeaways: Unlike Item 2, which is primitive in execution, this is a very carefully crafted campaign with some very interesting aspects that deserve additional review. VBA Stomping is a term for altering an Office document so that the macro source code stored in the file no longer matches the compiled macro code that Office actually runs; this mismatch can fool many static analysis tools that only read the stored source. A stomped document may also fail to execute correctly (that is, maliciously) on other versions of Office, which may stymie dynamic analysis tools that rely on a specific version of Office to detect malicious activity. This one-two punch against both static and dynamic analysis tools can increase risk to end users who rely only on AV tools to keep malicious documents out of their inbox.

More information on VBA Stomping: https://vbastomp.com/
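The mismatch described above is also how a defender can spot a stomped document: recover the identifiers the compiled p-code references (a p-code disassembler such as pcodedmp produces such a listing) and compare them against the source text stored in the module. The following is an added example written for this briefing, not code from Lastline or from the linked research; the VBA source and the p-code identifier list are constructed by hand to stand in for what a tool would extract, and the function names are ours.

```python
import re

# VBA keywords and common types that are not references to anything and
# should not count when comparing source against p-code.
VBA_KEYWORDS = {
    "sub", "end", "function", "dim", "as", "set", "if", "then", "else",
    "for", "next", "do", "loop", "while", "wend", "call", "private",
    "public", "string", "integer", "long", "object", "new", "nothing",
    "true", "false", "and", "or", "not", "exit", "with", "each", "in",
}

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample: a benign-looking decoy source left in the module stream.
DECOY_SOURCE = """
Sub AutoOpen()
    MsgBox "Please enable content to view this document."
End Sub
"""

# Constructed sample: identifiers a p-code disassembler would list for the
# module's compiled code (assumption: hand-written here, not tool output).
STOMPED_PCODE_IDENTIFIERS = ["AutoOpen", "CreateObject", "Environ", "Shell"]


def source_identifiers(source: str) -> set:
    """Identifier-like tokens in VBA source, lower-cased (VBA is case-insensitive).

    String literal contents and trailing comments are stripped first so that
    words inside them are not mistaken for code references.
    """
    cleaned = []
    for line in source.splitlines():
        line = re.sub(r'"[^"]*"', '""', line)  # blank out string literals
        line = line.split("'", 1)[0]           # drop a trailing comment
        cleaned.append(line)
    tokens = IDENT_RE.findall("\n".join(cleaned))
    return {t.lower() for t in tokens} - VBA_KEYWORDS


def stomp_indicators(source: str, pcode_identifiers: list) -> list:
    """Identifiers referenced by the compiled p-code that never appear in the
    stored source. A non-empty result means the source is not what runs."""
    seen = source_identifiers(source)
    missing = {i for i in pcode_identifiers if i.lower() not in seen}
    return sorted(missing, key=str.lower)


def is_likely_stomped(source: str, pcode_identifiers: list) -> bool:
    """Verdict helper: flag when p-code references code the source lacks.

    An empty or whitespace-only source next to real p-code is the classic
    stomp and is flagged even though there is nothing to diff.
    """
    if not pcode_identifiers:
        return False  # nothing compiled, so nothing to compare against
    if not source.strip():
        return True
    return bool(stomp_indicators(source, pcode_identifiers))


if __name__ == "__main__":
    print("p-code references absent from source:",
          stomp_indicators(DECOY_SOURCE, STOMPED_PCODE_IDENTIFIERS))
    print("likely stomped:",
          is_likely_stomped(DECOY_SOURCE, STOMPED_PCODE_IDENTIFIERS))
```

Any identifier that the p-code uses but the source does not is a strong signal, since a legitimately saved module compiles to p-code that references exactly what the source does; the check is intentionally one-directional, because decoy source may well mention things the real code never calls.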

Detections: At the time of this writing, we’ve analyzed close to 100 samples related to this campaign and we have detected 100% of them as malicious. A small subset of samples is below:

Item 4: Gamaredon Group Back at it with New Tools and Larger Scale Against Ukraine

Link: https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/

Summary: The Gamaredon APT Group, believed to have close ties to Russia, is back with a ramped-up campaign utilizing new tools against Ukrainian government groups.

Mitre ATT&CK Information on Gamaredon Group: https://attack.mitre.org/groups/G0047/

Key Takeaways: Russian interests in Ukraine have not subsided – we continue to see incidents against many Ukrainian government organizations. It is believed that Russia’s interest in Ukraine is multi-faceted: Russia uses Ukraine as a testing ground to try out new cyberwarfare techniques, and to further unrest and discord in the country after the military events that ended in 2015. The key lesson here is simple: nations with sufficiently advanced cyber capabilities will continue to wage low-intensity conflict in the Fifth Domain.

Detections: Lastline Defender has zero issues detecting these new samples as malicious:

Item 5: A New Complex Malware Family Called “Oski” has Emerged – and Packs a Wallop

Link: https://threatpost.com/oski-data-stealing-malware-north-america-china/151856/

Summary: A new malware family called Oski (perhaps named after a Viking warrior) has the ability to steal credentials, credit card data, crypto wallets, and more.

Key Takeaways: This new family is likely a new malware-for-hire variant sold on the Dark Web by enterprising malware authors. We’ve seen many such packaged malware kits for sale in the past, but it’s always important to note when something new or novel appears. This new malware casts a very wide net and can steal credentials from scores of sources, including a wide range of browsers and other assets. It’s very capable and only in its early stages. Expect to see many updates and campaigns using Oski in the future.

Detections: Samples in this early stage are of course limited, but Lastline Defender easily detects those that we have analyzed:

https://user.lastline.com/report_viewer/715043573:4bbad96:nZVVVvb95yVI6S5g#/analyst/task/4af7a805da2c001017f104a454c87391/overview

Don’t Forget: Your Feedback is Essential! Please reach out and let us know your thoughts or suggestions.

Thank you!

Lastline Global Threat Intelligence Team

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.