Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer.

The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today.

“These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload,” the company said in a report published today.

“In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns.”

First disclosed in November 2022, StrelaStealer is equipped to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server.

Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S.

These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.

Present within the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic-link libraries.

The stealer malware also relies on a bag of obfuscation tricks to render analysis difficult in sandboxed environments.

“With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself,” the researchers said.

The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well known applications or cracked software hosted on GitHub, Mega or Dropbox are serving as a conduit for a stealer malware known as Stealc.

Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by means of a cryptors-as-a-service (CaaS) called AceCryptor, per ESET.

“During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor,” the cybersecurity firm said, citing telemetry data. “Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”

Other prominent off-the-shelf malware packed inside AceCryptor in H2 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It’s worth noting that many of these malware strains have also been disseminated via PrivateLoader.

Another social engineering scam observed by Secureworks Counter Threat Unit (CTU) has been found to target individuals seeking information about recently deceased individuals on search engines with fake obituary notices hosted on bogus websites, driving traffic to the sites through search engine optimization (SEO) poisoning in order to ultimately push adware and other unwanted programs.

“Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked,” the company said.

“The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons.”

“The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals.”

While the activity is currently limited to filling fraudsters’ coffers via affiliate programs, the attack chains could be easily repurposed to deliver information stealers and other malicious programs.

The development also follows the discovery a new activity cluster tracked as Fluffy Wolf that’s capitalizing on phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig miner, and a legitimate remote desktop tool called Remote Utilities.

The campaign is a sign that even unskilled threat actors can leverage malware-as-a-service (MaaS) schemes to conduct successful attacks at scale and plunder sensitive information, which can then be monetized further for profit.

“Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware,” BI.ZONE said.

Feb 19, 2024NewsroomCyber Espionage / Vulnerability

Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.

These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat actor known as Winter Vivern, which is also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern’s exploitation of security flaws in Roundcube and software was previously highlighted by ESET in October 2023, joining other Russia-linked threat actor groups such as APT28, APT29, and Sandworm that are known to target email software.

The adversary, which has been active since at least December 2020, has also been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.

The campaign discovered by Recorded Future took place from the start of October 2023 and continued until the middle of the month with the goal of collecting intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers that were detected in March 2023.

“TAG70 has demonstrated a high level of sophistication in its attack methods,” the company said. “The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.”

The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads that are designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.

“The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran’s diplomatic activities, especially regarding its support for Russia in Ukraine,” it said.

“Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.”

Feb 09, 2024NewsroomCyber Espionage / Threat Intelligence

An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called Zardoor.

Cisco Talos, which discovered the activity in May 2023, said the campaign has likely persisted since at least March 2021, adding it has identified only one compromised target to date, although it’s suspected that there could be other victims.

“Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence,” security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer said, calling out the threat actor’s ability to maintain long-term access to victim environments without attracting attention.

The intrusion targeting the Islamic charitable organization involved the periodic exfiltration of data roughly twice a month. The exact initial access vector used to infiltrate the entity is currently unknown.

The foothold obtained, however, has been leveraged to drop Zardoor for persistence, followed by establishing C2 connections using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom.

“Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker’s tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2,” the researchers said.

The as-yet-undetermined infection pathway paves the way for a dropper component that, in turn, deploys a malicious dynamic-link library (“oci.dll”) that’s responsible for delivering two backdoor modules, “zar32.dll” and “zor32.dll.”

While the former is the core backdoor element that facilitates C2 communications, the latter ensures that “zar32.dll” has been deployed with administrator privileges. Zardoor is capable of exfiltrating data, executing remotely fetched executables and shellcode, updating the C2 IP address, and deleting itself from the host.

The origins of the threat actor behind the campaign are unclear, and it does not share any tactical overlaps with any known, publicly reported threat actor at this time. That said, it’s assessed to be the work of an “advanced threat actor.”

Dec 19, 2023NewsroomRansomware / Threat Intelligence

The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” authorities said.

Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.

It’s worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per data from Corvus.

Cybersecurity firm Adlumin, in a report published last month, revealed that Play is being offered to other threat actors “as a service,” completing its transformation into a ransomware-as-a-service (RaaS) operation.

Ransomware attacks orchestrated by the group are characterized by the use of public and bespoke tools like AdFind to run Active Directory queries, GMER, IOBit, and PowerTool to disable antivirus software, and Grixba to enumerate network information and for collecting information about backup software and remote administration tools installed on a machine.

The threat actors have also been observed to carry out lateral movement and data exfiltration and encryption steps, banking on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.

“The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data,” the agencies said. “Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”

According to statistics compiled by Malwarebytes, Play is said to have claimed nearly 40 victims in November 2023 alone, but significantly trailing behind its peers LockBit and BlackCat (aka ALPHV and Noberus).

The alert comes days after U.S. government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining initial access to networks via purchasing stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the government said.

The developments also come amid speculations that the BlackCat ransomware may have been a target of a law enforcement operation after its dark web leak portals went offline for five days. However, the e-crime collective pinned the outage on a hardware failure.

What’s more, another nascent ransomware group known as NoEscape is alleged to have pulled an exit scam, effectively “stealing the ransom payments and closing down the group’s web panels and data leak sites,” prompting other gangs like LockBit to recruit their former affiliates.

That the ransomware landscape is constantly evolving and shifting, whether be it due to external pressure from law enforcement, is hardly surprising. This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services firms.

“These cooperative ransom campaigns are rare, but are possibly becoming more common due to the involvement of initial access brokers (IABs) collaborating with multiple groups on the dark web,” Resecurity said in a report published last week.

“Another factor that may be leading to greater collaboration are law enforcement interventions that create cybercriminal diaspora networks. Displaced participants of these threat actor networks may be more willing to collaborate with rivals.”