A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it’s likely associated with the North Korean state-sponsored group tracked as Kimsuky.

“The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

“Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs.”

A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.

On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file (“IMG_20240214_0001.pdf.lnk”).

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script (“ps.bin”).

The second-stage PowerShell script, for its part, fetches a new file from Dropbox (“r_enc.bin”), a .NET assembly file in binary form that’s actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control.

It’s worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.

Also retrieved by the PowerShell script from Dropbox is a VBScript (“info_sc.txt”), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script (“w568232.ps12x”).

The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system, and set up scheduled tasks on the system for persistence.

Another noteworthy aspect of the VBScript is the use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to alter the script itself.

The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.

“The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox,” the researchers said. “Its main purposes include encrypting and exfiltrating or downloading data.”

In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.

The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft’s embedding of malicious code within Hangul Word Processor (HWP) lure documents present in phishing emails to distribute malware like RokRAT.

“The email contains a HWP Doc which has an embedded OLE object in the form of a BAT script,” Liber said. “Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victims machine.”

It also follows Andariel’s exploitation of a legitimate remote desktop solution called MeshAgent to install malware like AndarLoader and ModeLoader, a JavaScript malware meant for command execution.

“This is the first confirmed use of a MeshAgent by the Andariel group,” ASEC said. “The Andariel Group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past.”

Andariel, also known by the names Nicket Hyatt or Silent Chollima, is a sub-cluster of the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.

The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen from the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.

“Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges,” Elliptic said. “The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash.”

The blockchain analytics firm said that Tornado Cash’s continuation of its operations despite sanctions have likely made it an attractive proposition for the Lazarus Group to conceal its transaction trail following the shutdown of Sinbad in November 2023.

“The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been,” it noted.

Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that’s propagated via phishing emails bearing PDF attachments.

“This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware,” Fortinet FortiGuard Labs researcher Cara Lin said.

The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents.

In reality, clicking the button leads to the retrieval of an installer file from a remote link that’s shortened using the Goo.su URL shortening service.

Present within the installer is an executable named “Lightshot.exe” that leverages DLL side-loading to load “Lightshot.dll,” which is the CHAVECLOAK malware that facilitates the theft of sensitive information.

This includes gathering system metadata and running checks to determine whether the compromised machine is located in Brazil and, if so, periodically monitoring the foreground window to compare it against a predefined list of bank-related strings.

If it matches, a connection is established with a command-and-control (C2) server and proceeds to harvest various kinds of information and exfiltrate them to distinct endpoints on the server depending on the financial institution.

“The malware facilitates various actions to steal a victim’s credentials, such as allowing the operator to block the victim’s screen, log keystrokes, and display deceptive pop-up windows,” Lin said.

“The malware actively monitors the victim’s access to specific financial portals, including several banks and Mercado Bitcoin, which encompasses both traditional banking and cryptocurrency platforms.”

Fortinet said it also uncovered a Delphi variant of CHAVECLOAK, once again highlighting the prevalence of Delphi-based malware targeting Latin America.

“The emergence of the CHAVECLOAK banking Trojan underscores the evolving landscape of cyberthreats targeting the financial sector, specifically focusing on users in Brazil,” Lin concluded.

The findings come amid an ongoing mobile banking fraud campaign against the U.K., Spain, and Italy that entails using smishing and vishing (i.e., SMS and voice phishing) tactics to deploy an Android malware called Copybara with the goal of performing unauthorized banking transfers to a network of bank accounts operated by money mules.

“TAs [Threat actors] have been caught using a structured way of managing all the ongoing phishing campaigns via a centralized web panel known as ‘Mr. Robot,'” Cleafy said in a report published last week.

“With this panel, TAs can enable and manage multiple phishing campaigns (against different financial institutions) based on their needs.”

The C2 framework also allows attackers to orchestrate tailored attacks on distinct financial institutions using phishing kits that are engineered to mimic the user interface of the targeted entity, while also adopting anti-detection methods via geofencing and device fingerprinting to limit connections only from mobile devices.

The phishing kit – which serves as a fake login page – is responsible for capturing retail banking customer credentials and phone numbers and sending the details to a Telegram group.

Some of the malicious infrastructure used for the campaign is designed to deliver Copybara, which is managed using a C2 panel named JOKER RAT that displays all the infected devices and their geographical distribution over a live map.

It also allows the threat actors to remotely interact in real-time with an infected device using a VNC module, in addition to injecting fake overlays on top of banking apps to siphon credentials, logging keystrokes by abusing Android’s accessibility services, and intercepting SMS messages.

On top of that, JOKER RAT comes with an APK builder that makes it possible to customize the rogue app’s name, package name, and icons.

“Another feature available inside the panel is the ‘Push Notification,’ probably used to send to the infected devices fake push notifications that look like a bank notification to entice the user to open the bank’s app in such a way that the malware can steal credentials,” Cleafy researchers Francesco Iubatti and Federico Valentini said.

The growing sophistication of on-device fraud (ODF) schemes is further evidenced by a recently disclosed TeaBot (aka Anatsa) campaign that managed to infiltrate the Google Play Store under the guise of PDF reader apps.

“This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages,” Iubatti said. “Before downloading the banking trojan, the dropper performs advanced evasion techniques, including obfuscation and file deletion, alongside multiple checks about the victim countries.”

Feb 27, 2024NewsroomCloud Security / Threat Intelligence

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.

These include –

• Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premise networks

• Using tokens to access victims’ accounts without the need for a password

• Leveraging password spraying and credential reuse techniques to seize control of personal accounts, use prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network

• Making it harder to distinguish malicious connections from typical users by utilizing residential proxies to make the malicious traffic appear as if it’s originating from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and conceal their true origins

“For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR should be to protect against SVR’ TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb.”

Feb 20, 2024NewsroomMalware / Supply Chain Security

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.

The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.

“The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding,” ReversingLabs researcher Petar Kirhmajer said in a report shared with The Hacker News.

The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision’s employees to PyPI.

In other words, the goal is to trick developers searching for NP6HelperHttp and NP6HelperConfig into downloading their rogue counterparts.

Contained within the two libraries is a setup.py script that’s designed to download two files, an actual executable from Beijing-based Kingsoft Corporation (“ComServer.exe”) that’s vulnerable to DLL side-loading and the malicious DLL to be side-loaded (“dgdeskband64.dll”).

In side-loading the DLL, the aim is to avoid detection of the malicious code, as observed previously in the case of an npm package called aabquerys that also leveraged the same technique to execute code capable of deploying a remote access trojan.

The DLL, for its part, reaches out to an attacker-controlled domain (“us.archive-ubuntu[.]top”) to fetch a GIF file that, in reality, is a piece of shellcode for a Cobalt Strike Beacon, a post-exploitation toolkit used for red teaming.

There is evidence to suggest that the packages are part of a wider campaign that involves the distribution of similar executables that are susceptible to DLL side-loading.

“Development organizations need to be aware of the threats related to supply chain security and open-source package repositories,” security researcher Karlo Zanki said.

“Even if they are not using open-source package repositories, that doesn’t mean that threat actors won’t abuse them to impersonate companies and their software products and tools.”

The landscape of cybersecurity in financial services is undergoing a rapid transformation. Cybercriminals are exploiting advanced technologies and methodologies, making traditional security measures obsolete. The challenges are compounded for community banks that must safeguard sensitive financial data against the same level of sophisticated threats as larger institutions, but often with more limited resources.

The FinServ Threat Landscape

Recent trends show an alarming increase in sophisticated cyber-attacks. Cybercriminals now deploy advanced techniques like deep fake technology and AI-powered attacks, making it increasingly difficult for banks to differentiate between legitimate and malicious activities. These developments necessitate a shift towards more sophisticated and adaptive cybersecurity measures. Take these industry statistics, for example.

• Financial firms report 703 cyberattack attempts per week.1
• On average, 270 attacks (entailing unauthorized access of data, applications, networks, or devices) occurred in financial services, an increase of 31% compared with the prior year.2
• On average, financial services businesses take an average of 233 days to detect and contain a data breach.3
• 43% of senior bank executives don’t believe their bank is adequately equipped to protect customer data, privacy, and assets in the event of a cyberattack.4
• The average data breach cost in financial services is $5.72 million per incident.5

State-sponsored cyberattacks also pose a unique threat to the financial sector. These attacks are often highly sophisticated and well-funded, aimed at destabilizing financial systems or stealing sensitive economic information. Community banks must be prepared to defend against these high-level threats, which require a different approach than conventional cybercriminal activities.

Similarly, in recent times, there has been a concerning trend where major service providers catering to small-medium-sized banks, such as FIS, Fiserv, and Jack Henry, have become prime targets for cyber-attacks. Targeting these service providers allows threat actors to widen their net and make their attempts more efficient, as compromising a single service provider can potentially provide access to multiple small banks. This underscores the critical importance of strong vendor management governance. Community banks must be prepared to defend against these high-level threats, which require a different approach than conventional cybercriminal activities.

Proactive measures can be taken to overcome the threats facing the FinServ industry. Companies like ArmorPoint provide complimentary Cybersecurity Workshops where they have seasoned cybersecurity experts identify specific security gaps and produce recommendations to mitigate those risks.

Top 5 FinServ Cybersecurity Challenges and How to Overcome Them

1. Advanced Cloud Security Strategies

Cloud computing, with its numerous benefits of scalability, flexibility, and cost-effectiveness, is increasingly being adopted by financial institutions. However, this shift introduces specific security concerns that can be challenging to manage. The complexity of cloud security stems from the need to protect data across diverse and dynamic environments. In the cloud, data often moves across various services and geographies, making traditional perimeter-based security approaches less effective. Additionally, the shared responsibility model in cloud computing can lead to ambiguity in security roles and responsibilities between the cloud service provider and the bank.

To address these challenges, banks must adopt advanced cloud security strategies. This involves implementing comprehensive data encryption to protect data at rest and in transit, and robust identity and access management systems to control who can access what data and under what conditions. Zero-trust security models, where trust is never assumed and verification is required from everyone trying to access resources in the network, are increasingly vital. Understanding the nuances of different cloud environments—public, private, and hybrid—is also key to tailoring security measures effectively.

2. Ransomware: Beyond Basic Defense

Ransomware attacks in the financial sector have become increasingly sophisticated, leveraging tactics like “Ransomware as a Service” (RaaS) to target institutions. The evolving nature of ransomware, combined with the high value of financial data, makes these institutions particularly vulnerable. Traditional defense strategies are often inadequate in the face of such advanced threats, which can bypass standard security measures and encrypt critical data, causing operational disruptions and financial losses.

Banks need to implement a multi-layered defense strategy against ransomware. This includes advanced threat intelligence systems that can provide real-time insights into emerging threats and vulnerabilities. Regular security audits are crucial to identify and address potential vulnerabilities in the bank’s cybersecurity infrastructure. Additionally, proactive threat hunting teams can play a critical role in identifying and neutralizing threats before they materialize, providing an additional layer of defense against ransomware attacks.

3. Comprehensive Vendor Risk Management

Financial institutions increasingly rely on third-party vendors for a range of services, from cloud computing to customer relationship management. Each vendor relationship introduces potential cybersecurity risks, as vendors may have access to or manage sensitive bank data. Managing these risks is complicated by the differing security postures and practices of various vendors, making it challenging to ensure consistent security standards across all third-party relationships.

Effective vendor risk management goes beyond initial security assessments and requires continuous monitoring and evaluation of vendor security practices. Regular security audits of vendors are essential to ensure they adhere to agreed-upon security standards and practices. Integrating vendor risk management into the bank’s overall cybersecurity strategy ensures a unified approach to security, reducing the likelihood of vendor-related security breaches.

4. Regulatory Compliance: Navigating a Complex Landscape

The regulatory landscape for cybersecurity in the financial sector is intricate and constantly evolving. Banks are required to comply with a wide range of international, national, and regional regulations, each with its own set of requirements and penalties for non-compliance. Navigating this complex landscape is challenging, as banks must continually adapt their cybersecurity strategies to meet these evolving requirements.

To effectively navigate this landscape, community banks must develop a deep understanding of relevant regulations, such as the GBLA, PCI DSS, SOX, and more. This involves establishing a dedicated compliance team, or even utilizing a virtual Chief Information Security Officer (vCISO), responsible for staying abreast of regulatory changes and ensuring that the bank’s cybersecurity practices align with these requirements. Regular training and awareness programs for all staff are also crucial to ensure widespread understanding and adherence to compliance requirements.

5. Bridging the Cybersecurity Talent Gap

The cybersecurity talent gap poses a significant challenge for financial institutions. The rapidly evolving nature of cyber threats requires skilled professionals who are up to date with the latest technologies and strategies. However, there is a shortage of such professionals in the market, making it difficult for banks to recruit and retain the talent needed to effectively manage their cybersecurity risks.

Banks must adopt creative solutions to bridge this talent gap. Developing internal training programs can help upskill existing staff, making them capable of handling more complex cybersecurity tasks. Collaborating with educational institutions to develop tailored cybersecurity curriculums can help create a pipeline of skilled professionals. Additionally, leveraging AI and automation for routine security tasks can free up human resources for more complex and strategic cybersecurity challenges, optimizing the use of available talent.

Furthermore, another viable strategy for addressing the talent gap is outsourcing. Financial institutions can consider outsourcing security operations talent, partnering with specialized firms to provide expert cybersecurity services. This approach allows banks to access a pool of seasoned professionals who can monitor, detect, and respond to security threats effectively. Additionally, outsourcing executive-level insights, such as a virtual Chief Information Security Officer (vCISO), can provide strategic guidance and governance to strengthen the bank’s overall cybersecurity posture. By outsourcing specific talent needs, banks can bridge the talent gap more effectively while maintaining a strong focus on cybersecurity excellence.

ArmorPoint has recently released a security maturity self-assessment. Take the 15-question quiz to determine the gaps in your security posture.

Three Steps to Implement a Robust Cybersecurity Framework

An integrated approach to cybersecurity is imperative for effectively managing these diverse challenges. This involves creating a cohesive framework that combines advanced technology solutions, thorough policies and procedures, regular risk assessments, continuous monitoring, and proactive incident response planning.

Step 1: Strategic Alignment and Planning

The cornerstone of a successful cybersecurity program lies in its strategic alignment and planning. This critical first step involves setting clear cybersecurity goals that are closely aligned with the business objectives of the organization. Integration of security controls into the organizational strategy is essential, ensuring every business aspect is underpinned by robust security measures. An effective strategy also includes the creation of a risk prioritization framework, which is instrumental in identifying and focusing on the most critical threats. Furthermore, the development of a security architecture, tailored to the specific needs and risk profile of the organization, is crucial. This architecture needs to be dynamic, evolving in tandem with the changing landscape of cybersecurity threats and business requirements.

Step 2: Risk-Centric Action and Deployment

The second phase of developing a cybersecurity program is centered around risk-centric action and deployment. This involves establishing an efficient team structure, one that is dedicated to the meticulous implementation of the cybersecurity strategy. A key component of this phase is the deployment of the necessary tools and technologies that bring the strategic plan to life. Translating high-level strategies into actionable, practical steps is essential for effective execution. Strategic allocation of resources, especially in areas with higher perceived risks, ensures that critical aspects of the network are prioritized and reinforced. Moreover, the importance of continuous monitoring and management of security systems cannot be overstated, as they are vital for maintaining the efficacy of security measures and for addressing emergent threats swiftly.

Step 3: Continuous Recalibration and Optimization

In the final phase, the focus shifts to the continuous recalibration and optimization of the cybersecurity program. This phase demands maintaining accountability at all organizational levels and enhancing incident response capabilities to ensure swift and effective reactions to threats. Cultivating a culture that is aware of cybersecurity, through the education of employees and stakeholders about security best practices and risks, forms the bedrock of this phase. Regular evaluations and transparent communication of the program’s effectiveness to key stakeholders are crucial for fostering an environment of continuous improvement. The cybersecurity strategies should be under constant review and refinement based on ongoing assessments. This adaptive approach ensures that cybersecurity measures remain both effective and relevant, aligning with the ever-evolving business environment and the shifting landscape of cyber threats.

Preparing for Emerging Trends and Future Threats

The future of cybersecurity in the financial sector is likely to be shaped by emerging technologies and evolving threat landscapes.

AI and Machine Learning in Cybersecurity

The integration of AI and machine learning in cybersecurity tools is set to revolutionize threat detection and response. These technologies can analyze vast amounts of data to identify patterns indicative of cyber threats, offering a level of speed and efficiency unattainable by human analysts alone.

The Role of Blockchain in Enhancing Security

Blockchain technology has the potential to offer enhanced security features for financial transactions and data integrity. Its decentralized and immutable nature makes it an attractive option for securing transaction records and preventing fraud.

Cyber threats are constantly evolving; community banks must stay vigilant and proactive in their cybersecurity efforts. Embracing comprehensive and integrated cybersecurity strategies, focusing on cyber resilience, and preparing for future technological advancements are key to safeguarding against the diverse and sophisticated threats in the cyber landscape. By staying ahead of these challenges, financial institutions can ensure the security and continuity of their operations, maintaining the trust and confidence of their customers.

For more information about how you can enhance the security of your regional financial institution, explore ArmorPoint’s solutions and experience the power of a unified approach to cybersecurity program management.

Resources

1 https://blog.checkpoint.com/security/check-point-research-cyber-attacks-increased-50-year-over-year/

2 https://www.accenture.com/us-en/insights/security/state-cybersecurity

3 https://info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf?hsLang=en

4 https://kpmg.com/us/en/articles/2022/cybersecurity.html

5 https://www.ibm.com/reports/data-breach

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.