Alerts for new malware strains and active ransomware groups were spread widely across the security industry throughout March and the first half of April.
New strains on the rise
New strains of malware targeting organizations of all kinds were discovered, using infection vectors that may not yet feature in their threat models. It’s highly important that organizations stay on top of emerging threats and patch their systems against the most prevalent types of attacks. Patching isn’t always an easy task, especially in large organizations, but as a bare minimum, it’s advised that the actively exploited vulnerabilities are patched first if a more comprehensive patch operation isn’t feasible.
Knowing what cyber security vulnerabilities and zero days to patch is one thing, but it’s equally important to pay close attention to the ways malware is evolving to bypass security detections so the workforce can be aware of what suspicious activity to look out for.
Ever since Microsoft made the long-awaited decision to disable VBA macros in Office documents by default last year, cyber attackers have been experimenting with inventive ways to deliver malware in a trusted way. Microsoft OneNote is installed on Windows by default, unlike Word, Excel, and PowerPoint, and can therefore allow all Windows users to open email attachments in the OneNote format regardless of whether they have a Microsoft 365 subscription.
The combination of a malware-laden OneNote file looking more legitimate than a macro-enabled Office document and the weaker protections OneNote applies to embedded content now makes OneNote a more reliable threat vector than Office documents.
Zscaler’s ThreatLabz researchers found that a variety of scripts and malware have been observed running after successful phishing attacks led victims to download and open the files. Remote access trojans (RATs) and information stealers have been installed following successful attacks. Researchers also said that MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote, using multi-layered obfuscation techniques to evade detection. CHM, HTA, JS, WSF, and VBS scripts are also supported via OneNote documents.
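The execution chain described above (OneNote launching MSHTA, WSCRIPT or CSCRIPT, or handing a CHM/HTA/JS/WSF/VBS file to another program) is visible in process-creation telemetry. The following is an added detection example, not code from the article or from Zscaler; it runs over a handful of constructed, Sysmon-style process-creation records in a simple pipe-separated format that is assumed for the demonstration, and flags any child of onenote.exe that is a script host or that is passed a script-type file on its command line.

```python
from dataclasses import dataclass
from typing import Optional

# Script hosts named in the article as launchable from within OneNote.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Script/file types the article lists as deliverable via OneNote documents.
SCRIPT_EXTS = (".chm", ".hta", ".js", ".wsf", ".vbs")


@dataclass
class ProcEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'timestamp|parent_image|image|command_line' record (assumed format)."""
    ts, parent, image, cmd = line.split("|", 3)
    return ProcEvent(ts.strip(), parent.strip(), image.strip(), cmd.strip())


def basename(path: str) -> str:
    """Lower-cased file name without directory, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event matches the OneNote abuse pattern, else None."""
    if basename(ev.parent_image) != "onenote.exe":
        return None
    child = basename(ev.image)
    if child in SCRIPT_HOSTS:
        return f"script host {child} spawned by OneNote"
    # Any child of OneNote that is handed a script-type file is also worth a look.
    for token in ev.command_line.split():
        if token.strip('"').lower().endswith(SCRIPT_EXTS):
            return f"{child} launched script file {token.strip(chr(34))} from OneNote"
    return None


def scan_log(text: str) -> list:
    """Return (timestamp, reason) pairs for every suspicious record in the log text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reason = classify(parse_event(line))
        if reason:
            hits.append((parse_event(line).timestamp, reason))
    return hits


# Constructed sample telemetry: two benign records, two that match, one wscript
# launch whose parent is explorer.exe and therefore does not match.
SAMPLE_LOG = """\
2023-04-03T09:12:01Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\16.0\\Exported\\{A1B2}\\NT\\0\\invoice.hta
2023-04-03T09:12:05Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE|"ONENOTE.EXE" C:\\Users\\alice\\Downloads\\notes.one
2023-04-03T09:13:10Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start report.pdf
2023-04-03T09:14:44Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE|C:\\Windows\\System32\\wscript.exe|wscript.exe //B payload.vbs
2023-04-03T09:15:02Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe logon.vbs
"""

if __name__ == "__main__":
    for ts, reason in scan_log(SAMPLE_LOG):
        print(ts, reason)
```

The parent-process condition is what keeps the rule quiet: script hosts run legitimately all day, but onenote.exe has no business spawning them, so the match rate on benign fleets is low enough to alert on directly rather than just enrich.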
Emotet returns with a vengeance
Trend Micro announced in March that the Emotet botnet has returned once again after another of its trademark periods of downtime. Emotet was observed mimicking replies in existing email chains, so that its messages appear as legitimate responses rather than cold emails from an unrecognized sender.
While OneNote is being exploited to bypass Microsoft’s VBA macro defenses, Emotet instead deploys social engineering tactics to trick victims into manually re-enabling macros, allowing malicious Office documents to execute commands, such as downloading DLLs, and install malware.
The new version of Emotet also uses binary padding: inflating files with filler bytes to create very large documents, such as 500MB Word documents, that exceed the size limits of security scanners. The prevailing advice is that workers should remain mindful that prompts to re-enable VBA macros will likely lead to malicious activity and should be flagged to the security team as soon as possible.
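Binary padding works because many scanners skip files above a size limit, but the padding itself is cheap to detect: the real document ends where its container says it ends, and everything after that is filler. The following is an added example, not code from the article or from Trend Micro. It constructs a minimal OOXML-style ZIP in memory (a stand-in for a .docx, not a real Word file), appends 2 MiB of null bytes the way a padded sample would, and then measures both the bytes hanging past the ZIP End Of Central Directory record and the trailing run of nulls, which also works for non-ZIP formats. The 1 MiB threshold is an assumed policy value.

```python
import io
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"          # ZIP End Of Central Directory signature
PAD_THRESHOLD = 1024 * 1024       # assumed policy: a megabyte or more of filler is suspicious


def trailing_null_run(data: bytes) -> int:
    """Count 0x00 bytes at the very end of the file; format-agnostic padding measure."""
    return len(data) - len(data.rstrip(b"\x00"))


def zip_overhang(data: bytes) -> Optional[int]:
    """For ZIP-based documents (docx/xlsx/pptx): bytes after the EOCD record ends.

    Returns None when no EOCD signature exists (not a ZIP container). The EOCD is
    22 bytes plus an optional comment whose length sits at offset 20 of the record.
    """
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        return None
    comment_len = int.from_bytes(data[idx + 20:idx + 22], "little")
    eocd_end = idx + 22 + comment_len
    return max(0, len(data) - eocd_end)


def stdlib_can_open(data: bytes) -> bool:
    """Whether the standard zipfile module recognises the blob as a ZIP.

    zipfile only searches the last 64 KiB for the EOCD, so heavily padded
    files are rejected outright, which is one reason naive parsers miss them.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def assess(data: bytes) -> dict:
    """Summarise padding indicators and decide whether the file looks inflated."""
    overhang = zip_overhang(data)
    nulls = trailing_null_run(data)
    filler = overhang if overhang is not None else nulls
    return {
        "size": len(data),
        "zip_overhang": overhang,
        "trailing_nulls": nulls,
        "padded": filler >= PAD_THRESHOLD,
    }


def build_sample(padding: int) -> bytes:
    """Constructed stand-in for a .docx: a tiny ZIP with OOXML-like entries plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + b"\x00" * padding


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(0)), ("padded", build_sample(2 * 1024 * 1024))):
        print(label, assess(blob), "stdlib opens:", stdlib_can_open(blob))
```

Because the check reads only the tail of the file, it can sit at a mail gateway in front of the full scanner and route inflated attachments to a sandbox instead of letting the size limit silently pass them through.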
Cl0p overtakes LockBit in ransomware rankings
Cl0p’s exploitation of the vulnerability in GoAnywhere MFT propelled it to the top of Malwarebytes’ ransomware rankings for April, overtaking LockBit by a small margin. The group claimed to have breached more than 130 organizations in a month, including Procter & Gamble, Virgin Red, Saks Fifth Avenue, and the UK’s Pension Protection Fund (PPF).
Although Cl0p operates its own namesake ransomware program, many of the GoAnywhere-related breaches are thought not to have involved ransomware. Regardless, Cl0p overtook LockBit this month after LockBit dominated March with 126 attacks. For context, the second-place gang from last month, ALPHV, only registered 32 attacks. The reliability of LockBit was questioned earlier this month by DarkTracer International, which accused it of running an inefficient website on the dark web.
LockBit responded by attempting another of its ‘pranks’, as it has done in the past with the likes of Mandiant and Thales, but it ultimately backfired when its team, which does not speak English natively, confused DarkTracer with Cambridge, UK-based Darktrace. This forced Darktrace to publicly deny that it had been attacked by LockBit, and the event prompted many in the community to mock the ransomware gang’s mistake. A patch for the GoAnywhere MFT vulnerability has been available since February and should be applied as a priority if it hasn’t been already, to prevent further attacks from Cl0p.
Microsoft signals new ransomware gang: Nokoyawa
In yet another error-strewn Patch Tuesday from Microsoft, it highlighted an actively exploited zero-day vulnerability. Researchers identified the new ransomware gang, known as Nokoyawa, exploiting the vulnerability since February. Trend Micro’s report on the group linked the operation to the recently taken down Hive group, which claimed attacks on the likes of the New York Racing Association, Tata Power, and Altice. The researchers said the two groups share a number of similarities in their attack chain, such as the use of Cobalt Strike and phishing emails, but noted that Hive’s double extortion technique hasn’t been used by Nokoyawa yet.
FusionCore: Malware-as-a-Service operation
Researchers at CYFIRMA detailed an emerging threat actor believed to be operating from inside Europe earlier this month. FusionCore has been described as a ‘one-stop shop’ for malware services, with a wide range of tools on offer, plus hacker-for-hire services too. The malware on offer has been described as “cost-effective, yet customizable”, and its ransomware affiliate scheme provides both a ransomware payload and affiliate software to manage negotiations with victims. “FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks,” CYFIRMA said. A number of indicators of compromise (IOCs) can be found on the researchers’ blog.
Chinese hackers target unsupported products
Mandiant’s blog in March highlighted a threat actor, which it tracks as UNC3886, targeting products that endpoint detection and response (EDR) tools cannot be installed on. These include firewalls, IoT devices, hypervisors, and VPNs from Fortinet, SonicWall, Pulse Secure, and others. Dozens of attacks have been investigated by the security firm and have involved the exploitation of zero-day vulnerabilities and the use of custom malware to both steal credentials and maintain a lasting presence in a victim’s IT environment. Full details of the attack scenarios, their methods, and the products being targeted can be found in Mandiant’s detailed blog. The takeaway for admins here is that, since host-based agents cannot cover these devices, they should be communicating regularly with vendors so that any potential threats can be mitigated through vendor patches and advisories.