DeathRansom can now encrypt files.
Researchers at Fortinet have found that the malware known as "DeathRansom," which was previously a functionally harmless piece of scareware, has been turned into a real strain of file-encrypting ransomware. Earlier versions of the malware would append a file extension to the victim's files, but the file itself would remain intact and could be accessed by simply removing the new file extension. A new variant of DeathRansom, however, "uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files." ZDNet notes that while DeathRansom is a relatively new strain of malware, it "has been backed by a solid distribution campaign, and has been making regular victims on a daily basis for the past two months."
Fortinet's researchers also posted a second blog in which they tied DeathRansom to a malware operator who used the nickname "scat01" across numerous malicious projects and Russian underground forums. This nickname (and a specific profile picture) led them to a product review posted on Yandex.Market from the small town of Aksay in southern Russia, which is located just east of the city of Rostov-on-Don. The researchers then found a YouTube account, a Skype account containing a phone number from the Rostov-on-Don region, and "many other profiles of the same actor," including one on the Russian social media service VKontakte which included his full name. The researchers stop short of definitively accusing the man of responsibility for the DeathRansom campaigns, but based on the extensive web of connections, they say his involvement "seems likely."
Clop ransomware terminates 663 processes.
A new variant of the Clop ransomware kills 663 Windows processes before it begins encrypting files, BleepingComputer has found. These processes include "new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software....Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the SecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app." Vitali Kremez, who reverse engineered the new Clop variant, has provided a full list of these processes on GitHub.
Ransomware commonly terminates processes so that the files those programs hold open (which Windows would otherwise refuse to overwrite) can be encrypted, and to ensure antivirus programs have been shut down, but Clop kills far more than average. It's not clear why Clop kills so many processes, some of which are seemingly unimportant, but BleepingComputer speculates that it may be trying to encrypt those programs' configuration files.
Payment card skimmer uses steganography.
Malwarebytes describes the first publicly known web skimmer that uses steganography to avoid detection. The researcher who disclosed this technique explains that the attackers either upload their own image or modify an existing image on a compromised site. In this case, the skimming code was packaged within an image showing a generic "free shipping" logo. The file contained 19,704 bytes after the End of Image (EOI) marker, 0xFFD9, that signals the end of a normal JPEG file. Image viewers stop rendering at that marker, so the picture displays normally; the extra data was JavaScript code that was loaded and parsed by a small snippet of code placed on the compromised site. The JavaScript within the image file isn't obfuscated and the attackers have made no effort to conceal the fact that the JPEG is malformed, but Malwarebytes notes that "the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing."
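The check a site owner or scanner would want here is simple: walk the JPEG's segment structure to the real EOI marker and report anything that follows it. The script below is an added example, not code from Malwarebytes or from the skimmer; it parses the marker/segment layout defined by the JPEG standard rather than searching for the last 0xFFD9 in the file, because appended data can itself contain that byte pair. The sample image it builds is constructed test data (structurally valid but not a decodable picture), and the hypothetical `scan_image` report format is this example's own.

```python
"""Detect data appended after a JPEG's End of Image (EOI) marker.

JPEG layout: SOI (FF D8), a series of segments (FF xx + 2-byte length that
includes the length bytes), the SOS segment (FF DA) followed by entropy-coded
data, then EOI (FF D9). Inside entropy-coded data, FF 00 is a stuffed 0xFF
byte and FF D0..D7 are restart markers; any other FF xx is a real marker.
"""


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past entropy-coded data; return the offset of the next real marker."""
    while pos < len(data) - 1:
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed byte or RSTn
                pos += 2
                continue
            if nxt == 0xFF:                           # fill byte
                pos += 1
                continue
            return pos
        pos += 1
    raise ValueError("truncated inside entropy-coded data")


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return every byte that follows the EOI marker (empty for a clean file)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # allow fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                            # EOI: everything after is foreign
            return data[pos:]
        if marker == 0x00:
            raise ValueError(f"invalid marker FF00 at offset {pos - 1}")
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seglen = int.from_bytes(data[pos:pos + 2], "big")
        pos += seglen                                 # length counts its own 2 bytes
        if marker == 0xDA:                            # SOS: scan data follows
            pos = _skip_entropy_coded(data, pos)
    raise ValueError("no EOI marker found")


def scan_image(data: bytes) -> dict:
    """Hypothetical report: how much trails the EOI and whether it looks like text/script."""
    trailing = jpeg_trailing_data(data)
    printable = sum(1 for b in trailing if 32 <= b < 127 or b in (9, 10, 13))
    ratio = printable / len(trailing) if trailing else 0.0
    return {
        "trailing_bytes": len(trailing),
        "printable_ratio": ratio,
        # a long, almost entirely printable tail is the skimmer pattern described above
        "looks_like_script": len(trailing) > 64 and ratio > 0.95,
    }


def build_sample(payload: bytes) -> bytes:
    """Constructed test image: valid marker structure, not a real picture."""
    def seg(marker: int, body: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body

    img = b"\xff\xd8"                                                   # SOI
    img += seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0
    img += seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")           # SOF0, 8x8 gray
    img += seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS
    img += b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"                      # scan data w/ stuffing + RST0
    img += b"\xff\xd9"                                                  # EOI
    return img + payload


if __name__ == "__main__":
    # Constructed payload standing in for the skimmer's appended JavaScript.
    js = b"var f=document.querySelector('form');f.addEventListener('submit',function(e){" * 3
    print(scan_image(build_sample(b"")))
    print(scan_image(build_sample(js)))
```

Run this over every image the site serves (or that a crawler fetches) and alert on a non-zero tail; some encoders legitimately append a few padding bytes, so a length threshold like the one in `looks_like_script` keeps the noise down, while a tail measured in kilobytes of printable text is the pattern Malwarebytes describes. The structural walk matters for robustness: `data.rfind(b"\xff\xd9")` would stop at any FF D9 pair the attacker happened to place inside the payload.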
SideWinder APT placed malicious apps in the Play Store.
Trend Micro has identified three malicious apps in the Google Play Store which were tied to the South Asian APT known as "SideWinder." Two of the apps, Camero and FileCrypt Manager, functioned as droppers to install a third app named callCam, which purported to be a video calling application. Upon installation, callCam would hide its icon and begin collecting information from the device, including its location, files, list of installed apps, WiFi information, sensor data, camera information, and data from Chrome, Facebook, Gmail, Outlook, Twitter, WeChat, and Yahoo Mail. This data is then encrypted and sent back to a command-and-control server. The researchers found that the C2 servers in this campaign were previously linked to SideWinder.
One noteworthy aspect of the campaign is the use of CVE-2019-2215, a use-after-free vulnerability in Binder, the Android kernel's interprocess communication driver, that hadn't previously been seen exploited in the wild. The Camero dropper app uses this vulnerability to gain root privileges on infected devices, which is what lets it install callCam without the user's involvement.
FBI warns companies about data-stealing Maze ransomware.
The FBI shared a flash alert with the private sector regarding the threat posed by the Maze ransomware, which the Bureau says began targeting US organizations in November 2019. According to BleepingComputer, the TLP:Green alert warns that the Maze operators distribute their malware via phishing campaigns in which they pose as government agencies or security companies. The phishing emails contain a malicious Word document with a macro that delivers the malware. The consequences of a Maze infection can be greater than those of a traditional ransomware attack, since the attackers exfiltrate the victim's data before encrypting it; restoring from backups therefore recovers the files but does not end the extortion. The attackers then threaten to publicly release the data unless the victim pays an additional sum. The FBI advises victims not to pay the ransom, but asks that all victims contact the Bureau and provide indicators of compromise, regardless of whether the ransom was paid.
Analyzing critical infrastructure targeting.
The National Consortium for the Study of Terrorism and Responses to Terrorism (START), housed at the University of Maryland, has compiled a dataset containing information on "130 cyber-physical and cyber-operational incidents carried out against critical infrastructure worldwide from January 1, 2009, to November 15, 2019." START defines a cyber-physical incident as an attack which causes physical disruption by specifically targeting operational technology, while a cyber-operational incident is one that indirectly disrupts physical processes by targeting IT systems linked to an industrial environment. Most of the incidents compiled by START fall into the latter category, which includes espionage-focused attacks.
The majority of critical infrastructure-focused attacks targeted the energy sector. The United States was the most targeted country, followed by Ukraine, although Ukraine experienced the highest number of destructive attacks by far. Most of the attacks worldwide were either attributed to state actors or unattributed, and Russian threat actors led the pack with 60% of the state-sponsored attacks.
Don't buy cocaine on the Internet (or anywhere else, for that matter).
Researchers at Malwarebytes warn that those looking to purchase illegal substances online are likely to find themselves at the mercy of scammers. Users searching the clear web for "buy cocaine online" will find a website, "buycocaineonline[.]us," whose headline advertises "LEGIT DARK WEB DRUGS." The site offers free shipping on orders over $200, and users can buy five hundred grams of Colombian cocaine on sale for $6000. The site also conveniently allows customers to pay using PayPal. Malwarebytes recommends that users "exercise a bit of critical thinking" to avoid falling for this type of scam.