At a glance.
- Verizon's Data Breach Investigations Report.
- Ramsay malware designed to operate within air-gapped networks.
- New COMpfun variant spotted.
- Lazarus Group targets macOS.
- New Trojan active against organizations in Central Asia.
Verizon's Data Breach Investigations Report.
Verizon this morning released its 2020 Data Breach Investigations Report (DBIR). The report stresses that stolen credentials are a key component of most breaches, so attackers have grown more reliant on phishing and credential theft. Likewise, password dumpers were the most commonly used type of malware. The researchers explain that the use of malware in breaches has continued to decline as attackers rely on more efficient ways to gain access, such as social engineering and credential stuffing.
86% of breaches were financially motivated (compared to 71% in last year's report), and 55% were attributed to organized criminal groups. The number of breaches attributed to errors, particularly misconfigurations, rose noticeably, but the researchers suspect this is due to increased reporting rather than an increase in errors, so they conclude that this is a positive trend.
The report also found that ransomware is "a big problem that's continuing to get bigger," and they attribute this in part to the proliferation of ransomware- and hacking-as-a-service offerings, which make it easier for criminals to carry out complex attacks. The report classes cyber events as "breaches" if they result in a confirmed disclosure of data, and as "incidents" if there's no confirmed data exposure. The researchers note that several ransomware families are now exfiltrating data and publicly using the stolen data as leverage; however, this activity took off in November 2019, and the data scope for the 2020 DBIR ended on October 31st, 2019. As a result, the report tracks most ransomware attacks as "incidents."
Ramsay malware designed to operate within air-gapped networks.
ESET researchers uncovered malware they call "Ramsay" that's "tailored for collection and exfiltration of sensitive documents" within air-gapped networks, and it's delivered to those networks via removable media. Once it's on a system, Ramsay will scan for Word documents, PDFs, and ZIP archives, then collect and encrypt these files and store them in a hidden container.
Notably, the malware doesn't have the ability to connect to a command-and-control server—its functionality is self-contained, and ESET isn't sure how the attackers retrieve the data it collects. However, the researchers surmise that an additional component is used for this, and this component would probably "scan the victim’s file system in search for the Ramsay container’s magic values, in order to identify the location of artifacts to exfiltrate."
The researchers don't attribute Ramsay to any group, but they note that it shares many artifacts with the Retro backdoor developed by the DarkHotel APT. DarkHotel is believed to be a state-sponsored actor operating from the Korean peninsula, and ZDNet says observers tend to suspect South Korea is behind it.
New COMpfun variant spotted.
Kaspersky has been tracking a Trojan using the same codebase as COMpfun that has the capability to spread from one computer to another by infecting USB drives. The Trojan is being used in a campaign targeting European diplomatic entities. Based on the campaign's victims, Kaspersky attributes the malware to the Russian state-sponsored actor Turla with a "medium-to-low level of confidence."
The malware's dropper is a spoofed visa application, and the "file name related to the visa application process perfectly corresponds with the targeted diplomatic entities." The researchers aren't sure how the dropper is initially delivered. Once the file is opened, it tries to convince the user to run it with administrative privileges.
The researchers describe the malware as "a normal full-fledged Trojan that is also capable of propagating itself to removable devices." The Trojan acts as a keylogger, takes screenshots, reports the machine's geolocation, and obtains data about the host and the network. It uses obscure HTTP status codes as its command-and-control communication protocol, and it exfiltrates data over HTTP/HTTPS.
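Added example (not code from the Kaspersky report or from the malware): one way a defender could hunt for the pattern described above, by flagging hosts in proxy logs whose responses are dominated by uncommon HTTP status codes. The log format, host names, sample lines and thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not taken from any report): time, client, host, method, status.
SAMPLE_LOG = """\
2020-05-19T10:01:02Z 10.0.0.5 www.example.org GET 200
2020-05-19T10:01:03Z 10.0.0.5 www.example.org GET 304
2020-05-19T10:01:09Z 10.0.0.5 cdn.example.org GET 200
2020-05-19T10:02:11Z 10.0.0.5 update.example-host.test POST 422
2020-05-19T10:02:41Z 10.0.0.5 update.example-host.test POST 418
2020-05-19T10:03:11Z 10.0.0.5 update.example-host.test POST 426
2020-05-19T10:03:41Z 10.0.0.5 update.example-host.test POST 422
2020-05-19T10:04:11Z 10.0.0.5 update.example-host.test POST 451
2020-05-19T10:05:00Z 10.0.0.7 www.example.org GET 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Status codes routinely produced by ordinary web traffic; anything else is treated as rare.
COMMON_STATUS = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308,
                 400, 401, 403, 404, 405, 429, 500, 502, 503, 504}

def parse_log(text):
    """Yield (host, status) tuples; lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(3), int(m.group(5))

def rare_status_hosts(text, min_rare=3, min_ratio=0.5):
    """Return {host: (rare_count, total, sorted distinct rare codes)} for hosts that
    answered with at least min_rare rare status codes making up at least min_ratio
    of all responses from that host. A single odd code is normal; a steady stream
    of them from one host is worth a look."""
    totals = defaultdict(int)
    rare = defaultdict(list)
    for host, status in parse_log(text):
        totals[host] += 1
        if status not in COMMON_STATUS:
            rare[host].append(status)
    flagged = {}
    for host, codes in rare.items():
        if len(codes) >= min_rare and len(codes) / totals[host] >= min_ratio:
            flagged[host] = (len(codes), totals[host], sorted(set(codes)))
    return flagged

if __name__ == "__main__":
    for host, (n, total, codes) in rare_status_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n}/{total} responses used rare status codes {codes}")
```

The baseline set and thresholds should be tuned against an organization's own traffic before the output is treated as more than a triage hint.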
Lazarus Group targets macOS.
Researchers at Trend Micro have observed the same Dacls variant described by Malwarebytes earlier this month. Dacls is a remote access Trojan attributed to North Korea's Lazarus Group, and it was first discovered by Qihoo 360 NetLab in December 2019. The original versions were designed to exploit Windows and Linux systems, but the new variant is tailored to macOS. It's delivered via a Trojanized version of an open-source two-factor authentication app for macOS that's primarily used by Chinese speakers. The original app also has an iOS version, so Trend Micro suspects that Lazarus could build a mobile-focused version of their malware as well.
The researchers say the "shift in focus towards attacking multiple operating systems indicates an expansion of targets," and they note that the choice of a Trojanized 2FA application suggests that Lazarus is targeting security-minded individuals. Furthermore, considering Lazarus's past activities, Trend Micro points out that these apps are commonly used among cryptocurrency traders.
Newly observed threat actor distributes various commodity RATs.
Researchers at Sophos have published a report on a threat actor they're calling "RATicate" that's targeting industrial companies in Europe, the Middle East, and South Korea. The group is using phishing emails to deliver a variety of information-stealing malware families, including LokiBot, BetaBot, FormBook, AgentTesla, and NetWire. Sophos observed five different campaigns by the group between November 2019 and January 2020, but the researchers believe it's been active since before November. The targets included manufacturing and engineering companies in Romania, Kuwait, the UK, South Korea, and Switzerland, as well as a Japanese transportation company. Other targets in South Korea included an internet company, an investment firm, and a medical news publication.
RATicate uses the open-source Nullsoft Scriptable Install System (NSIS) toolkit to generate their malware installers. They pad these installers with non-malicious junk files such as ASCII text, benign source code, images, and other legitimate files in order to disguise the malicious payload. These junk files were identical across multiple attacks, which enabled Sophos to tie the attacks to the same threat actor.
RATicate's motivation is unclear. Sophos isn't sure if the attackers are conducting corporate espionage themselves or if they're simply breaching organizations and selling access to other threat actors.
New Trojan active against organizations in Central Asia.
Researchers from ESET and Avast published reports following a joint investigation into an APT campaign targeting entities in Central Asia, including "several important companies in the telecommunications and gas industries, and governmental entities." The campaign was linked to a long-running operation observed by Check Point, as well as campaigns tracked by Kaspersky and Palo Alto Networks Unit 42. Avast agrees with Check Point's assessment that the threat actor seems to be based in China, although they don't name any specific groups. The actor uses a custom RAT which ESET has named "Mikroceen," along with Gh0st RAT, a tool primarily associated with Chinese threat groups.
The current campaign is targeting organizations in Tajikistan, Kyrgyzstan, Uzbekistan, and Kazakhstan, while earlier campaigns targeted Mongolia, Russia, and Belarus.