At a glance.
- Evilnum targets the financial sector.
- GoldenHelper malware embedded in Chinese tax software.
- Decryptor released for macOS ransomware.
- More reason to treat ransomware attacks as data breaches.
- Pre-installed malware on Lifeline Assistance devices, again.
- Mirai variant incorporates new exploits.
Evilnum targets the financial sector.
ESET has published a report on Evilnum, a threat actor that conducts espionage against financial technology companies. The group's custom malware (also called "Evilnum") has been observed in the wild since at least 2018. Evilnum's primary goal is the theft of financial data, including:
- "Spreadsheets and documents with customer lists, investments and trading operations"
- "Internal presentations"
- "Software licenses and credentials for trading software/platforms"
- "Cookies and session information from browsers"
- "Email credentials"
- "Customer credit card information and proof of address/identity documents"
The group's initial access vector is spearphishing: the emails carry ZIP archives containing Windows shortcut (LNK) files named with double extensions such as ".jpg.lnk" or ".png.lnk". Because Explorer never displays the ".lnk" extension, the victim sees what looks like a JPG or PNG image. Opening the shortcut creates and executes a JavaScript file, which in turn drops and opens a decoy image so that the victim sees what they expected. The decoy is a photo of a real financial document, ID, or credit card, which the attackers most likely stole from a victim of an earlier campaign. The same JavaScript stage installs the primary payload: either the group's custom C# infostealer or a commodity tool bought from the malware-as-a-service provider Golden Chickens. (ESET notes that both the JavaScript component and the C# infostealer have been called "Evilnum" in earlier reporting.)
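A triage check for this lure, written as an added example (not ESET's code or tooling): it opens a ZIP attachment and flags shortcut files hidden behind an image-style double extension, shortcut content sitting under a non-.lnk name, and any bare .lnk member, using the fixed 20-byte header every LNK file starts with. The sample archive is constructed in memory, and the list of decoy extensions is an assumption for the example.

```python
"""Flag Evilnum-style lures: Windows shortcut (LNK) files disguised as images
inside a ZIP attachment. Added example; the archive is constructed here and
the decoy-extension list is an assumption, not taken from the ESET report."""
import io
import zipfile

# Every .lnk file begins with HeaderSize (0x4C, little-endian) followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")

# Extensions an attacker pairs with .lnk; Explorer always hides ".lnk", so
# "scan.jpg.lnk" is shown as "scan.jpg". Assumed list for this example.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls"}


def lure_findings(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for each suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]      # drop any directory part
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_header = head == LNK_MAGIC
            if len(exts) >= 2 and exts[-1] == ".lnk" and exts[-2] in DECOY_EXTS:
                findings.append((name, "double extension hiding .lnk"))
            elif has_lnk_header and (not exts or exts[-1] != ".lnk"):
                findings.append((name, "LNK header under non-.lnk name"))
            elif exts and exts[-1] == ".lnk":
                findings.append((name, "shortcut file inside emailed archive"))
    return findings


def build_archive(members: dict = None) -> bytes:
    """Build a constructed sample ZIP (not a real attachment) from name -> bytes.
    The default mimics the lure described above: two fake images plus benign files."""
    if members is None:
        members = {
            "passport_scan.jpg.lnk": LNK_MAGIC + b"\x00" * 40,
            "statement.png.lnk": LNK_MAGIC + b"\x00" * 40,
            "readme.txt": b"please review the attached documents",
            "id_card.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG magic
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in lure_findings(build_archive()):
        print(f"{member}: {reason}")
```

Checking the header bytes as well as the name matters because the name rule alone misses a shortcut whose extension has been spoofed some other way, while the header rule alone says nothing about the social-engineering trick the double extension represents.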
ESET does not attribute the activity to any known APT group. It notes that Golden Chickens' other customers include sophisticated, financially motivated groups such as FIN6 and Cobalt Group, so the shared commodity tooling by itself is not evidence of a connection between Evilnum and those groups.
GoldenHelper malware embedded in Chinese tax software.
Trustwave released a report on another strain of malware built into Chinese tax software designed to compromise the networks of companies doing business in China. This report describes malware dubbed "GoldenHelper," which the researchers say is "entirely different from GoldenSpy, although the delivery modus operandi is highly similar." GoldenHelper was used in a campaign that ran from January 2018 to July 2019, and was embedded in "Golden Tax Invoicing Software (Baiwang Edition), required by Chinese banks for payment of VAT taxes." GoldenHelper, like GoldenSpy, is tied to Aisino Corporation, one of only two companies authorized to produce tax software under China's national Golden Tax project.
Decryptor released for macOS ransomware.
SentinelOne has released a public decryptor for the EvilQuest/ThiefQuest ransomware for macOS (SentinelOne calls the malware "EffectiveIdiot," after a reversed string in its code). The decryptor is possible because the authors used symmetric encryption throughout and left the key material in the encrypted file: "the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key." The researchers also confirmed earlier findings that the malware is effectively a wiper posing as ransomware: the ransom note gives victims no way to contact the attackers, so the attackers cannot know who has paid, and the malware's code never even calls its own decryption function. SentinelOne concludes that either the code is incomplete, or the "presence of the decryption routine in the code is an artifact of earlier testing."
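The design flaw SentinelOne describes, reduced to a runnable illustration. This is an added example, not the malware's routines or SentinelOne's decryptor: the stream cipher (SHA-256 in counter mode), the XOR "encoding" of the file key, and the trailer layout (ciphertext, then the encoded file key, then the cleartext key that encoded it, then a marker) are all stand-ins chosen for the example. What it demonstrates is the property that matters: anyone holding the encrypted file can parse the trailer and recover the file key, so no attacker-held secret is needed to decrypt.

```python
"""Why a file encrypted with its own key material appended is decryptable.
Added example with a stand-in cipher and an assumed trailer layout; it is
not EvilQuest/ThiefQuest's code or SentinelOne's decryptor."""
import hashlib

KEY_LEN = 32
TRAILER_MAGIC = b"EXAMPLE0"   # assumed end-of-file marker for this illustration


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 over (key || counter), used as keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_trailer(plaintext: bytes, file_key: bytes, wrap_key: bytes) -> bytes:
    """Mimic the flawed layout: ciphertext || encoded(file_key) || wrap_key || magic.
    'Encoding' the per-file key is XOR with wrap_key here (assumed for the example).
    The flaw is that wrap_key, the only thing protecting file_key, is written out too."""
    if len(file_key) != KEY_LEN or len(wrap_key) != KEY_LEN:
        raise ValueError("keys must be %d bytes" % KEY_LEN)
    ciphertext = _xor(plaintext, _keystream(file_key, len(plaintext)))
    encoded_key = _xor(file_key, wrap_key)
    return ciphertext + encoded_key + wrap_key + TRAILER_MAGIC


def recover_from_trailer(blob: bytes) -> bytes:
    """Decrypt using only the encrypted file itself: parse the trailer from the
    end, undo the key encoding with the cleartext wrap key, then decrypt."""
    if not blob.endswith(TRAILER_MAGIC):
        raise ValueError("no trailer; not a file produced by this scheme")
    body = blob[:-len(TRAILER_MAGIC)]
    if len(body) < 2 * KEY_LEN:
        raise ValueError("truncated trailer")
    wrap_key = body[-KEY_LEN:]
    encoded_key = body[-2 * KEY_LEN:-KEY_LEN]
    ciphertext = body[:-2 * KEY_LEN]
    file_key = _xor(encoded_key, wrap_key)          # the attacker's "secret", recovered
    return _xor(ciphertext, _keystream(file_key, len(ciphertext)))


if __name__ == "__main__":
    doc = b"constructed victim document, not real data"
    blob = encrypt_with_trailer(doc, bytes(range(32)), bytes(range(32, 64)))
    print(recover_from_trailer(blob) == doc)       # True: no attacker key needed
```

A scheme that actually denies the victim recovery would wrap the per-file key under a public key whose private half never leaves the attacker, and would store nothing else alongside the ciphertext; everything needed to decrypt is present here, which is exactly why a public decryptor could be written.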
However, the researchers stress that the malware doubles as an effective keylogger and information stealer, with a particular focus on "SSH keys and trusted certificates in order to facilitate the ability to log in remotely and manipulate web browsers to trust sites without throwing security warnings." Because of this, the researchers say the malware may have "wrong-footed victims into continuing to use their infected machines and leak vital data while they sought a solution to the apparent problem of encrypted files."
More reason to treat ransomware attacks as data breaches.
Emsisoft notes that, based on submissions to ID Ransomware, more than eleven percent of targeted ransomware attacks are likely to involve data theft. ID Ransomware received 100,001 samples from targeted attacks between January 1st and June 30th; 11,642 of them (about 11.6 percent) came from groups that routinely exfiltrate data before encrypting. Emsisoft concludes, "An absence of evidence of exfiltration should not be construed to be evidence of its absence, especially during the preliminary stages of an investigation. This [is] particularly true in the case of attacks by groups such as DoppelPaymer, Maze and REvil which are known to steal data. In these cases, the initial assumption should be that data may have been exfiltrated and potentially affected parties should be promptly notified of this possibility."
Pre-installed malware on Lifeline Assistance devices, again.
Researchers at Malwarebytes have found pre-installed malware on phones sold by Assurance Wireless under the US Federal Communications Commission's Lifeline program, which subsidizes budget phones for low-income consumers. The affected device is the ANS (American Network Solutions) UL40, running Android 7.1.1. This is the second time this year Malwarebytes has found malware pre-installed on a discount Lifeline device. As in the earlier case, which affected the UMX U683CL, the ANS UL40 ships with compromised Settings and Wireless Update apps. On the UL40 it is the built-in Wireless Update app that fetches and installs four different variants of the HiddenAds Trojan; on the UMX phones, the Settings app delivered the malware.
Mirai variant incorporates new exploits.
Trend Micro describes a new Mirai variant whose exploit set includes CVE-2020-10173, an authenticated command injection vulnerability in Comtrend VR-3033 routers that lets an attacker with valid router credentials run arbitrary commands and take full control of the device. This is the first known instance of the vulnerability being exploited in the wild, although a proof-of-concept has been public since February.