At a glance.
- MuddyWater tied to wiper disguised as ransomware.
- TrickBot is back up and running.
- QR code scams on the rise.
- Personalized smishing.
- Ryuk resurfaces with new tactics.
MuddyWater tied to wiper disguised as ransomware.
Researchers at ClearSky have observed a new campaign attributed to MuddyWater (also known as Static Kitten or Seedworm), a threat actor believed to be a contractor working on behalf of Iran's Islamic Republic Guard Corps (IRGC). ClearSky says the actor is targeting "many prominent Israeli organizations" with destructive wiper malware disguised as ransomware. The researchers link the operation to a recent report from Palo Alto Networks, which described a destructive variant of the Thanos ransomware designed to overwrite an infected system's Master Boot Record (the same technique used by NotPetya).
ClearSky notes that, while other Iranian threat actors have been known to launch destructive attacks (most notably using the Shamoon wiper), MuddyWater has traditionally focused on espionage. The researchers say this is "the first known instance of a potentially destructive attack executed by MuddyWater." They add, "It is possible that due to the advancing confrontation with Israel, and simply developments of attack methods over time, that the group had undergone an organizational/strategic evolution (or simply received new instructions) into destructive attacks."
In the recent campaign, MuddyWater has used both social engineering and known vulnerabilities to gain entry to the targeted organizations. The threat actor is exploiting CVE-2020-1472 (Zerologon) in the Windows Netlogon Remote Protocol and CVE-2020-0688 in Microsoft Exchange Server. Alternatively, the attackers send phishing emails with macro-laden Excel documents.
TrickBot is back up and running.
CrowdStrike says the operators of the TrickBot malware (tracked by CrowdStrike as "WIZARD SPIDER") have resumed operations after the botnet was disrupted by separate efforts from US Cyber Command and the private sector. The disruption took the form of hacking TrickBot's command-and-control servers and sending updates to infected systems that set their new command-and-control addresses to 127.0.0.1 (localhost), effectively severing communication with the criminals' servers. This happened twice—first on September 22nd, and again on October 1st. Additionally, KrebsOnSecurity reported that someone (presumably Cyber Command) was stuffing TrickBot's databases of stolen information with millions of phony records, creating further confusion. During the same timeframe, Microsoft and industry partners also took action against TrickBot, obtaining a court order from a US court to disable key infrastructure used by the botnet.
CrowdStrike says the operation had "a definite impact on the TrickBot network, with almost 10,000 unique downloads of the non-standard configuration identified. However, in spite of this, TrickBot activity has returned to its usual rapid pace, and the impact of the disruption operation was manifested as a short-term setback for WIZARD SPIDER." Neither Cyber Command nor the private sector expected their efforts to have long-term impacts, and CrowdStrike concludes that "Any attempt to increase the cost for the criminals contributes to a more secure cyberspace."
QR code scams on the rise.
Malwarebytes warns that QR code scams are on the rise, as the COVID-19 pandemic has prompted businesses to adopt these codes as a touchless alternative to physical handouts like menus and tour guides. The researchers warn that scanning a QR code is the equivalent of clicking a link, so users should be cautious if they're asked to enter information or install anything after scanning one of these codes.
Personalized smishing.
Digital Shadows describes a widespread smishing campaign that uses a tracking domain to fingerprint visitors' devices in order to serve them personalized phishing pages:
"The malicious domains gather a significant amount of identifying information on victims, including their IP addresses, city, state, browser type, device brand and model, and the name of their internet service provider (ISP). However, attackers cannot use this information to precisely target your location, only your nearby geographical area. It is unlikely that they are using that information to track any victims. Instead, that information seems to be used to personalize the phishing sites for each different victim. For example, we were able to identify phishing pages for many ISPs, such as Spectrum, Frontier, and AT&T. The phishing sites also often show the victim’s IP address, location, and the current date on the landing page. Most of the data gathered was used to personalize the phishing sites and make them seem more legitimate."
Ryuk resurfaces with new tactics.
Sophos says the Ryuk ransomware operators have launched a fresh wave of attacks after seemingly going quiet earlier this year. Sophos observed an attack last month in which an employee fell for a spearphishing email, opened a malicious document, and enabled macros. The attackers then used Cobalt Strike and publicly available malware to perform reconnaissance and compromise Active Directory administrator accounts, eventually gaining access to more than ninety systems. The attackers failed to deploy their ransomware and the attack was largely thwarted, but Sophos was able to discern some noticeable changes in tactics from the last time the gang was observed:
"The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, Bloodhound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Global Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar. The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks is indicative of an evolution in the Ryuk gang’s operational skills."