At a glance.
- CryptoCore campaign attributed to North Korea's Lazarus Group.
- Attackers use 3D modeling software to bypass selfie checks.
- BazarLoader distributed via call centers.
- Phorpiex botnet evolves.
- Threat actors abusing legitimate services.
CryptoCore campaign attributed to North Korea's Lazarus Group.
ClearSky has attributed CryptoCore, a cryptocurrency theft campaign that's been active for the past three years, to North Korea's Lazarus Group. ClearSky notes that their report confirms an earlier attribution by F-SECURE that the Lazarus Group is behind this activity:
"By being able to sign F-SECURE’s YARA rules to RATs associated with LAZARUS from ESET and KASPERSKY’s we have greatly strengthened F-SECURE’s attribution of the CryptoCore attack campaign to LAZARUS. In addition, we have located several indicative and uncommon traits in these tools all associated with LAZARUS. The above information means we can, with a high level of probability, attribute the CryptoCore attack campaign to LAZARUS."
When it first surfaced, CryptoCore had been thought the work of an Eastern European gang.
Attackers use 3D modeling software to bypass selfie checks.
ZeroFOX says attackers are using 3D modeling software to defeat authentication measures that require the user to take a selfie. The criminals are using this technique to file phony claims under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. CARES Act applications require users to upload their driver's license along with a selfie to prove that the license belongs to them. The attackers in this case create 3D models of people's heads based on stolen driver's licenses, then file their claims using the models to fool the selfie check.
ZeroFOX has observed hundreds of thousands of CARES fraud advertisements on Telegram between May 2020 and May 2021:
- "270,828 profile or method advertisements for SBA, PPP and CARES fraud
- "269,381 background investigation service lookup advertisements (Phish or Insider)
- "48,271 Driver’s License Lookup advertisements (Method or Service)"
BazarLoader distributed via call centers.
Palo Alto Networks' Unit 42 says attackers are using call centers to distribute BazarLoader malware. The criminals send phishing emails informing recipients that a trial period for a subscription service is ending, and their credit card will soon be charged. The emails contain a phone number for customer support, which will connect the victim with a scammer. The scammer sends them to a website where clicking an "unsubscribe" button will download a malicious Excel document. The scammer says this document contains a confirmation code to trick the user into enabling macros and installing the malware. Unit 42 notes that this technique was first observed in February 2021, and they include a link to a video of the scam. The researchers also explain that the phone number in the emails changes frequently:
"We contacted this call center on at least five different occasions, and the operator was a different person each time. All operators were seemingly non-native English speakers. Two of the operators were female, and three were male. Each operator followed the same basic script, but there were variations."
Phorpiex botnet evolves.
Researchers at Microsoft describe the ways in which the Phorpiex botnet is expanding its functionality and targeting. The botnet previously focused on targets in Japan, but over the past few months has been observed distributing malware to targets in 160 countries, with most attacks hitting Mexico, Kazakhstan, and Uzbekistan. Microsoft says some changes in its C2 infrastructure also indicate that Phorpiex's proprietors are working to keep the botnet up-to-date:
"The Phorpiex botnet has a reputation for being simplistic and lacking robustness, and it has been hijacked by security researchers in the past. Its tactics, techniques, and procedures (TTPs) have remained largely static, with common commands, filenames, and execution patterns nearly unchanged from early 2020 to 2021. To support its expansion, however, Phorpiex has shifted some of its previous command-and-control (C2) architecture away from its traditional hosting, favoring domain generation algorithm (DGA) domains over branded and static domains.
"This evolution characterizes the role of botnets in the threat landscape and the motivation of attackers to persist and remain effective. The threat ecosystem relies on older botnets with large and diverse networks of compromised machines to deliver payloads at low costs. And while many of the older botnet architectures have been primarily classified as spam delivery mechanisms, these infrastructures are critical for newer, modular delivery mechanisms."
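Microsoft's note that Phorpiex now favors DGA domains over static, branded ones matters to defenders because branded C2 domains can be blocklisted while algorithmically generated ones change constantly. The script below is an added example, not Microsoft's detection logic or anything from its report: it scores the registrable label of each queried name in a constructed DNS log on length, character entropy and vowel ratio, and reports clients that resolve several DGA-looking names. The log format, the thresholds and the per-client hit count are all assumptions chosen for illustration, and the sample names are invented.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (invented names, not real telemetry).
# Assumed format per line: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2021-05-20T10:01:02Z 10.0.0.14 www.example.com
2021-05-20T10:01:05Z 10.0.0.14 cdn.example-static.net
2021-05-20T10:01:09Z 10.0.0.27 xk3jq9vz1tplw4.com
2021-05-20T10:01:11Z 10.0.0.27 q8zv2hjtnx7rb5.net
2021-05-20T10:01:15Z 10.0.0.31 mail.example.org
2021-05-20T10:01:20Z 10.0.0.27 zp4wqx9mkv2dht.info
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Label just left of the TLD (assumption: two-label public suffixes
    such as co.uk are not handled in this illustration)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label: str) -> dict:
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    n = len(label) or 1
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / n,
        "digit_ratio": digits / n,
    }


def looks_like_dga(label: str, min_len: int = 12, min_entropy: float = 3.3,
                   max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels. Thresholds are
    assumptions for this example, not tuned production values."""
    f = dga_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def flag_dga_queries(log_text: str, min_hits_per_client: int = 2) -> dict:
    """Return {client_ip: [names]} for clients with repeated DGA-like lookups.
    Requiring several hits per client reduces noise from one odd CDN name."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, name = m.groups()
        if looks_like_dga(registrable_label(name)):
            per_client[client].append(name)
    return {c: names for c, names in per_client.items()
            if len(names) >= min_hits_per_client}


if __name__ == "__main__":
    for client, names in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {names}")
```

The vowel-ratio check is what keeps a legitimate but longish name such as `example-static` (high entropy, but vowel-rich) out of the alert, which is the usual trade-off with entropy-only rules; in practice such a heuristic is a triage signal to pair with NXDOMAIN rates and threat-intel feeds rather than a blocking control on its own.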
Threat actors abusing legitimate services.
Proofpoint warns that threat actors continue to abuse Microsoft and Google services to host and send their phishing messages:
"Last year, 59,809,708 malicious messages from Microsoft Office 365 targeted thousands of our customers. And more than 90 million malicious messages were sent or hosted by Google, with 27% sent through Gmail, the world's most popular email platform. In Q1 2021, we observed seven million malicious messages from Microsoft Office 365 and 45 million malicious messages from Google infrastructure, which far exceed per-quarter Google-based attacks in 2020.
"The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders."
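Proofpoint's point that the trusted reputation of outlook.com and sharepoint.com "increases the difficulty of detection" has a concrete design consequence: a mail filter that skips content inspection for well-known sending domains lets lures sent through those services straight through. The code below is an added illustration, not Proofpoint's tooling or a product configuration. It runs a small set of constructed messages through two policies, one that exempts trusted sender domains from inspection and one that inspects every message; the lure-word list, the scoring weights and the threshold are assumptions chosen to make the comparison visible, and every address and URL is invented (`.test` domains).

```python
import re
from email.utils import parseaddr

# Constructed sample messages (invented senders, bodies and .test URLs).
SAMPLE_MESSAGES = [
    {"id": 1, "from": "IT Helpdesk <helpdesk-notices@outlook.com>",
     "subject": "Password expiring today",
     "body": "Your password expires in 2 hours. Verify now: "
             "https://login-verify.example-phish.test/office"},
    {"id": 2, "from": "Bob <bob@outlook.com>",
     "subject": "Lunch Thursday?",
     "body": "Are you free on Thursday?"},
    {"id": 3, "from": "Deals <promo@mailer.example.test>",
     "subject": "Verify your account",
     "body": "Your account will be suspended. Confirm: "
             "https://account-verify.example-phish.test/login"},
]

# Assumed policy inputs for this example.
TRUSTED_SENDER_DOMAINS = {"outlook.com", "sharepoint.com", "gmail.com"}
LURE_WORDS = ("verify", "password", "expires", "suspended")
QUARANTINE_THRESHOLD = 3
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address, lower-cased ('' if unparsable)."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external_host(host: str, sender_dom: str) -> bool:
    """A link host that is neither the sender's domain nor a subdomain of it."""
    host = host.lower()
    return not (host == sender_dom or host.endswith("." + sender_dom))


def content_score(msg: dict) -> int:
    """Lure-word hits (1 each) plus 2 per link pointing off the sender's domain."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    score = sum(1 for w in LURE_WORDS if w in text)
    sender_dom = sender_domain(msg["from"])
    for host in URL_HOST_RE.findall(msg["body"]):
        if is_external_host(host, sender_dom):
            score += 2
    return score


def classify(msg: dict, inspect_trusted: bool) -> str:
    """Weak policy (inspect_trusted=False) delivers mail from trusted sender
    domains without looking at it; the corrected policy inspects everything."""
    if not inspect_trusted and sender_domain(msg["from"]) in TRUSTED_SENDER_DOMAINS:
        return "deliver"
    return "quarantine" if content_score(msg) >= QUARANTINE_THRESHOLD else "deliver"


def run_policies(messages: list) -> dict:
    """Verdict per message id under both policies, for side-by-side comparison."""
    return {
        "reputation_gated": {m["id"]: classify(m, inspect_trusted=False) for m in messages},
        "inspect_all": {m["id"]: classify(m, inspect_trusted=True) for m in messages},
    }


if __name__ == "__main__":
    for policy, verdicts in run_policies(SAMPLE_MESSAGES).items():
        print(policy, verdicts)
```

Message 1 is the case the Proofpoint quote describes: it comes from an outlook.com mailbox, so the reputation-gated policy never scores it, while the inspect-everything policy quarantines it on the same signals that catch message 3 from an unknown domain. Sender reputation is still useful as one feature in the score; the mistake is using it as a gate that switches inspection off.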