At a glance.
- Ransomware attackers are increasingly using virtual machines.
- ReverseRat targets Indian power companies.
- Spearphishing campaign targets the aviation industry.
- JSSLoader gets an upgrade.
Ransomware attackers are increasingly using virtual machines.
Symantec says more ransomware attackers are using virtual machines to evade detection while running their malware. The researchers describe a recent attempted ransomware attack in which the threat actors installed a VirtualBox machine containing ransomware that could encrypt files on the host computer via shared folders. The researchers note, "The ransomware payload itself is often the stage of the attack most likely to raise red flags and, by hiding it in a virtual machine, there is an expectation that it may not be discovered."
Symantec also notes that the attackers in this case used both Conti and Mount Locker ransomware, leading the researchers to suspect that the threat actor was an affiliate of both strains. The researchers say the attackers "may have attempted to run a payload (either Conti or Mount Locker) on a virtual machine and, when that didn’t work, opted to run Mount Locker on the host computer instead."
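As an added illustration of how a defender might triage the technique Symantec describes (a VirtualBox guest encrypting the host through a shared folder), the following Python is example code written for this digest, not Symantec's own tooling. It scans constructed endpoint process-creation events for `VBoxManage sharedfolder add` commands whose `--hostpath` exposes an entire volume and for headless VM starts on the same host; the event schema and the sample events are assumptions, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-42", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": 'VBoxManage.exe sharedfolder add "build" --name hostdrive --hostpath "C:\\" --automount'},
    {"host": "ws-42", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm build"},
    # Legitimate-looking developer use: a narrowly scoped share, GUI VM.
    {"host": "dev-07", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": 'VBoxManage.exe sharedfolder add "ubuntu" --name src --hostpath "C:\\Users\\dev\\src"'},
    {"host": "ws-42", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SHAREDFOLDER_ADD = re.compile(r"\bsharedfolder\s+add\b", re.I)
# --hostpath pointing at a bare drive root such as C:\ (whole volume visible to the guest).
WHOLE_VOLUME = re.compile(r'--hostpath\s+"?([A-Za-z]:\\)"?(?=\s|$)', re.I)
HEADLESS = re.compile(r"VBoxHeadless|--type\s+headless", re.I)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a single process-creation event."""
    findings: List[str] = []
    cmd = ev["cmdline"]
    if SHAREDFOLDER_ADD.search(cmd):
        m = WHOLE_VOLUME.search(cmd)
        if m:
            findings.append(f"shared folder exposes whole volume {m.group(1)}")
        else:
            findings.append("shared folder added (review scope)")
    if HEADLESS.search(cmd) or HEADLESS.search(ev["image"]):
        findings.append("VM started headless")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group findings per host; whole-volume share plus headless VM on one host is rated high."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        for f in score_event(ev):
            per_host.setdefault(ev["host"], []).append(f)
    result: Dict[str, Dict[str, object]] = {}
    for host, fs in per_host.items():
        whole = any("whole volume" in f for f in fs)
        headless = any("headless" in f for f in fs)
        severity = "high" if whole and headless else "medium"
        result[host] = {"severity": severity, "findings": fs}
    return result


if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, r["severity"], "; ".join(r["findings"]))
```

The narrowly scoped developer share on dev-07 is only rated medium, which is the point: the signal is a guest that can see the whole host volume, not VirtualBox itself.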
ReverseRat targets Indian power companies.
Researchers at Lumen's Black Lotus Labs have observed a malware campaign targeting power generation and transmission organizations, primarily located in India. The malware, dubbed "ReverseRat," is stealthy and evasive, and is delivered via phishing emails. The researchers stress that while the campaign targeted power companies, there's no evidence yet that the attackers were seeking to access or disrupt operational technology (OT).
"Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan. The potentially compromised victims aligned with the government and power utility verticals. One point we would like to emphasize is that the agents we discovered were designed for Windows-based machines traditionally found on the IT network; thus far we have not been able to associate any malware samples with this activity cluster that were specifically designed to target systems associated with OT systems."
Spearphishing campaign targets the aviation industry.
Fortinet describes a spearphishing campaign that's targeting the aviation industry with malicious download links that deliver AsyncRAT:
"The phishing emails observed in this campaign were sent to multiple aviation companies. They all appear to be coming from the federal aviation authority using a spoofed sender address that matches with a “foreign operators affairs” email address for enquiries/approvals. The email goes through the extra step of having a signature and a logo to impersonate a federal authority. Also, the content is carefully crafted to create a sense of urgency by making it look like a Reporting of Safety Incident (ROSI) from Air Traffic Control. In addition, the email contains malicious Google Drive links disguised as a pdf attachment. Most of the emails in this campaign contain the strings ROSI, AOP, Incident Report, as well as the attachment name 'ROSI-AOP Incident Report Details, <date>'.pdf."
The researchers note that all of these emails were sent from an IP address that was previously used in a campaign spotted by Morphisec in April and May of 2021. That campaign, which used the Snip3 Crypter-as-a-service, also targeted aviation companies.
JSSLoader gets an upgrade.
Proofpoint warns that a new version of the JSSLoader downloader is being used in phishing campaigns targeting a broad variety of industries:
"In June 2021, Proofpoint researchers observed a new variant of the downloader JSSLoader in several campaigns impacting a variety of organizations. This version of the malware loader was rewritten from .NET to the C++ programming language. This change, while not unheard of, is not a common occurrence and could be an effort by the threat actors utilizing JSSLoader to evade current detections. JSSLoader is often dropped in the first or second stage of a campaign and has the functionality to profile infected machines and load additional payloads.
"The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019. According to our data, the recent campaigns have attempted to target as many as several hundred organizations at a time across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education, and transportation."
The researchers note that JSSLoader is primarily used by a threat actor tracked by Proofpoint as "TA543," and the phishing lures "typically focus on invoices and delivery information of packages."