At a glance.
- Emotet's return.
- LodaRAT improvements.
- Callback phishing leads to data theft extortion.
Proofpoint is tracking the return of Emotet earlier this month, warning that the malware's distributor has been sending out hundreds of thousands of phishing emails per day. The threat actor, which Proofpoint tracks as TA542, had been quiet since mid-July, but resurfaced on November 2nd. Notably, Emotet is being widely used to deliver the IcedID Trojan:
"The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet. Emotet dropping IcedID marks Emotet as being in full functionality again, by acting as a delivery network for other malware families. Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that’s not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot. TA542’s return coinciding with the delivery of IcedID is concerning. IcedID has previously been observed as a follow-on payload to Emotet infections. In many cases, these infections can lead to ransomware."
Cisco Talos has published an analysis of LodaRAT, a remote access tool written in the AutoIt scripting language. Users of the malware have been modifying its source code to make it more efficient:
"Over the course of LodaRAT’s lifetime, the implant has gone through numerous changes and continues to evolve. While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware. As it grows in popularity, it is reasonable to expect additional alterations in future. The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities.
"Depending on the skill of the threat actors attempting LodaRAT customization, we are likely to see more complex and advanced variants in the wild. In conjunction with the appearance of new variants, it is expected that LodaRAT will continue to be dropped alongside other malware families. Being readily available and easy to customize, it has become an attractive tool for some attackers."
Callback phishing leads to data theft extortion.
Palo Alto Networks’ Unit 42 is tracking a large callback phishing campaign dubbed “Luna Moth” that’s using legitimate tools to exfiltrate data for extortion.
Callback phishing requires the victim to get in contact with the attacker. The attacker then uses social engineering to trick the victim into granting access to a system or transferring money:
“The initial lure of this campaign is a phishing email to a corporate email address with an attached invoice indicating the recipient’s credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they are for relatively small amounts. However, if people targeted by these types of attacks reported these invoices to their organization’s purchasing department, the organization might be better able to spot the attack, particularly if a number of individuals report similar messages.
“The phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms.”
The PDF file has a phone number that will connect the victim to the scammer. The scammer then instructs the victim to download a remote support tool so the scammer can manage the victim’s computer, supposedly to cancel the phony subscription. After exfiltrating data, the attackers email the compromised organization and demand a ransom. The ransom amounts vary depending on the organization’s revenue, and range from around $30,000 to over $1 million worth of Bitcoin. Unit 42 notes that the attackers don’t always follow through on their promise to provide proof that the stolen data have been deleted.