At a glance.
- IcedID spreads via malvertising.
- Phishing lures use stolen bank data.
- North Korean financially motivated activity.
IcedID spreads via malvertising.
Trend Micro reports that the IcedID Trojan is being distributed via malicious Google pay-per-click (PPC) ads. The ads impersonate at least fifteen well-known brands and lead to convincingly spoofed phishing pages. The researchers outline the following infection chain:
- "A user searches for an application by entering a search term on Google. In this particular example, the user wants to download the AnyDesk application and enters the search term “AnyDesk” on the Google search bar.
- "A malicious ad for the AnyDesk application that leads to a malicious website is displayed above the organic search results.
- "IcedID actors abuse the legitimate Keitaro Traffic Direction System (TDS), to filter researcher and sandbox traffic. The victim is then redirected to a malicious website.
- "Once the user selects the “Download” button, it downloads a malicious Microsoft Software Installer (MSI) or Windows Installer file inside a ZIP file in the user’s system."
Phishing lures use stolen bank data.
Qualys has found that the commercial remote access Trojan BitRAT is being distributed via phishing attacks containing sensitive customer information stolen from a Colombian bank:
"While investigating multiple lures for BitRAT we identified that an adversary had hijacked a Colombian cooperative bank’s infrastructure. Moreover, the lures themselves contain sensitive data from the bank to make them appear legitimate. This means that the attacker has gotten access to customers’ data. While digging deeper into the infrastructure we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps. Overall, 418,777 rows of sensitive data have been leaked of customers with details such as Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, address etc. As of today, we have not found this information shared on any of our darkweb/clearweb monitored lists."
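The Qualys excerpt mentions server logs pointing to sqlmap use against the bank's infrastructure. As an added example (not Qualys's code or any tool from the report), the following Python script shows what a defender could run over web-server access logs in the common "combined" format to surface that kind of activity. It raises two alerts: requests carrying the tool's default User-Agent string, and one client sending many distinct query strings to a single path within a short window, which is what automated parameter testing looks like in the logs even when the User-Agent has been changed. The log lines, IP addresses, path name and thresholds below are constructed for the example and are not from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (the IPs are documentation ranges, the path is invented).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Jan/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:10:01:02 +0000] "GET /cuenta.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Jan/2023:10:01:03 +0000] "GET /cuenta.php?id=2 HTTP/1.1" 200 512 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"
192.0.2.44 - - [10/Jan/2023:10:05:00 +0000] "GET /cuenta.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2023:10:05:01 +0000] "GET /cuenta.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2023:10:05:02 +0000] "GET /cuenta.php?id=3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2023:10:05:03 +0000] "GET /cuenta.php?id=4 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2023:10:05:04 +0000] "GET /cuenta.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Jan/2023:10:09:00 +0000] "GET /cuenta.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_sqlmap_activity(lines, window=timedelta(seconds=60), min_distinct=5):
    """Two signals: the tool's default User-Agent, and one client sending at least
    `min_distinct` different query strings to one path inside `window`.
    The window and threshold are assumed starting values and need tuning per site."""
    alerts = set()
    by_client = defaultdict(list)  # (ip, path) -> [(timestamp, query), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            alerts.add(("sqlmap-user-agent", rec["ip"], rec["path"]))
        by_client[(rec["ip"], rec["path"])].append((rec["ts"], rec["query"]))
    for (ip, path), hits in by_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {q for ts, q in hits[i:] if ts - start <= window}
            if len(distinct) >= min_distinct:
                alerts.add(("query-fuzzing-burst", ip, path))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_sqlmap_activity(SAMPLE_LOG.splitlines()):
        print(alert)
```

On real logs, feed `find_sqlmap_activity` the lines of a rotated access log and join the alerts against your allow-list of scanners and crawlers; the burst rule is deliberately generic and will also fire on legitimate automation, so treat it as a lead to confirm against the request bodies and responses, not as proof of exploitation.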
North Korean financially motivated activity.
Researchers at Kaspersky warn that North Korea’s BlueNoroff group is using several new methods to deliver malware. The threat actor began using .iso and .vhd files to deliver their malware, which allows them to bypass Mark-of-the-Web flags:
“The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.”
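The IcedID chain above delivers a Windows Installer package inside a ZIP, and the Kaspersky excerpt describes delivery inside .iso and .vhd images so that the contents do not carry the Mark-of-the-Web flag. As an added example covering both (not code from Trend Micro, Kaspersky or any tool on this page), the Python script below triages a downloaded file the way an endpoint or mail-gateway check might: it identifies the container format from magic bytes rather than the extension, lists ZIP members that are Windows Installer packages by their OLE compound-file header, and flags .iso/.vhd images whose Zone.Identifier stream says they came from the Internet zone. The sample ZIP, image skeletons and Zone.Identifier text are constructed inline; the function names, the file names and the `example.invalid` host are assumptions.

```python
import io
import re
import zipfile

# Format signatures used for sniffing (taken from the formats' public specifications).
ZIP_MAGIC = b"PK\x03\x04"                            # ZIP local file header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE compound file; .msi packages use it
ISO_PVD_OFFSET = 0x8000                              # ISO 9660 primary volume descriptor (sector 16)
ISO_ID = b"CD001"                                    # standard identifier at PVD offset 1
VHD_COOKIE = b"conectix"                             # VHD footer cookie in the last 512 bytes
URLZONE_INTERNET = 3                                 # ZoneId browsers write for downloaded files


def parse_zone_identifier(stream_text):
    """Return ZoneId from the text of a Zone.Identifier alternate data stream, or None."""
    m = re.search(r"^ZoneId=(\d+)\s*$", stream_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def sniff_container(data):
    """Identify the on-disk format from content, ignoring the file extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if len(data) > ISO_PVD_OFFSET + 6 and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_ID:
        return "iso"
    if len(data) >= 512 and data[-512:].startswith(VHD_COOKIE):
        return "vhd"
    return "unknown"


def zip_installer_entries(data):
    """Names of ZIP members that are Windows Installer packages (by header or .msi name)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(OLE_MAGIC))
            if head == OLE_MAGIC or info.filename.lower().endswith(".msi"):
                found.append(info.filename)
    return found


def assess_download(filename, data, zone_stream=None):
    """Triage one downloaded file; returns the sniffed kind, the zone and a list of findings."""
    kind = sniff_container(data)
    zone = parse_zone_identifier(zone_stream) if zone_stream else None
    findings = []
    if kind == "zip":
        installers = zip_installer_entries(data)
        if installers:
            findings.append("installer-in-zip:" + ",".join(installers))
    if kind in ("iso", "vhd") and zone == URLZONE_INTERNET:
        # Files mounted from the image are opened without the Zone.Identifier stream,
        # which is the evasion the Kaspersky excerpt describes.
        findings.append("motw-bypass-container:" + kind)
    return {"file": filename, "kind": kind, "zone": zone, "findings": findings}


def build_samples():
    """Constructed inputs (not real malware): a ZIP holding a fake .msi, bare ISO and
    VHD skeletons, and a Zone.Identifier stream as a browser would write it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AnyDesk-setup.msi", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"not an installer")
    zip_bytes = buf.getvalue()
    iso_bytes = b"\x00" * ISO_PVD_OFFSET + b"\x01" + ISO_ID + b"\x01\x00" + b"\x00" * 2040
    vhd_bytes = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    zone_stream = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/download\r\n"
    return zip_bytes, iso_bytes, vhd_bytes, zone_stream


if __name__ == "__main__":
    zip_bytes, iso_bytes, vhd_bytes, zone_stream = build_samples()
    for name, blob in (("AnyDesk.zip", zip_bytes), ("AnyDesk.iso", iso_bytes), ("AnyDesk.vhd", vhd_bytes)):
        print(assess_download(name, blob, zone_stream))
```

On Windows the Zone.Identifier text is read from the file's alternate data stream (the `<path>:Zone.Identifier` name); the script takes it as a string so the logic can run anywhere. Sniffing by content matters here because the lure names the archive after a legitimate product, and checking the member header rather than only the `.msi` suffix also catches an installer renamed to something innocuous inside the archive.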
The threat actor also seems to be testing out other file formats for malware delivery:
“We observed a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable. It seems the actors behind BlueNoroff are expanding or experimenting with new file types to convey their malware efficiently.”
The threat actor set up multiple domains that impersonated venture capital firms, most of which were located in Japan. The impersonated firms included Beyond Next Ventures, ANOBAKA, Z Venture Capital, ABF Capital, and Angel Bridge. BlueNoroff also impersonated Bank of America.