At a glance.
- Trigona ransomware.
- FakeCalls mobile malware targets South Korea.
- BlackSnake in the RaaS criminal market.
- Novel phishing tactics.
- Ransomware and extortion trends.
Palo Alto Networks' Unit 42 describes Trigona, a strain of ransomware that was first spotted in late October 2022. The ransomware's operators compromised at least fifteen entities during December, with the victims spanning the "manufacturing, finance, construction, agriculture, marketing and high technology industries." The victims were located in the United States, Italy, France, Germany, Australia, and New Zealand. The attackers have set up a data leak site, although it appears they've only used it to name one of their victims. The researchers believe the threat actor is still testing out this capability.
The researchers observed overlaps with the CryLock ransomware operators, which they say "[suggests] that ransomware threat actors that once deployed CryLock ransomware might have moved on to deploying Trigona ransomware." The ransomware also employs an "uncommon technique of using password-protected executables to obfuscate malware."
FakeCalls mobile malware targets South Korea.
Check Point is tracking an Android Trojan called "FakeCalls," which "can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees." The malware masquerades as the mobile app of a real South Korean banking institution, and tricks the victim into thinking they can apply for a loan with a lower interest rate. The victim is convinced to call a phone number within the app in order to apply:
"At the point where conversation actually happens, the phone number belonging to the malware operators, unknown to the victim, is replaced by a real bank number. Therefore, the victim is under the impression that the conversation is made with a real bank and its real employee. Once the trust is established, the victim is tricked into “confirming” the credit card details in the hope of qualifying for the (fake) loan."
BlackSnake in the RaaS criminal market.
Netskope has published a report on the BlackSnake ransomware-as-a-service (RaaS) operation, which first surfaced in August 2022. A new version of the ransomware was observed on February 28th, containing a clipper module designed to steal cryptocurrency information. The malware appears to be targeting home users rather than corporations, since it asks for ransom amounts as low as $20. As a result, the researchers suspect “that BlackSnake is perhaps still under development or that they don’t have affiliates at this point.”
Novel phishing tactics.
Barracuda has published a report looking at three novel phishing tactics being leveraged by cybercriminals. Attackers are using Google Translate links, image attachments, and special characters to evade detection.
The researchers found that during January 2023 13% of organizations received phishing attacks that abused Google Translate:
“Attackers use the Google Website Translate feature to send Google-hosted URLs embedded in emails that ultimately lead to phishing websites....In this type of attack, the attacker relies on a translation service to deceive the victim and hide the actual malicious URL. Google Translate is the most widely used service, but our security analysts have also seen similar attacks hosted behind other popular search engines as well.”
Additionally, 11% of organizations received phishing emails that simply contained an image attachment, with no text in the actual email. Most of these images displayed an invoice with a URL or phone number for the user to contact manually.
And finally, 15% of organizations in January received phishing emails that utilized special characters to evade detection, including “zero-width Unicode code points, punctuation, non-Latin script, or spaces.”
Ransomware and extortion trends.
Palo Alto Networks’ Unit 42 has published its 2023 Ransomware Threat Report, finding that threat actors have significantly escalated their extortion tactics. By late 2022, threat actors were conducting data theft in 70% of ransomware attacks, compared to 40% in 2021. Additionally, the use of harassment as an extortion tactic rose from less than 1% in 2021 to 20% in 2022:
“Threat actors call and leave voicemails for corporate executive leaders and other employees, send emails to personnel, or disclose victims’ identities on a leak site or social media. The purpose of these activities is to make it uncomfortable for an organization to avoid responding to the threat actors and their demands.”
Manufacturing organizations, particularly in the US, were the most frequent targets for extortion attacks last year:
“Based on our analysis of dark web leak sites, manufacturing was the most targeted industry in 2022, with 447 compromised organizations publicly exposed on leak sites. Unit 42 believes this is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime. Organizations based in the United States were most severely affected, according to leak site data, accounting for 42% of the observed leaks in 2022.”