At a glance.
- Advanced point-of-sale malware.
- Mimic ransomware abuses legitimate search tool.
- TrickGate tracked.
Advanced point-of-sale malware.
Kaspersky warns that the financially motivated threat actor Prilex is using three new versions of its malware (also called "Prilex") that can disable contactless payment transactions. This forces the victim to insert or swipe their payment card, allowing the attackers to steal their data. The new versions of Prilex can also apply filters so the malware only collects data from Infinite, Black, or Corporate Platinum cards with very high credit limits. The researchers note that Prilex is "highly advanced malware adopting a unique cryptographic scheme, doing real-time patching in target software, forcing protocol downgrades, manipulating cryptograms, doing GHOST transactions and performing credit card fraud—even on cards protected with the so-called unhackable CHIP and PIN technology."
Mimic ransomware abuses legitimate search tool.
Trend Micro has discovered a new ransomware dubbed "Mimic" that abuses the legitimate Windows filename search tool called "Everything" to query filenames and extensions for encryption. Mimic has been targeting Russian- and English-speaking users since at least June 2022. The malware appears to have reused code from the leaked builder of the now-defunct Conti ransomware:
"Mimic ransomware, with its multiple bundled capabilities, seems to implement a new approach to speeding up its routine by combining multiple running threads and abusing Everything’s APIs for its encryption (minimizing resource usage, therefore resulting in more efficient execution). Furthermore, the threat actor behind Mimic seems to be resourceful and technically adept, using a leaked ransomware builder to capitalize on its various features, and even improve on it for more effective attacks."
TrickGate tracked.
Check Point describes the history of TrickGate, a malware packer first observed in 2016. TrickGate has been used to distribute many strains of popular malware, including Trickbot, Maze, Emotet, REvil, Cobalt Strike, Formbook, and AgentTesla. The packer's purpose is to help malware payloads avoid detection by antivirus software.
Check Point has observed up to 650 attacks per week using TrickGate over the past two years. The researchers state, "According to our telemetry, the threat actors who use TrickGate primarily target the manufacturing sector, but also attack education facilities, healthcare, finance and business enterprises. The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. The most popular malware family used in the last 2 months is Formbook with 42% of the total tracked distribution."
The researchers observed most of these attacks being launched via phishing emails with malicious attachments or links. Roger Grimes, data-driven defense evangelist at KnowBe4, commented:
"Seventy to ninety percent of all hacking involves social engineering. Whatever organizations and individuals can do to prevent themselves from being socially engineered into revealing passwords or running trojan horse programs, they need to do. Every organization needs to implement their best defense-in-depth social engineering protection using a combination of policies, technical defenses, and education."