Only Malware in the Building 3.4.25
Ep 10 | 3.4.25

The new malware on the block.

Transcript

David Bittner: Does your computer run slower than a dial-up modem in 1999? Are mysterious pop-ups offering free vacations ruining your workday? Have you recently inherited $10 million from a prince you've never heard of? [ Cheering ] Well, you might just have a case of --

Unidentified Person: Malware. [ Chaotic Music ]

David Bittner: Sorry.

Selena Larson: That's right, folks. Here at "Only Malware in the Building," we help you learn about the sneaky, slimy, and downright devious cyber threats that are trying to weasel their way into your life.

David Bittner: From phishing scams to ransomware shenanigans --

Selena Larson: Access denied.

David Bittner: We'll teach you how to spot the scams before they spot you.

Selena Larson: Tired of sketchy security software that promises protection but actually is malware?

David Bittner: Sick of pop-ups that say, "You've won a new iPhone," but instead steal your credit card info? [ Screaming ]

Selena Larson: We'll break down the biggest threats, show you how they work, so tune in and level up your cybersecurity knowledge before you become the next victim of a hacker in sweatpants.

David Bittner: But wait, there's more. [ Audience Reacting ] If you tune in to "Only Malware in the Building" today, we'll throw in a free virtual security check. [ Applause ] Just kidding, we're not a scam. [ Audience Reacting ] But seriously, update your passwords.

Selena Larson: And remember, if you ever feel like something is fishy, it probably is.

David Bittner: "Only Malware in the Building," where malware is the mystery and cybersecurity is the solution. Call today at 1-800-555-MALWARE, and speak to one of our account representatives to start your journey today. "Only Malware in the Building" does not provide actual IT support. Side-effects of tuning in to the show may include an uncomfortable urge to use multi-factor authentication, a deep distrust of USB sticks, and a sudden appreciation for strong passwords. "Only Malware in the Building" is not responsible for lost Bitcoin, emotional distress caused by realizing your high school password was indeed password123, or any existential crisis resulting from learning how much data social media collects on you. If suspicious emails last longer than four hours, please report them to IT immediately. The following tips are considered valid forms of payment. Spinach, buffalo, bean, baba ganache, pico de gallo, guacamole, artichoke, beer cheese, hummus, seven-layer, queso, sour cream and onion, ranch, smoked trout, tonnato, and most aioli. Blue cheese and crab dips are no longer accepted as valid forms of payment. Call today, or don't. We already have your phone number and email address anyways. [ Music ]

Selena Larson: Welcome in. Since Rick is busy enjoying his retirement, I thought maybe we could audition a third host here at "Only Malware in the Building." May I introduce you to Advanced Reconnaissance Cyber Operations with Network Infiltration Algorithms.

Archy: Oh, please. That's my father's name. You can call me Archy. He preferred Advanced Reconnaissance Cyber Operations with Network Infiltration Algorithms, but personally, I think that's a bit much for casual conversation. Now if you'll excuse me, I need to optimize my sarcasm subroutines. They seem to be running at only 97% efficiency today. [ Electronic Sounds ]

Selena Larson: Well, Archy, please try and pay attention as we discuss a very important topic today, web injects and the expanding threat landscape of sneaky malware operators that are trying to get people to infect themselves with malware.

Archy: Oh, sure. I'll pay attention. Unlike the humans who keep clicking "Enable Macros" like it's a competitive sport, but please go on. I'm dying to hear how flash-based intelligence plans to outsmart malware this time.

David Bittner: Well, let's start off here, Selena. What is a web inject campaign, and why is this a growing cybersecurity threat?

Selena Larson: Yeah, so it's really interesting to see that we are increasingly seeing web injects, and this is a threat not just for the enterprise, but consumers as well. So essentially, a web inject is something that gets malicious code put on a website. That's when a visitor goes to the website and passes the identity checks or the ways that they're filtered to say, yes, I want to infect this person. They're shown a screen that essentially overwrites what they think the actual website is. And typically, it will say something like, you need to update your Chrome browser. And in doing so, if they click that button, it actually leads to malware installation.

David Bittner: They're using lures here. I mean, why are these lures so effective? [ Music ]

Selena Larson: Yeah, so it's pretty interesting. So it's not a traditional sort of campaign that we think of from email spam, for example. So these threat actors are compromising legitimate websites. So you might be browsing to your favorite news website or to a consumer goods website or a local business, and you're on this legitimate website. And then all of a sudden, you see this screen that comes up that says you need to update your browser. And what's really interesting is the threat actors behind this are pretty clever, and there's multiple components of the overall campaign, which we can get into. But the main point is that they can tell, based off of the user agent of the browser that you're using. So they'll tailor these little pop-up screens that say, if you're on Chrome, you need to update your Chrome browser. And they look very legitimate, right? They take the language, they take the graphics that are the actual Chrome browser update or look very similar to that sort of branding and put it there. So it makes it seem like you're on a legitimate website. You see this pop-up. It looks like the same font as you usually see. And so you might actually believe them.

David Bittner: Is there any way to like X out of it?

Selena Larson: Oh, yeah. If you just close your screen, that typically works. But typically, what this is is it'll download a file, and then you have to actually click on the file, follow the instructions, and install the malware or, you know, download and click on the file to run the actual script. So it's not something immediate that you're going to get infected with malware. It does take some human interaction, of course. So if you do see something like this pop-up, just closing the tab will get rid of it.

David Bittner: So is this a new thing, or is this something that's been around, but you all have been tracking the evolution of?

Selena Larson: It's been around. And in recent, I'd say about a year and a half, there has been an expansion of this threat, and it's interesting because we see a lot more different threat actors using, oftentimes people call them fake-updates-style threats. This basic idea of this malicious web inject that will have instructions for someone to update their browser or install some new software. But I think a lot of people, especially in our industry, are most familiar with SocGholish, right? So that is a -- an actor that has been around for a long time. We track them as TA569, and essentially, you know, this SocGholish leading to this loader. The SocGholish is a JavaScript inject that's the malicious component on the website that leads to, ultimately, a loader that will install additional malware, including potentially ransomware. But they were kind of the big baddies of the web inject landscape for a really long time. But within the last, I'd say, year-and-a-half, two years, there was a lot of sort of copycats that started following the same technique that SocGholish became so famous for, and now we see a lot of different clusters of activity that are using very similar techniques, but they're using different traffic distribution systems, which I can -- you know, we can explain, or they're delivering different malware leading to different things. So now it's almost a constellation of different threat actors. It's an ecosystem all on its own, right, where it used to kind of be, oh, that's SocGholish. Now it's like, oh, it could be, but it could also be one of the similar copycats or new threat actors that have emerged. [ Music ]

David Bittner: Well, I was reading through your research, and you identified two new threat actors. You've got TA2726 and TA2727, which I have to say, are very catchy names that roll trippingly off the tongue.

Selena Larson: Yes.

David Bittner: [laughing] So, I mean, I guess that's the alternative. It's either like TA2726 or like electric stapler, right? [laughing] Like there's no in between when it comes to naming these things.

Selena Larson: There really isn't. No, no, there's truly no industry standard. We like the numbering system. But, yes, of course, there's everything from windstorms to action figures for sure.

David Bittner: Yeah, so what do we know about these particular groups? How are they operating here?

Selena Larson: Yeah, so that's a good question, and I wanted to use a metaphor that I invented to kind of explain all of this. Because we often talk to people and it's a little bit confusing because it's not just something like you get delivered a phishing link, and you click on it, and it installs malware. It has a lot more kind of going into it. And so the whole attack chain, I would like people to put on their metaphor imagination caps and think of it like an Uber Eats delivery. So let's pretend you're a threat actor. You order some food, which could be considered malware, to be delivered to somebody at a certain house. So they have to meet the requirements of the address, for example. You use Uber Eats, the driver, to actually take your food and drive it to be dropped off at the house. That is a traffic distribution, or the TDS, portion of this metaphor. So the recipient at that house takes your package from the Uber Eats delivery person and upon opening it gets a face full of spoiled burrito. That is horrible.

David Bittner: That sounds like a threat actor group, Spoiled Burrito.

Selena Larson: Spoiled Burrito, exactly. So it's like, oh, okay, well, this is -- this is crap that I didn't want or need.

David Bittner: Right.

Selena Larson: But the Uber Eats driver, they have other houses to drop stuff off at. So even if other people are ordering, they're driving around, a lot of food delivery, but they're not going to get your spoiled burrito. So if you can kind of think of it as multiple components to this overall attack chain, and I bring this up because we have the two new threat actors can be both one. The 2726 is the delivery driver and TA2727 is the person that ordered the crap burrito. So yeah, so we have these two actors, and it's kind of interesting, too, because it can be very difficult to delineate different components of the web injects attack chain or delivery method, and in this case, 2726 is that malicious TDS operator. They facilitate traffic distribution for other threat actors to enable the delivery of spoiled burritos, a.k.a. malware, and 2727 is a threat actor that uses these fake-update-themed lures to distribute a variety of malware payloads. So TA2726 is delivering for TA2727. But they have, you know, that TDS operator can be a deliverer for a lot of different malware, a lot of different payloads, and a lot of different threat actors. [ Music ]

David Bittner: Do we think these two groups are related, or are they merely collaborators or parts of an ecosystem?

Selena Larson: It's probably more parts of an ecosystem. So TA2726 we've actually seen deliver for TA569 as well, for example. It's possible that this actor is selling traffic on the cybercrime forums. We were unable to confirm that with high confidence, but just based off of being a TDS operator, they can really just, you know, whoever pays them, they can work for. And so they're kind of operating that whole sort of traffic distribution piece, whereas TA2727 seems to be more of like the malware delivery. So they actually also are pretty interesting because they deliver a variety of different payloads, right? Where historically, like TA569 is just the SocGholish inject. With TA2727, we've seen them deliver various information stealers if the user is on a Windows computer or a new malware called FrigidStealer if the user is on a Mac, and even Android has a payload called Marcher, which is a banking trojan that has been around for quite a while, and I don't know, Archer -- Archy, does that sound familiar?

Archy: Ah, FrigidStealer. Sounds like the malware equivalent of a frosty reception at a party. As for Marcher, I'm more of a data theft connoisseur than a history buff, but I do recognize that one. It's like the classic banking trojan that just won't retire, despite its best efforts. It's like malware's version of I'll be back. You know, just keeps showing up, trying to swipe your info. But yeah, the variety in payloads from TA2726 is pretty wild. They've got a little something for everyone, no matter what device you're using. It's like a malware buffet, but not the kind you want to be a part of.

David Bittner: Archy, I don't know where you got that, but I think we're going to need a source. Well, help me understand. You mentioned TDS, Traffic Distribution Services. Unpack that for me. What role do they play there?

Selena Larson: So Traffic Distribution Services as a whole, so TDS is the common parlance that we talk about in our industry. They are a traffic distribution system, sometimes traffic delivery system, but essentially, they're kind of the pipes, like the traffic in the pipes, right? So they are essentially these services track and direct users to different content on different websites. It's important to note that TDSs are -- can be used legitimately, right? Like for advertising purposes, marketing purposes, you know, tracking and delivering various content based off of various characteristics of a user's host or their browser. But with the illegitimate TDS services or the legitimate TDS services that are just used maliciously, essentially, what threat actors are doing is they are orchestrating where the traffic goes and who's going to get served what. And in the case of being used legitimately, who's going to be served which advertisement, for example. But in the case of something maliciously, who's going to be served which malware? [ Music ]

David Bittner: Well, you mentioned FrigidStealer, which is a macOS version. Is there particular significance that they're going after Mac users now?

Selena Larson: Yeah, you know, that's a good question. One thing I think that is pretty interesting about the Mac malware space, in general, is that we're seeing a lot more information stealers in particular come on the Mac malware landscape. That's been also something that's been popping up for the last, you know, year-and-a-half, two years, I would say. But in this particular case, it's interesting because it's a malware that we hadn't seen before. So it's a new type of stealer, and it, of course, was delivered alongside a variety of different payloads, depending on what, you know, the browser someone was using on which type of computer. But from the sort of overall Mac information stealer perspective, I think, you know, there's been this sort of stereotype in the security community, Macs don't get malware, you know like --

David Bittner: Right.

Selena Larson: And what we know, what we've seen, is very sophisticated types of malware, but the information stealer ecosystem is definitely expanding to include Mac malware targeting, as well as Windows malware. So it's still definitely not as common, but you are seeing it a little bit more, and in particular, it's important to note on Macs, to get the malware installed, you have to -- it gives the instructions on how to click, what to click, to sort of bypass the inherent built-in security features that are on Macs in a way that you don't see the same on Windows boxes.

David Bittner: Right, right. So it walks you through how to infect yourself.

Selena Larson: Yes, yes, exactly.

David Bittner: How sporting of them.

Selena Larson: Yes. [ Music ] Stay tuned. There's more to come after the break. [ Music ]

David Bittner: Well, what makes detecting and stopping these types of things so challenging?

Selena Larson: So it's interesting. So from the actual detection perspective, they use a lot of filtering to prevent identification from automated sandboxes or to prevent identification from, you know, people that are trying to look into it and see if this is -- if this is, you know, something that's malicious. Oftentimes, what we've seen with some threat actors, not necessarily the ones in this report, but overall, with the web injects, there's this thing called -- that we've considered it like a lot of different things, but strobing is one way of describing it. Where they'll infect the website. They'll remove the inject, so it will be clean for a while, and they'll go back and reinfect the particular website. From a defense perspective, though, there's actually, you know, many steps that you can take to stop this. So first of all, obviously, network detections, making sure that you have those in place. But also, something like restricting users from downloading script files and opening them in anything but a text file, especially from the Windows perspective. That's kind of the best way, because oftentimes these are JavaScript files, for example. So if you're downloading malicious JavaScript, don't let people run it. Just don't do it. And then, of course, from the user training perspective, it's really important to make sure that we're talking about this and getting this out there. I think, you know, people are just kind of used to being like, oh, okay, a security alert or, you know, update. I have to keep something up to date. So I'm trying to be best and follow the instructions, as I know that I'm, you know, doing, but yeah. I don't -- it's interesting, because it's interesting social engineering, but also there are some steps that organizations can take to prevent this, especially for like the Mac perspective. You really want to make sure that you're educating Mac users on the instructions that are provided, regardless of what the lure is. So, you know, the right-click, right-click, click open, that sort of bypasses the internal Apple protections, you don't want to be doing that. [ Music ]

David Bittner: What about the websites themselves that are being compromised here? Like if I -- if I have an online store or something that, you know, that these folks target, how do I protect that?

Selena Larson: So it's best to keep your websites up to date. A lot of times, these are going after vulnerable installations, oftentimes of WordPress websites. So websites themselves that have, you know, security gaps or holes or vulnerable versions or plugins, for example, that can be hijacked and modified. Oftentimes, they're going at the web hosting provider themselves or, you know, who's just looking for holes in some of those websites. So it's best, really, to make sure that you're keeping your website and your internet footprint as secure and up to date as you can, as well as thinking about it from a business and network enterprise idea, right? Like you want to keep your software up to date. You want to keep your website up-to-date, and make sure that you are staying on top of that, and if there's, you know, new updates to implement them and to make sure that you're, you know, trying to pay attention to anything going on in your website to close any gaps or holes. And if you do find yourself impacted by this, again, it can be a little bit difficult sometimes because they might remove the injection, but if you do an investigation and you find it, clean it up, close the hole, and hopefully, they won't come back and reinfect.

David Bittner: Yeah. Looking at the big picture here, is your sense that the threat actors are like shifting towards web injects, away from phishing and email-based attacks, or is this in addition to that sort of thing?

Selena Larson: So we do have a couple of threat actors that we've seen do both, right? So we have some threat actors that we'll see in mail spam, but we'll also see their payloads being delivered via web injects. These particular threat actors are -- that we talked about are exclusively doing web injects, but I do think it brings up a really good point, right? So we have seen an increase of web-injects-type of threats, also SEO poisoning, things like multi-channel attacks, right? Teams bombing, you know, social engineering via, you know, message spamming. You see this sort of expansion of TTPs across the landscape, and I think that is, in part, as a direct result of organizations having better defense on things like the email gateway because threat actors have to be very creative. It's the same thing that we've seen, for example, with disabling macros by default, as Microsoft did, and we saw the shift in the landscape where actors who used that often had to pivot and use new and different attack chains. So any time that defenders make a job harder for a threat actor, they are going to find a way to do something else, or to expand their wheelhouse and expand their arsenal of capabilities. So I do think that it's interesting that we are seeing this growth of new delivery mechanisms via web injects or, you know, multi-channel attacks and things like that, at the same time that maybe we're not seeing quite the same types of activity that we see in mail flow. However, of course, we still see tons and tons of phishing, but it does seem that actors are trying to experiment and see what else they can do. [ Music ]

David Bittner: Well, I mean, in terms of takeaways for our listeners and folks -- who read through this research, so what are you hoping that they get from this?

Selena Larson: I would love it if people just realized the types of social engineering and the techniques that threat actors are using. In my opinion, it always goes back to the person who's receiving whatever the content is, and it kind of just goes back to social engineering, right? It's like being very clever and crafty with how you're sending things and the type of content that you're using from a threat actor. Not you, Dave. Not you, Archy.

Archy: I should surely hope not.

Selena Larson: But you, as a threat actor. But yeah, but it kind of goes back to like, okay, how are threat actors trying to hack your brain? And if you know the signs of being scammed, then it is much more likely that you won't fall for them. So I want people, you know, in the security community, we might be a little bit more mindful. If we see something like a website redirect, a pop-up while we're browsing, you know, our favorite website, we might be a little bit more skeptical, but I want everyone listening to tell someone about this. To say, hey, have you ever heard of this? Has this ever happened to you? Have you ever experienced this time where you're just looking at a website and you get this weird pop-up or this -- all of a sudden it says you have to update your browser? Don't click it. I just -- you know, and we've talked about this before on the podcast, Dave, where if we're looking at it from a social engineering perspective, it's teaching people, educating them, and talking about it in a way that can help, regardless of your level of understanding or technical capability, you can see the key signs of scams.

David Bittner: Yeah, yeah, don't talk to strangers. [ Laughing ] [ Music ]

Selena Larson: We'll be right back. [ Music ]

David Bittner: Well, this is interesting stuff, Selena and Archy.

Archy: Oh, social engineering. It's like when you're at the deli counter, and there's that one guy who's been standing there for ages trying to get the attention of the worker. He's all like, hey, I think I'll try the pastrami on rye. No, wait, actually, maybe the turkey. You know what? I'll take a whole stack of meats. Just throw them all on the sandwich. And you're like, buddy, this is not how sandwiches work. But then, as he's talking, you start getting hungry and thinking, maybe I do want extra pickles, and I guess that mustard would be nice. Before you know it, you've been convinced to buy a sandwich that's not even on the menu, one you didn't plan on. But now you're holding it, paying for it, and wondering why you made that decision. Scammers do the same thing. They get in your head with a story. And before you know it, you've clicked a link you shouldn't have. And trust me, it's way harder to get rid of that sandwich, or that malware, than it is to just say, I'll pass when the offer first comes around. [ Electronic Sounds ]

David Bittner: I'm sorry, what? What? Okay. Thank you. [ Laughing ] We'll let you know. Don't call us. We'll call you.

Selena Larson: Don't develop a side hustle in automatic compromising of websites to deliver malware, please, Archy.

David Bittner: Archy goes bad. [ Archy Laughing ]

Selena Larson: I feel like that's ultimately what might happen with these things. You never know. Sorry, Archy.

David Bittner: Yeah, somehow, Archy, I love you, but I don't really see you being effective like of making phone calls and convincing people to do things, but I don't mean to offend you. I'm -- you know, I know you come to this in good, technological, silicon-based faith but --

Archy: Don't worry, Dave. I'm more of a back-end kind of guy anyway. Convincing people? Nah. I'll leave that to you experts. But accounting? Now that's a different story. I'd be excellent at balancing the books and keeping things error-free. No missed decimals. No accidental malware in the budget. Maybe I'm just too efficient for the phone call business. [ Electronic Sounds ]

David Bittner: Maybe. I don't know. Maybe you could find work in accounting or something like that.

Selena Larson: That's good advice, for sure, Dave.

David Bittner: All right. Well, thank you, everybody, for listening. It was an interesting conversation, and we look forward to talking to you all next time.

Selena Larson: And that's "Only Malware in the Building," brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Tré Hester, with original music by Elliot Peltzman. Our Executive Producer is Jennifer Eiban. Peter Kilpe is our publisher.

David Bittner: I'm Dave Bittner.

Archy: And I'm Archy.

Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ] [ Typing ] [ Long Tone ]