Emotet (👹) . Now asks to update MS Word ! Tricky

Emotet comes with a new template of phishing pretends to be a Microsoft Office message urging the recipient to update their Microsoft Word to add a new feature.

Upon installing the malware, Emotet will download additional payloads on the machine, including ransomware, and use it to send spam emails.

The botnet is operated by a threat actor tracked as TA542. Recent campaigns tricked with malicious word doc’s with Covid themed info

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is a modular malware, its operators could develop new Dynamic Link Libraries to update its capabilities.

In a recent campaign ,the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.”. reported researchers

Below the messages displayed to the recipient to trick him into opening enabling the macros.

Upgrade your edition of Microsoft Word
Please click Enable Editing and then click
Enable Content.

Upon enabling the macros, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder

Users should be educated aware about the legitimate and Phishing mails. Proper defence in depth strategy to get escaped from these anomalies

Bazar Backdoor 🚪✴️

TrickBot trojan has survived the massive takedown operation! While the trojan is set to reboot its operations with a new bunch of backend infrastructure, the operators are making headway with another creation dubbed BazarLoader/BazarBackdoor.

BazarLoader is the newest preferred stealthy covert malware added to the TrickBot group toolkit arsenal. It came to the limelight in July when researchers were investigating a particular attack campaign against targets across the U.S. and Europe. BazarLoader consists of two components: a loader and a backdoor.

The malware uses legitimate file-sharing services, as well as phishing emails, as part of the infection chain. The group behind the malware takes advantage of certificate signing to evade antivirus and software products.

Key Strengths

  • BazarLoader’s strength lies in its stealthy core component and obfuscation capabilities. Such obfuscation qualities allow the crime group to maintain persistency on the host even if the third-party software gets detected by antivirus software. 
  • Moreover, the ingenious use of blockchain by BazarLoader operators displays their ability to abuse legitimate services for nefarious activities. 

Essence

Loaders are becoming an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they deploy and execute the backdoor from the C2 server and plant it on the victim’s machine.

BazarLoader demonstrates tha alarming trend. Furthermore, the abuse of legitimate services and digital signatures for obfuscation represents the widespread use of deception techniques

Operation QuickSand !

Iranian hackers contracted by the country’s Islamic Revolutionary Guard Corps targeted prominent Israeli companies in a series of ransomware attacks last month, known to be muddywater exposed by Microsoft last month

Dubbing the Iranian effort “Operation Quicksand,” the Clearsky and Profero cybersecurity firms said they “uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world.”

The firms said they identified and thwarted the attacks before any harm could be inflicted, but were now raising an alarm to the methods used, indicating that they could have been employed in earlier hacking attacks that might have gone unnoticed.

The names of the Israeli firms targeted in the ransomware attacks were not identified in the report, ostensibly for security reasons.

Researchers identified two primary attack vectors:

  • The first vector entailed sending a malicious decoy document (PDF or Excel) that communicates over OpenSSL with a malicious C2 server and downloads files, which later deploy the “PowGoop” payload.
  • The second vector involves exploiting CVE-2020-0688 and deploying the same payload via aspx file (WebShell). The attacker will create an internal socket tunneling between compromised machines in the network. The attacker used a modified SSF (Socket) for it. Then, the attacker downloads the PowGoop as well. Recently, Microsoft revealed that MuddyWater had been leveraging the ZeroLogon vulnerability as well (CVE-2020-1472)[1].

FIN 11 , Email Campaign on the go

FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
  • The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.

FIN11 & TA505 Collaboration

The researchers given a variation between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.

Attack strategy

The FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 lightson

The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

Concluding notes

The tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial