NetWire RAT bypassing AMSI scanning for PowerShell script by patching bytes in memory

Overview:

A highly obfuscated VBScript file, packed inside an archive, is delivered to the victim’s machine as an email attachment named “Carta de pago.vbs” (“Carta de pago” means “Payment letter” in English). The VBScript runs a PowerShell script, which in turn fetches and executes a second-layer PowerShell script hosted remotely. The second-layer script loads and executes the NetWire Portable Executable (PE) file together with an AMSI-bypassing module and a Rzy Protector module.

The SonicWall RTDMI™ engine detected the malware file on the same day it was created and distributed. This conclusion is based on the hard-coded host ID “19 MARCH” found in the NetWire binary, shown below together with a snippet of the Capture ATP report:

VBScript:

The VBScript pretends to be a component of an anti-virus (AV) product by using many AV-related strings as function names. The AV-themed function names and their actual functionality are listed below:

  • KasperskyInternetSecurity -> Reverse String
  • ZoneAlarmAntivirus -> Hexadecimal to String
  • ESETNOD32Antivirus -> Decimal to Hexadecimal
  • AVGAntiVirus -> Executes the PowerShell script

The VBScript contains code to distinguish 32-bit from 64-bit system architectures, but the execution path is the same either way. The malware calls the function AVGAntiVirus, which executes winlogon.exe multiple times and calls the function Fly. Fly is responsible for spawning a process for the given argument:

The VBScript uses the Fly function to execute a PowerShell script. That PowerShell script reads content from the Uniform Resource Locator (URL) “http://www.m9c.net/uploads/15846070821.jpghttp://www.m9c.net/uploads/15846070821.jpg”, which is invalid because the malware author pasted the URL twice. After correcting the URL to “http://www.m9c.net/uploads/15846070821.jpg”, the malware is able to read the malicious content, which is turned into the second-layer PowerShell script by removing every “-” and is then executed:

The VBScript adds a registry entry under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” so that it runs at system start, and copies itself to “C:\Users\[Redacted]\AppData\Local\Microsoft\Carta de pago.vbs”:

Second Layer PowerShell Script:

The PowerShell script has a function “UNpaC0k1rrrr147555” that performs gzip decompression to obtain the Portable Executable (PE) component files of the malware. The component PE files are the AMSI-bypassing module and the Rzy Protector module:

AMSI Bypassing Module:

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows applications and services to integrate with any anti-malware product present on a machine. AMSI is integrated into PowerShell, which loads amsi.dll into every PowerShell process.

The PowerShell script replaces “@$” with “0x” in the $blindB byte array, then decompresses and loads the resulting AMSI-bypassing Dynamic Link Library (DLL).

The AMSI-bypassing module checks whether the loaded amsi.dll is 32-bit or 64-bit using the API System.Int32(). If the call returns “4”, the loaded amsi.dll is treated as 32-bit; otherwise it is treated as 64-bit:

The malware retrieves the address of AmsiScanBuffer from amsi.dll and overwrites the function’s initial bytes so that it sets the error code ERROR_INVALID_PARAMETER and immediately executes a “ret” instruction, returning before any buffer is scanned:

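To show how a defender can spot the kind of in-memory patch described above, here is an added Python example (not part of the SonicWall write-up and not code from the malware): it compares the prologue bytes of an exported scanning function as loaded in a process against the same bytes from the on-disk image, and treats an early “ret” as the signature of a stub that returns without scanning. The export names and all byte strings are constructed for the example; reading the live bytes from the process and from the mapped file is left to the caller.

```python
"""Added example (not from the SonicWall write-up): flag an in-memory patch
of an exported scanning function by comparing its prologue, as loaded in a
process, with the same bytes from the on-disk image, and by checking for an
early 'ret'.  Reading the two byte ranges is platform-specific and is left
to the caller; every byte string below is constructed for this example and
is not real amsi.dll content."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RET_OPCODE = 0xC3   # x86/x64 near return
WINDOW = 16         # prologue bytes compared per export
EARLY_RET = 8       # a 'ret' this close to the entry point means the function does nothing


@dataclass
class Finding:
    export: str
    status: str                 # "clean", "modified" or "stubbed"
    first_diff: Optional[int]   # offset of the first differing byte, if any
    ret_offset: Optional[int]   # offset of an early 'ret', if any


def first_ret_offset(code: bytes, window: int = EARLY_RET) -> Optional[int]:
    """Offset of the first 'ret' opcode inside the first `window` bytes, else None.
    A single-byte scan can hit 0xC3 inside a longer instruction (e.g. an
    immediate), so treat a hit as a triage signal, not proof."""
    for i, b in enumerate(code[:window]):
        if b == RET_OPCODE:
            return i
    return None


def check_export(name: str, in_memory: bytes, on_disk: bytes) -> Finding:
    """Compare the loaded prologue with the on-disk one.

    Assumes the compared window contains no relocated absolute addresses
    (true for typical x64 prologues; on x86 apply relocations first).  A
    mismatch without an early 'ret' is typically a hook that jumps elsewhere
    (for example an EDR trampoline) and needs manual triage; a mismatch with
    an early 'ret' is a stub that returns without scanning."""
    mem, disk = in_memory[:WINDOW], on_disk[:WINDOW]
    first_diff = next((i for i, (a, b) in enumerate(zip(mem, disk)) if a != b), None)
    ret_at = first_ret_offset(mem)
    if first_diff is None:
        return Finding(name, "clean", None, ret_at)
    if ret_at is not None:
        return Finding(name, "stubbed", first_diff, ret_at)
    return Finding(name, "modified", first_diff, None)


def scan_exports(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes]) -> List[Finding]:
    """Check every export in the on-disk map; an export missing from memory is reported as modified."""
    findings = []
    for name, disk_bytes in on_disk.items():
        mem_bytes = in_memory.get(name)
        if mem_bytes is None:
            findings.append(Finding(name, "modified", 0, None))
        else:
            findings.append(check_export(name, mem_bytes, disk_bytes))
    return findings


# Constructed sample data (not real amsi.dll bytes): a typical x64 prologue ...
ON_DISK_PROLOGUE = bytes.fromhex("48895c2408" "4889742410" "57" "4156" "4157" "4883ec20")
# ... the same prologue whose first instructions were replaced by 'xor eax,eax; ret' ...
STUBBED_PROLOGUE = bytes.fromhex("31c0c3") + ON_DISK_PROLOGUE[3:]
# ... and the same prologue with a 'jmp rel32' hook at the entry point (rel32 value is arbitrary)
HOOKED_PROLOGUE = bytes.fromhex("e900100000") + ON_DISK_PROLOGUE[5:]


def demo() -> List[Finding]:
    """Constructed scenario: one stubbed export, one untouched export."""
    disk = {"AmsiScanBuffer": ON_DISK_PROLOGUE, "AmsiScanString": ON_DISK_PROLOGUE}
    mem = {"AmsiScanBuffer": STUBBED_PROLOGUE, "AmsiScanString": ON_DISK_PROLOGUE}
    return scan_exports(mem, disk)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.export}: {f.status} (first diff at {f.first_diff}, early ret at {f.ret_offset})")
```

The three-way result matters in practice: a “modified” prologue that jumps elsewhere is often a legitimate security product’s hook, so it should be triaged rather than alerted on blindly, whereas a “stubbed” prologue that returns within the first few bytes has no benign explanation for a scanning function.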
Rzy Protector Module:

The malware uses a modified Rzy Protector module to protect its execution from controlled (analysis) environments:

The Rzy Protector supports the features below:

Executing the malware while Fiddler is running on the machine produces the message below:

NetWire RAT:

The PowerShell script finally executes the NetWire RAT binary as “control.exe”:

The NetWire RAT retains old code that is disabled in the current variant by flag values. The disabled code includes string decryption and a persistence registry entry under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”:

The malware ensures that only a single instance runs at a time by creating a mutex named “G”. If the mutex already exists, the malware terminates:

The malware creates registry entries under HKCU\Software\NetWire that include the host ID and the current time:

The malware keeps three Command and Control (C&C) servers with port numbers, plus a localhost Internet Protocol (IP) address, in a circular linked list. It iterates the list indefinitely, trying to connect to each address in turn after a sleep period of 40 seconds:

The C&C server did not respond to the victim’s machine at the time of analysis. From the malware code, the malware appears to perform various actions on the victim’s machine depending on the response from its C&C server, including stealing information from web browsers and other installed applications such as Outlook.

The absence of the archive file from popular threat intelligence sharing portals such as VirusTotal and ReversingLabs indicates its uniqueness and limited distribution:

Evidence of detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Corona Anti-Locker Ultimate – Data stealing malware

Since the COVID-19 pandemic started, we have seen various malware families cashing in on the COVID-19 scare for their distribution.
Earlier, we had also posted an alert about the families milking this pandemic.

Infection Cycle

This malware uses the “Perfect DOS VGA 437 win” font to display information in Windows Forms. Upon execution it therefore checks that the font is installed by looking for the file “FONT_FILE.ttf” on the system. If the font is not found, a warning message with an “OK” button is displayed to the victim, which leads to the font installation.

Upon installation of the font it prompts the user for installation of the anti-locker:

Following successful installation, the victim is asked to reboot the system:

A hidden subfolder named “d0ntcl1ckh3r3_” is created in the %WINDIR% folder, where the following malicious component files are dropped:

Persistence is achieved by adding a Run entry in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “d0ntcl1ckh3r3_start_”=”C:\\Windows\\d0ntcl1ckh3r3_\\d0ntcl1ckh3r3_start_.exe”

d0ntcl1ckh3r3_start_

d0ntcl1ckh3r3_start_.exe is the component that gets started after reboot. It has two main functionalities. First a form is displayed as shown below which locks the victim’s screen such that the victim is not able to access any other applications:

Any key press displays an information window named “Hello!” instructing the victim to click on the blue screen’s “continue” button:

Pressing the “CONTINUE” button in the form launches the “d0ntcl1ckh3r3_main_” executable.

The code snippet below from d0ntcl1ckh3r3_start_.exe shows that any event other than a Windows shutdown that attempts to close the form is disregarded.

The other job of this executable is to ensure that none of the processes listed below is running:

  • Taskmgr.exe
  • Regedit.exe
  • Process Explorer.exe
  • Cmd.exe

d0ntcl1ckh3r3_main_

d0ntcl1ckh3r3_main_ performs the following tasks:

  • Ensures the registry entries are not modified:

  • Searches for files with the string “doc” in their names and adds each filename to a list that is used later:

  • Captures a screenshot and saves it as a hidden PNG file named shots_:

  • Uploads the files collected in the filename list and the captured screenshots to a remote FTP server:

    First, a directory is created on the FTP server. The directory name consists of the victim’s IP address and computer name and the date and time the directory is created. The victim’s public IP address is fetched from the “hXXp://icanhazip.com” service, an alternative to “whatismyip.com”.

  • Updates the executable
  • Executes d0ntcl1ckh3r3_temp_.exe

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Downloader.COVID_4 (Trojan)

Indicators Of Compromise:

  • 12FDBDD5BBFAA363C466B9AA986DBD0E09E2FA0BDC1577FCC467827B39A7DFB4

This threat is also detected by SonicWall Capture ATP.

Ada_Covid ransomware operator uses WhatsApp for price negotiation

The SonicWall Capture Labs threat research team has come across a new ransomware family known as Ada Covid. The sample we analysed appears to be in the early stages of development and does not modify any files on the system. It does, however, contain the ability to do so. An interesting shift with this malware is that the operators have chosen WhatsApp as the means of communicating with infected users. This could be a response to the social change triggered by the current global pandemic: the operators perhaps realize that instant messaging is a more effective negotiation medium when victims are stuck at home under shelter-in-place orders, as opposed to messaging via email, the medium of choice for many ransomware operators in the past.

Infection Cycle:

The malware is reported to have been served via the following link which is no longer active:

https://www.ktalents.com.my/wp-admin/images/Covid-19%20Check.exe

The trojan executable file uses the following icon:

The executable file is an SFX (self-extracting) archive that contains 3 files:

  • fud.bat
  • server.exe
  • server.sfx.exe

fud.bat contains the following script:

server.sfx.exe -p123 -d%temp%

Upon running the executable, the following command line box appears while extracting files from the sfx archive:

The following files are added to the system:

  • %USERPROFILE%\AppData\Local\Temp\RarSFX1\server.exe [Detected as: GAV: Ada_Covid.RSM (Trojan) ]
  • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\Name of your explain.lnk
  • %USERPROFILE%\OneDrive\Desktop\Name of your explain.txt

The following message is displayed on the desktop in notepad:

The malware is written in .NET and is easy to decompile. Although no modification of files took place during our analysis, the code evidently contains functionality to encrypt files. It is coded to give encrypted files a .pdf extension:

If files were actually encrypted, the encryption key (1,2,3,4,5,6,7,8) is easy to obtain:

Decompilation of the encryption function shows a list of file types to target:

The following file types are targeted:

jpeg, gif, jpg, png, docx, php, cs, cpp, rar, zip, html, htm, xlsx, avi, mp4, xls, pdf, odt, ods, pptx, ppt, doc, jpej, mid, midi, mp3, wav, bat, psd, psp, tif, iso, mdb, sql, log, dat, csv, com, cgi, py, aspx, cer, css, htm, part, c, class, java, sh, swift, vb, h, cpp, bak, wpd

As stated in the ransom message, WhatsApp is the medium of choice for negotiation.  We had the following conversation with the operator via WhatsApp:

There has been some transaction activity at the supplied address.  However, this does not necessarily indicate success:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AdaCovid.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

GULoader

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity in April for a downloader called GuLoader. GuLoader is used in conjunction with other malware components such as RATs (Remote Administration Tools). Some of the well-known components for 2020 are: Parallax, Netwire, FormBook, Tesla RATs.

The binary is compiled with Visual Basic 5.0/6.0. Visual Basic is somewhat cryptic to read and understand with many of the usual reverse engineering tools, such as disassemblers, decompilers and hex editors. Most Visual Basic programmers date from the early 90’s, which probably means the malware author is older, most likely in his/her late 30’s or 40’s.

This binary is used in conjunction with Initial Access components such as Spearphishing applied as an email attachment. Most of the email attachments will be compressed such as zip or rar files.

The loader is protected with XOR encryption that uses a 4-byte key to unpack its executable stub. The binary is also armored with anti-debugging techniques such as NtSetInformationThread and custom exception handlers that watch for single stepping or toggled breakpoints.
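As an added example (not GuLoader’s code and not from this post), the following Python shows how an analyst recovers a 4-byte repeating XOR key from an encrypted stub using the known first bytes of a PE header, decodes the blob and validates the result. It assumes the decoded stub starts with a standard DOS header (“MZ”, 0x90, 0x00); the key, the fake PE image and the encrypted blob are constructed here.

```python
"""Added example (not GuLoader's own code): recover a 4-byte repeating XOR
key from a blob that should decode to a PE image, then decode and validate
it.  Assumes the decoded stub starts with a standard DOS header
(b"MZ\x90\x00"); the encrypted blob below is constructed for this example."""
import struct
from typing import Tuple

KNOWN_PE_PREFIX = b"MZ\x90\x00"   # first 4 bytes of most PE files (assumption)
KEY_LEN = 4


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, known: bytes = KNOWN_PE_PREFIX) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the key bytes."""
    if len(blob) < KEY_LEN or len(known) < KEY_LEN:
        raise ValueError("need at least 4 known plaintext bytes")
    return bytes(c ^ p for c, p in zip(blob[:KEY_LEN], known[:KEY_LEN]))


def looks_like_pe(image: bytes) -> bool:
    """Validate the decoded image: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_stub(blob: bytes) -> Tuple[bytes, bytes]:
    """Recover the key, decode, and refuse output that does not validate.
    Returns (key, decoded_image)."""
    key = recover_key(blob)
    image = xor_repeat(blob, key)
    if not looks_like_pe(image):
        raise ValueError("decoded data is not a PE image; the known-prefix assumption may be wrong")
    return key, image


def build_fake_pe() -> bytes:
    """Constructed stand-in for an unpacked stub: DOS header, e_lfanew=0x40, NT signature."""
    hdr = bytearray(0x40)
    hdr[0:4] = KNOWN_PE_PREFIX
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18 + b"constructed stub body"


SAMPLE_KEY = b"\xde\xad\xbe\xef"            # constructed key
SAMPLE_PLAIN = build_fake_pe()
SAMPLE_ENCRYPTED = xor_repeat(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, image = decode_stub(SAMPLE_ENCRYPTED)
    print("key:", key.hex(), "valid PE:", looks_like_pe(image))
```

The validation step is what makes this safe to automate: if the packer does not place the stub at offset 0, or the DOS stub bytes differ from the assumed prefix, the recovered key is wrong and the PE signature check fails instead of producing garbage that looks decoded.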

Samples: 1st Layer, Static Information:

Looking at the first layer in CFF Explorer to check for corruption: the first layer is a Visual Basic 5.0 Win32 binary.

Command-line static information:

Main starting routine from IdaPro:

Main starting routine in VB Decompiler:

HTTP Network Connections & Objects:

Connections:

Objects:

The binary will reach out and grab an exe called “3.bin” from multiple domains:

  • arabianbrother.com
  • ntaryan.com

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: GULoader.PN

Appendix:

Sample Hash: 1b1279f4eca61a6661eb687cba8566b20fdc0cfa17bed09a6c0b87d53e7055dd

Cybersecurity News & Trends – 04-10-20

This week, SonicWall updates its MSSP program, the World Health Organization fends off phishing attempts, and hackers have a crisis of conscience… maybe.


SonicWall Spotlight

New SonicWall MSSP Program Boosts Pricing Options, Tech Support – CRN

  • SonicWall’s MSSP program has evolved from requiring customers to commit to an annual license from the get-go to offering both monthly and annual pricing options.

Addressing Cybersecurity Threats – Trending Business Insights

  • SonicWall’s VP of EMEA Sales, Terry Greer-King, talks about cybersecurity trends and SonicWall operations in the Middle East.

SonicWall Updates Its SecureFirst MSSP Program – Enterprise Times

  • Terry Greer-King, SonicWall VP of EMEA Sales, and Luca Taglioretti, SonicWall VP of Global MSSP & Carrier Sales, discuss spike licensing, the role training plays in the updated MSSP program, and more.

Cybersecurity News

Microsoft Exchange: 355,000 Servers Lack Critical Patch – Bank Info Security

  • Less than 20 percent of vulnerable Microsoft Exchange servers have received a fix for a serious flaw that Microsoft first disclosed nearly two months ago, potentially leaving them open for a remote attacker “to turn any stolen Exchange user account into a complete system compromise.”

Hackers struggle morally and economically over coronavirus – Bleeping Computer

  • With the coronavirus pandemic in full swing, threat actors are torn about how they should operate during the pandemic—and like everyone else, are also seeing a downturn in the marketplace.

‘Coronavirus’ malware can wreck your PC: What to do – Tom’s Guide

  • SonicWall has discovered a ‘coronavirus’ malware that aims to disable computers amid the COVID-19 crisis—but it turns out there’s an easy fix.

Is Remote Working A Threat To Your Business? – Disruption Hub

  • The rapid spread of the coronavirus and the sudden implementation of lockdown measures gave companies little time to prepare secure working from home strategies—and little time to educate employees on the potential security pitfalls of remote work.

Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus – sources – Reuters

  • Hackers working in the interests of the Iranian government have attempted to break into the personal email accounts of staff at the World Health Organization during the coronavirus outbreak, four people with knowledge of the matter told Reuters.

A researcher found zero-days in one city’s software. Then he realized the problem could be bigger. – Cyberscoop

  • “He unpacked the code, sifted through it, and found more than a dozen previously undisclosed vulnerabilities, or zero-days, that a hacker could exploit to manipulate data or dump user passwords. But it was more than just a catalog of bugs: Poring over the code, Rhoads-Herrera found the names of two other city governments that have used the software.”

DarkHotel hackers use VPN zero-day to breach Chinese government agencies – ZDNet

  • More than 200 VPN servers have been hacked in this campaign, 174 of which were located on the networks of government agencies in Beijing and Shanghai, and the networks of Chinese diplomatic missions operating abroad in several countries.

Phishing emails impersonate the White House and VP Mike Pence – Bleeping Computer

  • Phishing scammers have begun impersonating President Donald Trump and Vice President Mike Pence in emails that distribute malware or perform extortion scams.

In Case You Missed It

Excel 4.0 macro being used to deliver Malware

The SonicWall Capture Labs Threats Research team has been tracking a campaign for the last two months that uses Microsoft Office Excel for malware distribution. Microsoft Excel lets users hide worksheets: a worksheet’s state is “visible” by default and can be changed to “hidden” or “very hidden”. The malicious Excel files leverage this feature to hide a worksheet carrying a malicious Excel 4.0 macro. Another interesting artifact in these files is the use of Excel 4.0 macros at all, even though Microsoft has been encouraging its users to use the latest version of Microsoft Visual Basic for Applications (VBA) instead.

Upon opening the malicious Excel file, the user is shown an image with a message instructing the user how to enable editing in order to view the document. As can be seen in the following image, the file appears to have just one sheet.

We have observed a few variants surrounding this campaign. In some of its appearances, the image varies as shown below:

Screen captured images of third party products or services are intended only to demonstrate the real-world application of the reported malware.

Initial variants of this malware used a data connection, which could then be used to download the payload. Later variants started using Excel 4.0 macros to download the payload. So far, the samples analyzed either have domain names that are not registered, redirect the victim to google.com, or download a DLL file from GitHub that launches the Microsoft Windows calculator application “calc.exe”.

As highlighted in the following image, the malicious Excel file contains two sheets, indicated by the two BOUNDSHEET records (85h). One sheet’s state is set to hidden, so the sheet is not visible. This sheet also contains the Excel 4.0 macro.

Sheet Record (BOUNDSHEET, 85h):

Bytes               Meaning                            Size
85 00               Start of sheet record              2 bytes
0E 00               Size of record                     2 bytes
D5 58 01 00         Address of BOF                     4 bytes
00                  Sheet state:                       1 byte
                      00h = visible
                      01h = hidden
                      02h = very hidden
00                  Sheet type:                        1 byte
                      00h = worksheet or dialog sheet
                      01h = Excel 4.0 macro sheet
                      02h = chart
                      06h = Visual Basic module
06                  Size of sheet name                 1 byte
53 68 65 65 74 31   Sheet name (“Sheet1”)              6 bytes

The sheet can be made visible by setting the state byte, which is the 9th byte of the BOUNDSHEET record, to “0”. The following VBA macro would also do the trick:

    For Each ws In Sheets
        ws.Visible = xlSheetVisible
    Next ws
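The following Python is an added example (not from the SonicWall post) that parses BOUNDSHEET (85h) records from a raw BIFF8 workbook stream along the layout in the table above, reports each sheet’s state and type, flags hidden Excel 4.0 macro sheets, and produces an unhidden copy by zeroing the state byte, the same fix the VBA snippet applies. The stream is constructed for the example; in a real .xls the BIFF stream is the Workbook stream inside the OLE2 container, which a library such as olefile can extract. One detail the table above does not show: BIFF8 places a one-byte string-option flag (0 for 8-bit characters, 1 for UTF-16) between the name length and the name bytes, which is why a 6-character name yields the 0E (14-byte) record size.

```python
"""Added example (not from the SonicWall write-up): parse BOUNDSHEET (85h)
records from a raw BIFF8 workbook stream, report each sheet's state and
type, and produce an unhidden copy of the stream.  In a real .xls the BIFF
stream is the 'Workbook' stream inside an OLE2 compound file; the stream
below is constructed for this example."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

BOUNDSHEET = 0x0085
STATES = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}
TYPES = {0x00: "worksheet or dialog sheet", 0x01: "Excel 4.0 macro sheet",
         0x02: "chart", 0x06: "Visual Basic module"}


@dataclass
class Sheet:
    name: str
    state: str
    kind: str
    bof_offset: int          # stream offset of the sheet's BOF record
    state_byte_offset: int   # stream offset of the state byte (9th byte of the record)


def iter_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (record_offset, record_type, record_data) for each BIFF record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        yield pos, rtype, stream[pos + 4:pos + 4 + size]
        pos += 4 + size


def parse_boundsheet(rec_off: int, data: bytes) -> Sheet:
    """Layout: BOF address (4), state (1), type (1), name length (1), string flag (1), name."""
    bof, state, kind, cch, flags = struct.unpack_from("<IBBBB", data, 0)
    raw = data[8:8 + (cch * 2 if flags & 1 else cch)]
    name = raw.decode("utf-16-le" if flags & 1 else "latin-1")
    return Sheet(name,
                 STATES.get(state & 0x03, f"unknown({state:#04x})"),
                 TYPES.get(kind, f"unknown({kind:#04x})"),
                 bof,
                 rec_off + 8)


def find_sheets(stream: bytes) -> List[Sheet]:
    return [parse_boundsheet(off, data) for off, rtype, data in iter_records(stream)
            if rtype == BOUNDSHEET]


def hidden_macro_sheets(sheets: List[Sheet]) -> List[Sheet]:
    """The combination described in the write-up: a non-visible Excel 4.0 macro sheet."""
    return [s for s in sheets if s.state != "visible" and s.kind == "Excel 4.0 macro sheet"]


def unhide(stream: bytes) -> bytes:
    """Return a copy of the stream with every sheet's state byte set to 0 (visible)."""
    out = bytearray(stream)
    for s in find_sheets(stream):
        out[s.state_byte_offset] = 0
    return bytes(out)


def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(body)) + body


def _boundsheet(bof: int, state: int, kind: int, name: str) -> bytes:
    return _record(BOUNDSHEET,
                   struct.pack("<IBBBB", bof, state, kind, len(name), 0) + name.encode("latin-1"))


# Constructed stream: a CODEPAGE record, a visible worksheet, and a hidden XLM macro sheet.
SAMPLE_STREAM = (_record(0x0042, b"\xb0\x04")
                 + _boundsheet(0x000158D5, 0x00, 0x00, "Sheet1")
                 + _boundsheet(0x00016010, 0x01, 0x01, "Macro1"))

if __name__ == "__main__":
    for s in find_sheets(SAMPLE_STREAM):
        print(f"{s.name!r}: {s.state}, {s.kind}, BOF at {s.bof_offset:#x}")
    print("hidden macro sheets:", [s.name for s in hidden_macro_sheets(find_sheets(SAMPLE_STREAM))])
```

Running the parser over the Workbook stream is a quick triage step: a workbook whose only hidden or very hidden sheet is also an Excel 4.0 macro sheet matches the pattern of this campaign regardless of what the visible sheet shows.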

The early variants that surfaced had a hidden sheet but no macro code. The other variants differ in how the payload is downloaded; payload execution through the Excel 4.0 macro has been the same.

The macro begins by checking the workspace width (13), workspace height (14), presence of a mouse (19), whether the system can play sound (42) and the Windows environment (1):

  • GET.WORKSPACE(42): The system should be capable of playing sound.
  • GET.WORKSPACE(13): The usable workspace width should be less than 770.
  • GET.WORKSPACE(14): The usable workspace height should be less than 381.
  • GET.WORKSPACE(19): A mouse should be present, to avoid execution in a sandbox.
  • GET.WORKSPACE(1): The environment should be Windows.
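As an added example (not from the post), this Python triages extracted Excel 4.0 macro formulas for the GET.WORKSPACE probes listed above, recording which cell tests which environment property and any numeric threshold attached to it. The formula cells are constructed for the example; in practice they would come from a macro extractor such as oletools’ olevba.

```python
"""Added example (not from the SonicWall write-up): triage extracted Excel
4.0 macro formulas for the GET.WORKSPACE environment probes used as sandbox
checks.  The formula cells below are constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

# GET.WORKSPACE indices used as sandbox probes and what each one returns
PROBES = {
    1: "environment name (expects Windows)",
    13: "usable workspace width",
    14: "usable workspace height",
    19: "mouse present",
    42: "can play sounds",
}
# GET.WORKSPACE(n) optionally followed by a comparison against a number
_PROBE_RE = re.compile(r"GET\.WORKSPACE\(\s*(\d+)\s*\)(?:\s*([<>]=?|=)\s*(\d+))?", re.IGNORECASE)


def workspace_probes(formulas: Dict[str, str]) -> List[Tuple[str, int, Optional[str]]]:
    """Return (cell, index, comparison) for each known probe found, e.g.
    ('A2', 13, '<770'); comparison is None when the value is only tested for truth."""
    found = []
    for cell, text in formulas.items():
        for m in _PROBE_RE.finditer(text):
            idx = int(m.group(1))
            if idx in PROBES:
                cmp = f"{m.group(2)}{m.group(3)}" if m.group(2) else None
                found.append((cell, idx, cmp))
    return found


def describe(formulas: Dict[str, str]) -> List[str]:
    """Human-readable triage lines for an analyst."""
    return [f"{cell}: GET.WORKSPACE({idx}) {PROBES[idx]}" + (f", compared {cmp}" if cmp else "")
            for cell, idx, cmp in workspace_probes(formulas)]


def is_sandbox_aware(formulas: Dict[str, str], min_probes: int = 2) -> bool:
    """Flag a macro that tests at least `min_probes` distinct environment properties;
    a single GET.WORKSPACE(1) call alone is common in benign macros."""
    return len({idx for _, idx, _ in workspace_probes(formulas)}) >= min_probes


# Constructed macro cells mirroring the checks described above (not the sample's real cells)
SAMPLE_FORMULAS = {
    "A1": "=IF(GET.WORKSPACE(42),,HALT())",
    "A2": "=IF(GET.WORKSPACE(13)<770,,HALT())",
    "A3": "=IF(GET.WORKSPACE(14)<381,,HALT())",
    "A4": "=IF(GET.WORKSPACE(19),,HALT())",
    "A5": '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,HALT())',
    "A6": "=RUN(A8)",
}
BENIGN_FORMULAS = {"B1": "=SUM(A1:A9)", "B2": "=GET.WORKSPACE(1)"}

if __name__ == "__main__":
    for line in describe(SAMPLE_FORMULAS):
        print(line)
    print("sandbox-aware:", is_sandbox_aware(SAMPLE_FORMULAS))
```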

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signature:

  • GAV:Downloader.XL_8 ( Trojan )

The SonicWall RTDMI engine detects these Excel files.

The New Front in Hospitals’ Battle Against COVID-19: Ransomware

In 2016, hackers attacked Hollywood Presbyterian Medical Center in Los Angeles. While systems critical to patient care weren’t affected, for two weeks, employees were locked out of email and other forms of electronic communications.

Ultimately, hospital administrators decided that the most cost-effective way to regain control was to pay the $17,000 ransom. Last year, a similar but more devastating attack hit three Alabama hospitals, forcing them to turn away all but the most critical patients. They, too, paid an undisclosed ransom, but were hardly the only victims of targeted ransomware attacks.

Recent news stories celebrating a drop in ransomware cases last year on the heels of 2018’s record may cause some to wonder whether ransomware is on its way out. But as we noted in the 2020 SonicWall Cyber Threat Report, ransomware isn’t going away, it’s just getting more efficient. “Spray and pray,” the report concluded, is over—but for big-game hunting, the season is just beginning.

Today, ransomware operators have one guiding principle: The bigger the potential disruption caused by an attack, the bigger the chance of a payday. According to the report, 2019 saw widespread attacks of K-12 schools, public utilities, and state and local governments. 2020 looks to be more of the same, with one crucial difference: Amid a global pandemic, already wildly disruptive in and of itself, many attackers who once targeted a wide swath of businesses and organizations that kept our lives running are now targeting the businesses and organizations that keep us alive.

Data presented in the 2020 SonicWall Cyber Threat Report suggests that in 2019, many medical companies had security insufficient for threats they faced then. Out of the year’s top 40 data exposures, roughly 18% were organizations in the medical/healthcare industry; these incidents resulted in compromised data for 42 million people.

But now, as future healthcare workers are being offered early graduation and retired ones are being called back into the field — as ailing patients are being doubled up on ventilators and facilities begin to reach, and then surpass, capacity — the more predatory hackers are seeing an opportunity to turn a nation’s suffering into some of the easiest money they’ll ever make. “You can keep the money you’ll need to ensure care later,” their bargain implies, “or lose access to the data that’s allowing you to offer care now.”

Either way, healthcare providers lose.

In 2019, SonicWall Capture Labs researchers uncovered 187.9 million ransomware attacks globally. If that number doesn’t rise — which seems increasingly unlikely — and just 20% more of those cyberattacks targeted the healthcare industry, the results would be devastating.

“In a modern, citizen-centric environment, successful ransomware attacks are highly disruptive,” SonicWall President and CEO Bill Conner wrote for Forbes. “Networks from city hall, law enforcement agencies, sanitation, courthouses, or the DMV could be compromised in minutes and everyday operations held for ransom, often at exorbitant costs.”

Like the virus itself, this situation has arrived in some places far sooner than expected. Medical labs, doctors’ offices, and hospitals are already seeing an increase in attacks, with one group even targeting a lab that was actively working on a COVID-19 vaccine.

As increasingly desperate hospitals quickly and reliably pay ransomware demands to ensure minimal disruption during a situation in which there’s no room for error, hackers are becoming more audacious in their demands — according to Bloomberg News, there has been not only an increase in the quantity of attacks on healthcare organizations, but also the amount of ransom requested.

The old adage about planting trees could just as easily apply to cybersecurity: The best time to develop a crisis continuity plan and put appropriate security measures into place was 20 years ago. The second-best time is right now.

While it’s of utmost importance to ensure the doctors, nurses and staffers currently risking their lives to save others have access to enough ventilators, beds and hospital gear to adequately care for their patients, it is equally important that doctors have access to the patient data — such as health conditions, current medications, and allergies — that guides care and ultimately helps save lives.

SonicWall Unveils Partner Program Designed for MSSPs

Faced with threats, exposure points and personnel needs growing at a pace their budgets and actual headcount can’t keep up with, IT departments are increasingly relying on managed security service providers (MSSP) to fill the gaps.

To help our MSSP partners meet the unprecedented demand for their knowledge and expertise, SonicWall has leveraged its nearly three decades in the channel industry to create a new MSSP partner program focused on delivering simplicity and efficiency during a time when you need it most.

By combining our expanding set of threat intelligence solutions with a flexible set of pricing options, our goal is to help MSSPs grow profitability. And by adding program enhancements such as simplified operations; automated provisioning and billing;  unified visibility and security management; and pre-defined threat analytics, reporting and workflows, we’re offering MSSPs the opportunity to meet goals more easily than ever.

“After being in close communication with our MSSP partners, we’ve been working around the clock to develop a strong program layered in with our highly successful SecureFirst partner program that caters to the specific needs of over 20,000 current partners around the world,” said SonicWall Vice President, Global MSSP & Carrier Sales, Luca Taglioretti. “We’re excited to deliver flexible pricing options that match the way customers want to buy, including monthly, annual and consumption-based models.”

The MSSP program offers its own curriculum and accreditation with access to L3 Premier Support and full technical knowledgebase. What’s more, all program participants will benefit from an assigned partner manager and sales engineer, while those in the Top Tier will also have access to a solution architect.

“Our goal is to help simplify the daily operations of MSSPs and provide them with the support that they need, exactly when they need it,” said SonicWall Vice President, Global Channel Sales, HoJin Kim. “Being a 100% channel company, we feel this is a natural progression for us and look forward to continuing to deliver managed security services to enterprises, SMBs and government organizations that are challenged with the task of defending increasingly more targeted cyberattacks.”

Through the three MSSP program tiers — MSSP Protect, MSSP Powered and MSSP Powered Plus — partners will enjoy:

  • Expanded annual and monthly pricing model licenses
  • Aggressive volume-based pricing based on assets under management
  • Priority access to Premier Support Tier 3 engineers
  • Increased access to MDF, including accruals for Powered Plus partners
  • Support from a new and expanding MSSP strategic account management team

To learn more about how SonicWall’s partner programs can help you grow your business, visit www.sonicwall.com/partners/mssp-partner-program.

Beware of scams in connection with COVID-19

UPDATED APRIL 8TH

Scammers have devised numerous ways of defrauding people in connection with COVID-19. Some examples of scams linked to COVID-19 include treatment, testing, medical supplies, insurance, charity, work from home, investment, student loan, and disinformation.

SonicWall Capture Labs Threat Research team has come across the below scams this week in connection with COVID-19.

IRS economic impact payment scam:

The Internal Revenue Service (IRS) will begin to distribute COVID-19 Economic Impact Payments in a matter of weeks. For most Americans, this will be a direct deposit into your bank account. For the unbanked, elderly or other groups that have traditionally received tax refunds via paper check, they will receive their economic impact payments in this manner as well.

The malicious campaign below concerns government relief payments. It claims to come from the IRS and asks the user to verify the account number in the attachment. But the attachment “Attached doc.iso” is actually a malicious ISO file that drops a remote access trojan onto the user’s machine.

IOC:

149d4bcdfd591de6eebbe9726ffbdaf6c02cc08b97dc7cd3bed4cf8a64d54cff
60a2f5ca4a5447436756e3496408b8256c37712d4af6186b1f7be1cbc5fb4f47

Bank payment relief notice scam:

The phishing campaign below targets customers of Absa, an Africa-based financial services group. It claims to be a notice of a COVID-19 payment relief plan, but the attached document is an HTML file which, when opened, takes the user to a phishing page imitating Absa internet banking.

Medical supply scam:

The campaign below targets medical supply businesses. It asks the medical supplier to supply the products specified in the attachment, but the attached document is not a PDF file; it is a malicious executable belonging to the Agensla malware family, which steals credentials from the victim’s browser, FTP and email clients.

Phishing Scam:

The phishing campaign below claims to come from the CDC, stating that it is closely monitoring the intellectual property landscape while responding to the COVID-19 outbreak across the Asia-Pacific region. The COVID-19 updates link in the mail leads to a phishing page pretending to be Spruson & Ferguson’s COVID-19 website. This is a phishing scam not affiliated with Spruson & Ferguson, and they are in no way responsible for cyber criminals purporting to be them.

Find the legitimate page of Spruson & Ferguson for COVID-19 updates here

Phishing emails look like legitimate company emails and are designed to steal your information. They usually contain a link to a website that will ask for your login credentials, personal information or financial details. These websites are cleverly designed to take your information and pass it back to the cybercrooks behind the scam.

  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Check the websites and email addresses offering information, products, or services related to COVID-19.
  • Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating.
  • For the most up-to-date information on COVID-19, visit the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) websites.

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: Casur.A_9 ( Trojan )
GAV: Adload.A_220 ( Trojan )
GAV: MalAgent.H_16053 ( Trojan )

Cybersecurity News & Trends – 04-03-20

This week, while remote workers and hospitals alike struggled to adjust to the new realities brought by the COVID-19 pandemic, hackers looked to exploit the upheaval for ill-gotten profit.


SonicWall Spotlight

There’s now COVID-19 malware that will wipe your PC and rewrite your MBR – ZDNet

  • Amidst the COVID-19 pandemic, some malware authors are releasing coronavirus-themed malware that destroys infected systems by either wiping files or rewriting a computer’s master boot record (MBR). The first of the MBR-rewriters was discovered by security researcher MalwareHunterTeam, as detailed in a report from SonicWall this week.

Cyber Security Threats Loom Large as Employees Work Remotely – The Week

  • According to SonicWall’s Capture Labs Threat Research Team, the risks of engaging with any coronavirus app—some of which purport to track infections or point to a vaccine—is very high, as hackers target newly minted remote workers in general, and those concerned about the virus in particular.

SonicWall Research Team Flags off 5 Top Cyberattacks in Times of COVID-19 Pandemic – CXO Today

  • The rise in employees working from home due to the COVID-19 pandemic is requiring that businesses provide employees secure access to remote infrastructure, networks and devices—and help safeguard against opportunistic cybercriminals preying on this new pool of remote workers.

Cybersecurity News

Marriott International Confirms Data Breach of Guest Information – Intelligent CISO

  • Terry Greer-King, VP EMEA at SonicWall, commented on the breach: “The Information Commissioner’s Office’s £99 million fine for Marriott in 2019 for a breach of GDPR was supposed to create much-needed reform on how the company processes and secures data. It appears that certain lessons are yet to be learned.”

Cyber Version of ‘Justice League’ Launches to Fight COVID-19 Related Hacks – Dark Reading

  • A group of cybersecurity experts from around the world—including from companies like Microsoft and Okta—have teamed to help organizations fight COVID-19-related hacking and phishing attacks, Dark Reading reports.

Hackers ‘Without Conscience’ Demand Ransom from Health Providers – Bloomberg

  • Bloomberg’s Ryan Gallagher reports on threats targeting the healthcare industry as healthcare providers deal with the massive influx of patients afflicted with COVID-19. Experts around the world are warning that hackers could keep doctors from vital patient data by encrypting records.

FBI warns Zoom, teleconference meetings vulnerable to hijacking – Cyberscoop

  • The warning comes after reports that Zoom—which is also under fire for leaking personal information to strangers and illegally selling user data to Facebook—isn’t securing communications as advertised.

Tech Giants Prepared for 2016-Style Meddling. But the Threat Has Changed. – The Wall Street Journal

  • The chairman of Huawei Technologies warned the U.S. to expect countermeasures from the Chinese government if it further restricts the technology giant’s access to suppliers, as the company’s profit last year grew at the slowest pace in three years.

Banking Malware Spreading via COVID-19 Relief Payment Phishing – Bleeping Computer

  • The Zeus Sphinx banking Trojan has recently resurfaced after a three-year hiatus as part of a coronavirus-themed phishing campaign, one of many launched as hackers race to take advantage of the current pandemic.

FBI re-sends alert about supply chain attacks for the third time in three months – ZDNet

  • The FBI says a group of state-sponsored hackers are now targeting the healthcare industry, which is currently grappling with the COVID-19 outbreak.

In Case You Missed It