Cybercriminals combine phishing and EV certificates to deliver ransomware payloads

September 15, 2023 | THN | Ransomware / Cyber threat

Threat actors behind the information stealers RedLine and Vidar have been observed turning to ransomware via phishing campaigns that spread initial payloads signed with Extended Validation (EV) code signing certificates.

“This suggests that threat actors are streamlining their operations by making their techniques versatile,” Trend Micro researchers said in a new analysis published this week.

In the incident investigated by the cybersecurity company, an anonymous victim allegedly first received information-stealing malware with EV code signing certificates, followed by ransomware using the same delivery technique.

In the past, QakBot infections have exploited samples signed with valid code signing certificates to bypass security protections.

Attacks begin with phishing emails that use well-known lures to trick victims into executing malicious attachments masquerading as PDF or JPG images, but which are actually executables that set the compromise in motion when run.


While the campaign targeting the victim delivered information-stealing malware in July, a ransomware payload arrived in early August after the victim received an email carrying a fake TripAdvisor complaint attachment (“TripAdvisor -Complaint.pdf.htm”), which triggered a sequence of steps that resulted in the deployment of ransomware.
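The lure described above, an attachment whose name claims a document or image type while its final extension or content is executable, is something a mail gateway or triage script can flag before a user opens it. The following is an added example, not code from the article or from Trend Micro; it assumes constructed sample attachments (the only filename taken from the article is “TripAdvisor -Complaint.pdf.htm”, whose content is invented here) and a small, hand-written table of magic bytes.

```python
# Added example: flag mail attachments whose name or content is deceptive.
# Magic-byte table and sample attachments are constructed for this example.

# First bytes of the document/image formats a lure typically claims to be.
MAGIC = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Headers of native executables, checked regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
}

# Final extensions that run code or render active content when opened.
ACTIVE_EXT = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
    "wsf", "hta", "htm", "html", "lnk", "msi",
}


def extensions(filename):
    """Return all extensions of a file name, lower-cased, innermost first."""
    basename = filename.lower().rsplit("/", 1)[-1]
    return basename.split(".")[1:]


def analyse_attachment(filename, data):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    exts = extensions(filename)
    final = exts[-1] if exts else ""

    # 1. Double extension: a document/image extension placed in front of an
    #    extension that actually executes or renders active content.
    if len(exts) >= 2 and final in ACTIVE_EXT and exts[-2] in MAGIC:
        findings.append(f"double extension: looks like .{exts[-2]} but opens as .{final}")

    # 2. Claimed document/image type whose bytes do not match that format.
    if final in MAGIC and not data.startswith(MAGIC[final]):
        findings.append(f"content does not match claimed .{final} format")

    # 3. Native executable header, whatever the name says.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"{kind} executable header")

    return findings


def is_suspicious(filename, data):
    """Boolean verdict for use in a gateway rule or triage pipeline."""
    return bool(analyse_attachment(filename, data))


# Constructed sample attachments (content is invented, not real malware).
SAMPLES = {
    "TripAdvisor -Complaint.pdf.htm": b"<html><script>/* constructed */</script></html>",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # PE header behind a .pdf name
    "photo.jpg.exe": b"MZ\x90\x00",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # genuine-looking PDF
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict = "SUSPICIOUS" if is_suspicious(name, content) else "ok"
        print(f"{name!r}: {verdict} {analyse_attachment(name, content)}")
```

The check deliberately combines name-based and content-based signals: an EV-signed executable renamed to look like an image still carries a PE header, and an HTML smuggling attachment still ends in an active extension even though it carries no executable bytes.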

“At this point, it should be noted that unlike the information stealer samples we investigated, the files used to drop the ransomware payload did not have EV certificates,” the researchers said.

“However, both originate from the same threat actor and spread via the same mode of transmission. We can therefore assume a division of labor between the payload provider and the operators.”

This development comes as IBM


DBatLoader’s new features make UAC bypass, persistence, and process injection easier, indicating that it is actively maintained to drop malware that can collect sensitive information and enable remote control of systems.

The recent series of attacks, detected since late June, are designed to also spread common malware such as Agent Tesla and Warzone RAT. The majority of emails targeted English speakers, although emails in Spanish and Turkish were also spotted.

“In several observed campaigns, threat actors exercised sufficient control over email infrastructure to allow malicious emails to pass SPF, DKIM, and DMARC email authentication methods,” the company said.

“The majority of campaigns leveraged OneDrive to organize and retrieve additional payloads, with a small fraction otherwise using transfer(.)sh or new/compromised domains.”



In related news, Malwarebytes revealed that a new malvertising campaign targets users who search for Cisco’s Webex video conferencing software on search engines like Google to redirect them to a fake website that spreads the malware BATLOADER.

BATLOADER, for its part, establishes contact with a remote server to download an encrypted second-stage payload, which is a known stealer and keylogger malware called DanaBot.

A new technique adopted by the threat actor is the use of tracking template URLs as a filtering and redirection mechanism to fingerprint visitors and determine potential victims of interest. Visitors who do not meet the criteria (for example, requests from a sandbox environment) are directed to the legitimate Webex site.

“Because the ads appear so legitimate, there is no doubt that people will click on them and visit dangerous sites,” said Jerome Segura, director of threat intelligence at Malwarebytes.

“The type of software used in these ads indicates that threat actors are interested in victim companies that will provide them with useful credentials for subsequent network ‘penetration testing’ and, in some cases, for the deployment of ransomware.”
