According to Microsoft's reserach, DEV-0569 relies on phishing and malvertising, but they have shown there are more ways than the traditional methods to get the big fish to bite.
Access providers or Initial Access Brokers (IABs) are the names we use for threat actors that gain and provide initial access to organizations and then sell that access on to other malicious actors, which are interested in deploying their own infections like ransomware, banking Trojans, and other assorted malware.
DEV-0569 has been known to work for the Royal ransomware group, which started out at the beginning of this year as a group of individuals that came from other ransomware operations and operates as a data leak gang. The Royal ransomware group is probably granted access to dropped Cobalt Strike Beacons. DEV-0569 have also reportedly delivered the Gozi banking trojan (detected by Malwarebytes as Trojan.Gozi) and the information stealer known as Vidar Stealer (detected by Malwarebytes as Spyware.Vidar).
One of the more novel phishing methods is using the targets own contact forms on their website. These can be used in two ways. The easiest one, if it works on that site, is to put a download link to the malware in the “message” section of the form and hope the receiver will click on it. Where sites disable the option to post URLs the attacker can post contact details and send the link later on in the email conversation. DEV-0569 posed as a national financial authority to make sure that targets would get in contact with them.
Contact forms have a few advantages for the phisher over direct email contact. Using a contact form on the website will usually bypass the email protections and appear trustworthy to the recipient. The malicious links in the contact forms led to a malware downloader called BATLOADER hosted on abused web services like GitHub and OneDrive.
Software download sites
Another proven effective tactic in use by DEV-0569 is to set up software download sites that are similar in name and appearance to legitimate download sites. They will send out phishing emails with links to downloads on those sites claiming to be installers for numerous applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. In reality the victim will download BATLOADER.
Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads. The threat actor used the traffic filtering provided by legitimate traffic distribution system Keitaro to redirect a selected group of visitors to one of the fake software download sites, while the rest ended up on the legitimate sites. By doing this they stay under the radar of security researchers and it allows them to deliver their payloads to specified IP ranges and targets.
There are several ways to protect yourself and your organization from phishing attacks. None of them will be airtight or even waterproof, but every blocked attempt is one less to worry about. If you have layered security in place for every step of the way, you have good chance to stay out of trouble. Here are several techniques to put in place:
- Use email filtering software to block phishing mails.
- Educate and train employees to recognize phishing attempts.
- Use a method to block known malicious domains and IPs so that even a click on a malicious link may fall short.
- Use an anti-malware solution with real-time protection so malware can get caught in the act or as soon as it’s downloaded.
- Limit and actively manage user permissions. Restricting administrative permissions to only those that need and know how to handle them can prevent lateral movement in the network.
- Enable tampering protection for your security software, because many Trojans will attempt to disable your security software as a first step.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.