Cybercrime Tactics & Techniques

Attack on Home Base

The coronavirus pandemic has left the world looking very different at the end of the quarter than it did at the beginning. For starters, millions of workers are out of the office and working from their homes. This change in scenery, combined with the social distancing efforts that help slow the spread of COVID-19, has created a crisis for many, but an opportunity for some.

Employees are accessing company resources through VPNs, using cloud-based services, and spending countless hours on chat and collaboration tools, all while connecting from personal networks and machines. In response, cybercriminals have been running campaigns that trick users into installing malware that steals login credentials for these services and gives the attacker remote control of the endpoint.

This special, COVID-19 themed CTNT report for January 2020 to March 2020 looks at the most prominently spread malware families taking advantage of this crisis, as well as other cybercriminal efforts we observed. We will give you a look into what the campaigns that spread these threats look like and the capabilities of the malware, along with information about card skimmers and APT attacks, wrapping up with some tips on staying safe.

Distributed Malware

Threats like Emotet and TrickBot remain a major concern for businesses all over the world; the threats covered in this section, however, are specifically using COVID-19-themed campaigns to spread.

In fact, many of the families we have seen installed by these campaigns had very little success before the last few months. This shift shows cybercriminals focusing on a new target: your home base.

AveMaria

Malware Profile

Detection Name:
Backdoor.AveMaria.*
Trojan.AveMaria
Spyware.AveMaria

First Seen:
December 2018

Category:
Remote Access

AveMaria is a Remote Access Trojan used for taking over the systems of its victims and providing the attackers with remote control capability. It was first observed being spread through malicious phishing campaigns in 2018 and its presence on infected endpoints has been on the rise ever since.

Capabilities:

  • Remote desktop access
  • Remote webcam control
  • Password stealer
  • Downloader
  • Keylogger
  • Remote shell
  • Privilege escalation

Recent Activity:

The AveMaria Remote Access Trojan is available for cybercriminals to purchase on the dark web for about $23 for a monthly “subscription.” Over the last three months, we have seen an increase in detections of this threat, with a 109.6 percent increase between February and March.

Spread Via:

AveMaria has been observed recently being spread through malicious phishing emails claiming to contain information about effective face masks as well as through other COVID-19 themed campaigns.

NetWiredRC

Malware Profile

Detection Name:
Backdoor.NetWiredRC.*

First Seen:
November 2014

Category:
Backdoor access

Since its discovery in 2014, the NetWiredRC backdoor has been associated with numerous types of attacks and threat groups, including APT33, an Iranian state-sponsored group that focuses on the energy industry. The malware is highly capable and dangerous: it can manipulate, spy on, and steal data and applications from the user.

Capabilities:

  • Downloader
  • Keylogger
  • Information stealing
  • System manipulation
  • Provide remote access

Recent Activity:

We have observed a roughly 40 percent increase in NetWiredRC detections since the beginning of the year. During the summer of 2019, NetWiredRC was involved with a phishing campaign targeting the hotel industry in North America.

Spread Via:

This malware has been observed primarily through malicious phishing campaigns, using numerous themes and ploys to get users to install the malware. A recent campaign claimed to be providing COVID-19 information from UNICEF, the children’s aid organization.

LokiBot

Malware Profile

Detection Name:
Backdoor.Lokibot.*
Spyware.Lokibot.*
Trojan.Lokibot.*

First Seen:
2015

Category:
Botnet, Information stealer

LokiBot is a well-known botnet which has been active since 2015. Its primary method of spreading has been through malicious emails or as a secondary payload for other downloader malware families. It is also known to use steganography to hide malicious code inside images.

Capabilities:

  • Keylogger
  • Password stealer

Recent Activity:

In addition to impersonating banks and shipping companies, LokiBot has been seen by multiple security research groups as a possible payload for many of the COVID-19 themed phishing campaigns that are active today. During the coronavirus pandemic, we have seen a 61.8 percent rise in LokiBot detections.

Spread Via:

LokiBot is most notably spread through malicious phishing campaigns. Recently, we have observed this malware being pushed as a fake invoice from a medical supply vendor.

AZORult

Malware Profile

Detection Name:
Backdoor.AZORult.*
Spyware.AZORult.*

First Seen:
July 2016

Category:
Information stealer

AZORult is a dangerous information stealing malware that has been on the scene since 2016. This malware can also act as a downloader for other malware and has previously been installed as a secondary payload to families like Emotet. The primary method of infection for this threat is through malicious phishing campaigns and drive-by exploits.

Capabilities:

  • Password stealer
  • Cryptocurrency theft
  • Downloader

Recent Activity:

AZORult remained a steady threat throughout 2019. Starting in November, we began to see a larger increase in detections that lasted until around February. A comparison of February with March shows a further 30.1 percent month-over-month increase in detections, indicating that this threat is not likely to go away soon.

Spread Via:

AZORult has been observed recently as a possible payload for numerous COVID-19 themed attacks, including one asking the recipient for bulk quantities of ventilators as well as being one of the payloads attached to a fake Johns Hopkins University coronavirus map application.

DanaBot

Malware Profile

Detection Name:
Backdoor.DanaBot
Spyware.DanaBot
Trojan.DanaBot

First Seen:
May 2018

Category:
Banking trojan, Information stealer

DanaBot is a family of banking trojans, first discovered being distributed by malicious emails that targeted Australia. It has more recently been distributed through malicious advertisements leading to the RIG and Fallout exploit kits. DanaBot's reach has expanded as of late, with infections spotted in various countries in Europe as well as in North America.

Capabilities:

  • Bank credential theft
  • Password stealer
  • Downloader
  • Browser manipulation
  • Phishing website redirection

Recent Activity:

DanaBot has been active since September 2019, with a dip in detections between January and February 2020. That dip was followed by a 166 percent rise in detections between February and March 2020.

Spread Via:

DanaBot is being spread in numerous ways, from exploit-kit malvertising attacks to malicious email campaigns. The Polish CERT recently warned Polish citizens about a campaign pushing DanaBot through malicious PowerPoint presentations. In addition, DanaBot is one of the possible payloads we may see installed by the fake Johns Hopkins coronavirus map first discovered in March.

Other Efforts

Phishing emails and scary maps are not the only criminal operations taking advantage of the current state of the world. Online shoppers are at greater risk than ever, with an increase in credit card skimmers found on web store checkout pages. In addition, government-sponsored actors are trying to blend their attacks in with the flood of coronavirus-themed scams.

Card Skimmers

Panic buying, hoarding, and a drastic change in how we purchase goods—from in-store to delivery and pickup—has resulted in rushed deployments of online order forms, price manipulation, counterfeit goods and, of course, online scams. Cybercriminals focused on stealing financial data from users have increased the compromise of online order forms and installation of card skimming code on these web pages. We have seen a 26 percent increase in this kind of attack from February to March 2020.

You can find out more about the rise in card skimmers, and about some notable companies whose customers have become victims of this method of attack, on the Malwarebytes Labs blog: “Online credit card skimming increased by 26 percent in March.”

State Sponsored Attacks

Using COVID-19 as bait to trick users is not solely a trick of the commercial cybercriminal; in fact, numerous state-sponsored groups have used this theme in phishing attacks against relevant targets. From late January on, several cybercriminal and state-sponsored advanced persistent threat (APT) groups have been using coronavirus-based phishing as their infection vector to gain a foothold on victim machines and launch malware attacks.

Mirroring the spread of the coronavirus itself, targets in China were hit first by APT groups, and as the virus spread worldwide, so did the attacks. The method of delivering threats by email varies by group: some use template injection, others use RTF exploits, and the majority use malicious macro scripts, the same modus operandi as non-state-funded attackers.

To read more about state-sponsored actors using COVID-19 as bait, check out the Malwarebytes Labs blog and a recent white paper we released: “APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure.”
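
Two of the delivery methods described above, remote template injection and macro-bearing documents, can be triaged without opening the attachment, because an Office Open XML file is a ZIP archive: the relationship files inside it declare any externally hosted template, and a vbaProject.bin part means the document carries VBA macros. The Python scanner below is an added example written for this page; it is not Malwarebytes tooling and not code taken from any campaign the report describes. The sample documents it builds in memory are constructed, minimal containers (not valid Word files), and the template URL http://example.invalid/t.dotm is a placeholder. RTF exploits are out of scope, since RTF is not a ZIP container.

```python
"""Triage an Office Open XML file (docx, docm, xlsm ...) for two phishing delivery
tricks: remote template injection and embedded VBA macros.

Added example for this report, not Malwarebytes code. The sample documents are
constructed in memory and are not valid Word files.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for a document's attached (.dotm) template.
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def scan_ooxml(data: bytes) -> dict:
    """Return findings for an OOXML document supplied as bytes.

    remote_templates: external attachedTemplate targets (template injection)
    macros:           parts named vbaProject.bin (the VBA macro container)
    external_targets: every relationship declared with TargetMode="External"
    """
    findings = {"remote_templates": [], "macros": [], "external_targets": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (ZIP) container; RTF/OLE files need a different parser")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["macros"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # TargetMode defaults to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings["external_targets"].append((name, target))
                if rel.get("Type") == ATTACHED_TEMPLATE_TYPE:
                    findings["remote_templates"].append(target)
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a single triage label, most severe first."""
    if findings["remote_templates"]:
        return "suspicious: remote template"
    if findings["macros"]:
        return "suspicious: macros"
    if findings["external_targets"]:
        return "review: external links"
    return "clean"


def build_sample_docx(template_url: Optional[str] = None, with_macro: bool = False) -> bytes:
    """Constructed minimal container holding only the parts that matter for triage."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_url:
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx()
    lure = build_sample_docx("http://example.invalid/t.dotm", with_macro=True)
    print(verdict(scan_ooxml(benign)))  # clean
    print(verdict(scan_ooxml(lure)))    # suspicious: remote template
</test>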

Protecting Home Base

The threat landscape of the last few months has been very different from the one we saw at the end of 2019. Attacks in the COVID-19 era are focused on stealing your information and using remote employees as doorways into more valuable networks. This means that we need to make sure to spread valuable security knowledge to protect people while they are working at home base.

Gain security through knowledge by:

  • Running security software on any system that is connected to your home network and used regularly. With the current flood of attacks, the malware families being deployed will change quickly to avoid detection, and they are difficult to defeat without up-to-date security tools that monitor system applications and behavior.
  • Using a virtual private network (VPN). A VPN will not protect you from malware, but it does help keep your browser session or network connection from revealing personal information or being used to trace your behavior. This adds a layer of protection when you shop online.
  • Using trusted sources for information, shopping, and applications. The spread of misinformation allows many of the attacks described in this report to flourish, so relying on trusted vendors, websites, and news sources is the best approach.
  • Avoiding repeated entry of credit card numbers into applications. Use a service such as PayPal, Apple Pay, Samsung Pay, or Google Pay, which can offer greater protection of your financial information and reduce the chance that your card details are exposed online.
  • Changing online service passwords from a separate, trusted computer, then thoroughly cleaning the suspected system with an anti-malware application, whenever active infections are identified or a system or data compromise is suspected.

Conclusion

Themed phishing campaigns usually don’t last too long. In fact, once enough information about their existence has been distributed, the attacks will become less effective and we’ll see a return to regular attacks, like those pretending to be from a bank or shipping company. What is likely going to last is the capability of organizations to have their employees working remotely to cut down on overhead or as an alternative to working in an office. This reality also means that attackers who attempt to infiltrate organizations via their remote workers will continue to develop their tactics and techniques long into the future.
