ArcTitan

Babuk Ransomware Among new Cyberattack Threats in 2021

Babuk Ransomware Among new Cyberattack Threats in 2021

2021 has, so far, seen a massive rise in the introduction of new strains of ransomware being used to infiltrate the networks of enterprise organizations.

This represents a shift in the tactics of cybercriminals who spent most of 2020 trying to take advantage of workers who were forced into unsecured home-working environments by the COVID-19 pandemic. In the opening months of 2021 there is a clear surge in the amount of attacks that are concentrating on the employees who are slowly returning to large office settings.

One such strain of ransomware is called Babuk. This involves a request being sent to individuals, whose data has been encrypted, that seeks a $60k-$85k ransom to be transferred in order for the private keys to remove encryption to be handed over. Babuk, which is similar to regular ransomware campaign, includes a number of characteristics that have been designed specifically with companies in mind as a target.

Babuk disables many of the backup features available in Windows. The first feature to be made redundant is the Volume Shadow Copy Service (VSS) used to take backups of files in use. With this feature disabled, users cannot retrieve their current active files. It also disables file locking mechanism used on open and active files. For businesses using backup features in Microsoft Office, Babuk also turns off these features.

Babub then moves on to encrypting the database. This is completed by double-encrypting files that are smaller that 41MB, files larger than this are split prior to encryption. The encryption cipher being used is ChaCha8 which is generated from a SHA-256 hash – a cryptographically secure hashing algorithm. Unlike normal ransomware, Babuk only uses one private key as it is focused on infiltrating enterprise users.

There are a couple of ways that you can prepare for Babuk trying to attack and encrypt your databases. You will mitigate some of the danger by placing your own encryption on particularly important files. This will prevent Babuk from doing the same. Additionally, using a cloud backup will mean that there backups available for you to restore your information without handing over a ransom.

Monitoring software will weed out suspicious traffic on the network and, in doing so, prevent malware from encrypting files or exfiltrating data. System administrators will then be made aware of this and review the activity in question to gauge the threat level. Another strong security measure is using email filters with artificial intelligence (AI) that will allow you to spot potentially dangerous messages and attachments. They can then be quarantined and reviewed by an administrator. This method cuts out the possibility of human error leading to a malicious file being downloaded and initiating an encryption process.

Training and user education will also assist in preventing human error. This will involve providing staff with the knowledge required to spot threat. They will also be able to warn administrators about potential attacks and avoid running attachments on their local devices.

SpamTitan Email Security is a strong cybersecurity solution that will assist greatly in bring the risk of network infiltration down to an acceptable and manageable level. Call SpamTitan now to enquire about a free trial to witness the strength and value of the solution for yourself.

Malware Campaigns Being Shared Using Telegram Messaging Platform

The popularity of the Telegram messaging platform has grown a lot in recent years, with massive migration in WhatsApp users jumping ship following amendments to that service’s privacy and data management policies.

In particular Telegram has been widely used by hackers to conduct malware campaigns. Recently, a campaign has been discovered that shares a new malware strain called ToxicEye. ToxicEye malware is a Remote Access Trojan (RAT) that gives hackers complete management of an infected device. The malware is used to exfiltrate sensitive data and download other malware strains.

The malware takes advantage of the command and control server communications of Telegram accounts. Using the hacker’s Telegram account, an infected can be managed using ToxicEye to steal data and share more malicious payloads.

Telegram is a popular messaging service with over 63 million downloads and has approximately 500 million active users globally. IN particular there has been massive growth since the beginning of the COVID 19 pandemic with the app being implemented by many businesses who have been using it to allow their remote workers to communicate and collaborate. The app supports secure, private messaging and most companies allow Telegram to be implemented and do not block or audit communications.

Creating a Telegram account is simple and hackers can hide their identity. All that is needed to create an account is a mobile phone number, and the communication infrastructure permits hackers to easily steal data and send files to malware-infected devices unnoticed.

Telegram is also being implemented for sharing malware. Hackers can set up an account, use a Telegram bot to interact with other users and send files, and it is also possible to share files to non-Telegram users via phishing emails with malicious attachments. It is phishing emails that are being used to share ToxicEye malware. Emails are issued with a .exe file attachment, with one campaign using a file titled  “paypal checker by saint.exe” to download the malware.

If the attachment is opened and initiated, a connection will be made to Telegram which allows malware to be downloaded by the hacker’s Telegram bot. The attackers can carry out a variety of malicious activities once the malware is in place, with the main goals of the cybercriminals being gathering information about the infected device, locating and exfiltrating passwords, and exfiltrating cookies and browser histories.

ToxicEye malware can disable active processes and take management of Task Manager, capture audio and video, remove clipboard contents, and launch other malware strains – including keyloggers and ransomware.

TitanHQ has two solutions available that can safeguard your network and devices from ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a strong email security solution that will prevent malicious emails sharing the executable files that download the ToxicEye RAT and other malware. For even more security, SpamTitan should be connected to WebTitan web security. WebTitan is a DNS-based web filtering service that can be set up to prevent access to Telegram if it is not in use and review traffic in real time to discover possibly dangerous message.

To find out more about these solutions, how much it costs, and to register for a free trial, get in touch with TitanHQ now.

Phishing and Malware Distribution Campaigns focus on Discord

Cybercriminals have long targeted cloud-based instant messaging service which provide easily communication between users. One of the these services that was recently leveraged by hackers is Discord, The platform is now being extensively used to spread phishing and malware.

VoIP, instant messaging and digital distribution is available from Discord and, due to this, it was used by gaming community before gaining more popularity among a wider variety of users. 150 million users worldwide were registered during 2019 and the surge in membership has continued since then. Additionally, the service has, for some time, been use by cybercriminals vie the platform’s live chat feature for selling and trading stolen data, anonymous communications, and to act as C2 servers for communicating with malware-infected devices.

Throughout 2021, the service has been widely used for sharing malware variants including information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware by abusing the cdn.discordapp.com service.

Similar to other collaboration apps, Discord uses content delivery networks (CDNs) for storing shared files within channels. Hackers can place malicious files on Discord and create a public link for sharing, and that link can be shared with anyone, not just Discord users. The URL generated for sharing begins with https://cdn.discordapp.com/ so anyone who is sent the link will see that the link is for a legitimate site. While there are controls to stop malicious files from being uploaded, in a lot of cases hackers can bypass those protections have get their malicious files hosted, and alerts are not always shown to users about the risk of clicking on files from Discord.  Since the malicious payloads are sent over  encrypted HTTPS, the downloads can be masked from security solutions.

Additionally, once uploaded, the malware can be removed from a thread, but it is still accessible using the public URL. Users are often fooled into installing these malicious files under the guise of pirated software or games. Gamers have been focused on as their PCs typically have a high spec for gaming, which makes them perfect for cryptocurrency mining.

This style of malware campaign means that malware developers and distributers can simply share their malicious payloads with a high degree of anonymity. A review by Zscaler discovered over 100 unique malware samples from Discord in the Zscaler cloud in just a two-month time space. Another review of Discord CDN results discovered approximately 20,000 results on VirusTotal.

The Discord app is also easy to configure to carry out malicious actions. Malicious JavaScript code can simply be added to the legitimated Discord client files and can be set up and run every time the client is initiated or when specially designed URLs are opened by the client.

Discord is not the sole communication and collaboration solution to be leveraged by hackers. Slack and Telegram are also being abused in phishing campaigns and for malware campaigns.

If you would like to enhance email security get in touch with TitanHQ now to discover more about these award-winning cybersecurity solutions.

Phishing Emails & Hijacked Web Forms Used to Boost IcedID Malware Campaigns

Cybercriminals are constantly coming up with new ways to infiltrate databases in order to maximise the return on the investment they make in these attacks.

Even so, campaigns involving the use of spam and phishing emails remain the most witnessed attack vectors for spreading delivering malware. However, a new method has been identified recently in a campaign conducted by the threat group managing the IcedID banking Trojan cum malware downloader. This new method involves hijacking contact forms on company web pages. Contact forms are a feature of the vast majority of websites and are used to gather information on website visitors for follow up contacts. More often than not these forms  have CAPTCHA security measures to safeguard the form from malicious campaigns.

Despite this those responsible for the IcedID banking Trojan have discovered a workaround to avoid the CATCHA security measures and, due to this, have been able to implement contact forms to deliver malicious emails. The emails the the contact forms transmit are normally sent to to inboxes that have whitelisted their email address. This means that that avoid email security gateways.

In the IceID campaign, the contact forms are being implemented to share messages claiming the recipient is going to be subjected to a legal action in relation to a copyright violation. The messages submitted claim the company has incorporated images on its web page, added without the image owner’s explicit authorization. The recipient is informed that a legal action will commence message if the images are not immediately removed from the website at once. It also provides a hyperlink to a Google Site that lists details of the copyrighted images and proof they are the intellectual property of the sender of the message.

If the hyperlink is visited to review the supplied evidence then the browser will install a zip file containing an obfuscated .js downloader that will send the IcedID payload. Once IcedID is placed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.

IcedID distribution has been on the rise recently, not only via this attack vector but also in phishing campaigns. A large-scale phishing drive has been discovered that employs a range of business-themed lures in phishing campaigns with Excel attachments that have Excel 4 macros that transmit the banking Trojan.

The surge in IcedID malware distribution is thought to be just one element of a campaign to infect large numbers of devices to evolve a botnet that can be rented out to other cybercriminal collectives under the malware-as-a-service model. Now that the Emotet botnet has been deactivated there is a gap in the market for something like this and IcedID seems to be trying to take advantage of this.

If you would like to discover how you can safeguard your company from IceID and other malware attacks, at a reasonable price, contact the TitanHQ as soon as you can to see how TitanHQ email and web security measures are give 5-star recommendations from users for security, cost, simplicity, and customer service and support.

How Can You Prevent Email Impersonation Attacks on Your Businesses?

In 2020, ransomware attacks increased and soaring and phishing and email impersonation attacks were witnessed at worryingly high levels.

Specialists in cybersecurity have already calculated that 2020 saw a global cost to businesses caused by ransomware will come in around $20bn. It has also be predicted that the ransomware will remain the main attack vector of hackers for years to come as it is a proven way of earning money for these groups.

The main focus of these attacks has always been large companies due to the huge amounts of personal data they manages and the potential for using this in identity theft campaigns. Smaller companies are a less attractive target. However, they also manage considerable amounts of customer data and attacks can still be return a lot of money for hackers. While the large enterprises are a lucrative target they can be tricky to infiltrate as they invest so much in cybersecurity measures. As smaller enterprises would not have a large budget to invest in cybersecurity they can have a number of weaknesses that would make them much easier for hackers to infiltrate.

This is why small to medium enterprises are often targeted with phishing campaign. Should a phishing email makes it to an employee inbox, there is a good possibility that he message will be opened and important details will  be compromised or malware will be downloaded.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.

In these phishing emails the sender of the message is spoofed so the email looks like it was shared from a known individual or company. The email will feature an authentic email address on a known business domain. Without proper security measures configured, that message will land in inboxes and many staff members are likely to be tricked into sharing their credentials or open an infected file which downloads malware. More often than not, they will not realize they have been tricked.

One way of blocking these phishing messages from landing in staff inboxes is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. Simply put, DMARC includes two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based filtering security measure that helps to discover spoofed messages. SPF established authorized sender IP addresses on DNS servers. Recipient servers carry out lookups on the SPF records to make sure that the sender IP is one of the authorized vendors on the group’s DNS servers. If there is a match the message is sent to the requested inbox. If the check does not match, the message is rejected or quarantined.

DKIM includes the use of an encrypted signature to prove who the sender is. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that do not meet the authentication requirements. Quarantining messages is useful as it means network managers can review to see if genuine emails have not been flagged by mistake.

Reports can be made available d to monitor email activity and network managers can see the number of messages that are being rejected or dropped. A quick rise in the number of rejected messages indicates an attack is current.

DMARC might appear complicated. However, if it is set proper properly it will prove an invaluable security tool that defends against phishing and dangerous email content.

TitanHQ’s anti-phishing and anti-spam service used DMARC to prevent email impersonation attacks in addition to advanced anti-malware features such as a Bitdefender-powered sandbox. For more details about tackling  email impersonation on your organization contact TitanHQ now.

 

New Saint Bot Malware Dropper Shared using Phishing Emails

A new malware variant being referred to as Saint Bot malware is being shared using phishing emails that feature a Bitcoin-themed lure. As Bitcoin values continue surge upwards it is thought that the lure will be more effective than ever and fool many into clicking on the attached files to use the bitcoin wallet.

The phishing emails inform the recipient that a Bitcoin wallet in the included Zip file. The Zip file comes with a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader installs an obfuscated .Net dropper and downloader, which will then load a BAT script that disables Windows Defender and the Saint Bot malware binary. If someone should follows these instructions it will set off a process that will result in the Saint Bot malware being installed on the device.

A feature of the Saint Bot malware dropper is that is can deliver secondary payloads including information stealers, although it can be used to drop any possible strain of malware. This new strain was initially discovered by researchers at Malwarebytes. They found that there are no novel techniques at play with this malware. However, appears that the malware is being continually evolved. Currently, detections have been at a comparatively minimal but Saint Bot malware could grow into a serious threat for email users.

Once installed the malware can find out if it is in a controlled environment and will remove itself should that be the case. Conversely, should it not be a controlled environment the malware will communicate with its hard-coded command and control servers, send information collated from the infected system, and install secondary payloads to the infected device using Discord.

The malware is not characteristic of a particular threat group and could well be shared to multiple actors using darknet hacking forums, but it could well become a significant threat and be used in widespread campaigns to take advantage of the opportunity in the malware-as-a-service (MaaS) market created by the takedown of the Emotet Trojan.

Safeguarding your database from malware downloaders such as Saint Bot malware requires a defense in depth approach. The simplest method of preventing infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that spread the malware. Antivirus software should also be configured on all endpoints and set to update automatically, and communication with the C2 servers should be tackled using firewall rules.

Along with technical security, it is crucial to conduct security awareness training to the workforce to help staff spot malicious emails and show them how to react when a possible threat is discovered.