QRAT Malware Being Delivered by Trump-Themed Phishing Emails

The Qnode Remote Access Trojan (QRAT) is currently being distributed via a Trump-themed phishing campaign, masked as a video file that claims to be a Donald Trump sex tape.

A Java-based RAT, QRAT was initially witnessed during 2015 that has been used in many different phishing campaigns over the years, with a vast increase in distribution witnessed since August 2020. Interestingly, the malicious file attachment – titled “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no resemblance to the phishing email body and subject line, which provides a loan offer for an investment for a dream project or business strategy. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be supplied if there is a good return on the investment and between $500,000 and $100 million can be provided. It is not mentioned whether a mistake has been made and the wrong file attachment was placed in the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are trick to fool many end users, there may be sufficient interest in the video to spark the interest of some recipients.

The phishing campaign seems to be poorly composed, but the same cannot be said of the malware the campaign is trying to infiltrate networks with. The recent version of QRAT shared in this campaign is more sophisticated than earlier witnessed versions, with several enhancements made to bypass security solutions. For example, the malicious code deployed as the QRAT downloader is obfuscated and split across many different buffers inside the .jar file.

Phishing campaigns often aim for interest in topical new stories and the Presidential election, claims of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is possible that this will not be the only Trump-themed phishing campaign to be carried out over the coming days and months.

This campaign seems to be concentrated on companies, where the potential profits from a malware infection is likely to be far greater than an attack on consumers. Blocking threats such as this is simplest with an advanced email security solution capable of detecting known and new malware strains.

SpamTitan is an strong, inexpensive spam filtering for businesses and the leading cloud-based spam filter for managed service providers for the SMB sector. SpamTitan uses dual anti-virus engines to spot known malware threats, and a Bitdefender-powered sandbox to spot zero-day malware. The solution also supports the blocking of dangerous file types such as JARs and other executable files.

SpamTitan is excellent for preventing phishing emails without malicious attachments, including emails with hyperlinks to malicious web pages. The solution has many threat detection features that can spot and block spam and email impersonation attacks and machine learning technology and different multiple threat intelligence feeds that provide protection against zero-minute phishing campaigns.

One of the chief reasons why the solution is such as popular option for SMBs and MSPs is simple installation, use, and management. SpamTitan removes the complexity from email security to permit IT teams to focus on other key duties.

SpamTitan is the most highly rates solution on review sites such as Capterra, GetApp and Software Advice, is a top three solution in the three email security classifications on Expert Insights and has been a market  leader in the G2 Email Security grids for 10 consecutive quarters.

If you would like a spam filtering solution that is strong and simple to deploy, give the TitanHQ team a call to set up a free trial of SpamTitan.

Emotet Botnet Springs Back to Life and Delivers TrickBot Christmas Present

The Emotet botnet is back up and running, after an right-week absences, and has been witnessed carrying out a phishing email campaign that is sharing between 100,000 and 50,0000 emails to recipients daily.

Emotet was first tracked during 2014 and began life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now famous as a malware downloader that is used to send a range of secondary payloads. The malware payloads it sends also act as malware downloaders, so infection with Emotet often leads to multiple malware infections, with ransomware often shared as the final payload.

Once Emotet is downloaded on an endpoint it is added to the Emotet botnet and is used for spam and phishing attacks. Emotet sends copies of itself using email to the user’s contacts along with other self-propagation mechanisms to infiltrate other computers on the network. Emotet can be complex to remove from the network. Once one computer is managed, it is often reinfected by other infected computers on the network.

Emotet often goes inactive for many weeks or even months, but even with long gaps in operations, Emotet is still the chief malware threat. Emotet went dormant around February 2020, with activity back live five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it came back in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads like as Qakbot and ZLoader.

During the periods of inactivity, the threat actors responsible for the malware are not necessarily inactive, they just halt their distribution campaigns. During the breaks they update their malware and came back with a new and improved version that is more effective at evading security measures.

The most recent campaign uses similar tactics to past campaigns to maximize the probability of end users clicking on a malicious Office document. The phishing emails are usually personalized to make them look more authentic, with Emotet using hijacked message threats with malicious content included. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a better chance that the recipient will open the email attachment or click a malicious URL.

This campaign targets password-protected files, with the password to open the file supplied in the message text of the email. Since email security solutions cannot open these files, it is more likely that they will be sent to inboxes. The malicious documents shared in this campaign contain malicious macros. If the macros are turned on – which the user is told is necessary to view the content of the document – Emotet will be installed, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant like as Ryuk.

Earlier campaigns have not shown any additional content when the macros are turned on; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an mistake opening the file. This is likely to make the user think that the Word document has been corrupted. A variety of themes are used for the emails, with the most recent campaign using holiday season and COVID-19 related lures.

A review by Cofense identified several changes in the most recent campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been amended and now uses binary data rather than plain text, both of which make the malware harder to spot

Firms need to be particularly careful and should act swiftly if infections are detected and should take steps to ensure their networks are safeguarded with anti-virus software, security policies, spam filters, and web filters.

Beware of COVID-19 Vaccine Phishing Scams!

Hackers are attempting to use the roll our of COVID-19 vaccination programs around the world by launching a host of COVID-19 vaccine phishing campaigns in order to illegally obtain private protected data including passwords details for networks and databases and also to speed up the distribution of their malware emails.

A number of US-based government bodies have already made malwares warnings for businesses and consumers public. These agencies the Federal Bureau of Investigations (FBI), the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services.

These malware attacks will be disguised in a number of different ways. Those already identified include offers for early access to COVID-19 vaccine programmes, seeking a payment to skip the line and move to the head of the waiting list, and an offer for email recipients to register for another waiting once they hand over some private personal information – which will later be used to infiltrate personal account with contact details and financial information.

Email is the chosen vector for this COVID-19 vaccine phishing scams but it will be no surprise to see that there are also advertising being conducted across a spectrum of different websites, social media platforms, instant messaging platforms and even using phone calls or SMS messages. The vast majority of these campaigns will take aim at individual consumers but is is expected they they could infiltrate business databases should employees access any of the medium mentioned previously while using their work network – or if the email land in their corporate inboxes.

The scam emails will most of the time have links to web portals, hidden in email attachments to mask them from antivirus software, where information will be gathered that can be used to carry out fraud. In a lot of cases Office documents will be deployed to delivering malware through via malicious macros. Mostly, these emails will claim to be trusted entities or people. COVID-19 vaccine scam emails are likely to disguise themselves as healthcare providers, health insurance firms, vaccine centers, and federal, state, or local public health bodies. Since the outbreak of COVID-19 there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing campaigns.

Recently the U.S. Department of Justice revealed that two websites have been seized that claimed to be vaccine developers. The domains were practically identical to the authentic websites of two biotechnology firms working on vaccine development. The malicious content has been deleted but there is a strong chance that there are a huge number of other domains registered and used in COVID-19 vaccine phishing scams yet to be deployed.

Alerts have also been made public in relation to the dangers of ransomware attacks that take aim to leverage the interest in COVID-19 vaccines and supply the hackers with access to databases that will allow them to launch their attacks.

There are four important measures that companies should deploy to address the danger of being tricked by these scams. Since email is widely used, it is crucial to have a strong spam filtering solution configured. Spam filters access blacklists of malicious email and IP addresses to tackle malicious emails, but since new IP addresses are always constantly being created for these hacking campaigns, it is important to opt for a solution that features machine learning. Machine learning assists in spotting phishing attacks from IP addresses that have not previously been used for malicious purposes and to discover zero-day phishing threats. Sandboxing is also crucial in the fight against zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.

Even though spam filters can identify and block emails that include malicious links, a web filtering solution is also a very important tool for this. Web filters are used to manage the access to websites that employees wish to view and stops visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are always being updated through threat intelligence feeds to put protection in place against recently discovered malicious URLs.

Companies should not forget to conduct end user training and should constantly run refresher training sessions for staff to help them spot phishing attacks and malicious emails. Phishing simulation exercises are also good for evaluating the effectiveness of security awareness training.

Multi-factor authentication should also be implemented as an additional security measure. Should credentials be illegally obtained, multi-factor authentication will help to see to it that stolen details cannot be used to remotely log onto accounts.

Once these measures are put in place companies will be safe from the majority of malware attacks, including COVID-19 vaccine phishing attacks.

Contact the TitanHQ team as soon as you can to find out more about spam filtering, web filtering, and safeguarding your company from malware and phishing attacks.


Malicious Cobalt Strike Script Delivered in Malicious Word Documents

A malicious Cobalt Strike script campaign has been discovered that uses phishing emails, malicious macros, PowerShell, and steganography to take advantage of unsuspecting email recipients.

When the email first lands in an inbox it includes a legacy Word attachment (.doc) with a malicious macro that installs a PowerShell script from GitHub if it is permitted to run. That script then installs a PNG image file from the genuine image sharing service Imgur. The image includes hidden code within its pixels which can be executed with a single command to run the payload. In this instance, a Cobalt Strike script.

Cobalt Strike is a widely-implemented penetration testing tool. While it is used by security experts for legitimate security reasons, it is also of value to hackers. The tool premits beacons to be added to compromised devices which can be used to run PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the hackers bypass detection.

The hiding of code within image files is known as steganography and has been implemented for many years as a way of hiding malicious code, usually in PNG files to prevent the code from being discovered. With this campaign the deception doesn’t finish there. The Cobalt Strike script includes an EICAR string that is aimed at tricking security solutions and security teams into labelling the malicious code as an antivirus payload, except contact is made with the hacker’s command and control server and instructions are recognized.

This campaign was discovered by expert ArkBird who compared the campaign to one conducted by an APT group known as Muddywater, which emerged around 2017. The threat group, aka Static kitten/Seedworm/Mercury, primarily carries out attacks on Middle eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is not known whether this group is to blame for the campaign.

Of course one of the most effective ways to prevent these types of attacks is by stopping the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for reviewing attachments in safety will help to ensure that these messages do not get sent to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent using email.

A web filtering solution is also effective. Web filters like WebTitan can be set up to give IT teams full management over the web content that employees can access. Since GitHub is commonly used by IT expert and other workers for authentic reasons, a group-wide block on the site is not a wise move. Rather, a selective block can be implemented for groups of employees or departments that prevents GitHub and other possibly risky code sharing sites including PasteBin from being accessed, either deliberately or unintentionally, to provide an extra layer of security.

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has released an official alert warning that experienced hackers are currently exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack is thought to be the work of a highly complex, evasive, nation state hacking group who invented a Trojanized strain of Orion software that has been used to deploy a backdoor into customers’ systems labelled SUNBURST.

The supply chain attack has affected  approximately 18,000 customers, who are thought to have installed the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private groups and government bodies.

SolarWinds customers incorporate all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also implemented by 425 of the 500 largest publicly traded U.S. firms. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been targeted. The campaign was first discovered by the cybersecurity company FireEye, which was also attacked as part of this attack.

The attacks began during spring 2020 when the first malicious versions of the Orion software were launched. The hackers are thought to have been active in compromised networks since that time. The malware is evasive, which is why it has taken so long to discover the threat. FireEye commented: “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity”. Once the backdoor has been put in place, the hackers move laterally and steal data.

Kevin Thompson, SolarWinds President and CEO said: “We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state”.

The hackers obtained access to SolarWinds’ software development environment and placed the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were made public between March 2020 and June 2020.

CISA released an Emergency Directive ordering all federal civilian bodies to take swift action to block any attack in progress by immediately unlinking or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been forbidden from “(re)joining the Windows host OS to the enterprise domain.”

All users have been told to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A subsequent hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security measures.

If it is not possible to quickly upgrade, guidelines have been made available by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. The signatures of the backdoor are being included on antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor and users have been advised to complete a full scan.

SolarWinds is working alongside FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the hacking attempts. SolarWinds is also working with Microsoft to remove an attack vector that results in the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently not known which group is to blame for the attack; although the Washington Post claims to have contacted sources who confirmed the attack was the work of the Russian nation state hacking group APT29 (Cozy Bear). An official representative for the Kremlin said Russia had nothing to do with the attacks, saying “Russia does not conduct offensive operations in the cyber domain.”

Vulnerability in VMWare Virtual Workspaces Attacked by Russian State-Sponsored CyberCriminals

The U.S. National Security Agency (NSA) has released a cybersecurity advisory alert informing the public that Russian state-sponsored hackers are focusing on a flaw in VMWare virtual workspaces used to support remote working.

The flaw, labelled as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being targeted to obtain access to enterprise networks and protected data on the impacted systems.

The flaw is a command-injection flaw in the administrative configurator component of the affected products. The vulnerability can be targeted remotely by a hacker with valid details and access to the administrative configurator on port 8443. If successfully taken advantage of, a hacker would be able to execute commands with unlimited privileges on the operating system and access sensitive data.

VMWare launched a patch to address the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been impacted, along with steps to eradicate threat actors who have already exploited the vulnerability.

The flaw may not have been allocated a high priority by system managers as it was only rated by VMWare as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10 assigned to the flaw. The relatively low severity rating as a result of the fact that a valid password must be supplied to exploit the flaw and the account is internal to the impacted range of products. However, as the NSA outlined, the Russian threat actors are already exploiting the flaw using stolen details.

In attacks reviewed by the NSA, the hackers targeted the command injection flaw, installed a web shell, followed by malicious activity where SAML authentication assertions were produced and shared to Microsoft Active Directory Federation Services (ADFS), granting access to secured data.

The best manner of stopping exploitation is to apply the VMWare patch as soon as possible. If it is not possible to apply the patch, it is important to see to it that strong, unique passwords are set to safeguard from brute force attempts to reveal passwords. The NSA also advises administrators ensure the web-based management interface is not accessible via the Internet.

Strong passwords will not stop the flaw from being successfully targeted and will not provide protection if the flaw has already been exploited. NSA said: “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

If linking up with authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for safeguarding SAML assertions. Multi-factor authentication should also be configured.

The NSA has released a workaround that can be used to stop exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication suppliers.

Unfortunately, spotting exploitation of the flaw can be tricky. The NSA explained in the advisory that “network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface.

VMWare advises that all customers refer to VMSA-2020-0027 for information on this flaw.