October: A Month of Wickedware
October is the perfect month for scary stories, with darkness falling early, howling autumn winds, and signs of Halloween everywhere. While ghost stories may frighten children, there are few things scarier to a business than the story of a very real cyberattack.
October is also National Cybersecurity Awareness Month, an important opportunity to remind ourselves and others to stay vigilant online: checking links and attachments before clicking, confirming that a page's URL really belongs to the organization it claims to represent, downloading apps only from trusted sources, and following best practices for passwords and privacy settings.
Cyberthreats have become big business, and they are getting more sophisticated all the time. Many are highly targeted: you may get an email that looks exactly like it came from the CEO of your company, and only the link or attachment hints that it is an imposter. Recent landing pages and phishing sites we have seen are near-perfect copies of the legitimate sites they imitate ("spoofing"). Attackers count on users to trust links in email that appears to come from Amazon, UPS, Bank of America, DocuSign, and other well-known brands. Spoofing these senders is a common way to get a victim to click through to a phishing page and enter login credentials, which are then captured and sent to an attacker-controlled server.
So, this October, we are sharing information about some of the more insidious threats we’ve detected and blocked in our cloud in the last few months. Zscaler researchers have captured this malware and detonated it to see how it was built and the mischief it was intended to cause.
Get ready for six gruesome tales of malware designed to infect websites and steal your personal information. Trojans that take control of your system remotely and watch what you do. Ransomware that takes your data hostage until you pay. It’s everywhere, creeping its way through the internet looking for a vulnerable system to attack. Don’t let it be yours.
Mean, Malicious Magecart
Magecart is the collective name for a number of criminal groups that have been active for years, all using the same technique: injecting card-skimming JavaScript into online checkout pages. In a recent campaign, skimmers were placed on scores of shopping sites to harvest payment card data and the shoppers' personal information. This skimmer read the checkout form as the customer typed and sent the contents to an attacker-controlled server, so the data was stolen before the customer had even hit the "submit" button; even an abandoned checkout leaks whatever was entered. Unfortunately, the e-commerce retailers rarely know that their sites have been compromised, and their customers are unaware that their information is ending up in a database that can be sold on the black market again and again. Read the Magecart analysis here.
Ruthless Ryuk Ransomware
In its first two months of activity, Ryuk ransomware hit at least three organizations for more than $640,000 in ransom, and several later attacks demanded even more. Why is this ransomware especially tricky? It was written to find and encrypt mapped network drives, not just local disks, and to delete the Volume Shadow Copies on the infected device, so that Windows' built-in file recovery cannot restore anything. Without offline or off-host backups, victims are left to choose between paying the ransom and losing the data forever. Ryuk also stops services before it encrypts: antivirus and backup agents so they cannot interfere, and databases and other applications so the files they hold open can be encrypted. Read the technical analysis of Ryuk here.
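The behaviours described above, deleting shadow copies and stopping services, leave traces in process-creation telemetry before a single file is encrypted, which makes them worth alerting on. The following Python is an added example, not code from the original post or from Zscaler: it runs a few rules over constructed process-creation events (fields loosely modelled on Windows event 4688 / Sysmon event 1, every value invented) and flags a host that shows both backup destruction and tampering with security or database services. The commands matched (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, net stop, taskkill) are the usual Windows ways to perform these actions, not a list taken from the page, and the service watchlist is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample events (hostnames, users and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "ws-42", "user": "jdoe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-42", "user": "jdoe", "cmd": "wmic shadowcopy delete"},
    {"host": "ws-42", "user": "jdoe", "cmd": 'net stop "SQL Server (MSSQLSERVER)" /y'},
    {"host": "ws-42", "user": "jdoe", "cmd": "net stop McAfeeFramework"},
    {"host": "ws-42", "user": "jdoe", "cmd": "taskkill /IM sqlservr.exe /F"},
    {"host": "ws-42", "user": "jdoe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws-07", "user": "backupsvc", "cmd": "vssadmin list shadows"},   # benign: listing, not deleting
    {"host": "ws-07", "user": "backupsvc", "cmd": "net stop Spooler"},        # benign: not on the watchlist
    {"host": "fs-01", "user": "admin", "cmd": r"net use Z: \\fs-01\share"},   # benign: drive mapping
]

# Backup destruction: the two common shadow-copy deletion forms.
SHADOW_DELETE_RX = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# Turning off Windows automatic recovery.
RECOVERY_OFF_RX = re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)
# Service stop / process kill: capture the target so it can be checked against a watchlist.
SERVICE_STOP_RX = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
TASKKILL_RX = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
# Assumed watchlist of security, backup and database product name fragments.
WATCHLIST_RX = re.compile(r"sql|mcafee|sophos|defender|veeam|backup|exchange|oracle", re.I)


def classify(cmd):
    """Return the set of technique labels a single command line triggers (empty if benign)."""
    labels = set()
    if SHADOW_DELETE_RX.search(cmd):
        labels.add("shadow_copy_deletion")
    if RECOVERY_OFF_RX.search(cmd):
        labels.add("recovery_disabled")
    m = SERVICE_STOP_RX.search(cmd)
    if m and WATCHLIST_RX.search(m.group(1) or m.group(2)):
        labels.add("service_stop")
    m = TASKKILL_RX.search(cmd)
    if m and WATCHLIST_RX.search(m.group(1)):
        labels.add("process_kill")
    return labels


def triage(events):
    """Aggregate labels per host so related actions are judged together."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev["cmd"])
    return dict(per_host)


def ransomware_precursor_hosts(events):
    """Hosts showing backup destruction AND service/process tampering; one alone is
    noisy (admins do stop services), the combination is the pre-encryption pattern."""
    return sorted(
        host for host, labels in triage(events).items()
        if "shadow_copy_deletion" in labels and labels & {"service_stop", "process_kill"}
    )


if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, sorted(labels))
    print("precursor hosts:", ransomware_precursor_hosts(SAMPLE_EVENTS))
```

In a real deployment these rules would run over EDR or Sysmon command-line fields, and the shadow-copy rule alone usually justifies an immediate response; the combination rule is there to keep the service-stop signal, which is noisy on its own, from generating false alarms.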
Foul, Frightful Phishing
As users have become wise to phishing schemes in email, attackers have had to up their game. Zscaler researchers reported a rise in phishing pages hosted on Microsoft Azure, more than 2,000 attempts in six weeks, and more recently saw similar activity on the Google-owned domains Appspot.com and Web.app. Hosting on these platforms gives the attacker a page served from a Microsoft- or Google-owned domain with a valid SSL/TLS certificate issued to that provider, so the familiar domain suffix and the browser's padlock raise no suspicion. When clicked, the links served spoofed login pages for popular business applications, such as Outlook, Dropbox Business, SharePoint, and others. As users log in, their credentials are captured and sent to a remote server, and from there attackers can get to the company's data. The practical lesson: a padlock only proves the connection is encrypted to whoever controls the page, and a subdomain or path under a cloud-hosting domain belongs to whoever rented it, not to the provider. Read an analysis of these phishing campaigns here and here.
Creeping around for your cryptocurrency
A RAT (remote access trojan) gives an attacker remote control of an infected machine, and InnfiRAT, which we first detected in September, uses that control to snoop around and steal personal information. Among other things, InnfiRAT looks for cryptocurrency wallet information, such as Bitcoin and Litecoin wallets. It also grabs browser data: saved usernames and passwords, and the cookies that carry session tokens. A stolen session token lets the attacker take over an account the victim is already logged into without ever entering a password, and the browsing data reveals exactly what the victim did online. In addition, this RAT has screenshot functionality, so it can capture open windows, including documents and email, and send the images to a remote server. How does it do so much without being noticed? Before it starts, it checks for running antivirus programs. Read more about InnfiRAT here.
The Sinister Saefko RAT
In August, ThreatLabZ came across a new RAT for sale on the dark web. The RAT, called Saefko, hands administrative control of the system to the intruder, who can monitor activity through key-logging (recording every keystroke). It works in the background, undetected, and registers itself to start every time you log in. It reads your browser history looking for credit card activity, social media use, gaming, cryptocurrency, shopping, and more, sends what it has collected to its command-and-control (C&C) server, and requests further instructions. The C&C can instruct the malware to report system information, after which the RAT begins to collect a broader range of data, including screenshots and video. Read the technical analysis of Saefko here.
The Nefarious Felipe
Felipe is an info-stealer trojan that silently installs itself on your system and connects to a C&C server, reporting details of the compromised machine, including its IP address, city, region, and country. Felipe also hunts for bank cards by looking for strings of digits whose prefixes and lengths match Visa, Mastercard, American Express, and Discover cards, and it can even validate the candidates: card numbers carry a checksum digit, so a checksum test weeds out random digit strings that merely look like a card. Once it has infected a machine, Felipe also schedules a date and time to run again and perform further malicious activity. Read about the Felipe trojan here.
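How a card-number check of this kind works, as an added example that is not code from the original post or from the Felipe sample: it pulls 13 to 19 digit runs out of text, matches them against the publicly documented issuer prefixes and lengths for the four brands named above, and keeps only the candidates that pass the Luhn checksum. The sample text and the simplified brand rules are assumptions for illustration. The same logic is what a DLP scanner uses to find card data in outbound traffic, which is why the result is masked to the last four digits rather than reported in full.

```python
import re

# Digit runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RX = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Publicly documented issuer prefixes and lengths, simplified to the main ranges
# (assumption: the page does not say which prefixes Felipe matches).
BRAND_RULES = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),                                  # 13, 16 or 19 digits
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),  # 16
    ("American Express", re.compile(r"^3[47]\d{13}$")),                                       # 15 digits
    ("Discover", re.compile(r"^(?:6011|65\d{2}|64[4-9]\d)\d{12}(?:\d{3})?$")),                # 16 or 19 digits
]


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9 if the
    result exceeds 9, and the sum of all digits must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits):
    """Return the issuer name for a digit string, or None if no prefix/length rule fits."""
    for brand, rx in BRAND_RULES:
        if rx.match(digits):
            return brand
    return None


def mask_pan(digits):
    """Keep only the last four digits, which is all an alert or log should carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text):
    """Return (brand, masked_number) for every digit run that has a known issuer
    prefix AND passes Luhn. A prefix match alone is not enough, which is why a
    mistyped card number or an unrelated 16-digit identifier is not reported."""
    found = []
    for m in CANDIDATE_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = classify(digits)
        if brand and luhn_ok(digits):
            found.append((brand, mask_pan(digits)))
    return found


# Constructed sample text; the numbers are the well-known public test card numbers.
SAMPLE_TEXT = """
Order notes (constructed sample, not real card data):
visa test card 4111 1111 1111 1111 exp 12/24
mastercard 5555-5555-5555-4444
amex 378282246310005
discover 6011111111111117
mistyped visa 4111 1111 1111 1112 fails the checksum
tracking number 1234567890123456 is not a card
"""

if __name__ == "__main__":
    for brand, masked in find_cards(SAMPLE_TEXT):
        print(f"{brand}: {masked}")
```

The checksum is what makes a scanner useful: sixteen-digit strings are everywhere (tracking numbers, account IDs, timestamps), but only about one in ten random strings passes Luhn, and far fewer also start with a valid issuer prefix.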
Don’t be afraid. Be aware.
In recognition of National Cybersecurity Awareness Month 2019, Zscaler reminds you to be diligent about protecting your data and following security best practices, like those recommended by the NICCS.
ThreatLabZ is the research arm of Zscaler, the leader in cloud security. The Zscaler cloud processes 70 billion internet transactions and detects 120 million threats and policy violations every day. As ThreatLabZ researchers detect new threats, they detonate them in the Zscaler Cloud Sandbox to determine their origin, analyze their code, and watch their behavior for unique attack methods and techniques for evading detection. ThreatLabZ shares its research with partners and other research organizations to stay ahead of threats and create a safer internet.