I wanted to leave you all with one final traffic analysis quiz for Windows-based malware infection traffic. You can find the pcaps here. Today’s exercise has 6 pcaps of different Windows-based malware infections. Your task for this quiz? Determine what type of malware caused the infection for each pcap. I didn’t provide any alerts like I’ve done for previous quizes. Today’s quiz is just a casserole of pcap files, cooked up, and served piping hot!
Shown above: A food-based visual for this end-of-year traffic analysis quiz.
A PDF document of answers is also included on the page I linked to earlier. The answers contains associated IOCs for the infections that can be extracted from the pcaps. But don’t peek! First, see how much you can determine from examining the pcaps.
Requirements
This type of analysis requires Wireshark. Wireshark is my tool of choice to review pcaps of infection activity. However, default settings for Wireshark are not optimized for web-based malware traffic. That’s why I encourage people to customize Wireshark after installing it. To help, I’ve written a series of tutorials. The ones most helpful for this quiz are:
Furthermore, I recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic. Some of these pcaps contain HTTP traffic sending Windows-based malware. If you’re using a Windows host to review the pcaps, your antivirus (or Windows Defender) may delete the pcap or malware. Worst case scenario? If you extract the malware from the pcaps and accidentally run the files, you might infect your Windows computer.
So beware, because there’s actual malware involved in parts of this quiz.
Final words
Hope everyone has a happy and healthy year as we enter 2021.
Again, the pcaps and answers for this end-of-year traffic analysis quiz can be found here.
How K-12 IT Teams Are Becoming the New Line of Defense in Cyberbullying The statistics surrounding cyberbullying continue to be worrisome. A recent study by Pew Research discovered that about 60% of teens have been the victims of cyberbullying. But, even more disturbing is that the majority of students think that teachers, social media sites, […]
How K-12 IT Teams Are Becoming the New Line of Defense in Cyberbullying The statistics surrounding cyberbullying continue to be worrisome. A recent study by Pew Research discovered that about 60% of teens have been the victims of cyberbullying. But, even more disturbing is that the majority of students think that teachers, social media sites, […]
In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.
It was a stressful and confusing time, and during it, cybercriminals adapted–sometimes a little too well.
Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious–as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.
These are the most enticing–or the most impossible-to-ignore–cyberattack lures and cyberattack capabilities of 2020.
Coronavirus, coronavirus, coronavirus
Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.
One of the many impersonations found online immediately following the pandemic
We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.
Tupperware credit card skimmer just one of many similar attacks
In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.
But where online shopping increased, so did attempts to steal online credit card data.
In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.
To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to checkout from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.
The rogue payment form that greeted victims of the attack on Tupperware
After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late–the cyberthieves already had what they wanted.
Emotet blends into the crowd (of email attachments)
In 2020, one of the most devastating cyberthreats seriously improved its camouflage.
For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.
For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and yet another ransomware called Ryuk.
Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.
We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.
Ransomware grows fond of extortion
In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.
This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.
In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:
“I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed Maze ransomware in their network.
They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.”
We gave them time to think until this day, but it seems they abandoned payment process.”
The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.
Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following that extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involves extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.
If only threat actors didn’t look to other threat actors for inspiration.
Release the Kraken
In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.
The attack first came through a malicious document–that was likely spread through spearphishing campaigns–that promised information about obtaining workers’ compensation. Opening the document enabling its content will then allow for a connection to “yourrighttocompensation[.]com” and it will result in a separate, downloaded image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.
The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few, sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode then also checks for a debugger. After one last, final debugging check, it creates its final shellcode in a new thread.
After all that work, the final shellcode in a set of instructions makes an HTTP request to download a malicious payload.
There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.
Phew!
Imposter syndrome
In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.
The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.
The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.
Scammers created a convincing copy of our site because they copied everything we wrote
The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.
If these cyberthieves were trying to flatter us, it didn’t work.
A very long year
In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.
It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.
Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.
Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold. Read More
In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.
It was a stressful and confusing time, and during it, cybercriminals adapted–sometimes a little too well.
Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious–as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.
These are the most enticing–or the most impossible-to-ignore–cyberattack lures and cyberattack capabilities of 2020.
Coronavirus, coronavirus, coronavirus
Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.
One of the many impersonations found online immediately following the pandemic
We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.
Tupperware credit card skimmer just one of many similar attacks
In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.
But where online shopping increased, so did attempts to steal online credit card data.
In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.
To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to checkout from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.
The rogue payment form that greeted victims of the attack on Tupperware
After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late–the cyberthieves already had what they wanted.
Emotet blends into the crowd (of email attachments)
In 2020, one of the most devastating cyberthreats seriously improved its camouflage.
For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.
For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and yet another ransomware called Ryuk.
Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.
We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.
Ransomware grows fond of extortion
In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.
This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.
In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:
“I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed Maze ransomware in their network.
They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.”
We gave them time to think until this day, but it seems they abandoned payment process.”
The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.
Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following that extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involves extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.
If only threat actors didn’t look to other threat actors for inspiration.
Release the Kraken
In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.
The attack first came through a malicious document–that was likely spread through spearphishing campaigns–that promised information about obtaining workers’ compensation. Opening the document enabling its content will then allow for a connection to “yourrighttocompensation[.]com” and it will result in a separate, downloaded image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.
The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few, sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode then also checks for a debugger. After one last, final debugging check, it creates its final shellcode in a new thread.
After all that work, the final shellcode in a set of instructions makes an HTTP request to download a malicious payload.
There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.
Phew!
Imposter syndrome
In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.
The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.
The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.
Scammers created a convincing copy of our site because they copied everything we wrote
The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.
If these cyberthieves were trying to flatter us, it didn’t work.
A very long year
In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.
It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.
Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.
In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.
It was a stressful and confusing time, and during it, cybercriminals adapted–sometimes a little too well.
Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious–as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.
These are the most enticing–or the most impossible-to-ignore–cyberattack lures and cyberattack capabilities of 2020.
Coronavirus, coronavirus, coronavirus
Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.
One of the many impersonations found online immediately following the pandemic
We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.
Tupperware credit card skimmer just one of many similar attacks
In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.
But where online shopping increased, so did attempts to steal online credit card data.
In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.
To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to checkout from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.
The rogue payment form that greeted victims of the attack on Tupperware
After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late–the cyberthieves already had what they wanted.
Emotet blends into the crowd (of email attachments)
In 2020, one of the most devastating cyberthreats seriously improved its camouflage.
For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.
For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and yet another ransomware called Ryuk.
Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.
We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.
Ransomware grows fond of extortion
In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.
This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.
In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:
“I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed Maze ransomware in their network.
They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.”
We gave them time to think until this day, but it seems they abandoned payment process.”
The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.
Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following that extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involves extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.
If only threat actors didn’t look to other threat actors for inspiration.
Release the Kraken
In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.
The attack first came through a malicious document–that was likely spread through spearphishing campaigns–that promised information about obtaining workers’ compensation. Opening the document enabling its content will then allow for a connection to “yourrighttocompensation[.]com” and it will result in a separate, downloaded image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.
The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few, sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode then also checks for a debugger. After one last, final debugging check, it creates its final shellcode in a new thread.
After all that work, the final shellcode in a set of instructions makes an HTTP request to download a malicious payload.
There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.
Phew!
Imposter syndrome
In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.
The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.
The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.
Scammers created a convincing copy of our site because they copied everything we wrote
The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.
If these cyberthieves were trying to flatter us, it didn’t work.
A very long year
In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.
It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.
Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.
In 2020, we experienced a major shift. Much of the world pitched in to limit the spread of the coronavirus, with people changing their daily routines to include a mixture of working from home, standing in socially-distanced lines, and awaiting local rules about what they could and could not do with members of different households.
It was a stressful and confusing time, and during it, cybercriminals adapted–sometimes a little too well.
Today, we’re going to talk about some of the most nefarious and shameful tricks we saw online in 2020. What we’re sharing is not a list of the most destructive attacks or the most serious–as that list would certainly be topped by the recent SolarWinds attack. Instead, this is a list of the cyberattacks and cyberattack techniques that surprised us, whether because of their near-imperceptibility, or because of their severe harshness.
These are the most enticing–or the most impossible-to-ignore–cyberattack lures and cyberattack capabilities of 2020.
Coronavirus, coronavirus, coronavirus
Beginning in February, Malwarebytes and many other cybersecurity researchers had already recorded a significant uptick in coronavirus lures being used to trick people into opening malicious emails and visiting dangerous websites.
One of the many impersonations found online immediately following the pandemic
We see this story during every major crisis: A panicked and confused public look for answers anywhere, including their inboxes. By taking advantage of this fear, threat actors are able to swindle countless victims who only wanted some guidance and clarity in their lives.
Tupperware credit card skimmer just one of many similar attacks
In the earliest days of responding to the coronavirus pandemic, local and state governments across the world began shutting down non-essential storefronts in an effort to limit the spread of COVID-19. While grocery stores and pharmacies remained open, other retail stores were sometimes forced to shift to an entirely online business model, since foot traffic became non-existent. This meant more stores selling more items online, and more people making their purchases on the Internet.
But where online shopping increased, so did attempts to steal online credit card data.
In March, Malwarebytes uncovered an active cyberattack against the food storage product-maker Tupperware. In the attack, threat actors managed to compromise Tupperware’s primary website by inserting a malicious code within an image file that would trigger a fraudulent payment form during the checkout process.
To unsuspecting users, the cyberheist was nearly undetectable. Upon trying to checkout from Tupperware’s online store, victims would first be shown a fraudulent, convincing payment form that asked for their credit card number, expiration date, and three-digit security code.
The rogue payment form that greeted victims of the attack on Tupperware
After victims confirmed their credit card details, they then received a warning notice that the website had timed out, and that they had to enter their credit card details a second time. Though this second payment form was actually legitimate, it was too late–the cyberthieves already had what they wanted.
Emotet blends into the crowd (of email attachments)
In 2020, one of the most devastating cyberthreats seriously improved its camouflage.
For more than two years, a dangerous malware called Emotet has proved to be one of the biggest threats facing businesses across the world. That’s because Emotet, which began as a banking Trojan, has evolved into a sophisticated threat that often serves as a first step into broader and longer-lasting cyber damage.
For most businesses today, an Emotet attack is no longer just an Emotet attack. Instead, a successful Emotet attack can go undetected for days or even weeks. In the meantime, threat actors can use Emotet to download a separate banking Trojan called Trickbot, and yet another ransomware called Ryuk.
Making matters worse is that, over the years, Emotet has become increasingly hard to spot on first read. The banking Trojan is primarily spread through malspam, which are malicious emails that contain dangerous attachments like macro-enabled documents or other dangerous links. While similar malspam efforts are easy to detect, like the one-off billing invoice from a never-seen email address, Emotet is different.
We don’t know when we’ll finally be rid of Emotet, but we know that day can’t come soon enough.
Ransomware grows fond of extortion
In November of last year, a security staffing firm based in Pennsylvania faced an impossible deadline. They had just been hit with a ransomware attack, and, in one of the first documented cases at the time, they were given an option: pay the ransom, or your confidential files get leaked online for everyone to see.
This was the work of the so-called “Maze Crew,” operators behind the Maze ransomware.
In Pennsylvania, the clock was ticking, and the Maze Crew began to signal that it wasn’t playing around. Using an email address connected to Maze ransomware attacks, someone from the Maze Crew emailed a reporter at Bleeping Computer and basically bragged about their attack. In their email, they wrote:
“I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed Maze ransomware in their network.
They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.”
We gave them time to think until this day, but it seems they abandoned payment process.”
The security firm refused to pay Maze Crew’s ransom, and, true to its word, Maze Crew released 700 MB of data and stolen files from the attack.
Interestingly, the operators behind Maze ransomware claimed in November that they were retiring. Whether or not they’re to be believed, the damage they’ve done is everlasting. Following that extortion stint they pulled last year, other threat actors followed suit. In fact, according to one report in August, 30 percent of all ransomware attacks now involves extortion threats. In 22 percent of attacks, threat actors actually take the first step in fulfilling those threats, having exfiltrated data from their targets.
If only threat actors didn’t look to other threat actors for inspiration.
Release the Kraken
In October, our threat intelligence team published its findings on a cyberthreat that is as elusive and as slippery as its name: Kraken.
The attack first came through a malicious document–that was likely spread through spearphishing campaigns–that promised information about obtaining workers’ compensation. Opening the document enabling its content will then allow for a connection to “yourrighttocompensation[.]com” and it will result in a separate, downloaded image. Inside, a malicious macro starts a chain of events that loads and executes a payload from memory.
The payload is a .Net DLL that injects an embedded shellcode into the Windows Error Reporting service, WerFault.exe. But before the attack can actually trigger, the DLL performs a few, sly tricks to avoid detection. First, it checks for the presence of a debugger by measuring the time it takes to complete a certain set of instructions. Then, it checks for the presence of VMware or VirtualBox. It then checks for a processor feature, and the shellcode then also checks for a debugger. After one last, final debugging check, it creates its final shellcode in a new thread.
After all that work, the final shellcode in a set of instructions makes an HTTP request to download a malicious payload.
There is a bit of good news here, though. On further investigation, we found that this sneaky threat was not tied to any active APT group, but instead was the work of red team activities testing security.
Phew!
Imposter syndrome
In April, our team discovered that a group of threat actors had built a malicious website meant to serve as a gate to the Fallout exploit kit, which can distribute the Raccoon information stealer.
The method itself is nothing new, and threat actors build malicious websites all the time for just these types of attacks. What did surprise us, though, is the organization that the threat actors tried to impersonate: It was us, Malwarebytes.
The malicious domain, at malwarebytes-free[.]com, presented users with much of the same information on our own homepage, as that information was simply swiped and reposted.
Scammers created a convincing copy of our site because they copied everything we wrote
The domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and was, at the time, hosted in Russia at 173.192.139[.]27. When we looked closer, we found a short piece of JavaScript on the copycat site that checked a user’s web browser. If the user was visiting the site on Internet Explorer, they would be led to a malicious URL which belonged to the Fallout exploit kit.
If these cyberthieves were trying to flatter us, it didn’t work.
A very long year
In 2020, not only did the coronavirus prove to be one of the most long-running lures to trick people into having their machines infected, but the capabilities of malware increased dramatically.
It isn’t all doom and gloom this year, though. Malwarebytes has done an enormous amount of work to keep you safe, and we’re constantly tracking what goes bump in the night to make sure you’re safe throughout the day.
Also, we shouldn’t get ahead of ourselves and judge all cyberthreats this year by the most alluring ones. In fact, tomorrow, we’re going to take a look at the strangest cyber events of 2020, and, spoiler alert, sometimes threat actors mess up hard.
