Threat Report

Friday November 30, 2018

Welcome back. I don’t know if you celebrated the widely known U.S. holiday of Thanksgiving, but I did; and I’m grateful I had the week off. We’ve been keeping our ear to the ground. This week we want to tell you about an Emotet malspam campaign that cashed in on Black Friday, an indictment announced for the authors/distributors of SamSam ransomware, and a serious threat to journalists in Mexico.

Emotet Cashes in on Black Friday

You weren’t the only one shopping on Black Friday. ESET researchers found evidence of a large Emotet campaign running on Black Friday. Like prior campaigns, Emotet was distributed via spam. In this campaign, the attachments and links point to XML files carrying a .doc extension rather than genuine DOC or PDF files.

Emotet is known to distribute various banking malware families known for stealing passwords, credit card details, and access to cryptocurrency wallets. The United States is one of the top five targeted countries, while the UK and South Africa are in the top ten. Since this campaign was focused on Black Friday, it’s safe to say it was targeting U.S. shoppers getting ready to check their bank balance and do some online shopping.
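One gateway-side check for the lure described above, added here as an example and not taken from the ESET research or this report: classify attachments by their leading bytes rather than their extension, and flag a .doc whose content is XML. Word 2003 XML documents announce themselves with an mso-application processing instruction, which the check uses to separate that case from other mismatches; the sample attachments are constructed, and the function names are this example's own.

```python
import re

# Magic bytes for the containers a .doc, .docx or .pdf attachment is expected to carry.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx (ZIP container)
PDF_MAGIC = b"%PDF-"
UTF8_BOM = b"\xEF\xBB\xBF"

# Content formats a mail gateway should accept for each extension.
EXPECTED = {"doc": {"ole2"}, "docx": {"zip"}, "pdf": {"pdf"}}

def sniff_format(data: bytes) -> str:
    """Classify attachment content by its leading bytes, never by its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    head = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if head.lstrip().startswith(b"<"):          # XML declaration or bare root element
        return "xml"
    return "unknown"

def is_word_xml(data: bytes) -> bool:
    """True when the XML carries the Word 2003 XML mso-application processing instruction."""
    return re.search(rb'<\?mso-application\s+progid="Word\.Document"\?>', data[:2048]) is not None

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unhandled' for a filename/content pair."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED:
        return "unhandled"
    return "ok" if sniff_format(data) in EXPECTED[ext] else "mismatch"

# Constructed samples (not real malware): a genuine binary .doc, an XML body named .doc, a PDF.
SAMPLES = {
    "invoice.doc": OLE2_MAGIC + b"\x00" * 24,
    "BlackFriday_Order.doc": (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                              b'<?mso-application progid="Word.Document"?>\n'
                              b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"/>'),
    "receipt.pdf": b"%PDF-1.4\n%\xE2\xE3\xCF\xD3\n",
}

def scan(samples=SAMPLES) -> dict:
    """Map each filename to a verdict, naming the Word-XML-as-.doc case so analysts can triage it."""
    verdicts = {}
    for name, data in samples.items():
        verdict = classify_attachment(name, data)
        if verdict == "mismatch" and is_word_xml(data):
            verdict = "mismatch:word-xml"
        verdicts[name] = verdict
    return verdicts

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:24} {verdict}")
```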

Catch me if you SamSam

The chase is on for two Iranian nationals charged by a U.S. federal grand jury, following a 34-month-long international computer hacking and extortion scheme. Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27) face a total of six counts alleging that they authored and deployed SamSam ransomware against more than 200 victims, including hospitals, municipalities, and public institutions. The counts are as follows: one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

In the Department of Justice indictment, two individuals, Exchanger 1 and Exchanger 2, are listed in the Relevant Individuals and Entities section. In a U.S. Department of the Treasury press release also published on November 28, 2018, Ali Khorashadizadeh and Mohammad Ghorbaniyan are named as the financial facilitators in a malicious campaign involving SamSam ransomware. The press release states that they “helped exchange digital currency (Bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors.”

According to the indictment, beginning in December 2015, the offenders reportedly accessed victim computers without authorization through security vulnerabilities. They then installed and executed SamSam, resulting in the unauthorized encryption of data on the victims’ computers. A Bitcoin ransom was demanded in exchange for decryption keys for the encrypted data. The pair then collected ransom payments from the victim entities that paid and exchanged the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchanges. The indictment alleges that the pair earned over $6 million USD in ransom payments to date and caused over $30 million USD in losses to victims.

Journalists Targeted with Mobile Malware After Cartel Journalist Gunned Down

Journalists in Mexico have faced some very real threats recently, and they can add nation-state level mobile spyware to the list. Somehow, peers of a journalist likely killed by a cartel are being targeted with nation-state level mobile malware. Something strange is going on here.

Citizen Lab published the seventh report in a series detailing abuse of NSO Group Pegasus Spyware. Citizen Lab and partners have identified a total of 24 cases of abusive targeting by Mexico-linked NSO Group customers. Infection attempts are located in Canada, Mexico, the UAE, the United Kingdom, and the United States.

Pegasus is a sophisticated tool for spying on mobile phones and is sold exclusively to governments for the purposes of fighting terror and investigating crime. According to NSO Group, in the past two years Pegasus has been used by repressive governments to spy on human rights defenders, journalists, and others whom they deem threats to their power.

In Citizen Lab’s most recent findings, they disclose an attack that occurred in May 2017. Journalist Javier Valdez Cárdenas was gunned down near his office. Shortly after the murder, Cárdenas’ colleagues Andrés Villarreal and Ismael Bojórquez received suspicious messages claiming that Cárdenas’ killers had been identified. The messages contained a malicious link that, once clicked, downloaded NSO spyware onto their mobile devices. Users and organizations should exercise caution when viewing messages from foreign or unknown senders. The malicious URLs are contained within the report.

Paul Scott
SOC Nightwatchman