Wednesday January 16th 2019
A lot has happened over the last week, so we have a bit more to cover than usual. The malspam campaigns are getting more creative than ever and some recent news about Ryuk ransomware attribution could have a big impact on your cyber insurance coverage.
With Valentine’s day right around the corner, the “Love Letter” malspam campaign is using email subject lines engineered to tug user’s heartstrings into infection with GandCrab Ransomware, XMRig miner, and Phorpiex spambot. Here were some example subject lines:
32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20 f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285 ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87 99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349 27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3 99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645 12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8 f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc 72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b 0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040 06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769 9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45 6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002 0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698 d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2 7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
Zscaler security firm released a report for a variant dubbed “Mjag dropper” that is using decoy documents to deliver Remote Access Trojan (RAT). Mjag dropper is compiled in the Microsoft .NET framework and its original binary is obfuscated using Smart Assembly. Zscaler disclosed the flaw after they detected the infection cycle involving Punisher RAT. The malware is publicly available and can be configured with a range of features: Password stealing module, Anti-task manager, Keylogging, Persistence, Spreading vector, and AV checks. The following indicators of compromise were released with these findings.
The DarkHydrus campaign reemerged and is targeting Middle East entities. 360 Threat Intelligence Center identified that the attackers use VBA macros in the dropper, with DNS tunneling for C2 communication. The malware was uploaded to VirusTotal from Oman.
data-microsoft.services phicdn.world akamai.agency sharepoint.agency nsatc.agency akdns.live akamaized.live iecvlist-microsoft.live trafficmanager.live 0ffice365.services azureedge.today microsoftonline.agency hotmai1.com skydrive.services asimov-win-microsoft.services akamaiedge.live 0nedrive.agency skydrive.agency akamaiedge.services edgekey.live corewindows.agency akadns.live t-msedge.world cloudfronts.services microsoftonline.services onecs-live.services onedrive.agency 0ffice365.life
Multiple security intelligence communities, like CrowdStrike, report that Ryuk ransomware is most likely the creation of Russian financially-motivated cybercriminals, not North Korean state-sponsored attackers. The clarification came after several news outlets attributed a Ryuk ransomware infection targeting U.S. newspaper agencies to North Korean attackers. We have previously reported on Ryuk activities and the U.S. newspaper hack.
The ransomware was created by a threat actor, which Crowdstrike calls Grim Spider, who allegedly bought a version of Hermes ransomware from an underground forum and modified it into Ryuk ransomware. The confusion possibly stems from North Korea state-sponsored actors reportedly infected the Far Eastern International Bank (FEIB) in Taiwan with Hermes ransomware in October 2017.
Researchers believe that North Korean attackers purchased the same Hermes ransomware kit, similar to Grim Spider, and deployed it on the bank’s network as a distraction in an attempt to cover their tracks. Researchers believe there is no connection between North Korean state-sponsored attackers and the Ryuk ransomware strain. Researchers note that multiple Ryuk ransomware victims were infected with TrickBot before Ryuk was deployed on their systems and speculate that attackers selected machines infected with Trickbot to deploy Ryuk.
Since Ryuk’s appearance in August, threat actors have earned 705.80 Bitcoin across 52 transactions, for a current value of $3,701,893.98. The following indicators of compromise were released with these findings.
78c6042067216a5d47f4a338dd951848b122bbcbcd3e61290b2f709543448d90 795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b 5e2c9ec5a108af92f177cabe23451d20e592ae54bb84265d1f972fcbd4f6a409 501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9 ac648d11f695cf98993fa519803fa26cd43ec32a7a8713bfa34eb618659aff77
Bloomberg shared their findings with ZDNet after they reported a lawsuit against Zurich Insurance Group by Mondelez in a bid to seek $100M in damages after an insurance claim that was not paid out in NotPetya attack. NotPetya is a type of ransomware similar to Petya. Researchers noticed that the actors had been executing the exploit through the use of the much-discussed and patchable EternalBlue and EternalRomance exploits of yesteryear to launch attacks. (Yes, these attack vectors are still being exploited today.)
Once executed, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransom note which demands $300 in Bitcoin. Researchers note that NotPetya impacted business worldwide including TNT, Ukrainian banks, energy companies, airports, and shipping giant Maersk. Users and organizations should enforce strong security awareness, recognize phishing attacks, exercise caution when clicking on malicious links, and deploy two-factor authentication to mitigate cyber attacks. No indicators of compromise were released with this report.
Zurich chose not to cough up the money, citing the NotPetya was, “hostile or warlike action in time of peace or war,” which voided the claim. The security industry will be following this case closely to set precedent around this topic. With Ryuk’s move to Russia will Tribune’s cyber insurance policy cover fallout from a Russian cyber cold war?
Which brings up a question for you: What would your cybersecurity insurer say if your organization suffers a ransomware attack? Now is a good time to open the discussion before an incident might occur.
After several cups of perch-olated coffee and a blood sacrifice, the Perch SOC successfully reviewed the activity and IOCs listed for each threat and found zero Perch customers subjected or targeted by these active threats for the last 30 days.