CyberheistNews Vol 10 #11 [Heads-Up] New Ransomware Strain Evades AV and Injects Malicious Code Right Into Windows Explorer Process

Researchers at Quick Heal Security Labs discovered a new strain of the Mailto ransomware that uses a novel way to disguise itself, evading detection and staying invisible to antivirus products.

The new strain targets Windows devices of both consumers and organizations worldwide, using Windows' explorer.exe (not to be confused with Internet Explorer) to achieve its evasion through an innovative form of "process injection."

Many malware strains use a technique called "process hollowing": create a process in a suspended state, then unmap its memory and replace it with malicious code. The operators behind the Mailto ransomware, however, use a new method to achieve the same result.

Instead of creating the 'scapegoat' process in suspended mode, Mailto ransomware creates it in debug mode and uses debug APIs such as WaitForDebugEvent to perform the actual malicious code injection and have the explorer process execute it.

After successfully injecting the malicious payload, the malware gains persistence on the compromised device by adding a registry RUN entry and deletes system shadow backup copies to prevent the victims from restoring their data after encryption.

This quite sophisticated Mailto strain stores its configuration data as JSON within the .rsrc section of the payload it injects into the explorer process: the base64-encoded ransom note, the e-mail addresses used in the ransom note, the processes to be killed if running, whitelisted paths, file names and extensions, and everything else it needs.

After the encryption pass, the infected explorer process kills its parent process, deletes the original sample including the file dropped at %ProgramFiles% and also the RUN entry, trying to eradicate all traces it was ever there.

Mailto ransomware is still being analyzed and it is not yet known if there are any weaknesses in its encryption algorithm that could be used to decrypt locked files for free.
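A defender-side correlation for the behaviour chain just described, as an added example that is not part of the original article or the Quick Heal research: it assumes a Sysmon-like process and registry event feed, an expected-parent list for explorer.exe and vssadmin as the shadow-copy deletion mechanism, and only flags an explorer.exe instance when its unusual parent is followed by the persistence, shadow-copy or parent-kill steps the article lists.

```python
"""Added example, not code from the Quick Heal or Bleeping Computer write-ups:
correlate the explorer.exe abuse chain described above over constructed,
Sysmon-like events. The log schema, the expected-parent set and the use of
vssadmin for shadow-copy deletion are assumptions, not facts from the article."""
from dataclasses import dataclass

# Parents that normally start explorer.exe on a workstation (assumption).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


@dataclass
class Event:
    kind: str            # "proc_create", "reg_set" or "proc_end"
    pid: int
    image: str = ""      # full path of the created process
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""     # registry value path for reg_set events


def detect_explorer_injection_chain(events):
    """Return [(explorer_pid, [indicator, ...])] for each suspicious instance."""
    suspects = {}  # explorer.exe pid -> state gathered so far
    for ev in events:
        img = ev.image.lower()
        if ev.kind == "proc_create" and img.endswith("\\explorer.exe"):
            # The logon shell comes from userinit/winlogon; anything else is odd.
            if ev.parent_image.lower() not in EXPECTED_EXPLORER_PARENTS:
                suspects[ev.pid] = {
                    "parent_pid": ev.parent_pid,
                    "indicators": [f"explorer.exe started by {ev.parent_image}"],
                }
        elif (ev.kind == "reg_set" and ev.pid in suspects
              and RUN_KEY_FRAGMENT in ev.target.lower()):
            suspects[ev.pid]["indicators"].append(f"Run-key write: {ev.target}")
        elif (ev.kind == "proc_create" and ev.parent_pid in suspects
              and img.endswith("\\vssadmin.exe")
              and "delete shadows" in ev.cmdline.lower()):
            suspects[ev.parent_pid]["indicators"].append(
                f"shadow copies deleted: {ev.cmdline}")
        elif ev.kind == "proc_end":
            for state in suspects.values():
                if state["parent_pid"] == ev.pid:
                    state["indicators"].append(f"parent pid {ev.pid} terminated")
    # Alert only when the odd parent is backed by at least one follow-on action.
    return [(pid, s["indicators"]) for pid, s in suspects.items()
            if len(s["indicators"]) >= 2]


# Constructed sample: a normal logon shell, then a dropper that spawns its own
# explorer.exe, which persists, wipes shadow copies and kills the dropper.
SAMPLE_EVENTS = [
    Event("proc_create", 4100, r"C:\Windows\explorer.exe", 3900, "userinit.exe"),
    Event("proc_create", 5200, r"C:\Users\v\Downloads\invoice.exe", 4100, "explorer.exe"),
    Event("proc_create", 5300, r"C:\Windows\explorer.exe", 5200, "invoice.exe"),
    Event("reg_set", 5300, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event("proc_create", 5400, r"C:\Windows\System32\vssadmin.exe", 5300, "explorer.exe",
          cmdline="vssadmin delete shadows /all /quiet"),
    Event("proc_end", 5200),
]
```

Running `detect_explorer_injection_chain(SAMPLE_EVENTS)` yields one finding for pid 5300 carrying all four indicators, while the legitimate userinit-spawned shell produces nothing.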

More technical background on how this nasty operates, at Bleepingcomputer:
https://www.bleepingcomputer.com/news/security/windows-explorer-used-by-mailto-ransomware-to-evade-detection/
Never Assume Breach: Build a Data-Driven Defense Strategy to Secure Your Organization's Most Valuable Assets

Even the world’s most successful organizations have significant weaknesses in their IT security defenses, which today’s determined hackers can exploit at will. There’s even a term for it: Assume Breach.

But assuming you’ll be hacked isn’t an option for you. Your organization can’t afford a loss of assets or downtime.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, for this informative webinar where you’ll learn not only the most common reasons for data breaches in organizations like yours but how you can determine your specific weaknesses.

You’ll walk away from this understanding:
  • What most organizations are doing wrong and how to fix it
  • How to build an action plan to improve your IT security effectiveness
  • Why security awareness training is a security layer you can’t afford to skip
Start creating your data-driven defense and earn CPE credit for attending.

Date/Time: TOMORROW, Wednesday, March 11 @ 2 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2201211/35A472D6C4E6527D41A2BC75555D82EA?partnerref=CHN2
Yet Another Utility Company Falls Victim to Ransomware Attack

The latest ransomware attack on yet another utility company echoes the warnings from last year's report on utilities' readiness for a cyberattack.

Just two weeks ago, Massachusetts utility company Reading Municipal Light Dept (RMLD) announced on its website that it had become the victim of a ransomware attack. Calling it a "targeted" attack, RMLD becomes just one of many utility companies to be the focus of cyberattacks by eleven different cybercriminal organizations.

Utility companies are known to be plenty aware of the threats, and are thinking about attacks in terms of both Information Technology and Operational Technology. But, according to Siemens, only 42 percent of utility companies rated their cyber-readiness as “high”, casting doubt on whether they are truly ready.

This gives cybercriminals the upper hand, as they are ready and willing to go on the attack. In the case of RMLD, no operational systems were impacted, and the attack was isolated. But attacks like these can go completely wrong, taking entire operations down.

With Operational Technology being rated as 10-20 years old, the possibility of vulnerable endpoints, applications, and browsers is high. Utility organizations need to work quickly to update any and all network endpoints. For example, hosting an older OS as a VM rather than as a physical endpoint could be one way to remediate the risk older environments pose.

In addition, educating users through security awareness training keeps them from engaging with suspicious and potentially malicious emails and web content, a leading attack vector for ransomware today. It appears that RMLD got off lightly; the next utility may not be so lucky.
https://blog.knowbe4.com/yet-another-utility-company-falls-victim-to-ransomware-attack
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, March 18 @ 2 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, March 18 @ 2 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2198118/DB71B4DDBCEEF6F7FE88CAB565CE29C3?partnerref=CHN1
Hackbusters Forum Discussion: "Have you started inoculating your users against Coronavirus scams?"

The bad guys are targeting communities impacted by Coronavirus with ongoing phishing and spear phishing campaigns. Italy is now seeing a focused phish campaign designed to prey on our primal fears by hacking the human through social engineering. KnowBe4 users should see the Current Events templates for the latest.

This isn’t going to go away. Best to be early. Have you started sending phishing tests with the Coronavirus theme? If so, how’s it going? Discuss with peers here:
https://discuss.hackbusters.com/t/coronavirus-phishing-is-gaining-traction-do-you-intend-to-inoculate-your-users/4856?preview_theme_id=3
[WEBINAR] New 2020 Phishing By Industry Benchmarking Report: How Does Your Organization Measure Up

As a security leader, you have a lot on your plate. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up. IT security seems to be a race between effective technology and ever evolving attack strategies from the bad guys. However, there’s an often-overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

Join Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, for a review of our 2020 Phishing By Industry Benchmarking Study, a data set of nearly four million users across 17,000 organizations.

You will learn more about:
  • New phishing benchmark data for 19 industries
  • Understanding who’s at risk and what you can do about it
  • Actionable tips to create your “human firewall”
  • The value of new-school security awareness training
Do you know how your organization compares to your peers? Watch this webinar to find out!

Date/Time: Wednesday, March 25 @ 2 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2215297/19BEE92D64524409201825D6D58CF1BF?partnerref=CHN1

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


PS: Cyberwire's podcast Hacking Humans interviewed Penn and Teller at RSA 2020! Great for a break & RT for your friends:
https://twitter.com/hackinghumanscw/status/1235606378086936579
Quotes of the Week
"Be brave. Take risks. Nothing can substitute experience."
- Paulo Coelho, Poet (born 1947)

"Be not afraid of life. Believe that life is worth living, and your belief will help create the fact."
- William James, Philosopher (1842 - 1910)



Thanks for reading CyberheistNews
Security News
KnowBe4 and Agari Announce New Partnership to Transform Phishing Protection

As market leaders, KnowBe4 and Agari have joined forces to help stop identity-based email attacks. Together, we have created a best-in-class approach to defend against phishing attacks at scale.

As a result of this new partnership, information security leaders now have access to the best phishing training content combined with the best science-based phishing defense capabilities the market has to offer.

In addition, data integration between the two capabilities will enable superior detection and decision-making on suspected phish reaching the enterprise. The pairing of the two capabilities fulfills an essential layered phishing defense strategy that provides the most effective controls for the modern enterprise. Continued:
https://blog.knowbe4.com/knowbe4-and-agari-announce-new-partnership-to-transform-phishing-protection
Penn & Teller Interviewed at Hacking Humans Podcast

Criminals shouldn’t be romanticized or admired for their social engineering skills, according to Penn and Teller. On the CyberWire’s Hacking Humans podcast, the pair of magicians emphasized that scammers aren’t criminal masterminds, they’re simply criminals who take advantage of unsuspecting people.

“It is not someone outsmarting you at a game,” Penn said, using a Three-card Monte scam as an example. “It is somebody who is a thug, a bully, a violent person operating outside of the trust of society who will hit you. So if you were able to say, that’s where the queen is, hold the person’s hand back, turn over the queen, show that to them triumphantly, they are not going to go, jolly good, well played; here’s our money. They’re not going to say that.

They’re going to have the three people who are standing beside you in the crowd who are shills. They’re going to have the two people who are lookouts. And they’re going to have the thrower just take you and move you into a place where there’s nobody around and beat you senseless.”

Penn asserted that white hat hackers and social engineers are more skilled than criminals who employ similar tactics.

“You know, most of your robberies are opportunist,” Penn said. “The idea of the clever heist, the ‘Ocean’s Eleven,’ is essentially a fiction. There’s a few stories of very clever robberies, but those stories are - there’s two dozen of them over the past hundred years....

Mostly, it’s people who are – most of your crimes are done by high, stupid, incompetent people who are willing to perpetrate violence on other people. I don’t think there’s any difference in the cyber world.”

Likewise, Teller pointed out that magicians have to operate at a higher skill level because their subjects are aware that they’re being tricked.

“When you see a magician, the magician has ahead of time said, I’m going to cheat you,” Teller said. “I’m going to do tricks. The person in real life hasn’t said that. So you’re on alert already when you see a magic trick. So the magic trick has to be better than the scam in real life.”

Scammers do have an advantage if people aren’t watching for their tricks. Some scammers are more skilled than others, but they all use tricks from the same playbook. If you know their playbook, you can beat them at their game. Penn said one of the signs to watch out for is if something seems too good to be true.

“It does come down to something for nothing,” Penn said. “And you have to be very careful of that, you know? You’re not going to be offered the deal that’s something for nothing. And it’s very hard to remember that because it’s very seductive.”

New-school security awareness training can enable your employees to identify these tricks when they encounter them in their daily lives. The CyberWire has the story:
https://thecyberwire.com/podcasts/hacking-humans/88/transcript
Anti-Virus, Identity Protection Phishbait

A phishing campaign is using fake NortonLifelock documents to trick victims into installing a remote access tool, according to researchers at Palo Alto Networks’ Unit 42. The documents state in large text, “You have received a protected document which contains personal information. To enter your password please Enable Macros.”

The researchers didn’t observe the phishing email itself, but they surmise that it instructed the recipients to open the document and then enter a password provided in the email. That password was presumably the letter “C,” since the macro would first trigger a password dialogue box that only accepted an uppercase or lowercase “C.”

If the user chooses to enable macros and then enters this password, a Visual Basic script will trigger a series of processes that will result in the installation of the NetSupport remote access tool. NetSupport is a legitimate tool that’s used by IT administrators to control computers remotely, but in the hands of an attacker, it can be used maliciously.

The researchers later identified additional files that appeared to be part of this campaign, which gave them more insight into the phishing lures themselves.

“Beginning at the end of November and continuing into January 2020, the mail attachments changed and were instead named as .doc and sent from email addresses using domains that were registered within one day of the observed activity,” they write. “The email subjects contained the same trend reusing themes associated with refunds, as well as transaction and order inquiries.”

It’s worth noting that the password dialogue step in this scheme was only included to make the victim less suspicious: the macro could have installed malware immediately after the user clicked “Enable Content.” As long as users know about this tactic, they can avoid falling for these attacks regardless of how persuasive the attackers are. Palo Alto Networks has the story:
https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
What KnowBe4 Customers Say

"Just wanted to give you a heads-up that I nominated KnowBe4 as a preferred vendor who has helped us with respect to cybersecurity training for our end users. I wanted to get this on your calendar now because when we win, KnowBe4 will receive the award as well.

We had an initial 14.9% failure rate with respect to our simulated phishing campaign. After that campaign we rolled out a fairly vigorous cybersecurity training initiative (mandatory for all employees). We just completed our first campaign for 2020 and our failure rate dropped to 7.7%, a 50% reduction from the previous year, proving that KnowBe4 works as advertised.

I also just completed an interview with Wired magazine and shared those stats as well, so KnowBe4 will be getting a well-deserved shout-out at a Global level once that article goes live."
- M.J., Senior Director Cybersecurity & Compliance



"Hi KnowBe4, quick note on PhishER. I think this is fantastic! Easy to operationalize and saving us time daily responding to submitted phishing emails. Looking forward to see how it develops even further."
- L.R., Director, Cybersecurity & IT Ops



"We have been using KnowBe4 since October of 2019 and couldn’t be more happy. The trainings have had positive reviews and our click rate on bad stuff in emails is down about 70%. We have had no infections since we started using KnowBe4 and regularly have users asking questions now before clicking things.

In the past we would not have known about this kind of thing or at least not in a timely manner – now if I get a Phish Alert from multiple users and I can trace it back to a company we do business with we can block incoming emails within minutes usually.

We have recently started seeing attacks where the attackers are pulling our information off of customer’s website (we do a lot of work for government agencies and universities and they are required to disclose their vendor lists).

The bad actors are using these lists and people listed as our contacts to send us fake emails using the government or university email look. These emails look EXACTLY like an email being sent from the university itself.

Because of their training my users are able to usually spot these and when not they are still questioning things more and more. We have begun to recommend your service to our customers and vendors. Our feeling is that helping them stay safer helps to keep us safe."
- S.M., CIO



"Hey Stu! We've just started using your product, and love it so far. Being a software guy for over 25 years myself, I recognize good design, engineering and solutions. This is it. My CIO/CTO peer group had always spoken highly of your software, but I didn't know how good it was until we got into it. Well done.

We outsourced this work in the past, but your tools and platform have allowed us to take it in house, use our existing labor, and run a better phishing and education program! You guys are the authority in this space, keep it up! Onward and upward,"
- A.W., CTO/CIO
The 10 Interesting News Items This Week
    1. Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops!:
      https://www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/

    2. 'Shark Tank' Star Barbara Corcoran Gets Back the Nearly $400,000 Stolen in Phishing Scam:
      https://www.etonline.com/shark-tank-star-barbara-corcoran-gets-back-the-nearly-400000-stolen-in-phishing-scam-142267

    3. Chinese cybersecurity company accuses CIA of 11-year-long hacking campaign:
      https://www.reuters.com/article/us-china-usa-cia/chinese-cybersecurity-company-accuses-cia-of-11-year-long-hacking-campaign-idUSKBN20Q2SI?

    4. US Charges Two With Laundering $100M for North Korean Hackers:
      https://www.bleepingcomputer.com/news/security/us-charges-two-with-laundering-100m-for-north-korean-hackers/

    5. Ransomware Attackers Use Your Cloud Backups Against You:
      https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/

    6. 'Malware-free' attacks now most popular tactic amongst cybercriminals:
      https://www.zdnet.com/article/malware-free-attacks-now-most-popular-tactic-amongst-cybercriminals/

    7. Concern over Coronavirus Leading to Global Spread of Fake Pharmacy Spam:
      https://www.imperva.com/blog/concern-over-coronavirus-leading-to-global-spread-of-fake-pharmacy-spam/

    8. RSA - The 5 Most Dangerous New Attack Techniques and How to Counter Them:
      https://www.youtube.com/watch?v=xz7IFVJf3Lk

    9. What to know about cyberattacks targeting energy pipelines:
      https://thehill.com/policy/energy-environment/485254-what-to-know-about-recent-cyberattacks-on-energy-pipelines

    10. Hackers Target Companies With Coronavirus Scams:
      https://www.wsj.com/articles/hackers-target-companies-with-coronavirus-scams-11583317802
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.