
ShadowTalk Update – 17.10.2018

December 17, 2018

Following on from our recent research, Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It, the team discuss the phishing techniques favoured by all types of attackers, whether sophisticated criminals, nation states or low-level hackers. Drawing on details revealed in law enforcement indictments, as well as the tips and tools shared by actors on cybercriminal forums and messaging applications, the team discuss how organizations can prioritize the right controls and training policies to best protect themselves in the coming year.


Sextortion campaign shows attackers’ zeal for new tactics

A recent sextortion cyber campaign has been observed using new tactics to increase effectiveness. In a typical sextortion-themed email, attackers included a malicious URL that purportedly linked to a PowerPoint file with compromising images of the recipient. Instead, the link directed victims to a downloader that installed the “GandCrab” ransomware, prompting victims to pay in order to decrypt their files. Threat actors will likely continue to conduct similar campaigns within the next six months. They can further adapt techniques to install other malware, such as remote-access trojans, banking trojans or spyware, depending on an attacker’s objective. Using multi-pronged techniques can increase the potential payout of already-lucrative campaigns.


Phishing campaign exploits Adobe Flash zero-day vulnerability

An ongoing phishing campaign dubbed Operation Poison Needles has targeted a Russian healthcare facility attended by high-ranking members of the Russian Federation. The zero-day vulnerability, identified as CVE-2018-15982, exists in Adobe Flash and enables attackers to execute malicious code on a victim’s computer. To avoid detection, the attackers signed the malicious payload with a legitimate, but now revoked, security certificate. Attribution for the campaign is unconfirmed; zero-day vulnerabilities are usually associated with advanced persistent threat groups that have the technical sophistication to exploit such flaws.


Malicious botnet attacking WordPress websites

A botnet composed of infected WordPress websites has recently been used to attack other sites on the content publishing platform. The botnet campaign takes advantage of the “multicall” functionality of WordPress’s XML-RPC interface to gain access to privileged accounts and attack other vulnerable WordPress websites. A patch has been released to address this threat, and developers have blocked over five million malicious authentication attempts associated with this campaign. However, malicious actors are likely to target this flaw to exfiltrate data from vulnerable websites in the immediate future (next few days or weeks).
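The multicall feature referred to above is WordPress's `system.multicall` XML-RPC method, which lets a client bundle many method calls into one HTTP POST, so a single request to xmlrpc.php can carry many username/password guesses. The following is an added defender-side example, not code from this post, from Digital Shadows or from the WordPress project. It parses an XML-RPC request body with Python's standard `xmlrpc.client`, counts the credential-bearing `wp.*` calls nested inside a `system.multicall`, and flags the request when the count exceeds a threshold; a second function counts POSTs to xmlrpc.php per client IP over web-server log lines, since server logs do not show the body. The threshold value, the sample request bodies and the access-log lines are all constructed for the example; the positional argument layout it relies on (`wp.getUsersBlogs` takes username and password, most other `wp.*` methods take blog id, username and password) is WordPress's documented XML-RPC API.

```python
import re
import xmlrpc.client
from collections import Counter

# Assumed tuning value (hypothetical): a legitimate client rarely bundles more
# than a couple of authenticated calls in a single system.multicall request.
BRUTE_FORCE_THRESHOLD = 3


def build_multicall(credential_pairs):
    """Constructed sample: a system.multicall body carrying one wp.getUsersBlogs
    call per (username, password) pair. Used only to exercise the analyser."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [user, password]}
        for user, password in credential_pairs
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single_call(user, password):
    """Constructed sample: an ordinary single wp.getUsersBlogs login call."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs")


def analyse_request(body, threshold=BRUTE_FORCE_THRESHOLD):
    """Parse one XML-RPC request body and count the credential-bearing wp.* calls
    it contains. A system.multicall is unpacked into its nested calls; any other
    method is treated as a single call."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        calls = [
            (c.get("methodName", ""), list(c.get("params", [])))
            for c in params[0]
            if isinstance(c, dict)
        ]
    else:
        calls = [(method, list(params))]

    result = {"method": method, "auth_attempts": 0, "usernames": [], "suspicious": False}
    for name, args in calls:
        if not name.startswith("wp."):
            continue
        # wp.getUsersBlogs takes (username, password); most other wp.* methods take
        # (blog_id, username, password), so the username sits one position later.
        user_index = 0 if name == "wp.getUsersBlogs" else 1
        if len(args) > user_index + 1:
            result["auth_attempts"] += 1
            result["usernames"].append(str(args[user_index]))
    result["suspicious"] = result["auth_attempts"] >= threshold
    return result


# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto" ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed access-log lines for the example, not real traffic.
ACCESS_LOG_SAMPLE = [
    '203.0.113.5 - - [17/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2018:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2018:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 340 "-" "WordPress/5.0"',
    '203.0.113.5 - - [17/Dec/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def xmlrpc_posts_per_ip(log_lines):
    """Count POST requests to xmlrpc.php per client IP. Server logs omit the request
    body, so this request-rate view complements the body-level analyser above."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/xmlrpc.php"):
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(analyse_request(build_multicall([("admin", "a"), ("admin", "b"), ("admin", "c")])))
    print(analyse_request(build_single_call("admin", "a")))
    print(xmlrpc_posts_per_ip(ACCESS_LOG_SAMPLE))
```

The body-level check is the one that catches the amplification: one POST that looks unremarkable in the access log can hold dozens of guesses. On the mitigation side, a site that does not need remote publishing can block `/xmlrpc.php` at the web server, and WordPress's `xmlrpc_methods` filter can be used to remove `system.multicall` from the method table while leaving the rest of the interface in place.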


DanaBot adopts spam-sending capabilities

The DanaBot banking trojan reportedly has new functionalities that have been used to harvest email addresses and send spam messages. JavaScript is reportedly injected into a target’s webmail service and comprises two features. First, the added code harvests email addresses from the victim’s mailbox, and malicious script processes the victim’s messages, sending all identified addresses back to a command-and-control (C2) server. Second, if the targeted webmail service is based on the Open-Xchange suite, DanaBot injects a script that can use a victim’s mailbox to covertly send spam to harvested email addresses. This is part of a broader trend of banking trojans attempting to increase their effectiveness by adding new capabilities, making them more versatile and increasing their popularity among threat actors with differing motives and objectives.


To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.
