ShadowTalk Update – 2.25.19

Digital Shadows Analyst Team
February 25, 2019 | 4 Min Read

This week, Phil and Alex join Harrison to discuss a new malware delivery technique using the Outlook preview panel. Also, threat actor Gnosticplayers was offering large data sets for sale on Dream Market, the Blind Eagle APT group swooped into the news, and Gandcrab is back trying to pinch its victims in new ways. Finally, the guys try to find a new nickname for Alex. 

Highlights from the week include: A new financially motivated threat actor advertised up to 841 million data records for sale on Dream Market; “APT-C-36” has targeted multiple Colombian sectors, including government, in an ongoing cyber espionage campaign; and the “Gandcrab” ransomware has been delivered through the Kaseya VSA plug-in vulnerability.

Explorer, Outlook allow malware downloads in Preview pane

Security researchers acquired a sample of previously unseen malware that uses a new delivery technique: abusing the Preview function of Microsoft Windows Explorer and Outlook. The attachment does not have to be opened; the download is triggered as soon as the recipient selects the attachment and the Preview pane renders it. The sample also used a Rich Text Format (RTF) feature that allows a Microsoft Excel workbook to be embedded within a Word document footer, which let it evade macro detection. Abusing the Preview function is not a novel technique; combining it with macro-detection evasion, however, likely makes it more effective and efficient. With further testing and development, this approach will likely gain significant traction and attention from a range of threat actor types. Organizations that cannot tolerate the exposure can disable the Reading Pane in Outlook and the Preview pane in Explorer, and mail filtering should treat RTF attachments that carry embedded OLE objects, particularly in header or footer groups, as suspicious even when no macro is detected.
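As an added illustration of the check suggested above (this is not code from the page or from the researchers who found the sample), the following Python scanner walks an RTF file's group structure and reports every embedded OLE object, noting whether it sits inside a header or footer group and what class it declares. The RTF documents are constructed for the example; the control words used (\object, \objclass, \objdata, \footer) are standard RTF.

```python
import re

# Constructed sample: a tiny RTF body whose footer group carries an embedded
# Excel workbook object. Illustrative only; not the sample the researchers saw.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\footer {\object\objemb{\*\objclass Excel.Sheet.12}"
    r"{\*\objdata 0105000002000000}}}"
    r"\pard Quarterly figures attached.\par}"
)

# Constructed benign document with no embedded objects.
CLEAN_RTF = r"{\rtf1\ansi\deff0\pard Just text.\par}"

# Control word that opens a group: optional \* (ignorable destination), then \word
GROUP_WORD_RE = re.compile(r"(?:\\\*)?\\([A-Za-z]+)")
OBJCLASS_RE = re.compile(r"\\objclass\s*([^{}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def find_embedded_objects(rtf):
    """Walk the {...} group structure of an RTF string and describe each
    \\object group: its \\objclass name, whether an enclosing group is a
    header or footer destination, and the size of its \\objdata payload."""
    findings = []
    stack = []  # open groups as (start_offset, opening_control_word)
    i, n = 0, len(rtf)
    while i < n:
        ch = rtf[i]
        # \\, \{ and \} are escapes for literal characters: skip both chars.
        if ch == "\\" and i + 1 < n and rtf[i + 1] in "\\{}":
            i += 2
            continue
        if ch == "{":
            m = GROUP_WORD_RE.match(rtf, i + 1)
            stack.append((i, m.group(1) if m else ""))
        elif ch == "}" and stack:
            start, word = stack.pop()
            if word == "object":
                body = rtf[start:i + 1]
                cls = OBJCLASS_RE.search(body)
                data = OBJDATA_RE.search(body)
                hex_payload = re.sub(r"\s+", "", data.group(1)) if data else ""
                findings.append({
                    "objclass": cls.group(1).strip() if cls else "",
                    # stack now holds only the groups enclosing this object
                    "in_header_footer": any(
                        w.startswith(("header", "footer")) for _, w in stack
                    ),
                    "objdata_bytes": len(hex_payload) // 2,
                })
        i += 1
    return findings


def should_quarantine(rtf):
    """Flag documents carrying an embedded workbook, or any OLE object hidden
    in a header/footer, regardless of whether a macro scanner fired."""
    return any(
        f["in_header_footer"] or f["objclass"].startswith(("Excel", "Package"))
        for f in find_embedded_objects(rtf)
    )


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("clean", CLEAN_RTF)):
        print(name, find_embedded_objects(doc), "quarantine:", should_quarantine(doc))
```

The scanner deliberately keys on structure rather than on a macro signature: the point of placing the workbook in the footer is that macro-oriented filters never look there, so the detection has to be driven by where embedded objects appear in the document, not by what they contain.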

Gnosticplayers advertises 841 million breached records on dark web

The financially motivated threat actor “Gnosticplayers” has advertised up to 841 million breached records for sale on the dark web marketplace Dream Market. The recently released third batch contains 92.76 million records of email-and-password combinations from more than 30 companies across varying sectors and geographies. Gnosticplayers claims to have breached the data personally rather than culling it from earlier attacks; however, a portion of the data does appear to come from prior incidents, including the MyHeritage breach. Gnosticplayers joined Dream Market only recently (06 Feb 2019) and has posted frequently, so additional data sets will likely be offered in the near future. Even where records overlap with older breaches, email-and-password pairs remain usable for credential stuffing, so organizations whose users appear in these sets should force resets wherever the password may have been reused.

APT C-36 aims cyber espionage campaign at Colombian organizations

An ongoing cyber espionage campaign targeting Colombian entities has been attributed to APT-C-36 (aka Blind Eagle). Active since April 2018, the attackers have sought to steal intellectual property and other available information using Spanish-language spearphishing emails that spoof legitimate Colombian national institutions. The emails delivered the “Imminent Monitor” remote-access trojan (RAT), malware typically used to establish a foothold on a system and likely providing a pathway into the network for follow-on attacks. APT-C-36 is most likely a South American threat group but has not been attributed to a particular state. Sensitive government information held by the Colombian state and associated sectors would be valuable to governments both within the region and beyond, given the significant investment Colombia is attracting from multiple states. As the campaign appears to be ongoing, additional attacks are likely in the near to mid term. Spoofed sender domains of this kind are easier to reject when the impersonated institutions publish SPF and DMARC records with an enforcing policy, and recipients who cannot rely on that should treat unsolicited institutional mail with attachments as untrusted.

Gandcrab ransomware delivered through Kaseya VSA plug-in vulnerability

The Gandcrab ransomware has been delivered by exploiting CVE-2017-18362, a vulnerability in a Kaseya VSA plug-in. The Structured Query Language (SQL) injection flaw allowed attackers to create administrator-level accounts and bypass authentication on the main application, significantly elevating their privileges. Reports of this exploitation followed closely on a Valentine’s Day-themed phishing campaign that also delivered Gandcrab, underlining the ransomware’s prevalence and popularity in recent months. A patch for the Kaseya vulnerability was released previously; any affected systems should be updated with it. Because the flaw permitted account creation, patching alone is not sufficient: administrators should also review VSA for unrecognised administrator accounts and, where any are found, treat the endpoints it manages as potentially exposed.
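As an added example, not Kaseya’s code and not the actual flaw, the following hypothetical login and user-lookup handlers in Python with SQLite show how a SQL injection of this class yields both an authentication bypass and the creation of an administrator account, next to the parameterised forms that close the hole. The schema, account names and payloads are constructed for the example; executescript() is used to model a database driver that accepts several statements in one call, which is what lets a stacked INSERT run.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for an application's
    account store. Hypothetical; not the Kaseya schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 0)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Hardened form: bound parameters keep the input out of the SQL grammar."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def lookup_user_vulnerable(conn, username):
    """Deliberately vulnerable lookup on a hypothetical admin endpoint.
    executescript() models a driver that accepts several statements in one
    call; an injected '; INSERT ...' therefore executes as its own statement."""
    conn.executescript(f"SELECT username FROM users WHERE username = '{username}'")


def lookup_user_safe(conn, username):
    """Hardened lookup: one parameterised statement, nothing to stack onto."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()


def admin_accounts(conn):
    """Audit helper: every account currently holding the admin flag."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT username FROM users WHERE is_admin = 1 ORDER BY username"
        )
    ]


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker discards the password check.
    print("bypass:", login_vulnerable(db, "alice' --", "wrong"))
    print("safe:  ", login_safe(db, "alice' --", "wrong"))
    # Privilege escalation: a stacked INSERT creates an administrator account.
    lookup_user_vulnerable(db, "x'; INSERT INTO users VALUES ('evil', 'pw', 1); --")
    print("admins:", admin_accounts(db))
```

The admin_accounts() audit is the post-patch check the paragraph above calls for: once an injection has been used to add an account, applying the fix leaves that account in place, so the table has to be reviewed as well.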


For more details, read the full Weekly Intelligence Summary here:
Weekly Intelligence Summary 14 Feb - 21 Feb 2019
