ShadowTalk Update – 2.25.19February 25, 2019
This week, Phil and Alex join Harrison to discuss a new malware delivery technique using the Outlook preview panel. Also, threat actor Gnosticplayers was offering large data sets for sale on Dream Market, the Blind Eagle APT group swooped into the news, and Gandcrab is back trying to pinch its victims in new ways. Finally, the guys try to find a new nickname for Alex.
Highlights from the week include: A new financially motivated threat actor advertised up to 841 million data records for sale on Dream Market; “APT-C-36” has targeted multiple Colombian sectors, including government, in an ongoing cyber espionage campaign; and the “Gandcrab” ransomware has been delivered through the Kaseya VSA plug-in vulnerability.
Explorer, Outlook allow malware downloads in Preview pane
Cyber-security researchers acquired a sample of unknown malware that uses a new delivery technique: exploiting the Preview function of Microsoft Windows Explorer and Outlook. The malware can be delivered without the need for human interaction, because the download is triggered by highlighting the attachment instead of manually opening it. The attack also exploited the Rich Text File (RTF) format feature that allows Microsoft Excel workbook files to be embedded within Word document footers, to bypass macro detection. Exploiting the Preview function is not a novel technique; however, combining it with the ability to bypass macro detection likely increases its effectiveness and efficiency. With additional testing and future developments, this is an approach that will likely gain significant traction and attention, attracting a variety of threat actor types.
Gnosticplayers advertises 841 million breached records on dark web
The financially motivated threat actor “Gnosticplayers” has advertised up to 841 million breached records for sale on the dark Web marketplace Dream Market. The recently released third batch of these records contains 92.76 million data records with email and password combinations from more than 30 companies in varying sectors and geographies. Gnosticplayers claims they breached the data and did not simply cull it from previous attacks; however, a portion of the data does seem to be from prior attacks, including the MyHeritage breach. Gnosticplayers is new to Dream Market (as of 06 Feb 2019) and has made frequent postings, so will likely make any additional data sets available in the near future.
APT C-36 aims cyber espionage campaign at Colombian organizations
An ongoing cyber espionage campaign targeting Colombian entities has been attributed to APT-C-36 (aka Blind Eagle). Active since April 2018, the attackers have sought to steal intellectual property and other available information via spoofed legitimate Colombian national institutions in Spanish-language spearphishing emails. The “Imminent Monitor” remote-access trojan (RAT) was subsequently delivered; this malware is typically used to establish a foothold within a system, likely providing a pathway into a network for future attacks. APT-C-36 is most likely a South American threat group, but has yet to be attributed to a particular state. Any accessed sensitive government information held by the Colombian state and associated sectors would be lucrative to intracontinental or global governments, considering that Colombia is gaining significant investment from multiple states. As the espionage campaign appears to be ongoing, additional attacks are likely in the near to mid-term future.
Grandcrab ransomware delivered through Kaseya VSA plug-in vulnerability
The Gandcrab ransomware has been delivered by exploiting Kaseya VSA plug-in vulnerability CVE-2017-18362. The Structured Query Language (SQL) injection flaw allowed attackers to create administrator-level accounts and bypass authentication on the main application, significantly elevating their user privileges. Reports of this exploitation have quickly followed a Valentine’s Day-themed phishing campaign that delivered Gandcrab, accentuating the ransomware’s prevalence and popularity in recent months. A patch for the Kaseya vulnerability was previously released; any relevant systems should be updated with that patch.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.