Phil and newcomer Benjamin Newman join Harrison for another edition of the Weekly Intelligence Summary. The guys cover two distinct attack campaigns that used uncommon and underreported social engineering and malware delivery techniques, as well as the likelihood that these attacks will be automated in the future. Other highlights from this week include a cryptojacking campaign using the ETERNALBLUE and DOUBLEPULSAR exploits, new reports of Magecart activity, and more extortionists leaking sensitive information following failed ransom attempts.
Highlights from the week include: New cryptojacking campaign dubbed Beapy identified targeting organizations in Asia, United States, and Jamaica; Puma Australia has been compromised with new digital skimming capabilities attributed to Magecart; and a threat actor has leaked sensitive information after failing to extort their target.
Social engineering and delivery mechanism TTPs enhanced
Cyber security researchers have reported on two separate campaigns that share an overarching theme: the use of uncommon but effective social engineering and delivery mechanisms, routed through legitimate services and utilities, to bypass security controls. Neither mechanism on its own gives the threat actor a significant advantage; coupled together, however, they likely make for a successful and impactful attack chain. The campaigns include an information-stealing campaign distributing a new variant of the QBot trojan via a Microsoft OneDrive file that masqueraded as an ongoing email chain, and a credential-stealing campaign distributing the LoadPCBanker banking trojan via the Google Sites template file-sharing service. The techniques used in these attacks are not novel; however, abusing services such as Google's adds to the perceived legitimacy of the lure, and such services are often subject to different security controls than other delivery channels. Given the low level of technical skill needed to emulate these methods, there is a realistic possibility that other actors will attempt them within the next six months.
New cryptojacking campaign targets organizations in Asia
A new file-based cryptojacking campaign dubbed Beapy has been identified targeting organizations in Asia, the United States, and Jamaica. Beapy was first observed in January 2019 and is distributed via a malicious document attached to an email, which attempts to download the EternalBlue and DoublePulsar exploits as well as the credential-stealing tool Mimikatz. Financially motivated groups originating from China are relatively underreported; however, cryptocurrency mining is relatively popular among them, likely due to the monetary value associated with cryptocurrency.
Magecart umbrella attributed to skimming attack on Puma Australia website
The athletics brand Puma Australia has reportedly been targeted by an attack attributed to the Magecart umbrella. Magecart targeted sensitive customer details, including names, addresses and payment card information. Malicious code had been detected on au[.]puma[.]com which contained an embedded script designed to activate a keylogger. The attack was noted for its enhanced sophistication: the skimmer was able to work with 57 different payment gateways and introduced a polymorphic loader designed to strengthen its obfuscation. The stolen information was subsequently sent to a server in Ukraine; the exact number of affected individuals was unknown.
Threat actor leaks sensitive data following failed third-party extortion attempt
An unidentified threat actor has publicly released sensitive data attributed to the German branches of over 11 different companies following a failed extortion attempt. The details of the extortion demand were unreported; however, as Citycomp did not meet the extortionists' demands, the data was subsequently released into the public domain on 30 Apr 2019. Extortionist actors have previously used such incidents to build up a reputation for following through on threats, which can then be used to further pressure victims into paying more.
For more details, read the full Weekly Intelligence Summary.