ShadowTalk hosts Viktoria, Adam, Dylan, and Stefano bring you the latest in threat intel. In this week’s episode they cover:
- The ever-popular Emotet – does this dangerous malware have a vaccine? Adam and the team discuss how researchers found a cure.
- What is the Drovorub malware and what is it trying to achieve?
- Takeaways from the U.S. Army’s report on North Korean tactics – what do we know about North Korea’s cyber activity and Bureau 121?
Listen below 👇👇
Corporate espionage group stole sensitive data for over three years
On 13 Aug 2020, security researchers reported that, beginning in 2018, the Russian-speaking threat group “RedCurl” had conducted 26 campaigns against 14 organizations worldwide, in multiple sectors. RedCurl specializes in corporate espionage, using spearphishing to gain initial access to a network, posing as a member of the human resources department and targeting multiple employees at once. RedCurl has remained undetected in infected networks for up to six months, allowing it to collect vast quantities of sensitive data, uninterrupted.
APT group attacks Linux operating systems with Drovorub malware
On 13 Aug 2020, the US FBI and National Security Agency released a joint cyber-security advisory, disclosing technical details about the “Drovorub” malware. The malware has been used by a Russian nation-state advanced persistent threat (APT) group to target Linux operating systems. Drovorub attempts to plant backdoors in compromised networks, which enables direct communication with the group’s command-and-control (C2) infrastructure. The malware has a wide range of capabilities, such as stealing files and remotely controlling a victim’s device. Drovorub avoids detection by using advanced rootkit technologies, which could allow attackers to implant the malware in many targets and conduct attacks at any time.
Researchers exploit bug in Emotet to stymie infections
On 14 Aug 2020, security researchers reported that a bug in the “Emotet” malware was being used to prevent new infections. The flaw was in Emotet’s persistence mechanism code and enabled the malware to create a new Windows registry key. “EmoCrash”, a PowerShell script created by the researchers, exploited the registry key and caused Emotet to crash, preventing infected machines from communicating with Emotet’s C2 server. The script reportedly reduced the number of infected bots available to Emotet, although on 06 Aug 2020 Emotet updated its persistence mechanism, rendering the script ineffective.
For more details, read the full Weekly Intelligence Summary here: