This week, the Digital Shadows team (Viktoria, Demelza, Adam and Stefano) cover:
- PAN-OS Vulnerability (CVE-2020-2021): Impact & Mitigation
- Magecart Developments: Lazarus Group tied to Magecart
- FBI arrests “Hushpuppi” for alleged BEC Cybercrime Scheme
- Photon ATO Research: Overview + Key takeaways
TrickBot checks victims’ screen resolution to evade analysis
Security researchers found that the “TrickBot” banking trojan checks the screen resolution of a victim’s computer to determine whether it is running inside a virtual machine (VM). Because malware commonly looks for the files and processes belonging to VM guest tools, security researchers often leave that guest software uninstalled, giving up the higher screen resolutions and other conveniences it provides. TrickBot’s developers appear to have taken advantage of this practice, treating a low or unusual screen resolution as an additional anti-VM indicator and terminating TrickBot processes when a VM was detected.
Lazarus Group linked to Magecart-style web skimming
Security researchers reported that the North Korea-linked advanced persistent threat (APT) collective “Lazarus Group” has been conducting “Magecart”-style web skimming attacks against retail companies in the United States, allegedly including the global fashion retailer Claire’s. The researchers speculated that Lazarus Group used spearphishing emails for initial infection, aiming to obtain the passwords of retail staff and thereby gain the access needed to inject skimming scripts; they said this activity aligns with the group’s financial motives.
Entities in Myanmar likely targeted by Chinese APT
Researchers have linked a cyber-threat campaign against entities in Myanmar to an unknown APT group associated with the People’s Republic of China (PRC). The campaign began in March 2020 and targeted victims via malicious LNK (Windows shortcut) files. After obtaining access to their targets, the attackers used the red-teaming tool “Octopus”[3] for command-and-control (C2) communication. Elements of the LNK files were similar to those used by the PRC-linked “Mustang Panda” APT group, although the researchers did not attribute the attack to any specific threat group.
[3] An open-source tool commonly used in red-teaming assessments that simulate attacks; Octopus is designed to communicate covertly with its C2 server.