ShadowTalk Update – RIPlace, Trickbot, and Russian-language forum Probiv
December 2, 2019
No ShadowTalk podcast episode this week, but updates from the Intelligence Summary are below.
Updates from this week’s Intelligence Summary
- In the spotlight this week is a technique that enables the bypass of security products to initiate ransomware infections. The technique abuses a legitimate, trusted function, rather than exploiting a security vulnerability, aiding threat actors in obscuring their attacks and hindering attribution efforts.
- Weekly highlights cover the “Trickbot” trojan, which has updated its credential-stealing module; the downloader “DePriMon”, which has been observed in the wild; and the Russian-language forum Probiv, which is offering a look-up service for cybercriminals seeking personally identifiable information (PII).
New evasive technique downplayed despite obvious threat
A new cyber-threat technique that can bypass the anti-ransomware features of several software security vendors―and Microsoft Windows 10―has been publicly disclosed by security researchers. Originally identified in 2018, “RIPlace” uses a flaw in a system (rather than a specific piece of software) and is reportedly easy to initiate. It has been disclosed to software vendors, although most do not consider it a security vulnerability, and only two have reportedly addressed the issue. History shows that cyber-threat actors regularly abuse legitimate services/functions as part of their malware campaigns. There has been no indication that RIPlace has been used in the wild so far, but security researchers confirmed it is effective; its adoption by threat actors is likely to be reported in the short-term future (next three months).
Trickbot developers persist in perfecting capabilities
Developers of the Trickbot malware have updated their password-grabber module to enable the theft of OpenSSH private keys (an access credential in the Secure Shell [SSH] protocol) and credentials or configuration files for the VPN software OpenVPN. Security researchers at Palo Alto Networks confirmed that although the new functionality exists, the active theft of these credentials has not yet been observed, indicating the capability is likely in an early testing phase.
New trojan downloader ignores traditional techniques
A newly identified trojan downloader, DePriMon, has reportedly been active since March 2017 and has been observed using a multi-stage infection process and several non-traditional techniques. These include port monitoring, dynamic link library (DLL) loading with system privileges, and use of Microsoft’s Secure Sockets Layer (SSL) and Transport Layer Security (TLS) implementation for command-and-control communication. DePriMon has been detected targeting devices in Central Europe and the Middle East. On one occasion it was likely used to deliver the “ColoredLambert” malware, which is associated with the “Lamberts” cyber-espionage group.
Russian-language forums offer popular PII look-up services
The popular Russian-language forum Probiv is offering look-up (“probiv”) services that allow cybercriminals with one component of PII to obtain other, associated pieces of sensitive information. Examples of the type of information offered are passport details, social security numbers, criminal records, call and SMS message records, travel history details, financial details, and physical addresses. The information is likely acquired through intermediaries with the appropriate privileges to secure information from internal systems, such as telecommunications providers, the Russian tax service, and unnamed banks.
For more details, read the full Weekly Intelligence Summary here: