ShadowTalk Update – Texas Ransomware Outbreaks and Phishing Attacks Using Custom 404 pages
August 23, 2019
Charles Ragland (a brand new ShadowTalk-er!) and Christian Rencken join Harrison this week to discuss an outbreak of ransomware attacks impacting local government entities across Texas. The team also discusses some phishing attacks that are using custom 404 pages and how Google is starting to remove FTP support from Chrome.
They wrap up this episode with the question of the week: Which future technology most worries you from a cyber security perspective?
From the intelligence summary – Weekly highlights include: An additional 30 organizations were reportedly compromised alongside Capital One in the July 2019 breach; the “Danabot” banking trojan has been targeting financial, retail, and travel organizations in Germany; and a new version of the “Remcos” remote-access trojan (RAT) has been focusing on obfuscation, increasing the tool’s capabilities.
PRC-linked APT41 group targets American research university
The newly reported, Chinese-state–linked APT41 cyber threat group was observed attacking a United States-based research university in July 2019. Their motive remains unknown, but the tools they used can perform passive and persistent reconnaissance, information gathering, and/or intellectual property theft. APT41 has previously conducted financially motivated attacks and espionage concurrently, which is uncommon for presumed Chinese state-associated groups and bears similarities to the methods of the “Winnti” threat group umbrella. Whether APT41 and Winnti are linked is not known, but the shared methods and infrastructure could mean APT41 is a subset of the wider Winnti umbrella. Regardless, the involvement of the Chinese state—which could range from tacit to direct—is unconfirmed.
Additional entities breached alongside Capital One
After initial reports of the Capital One data breach that occurred in July 2019, investigators in the case against the named perpetrator, “Paige Thompson”, have alluded to more than 30 other unnamed organizations potentially being compromised. The nature of these entities’ breached data has not been described; however, prosecution documents state that personally identifiable information was not accessed, unlike in the Capital One breach. Therefore, the breach is unlikely to affect those entities significantly.
Danabot trojan claims German banking, travel, retail victims
A cyber attack campaign delivering the Danabot banking trojan has been observed targeting financial, retail, and travel organizations in Germany since June 2019. Danabot is thought to be available as a malware-as-a-service tool, and an increasing number of incidents using it have been observed targeting non–finance-industry organizations in Germany, indicating it is likely successful there. Germany is considered a relatively cyber-mature region, but retail entities may not have the same security standards as financial entities.
New obfuscation mechanisms pop up in Remcos RAT variant
A new variant of the Remcos RAT was detected in a phishing attack campaign throughout July 2019. The functionality of this variant is similar to older versions, but it has received updates that focus on obfuscation and contains new capabilities that make reverse engineering more difficult: it checks for a virtual environment before executing, includes junk code to complicate reverse engineering, and adds a layer of AutoIt script. These features and obfuscation methods will likely increase its popularity with a range of cybercriminals, particularly those less technically sophisticated, and as Remcos is in active development, its popularity may further increase if features continue to be added.