Cybersecurity Week in Review: 1/04
Posted by: GuidePoint Security
As we ring in the new year, cybercriminals continue to be hard at work developing innovative malware and stealing data and money from individuals and companies. This week’s review of cyber events focuses on:
- A new malware RAT hidden in functional device applications and designed to drain cryptocurrency wallets;
- Ransomware whose encryption is particularly difficult to break;
- Perimeter firewall and VPN devices with a vulnerable ‘backdoor’ that threat actors are already exploiting for cyber-espionage and malware purposes; and
- More updates on the SolarWinds breach.
Malware “RAT” draining cryptocurrency wallets
An ‘extremely intrusive’ remote access tool (RAT) has been discovered targeting cryptocurrency users. Dubbed ElectroRAT, the never-before-seen malware is written in the Go programming language and spreads via trojanized macOS, Windows and Linux apps. The malware appears to be designed to collect private cryptokeys and then drain the infected user’s cryptocurrency wallet; however, the RAT can steal other sensitive information as well. It is estimated that at least 6,500 cryptocurrency users have been infected.
Although first found in December 2020, researchers believe the campaign may have started a year ago based on dates discovered in Pastebin pages used by the malware to retrieve the command and control IP address.
Targets are initially lured into downloading trojanized applications that were promoted on cryptocurrency forums. The malicious applications — called Jamm, eTrade/Kintum and DaoPoker — are designed to look like cryptocurrency trade management applications or a cryptocurrency poker app. Researchers say that while the applications do function, the ElectroRAT malware runs hidden in the background as “mdworker”.
Twitter and Telegram social media accounts exist for the trojanized poker application and it appears that the attacker also went so far as to pay a social media influencer to advertise it.
The apps were created using the app-building platform Electron, with the malware embedded inside. The RAT has a variety of capabilities to target the victim’s private cryptokeys, including keylogging, uploading and downloading files, taking screenshots, and executing commands on the victim’s device.
Once the cryptokeys are obtained, the attacker steals funds in the cryptowallet. However, researchers caution that because of the various capabilities built into the malware, ElectroRAT can also gather other sensitive information on the victim’s machine — not just cryptokeys and cryptocurrency.
Researchers point out that it is extremely unusual to see cybercriminals go to these lengths just to steal cryptocurrency funds, including developing a media campaign, building malware and operational apps and creating a website.
Cybersecurity professionals are advising any cryptocurrency users that have lost funds in the past year to check to see if they have the malicious applications installed. Potential victims should delete these apps and remove any files related to the malware. They should also move their cryptocurrency funds to a new wallet and change all user names and passwords on their system.
You can read more on the ElectroRAT malware here and here.
New year brings new ‘Babuk Locker’ ransomware
With ransom demands ranging from $60,000 to $85,000, the Babuk Locker ransomware is emerging as a dangerous new threat to organizations in 2021.
The ransomware uses a double-extortion approach and appears to have been customized for each victim, with a hardcoded extension, ransom note and a victim-specific Tor URL. While researchers feel the coding is crude, the ransomware does include a strong encryption component based on the Elliptic-curve Diffie–Hellman (ECDH) algorithm, an approach that has proven extremely effective in the past at preventing victims from breaking the encryption and recovering their files for free.
Once the ransomware is launched, information on the victim’s computer is captured and then encrypted according to a command-line argument. The ransomware also terminates several Windows services and processes that would otherwise keep files open and block file encryption. A ransom note called “How To Restore Your Files.txt” is then created containing information on what has happened and a link to a Tor site where the victim can negotiate with the cybercriminals. The ransom note includes the victim’s name and links to images of stolen files to prove that the criminals are now in possession of the data.
The ransomware’s Tor site contains nothing more than a chat screen for negotiation. Interestingly, during negotiations, researchers have discovered that the cybercriminals are asking victims if they have cyber insurance and if they are working with a ransomware recovery company. As part of the double-extortion strategy, the cybercriminals refuse to decrypt the data and threaten to leak it unless the ransom is paid.
Current known victims include an office furniture maker, an HVAC company, a car parts manufacturer, a medical testing products manufacturer and an elevator and escalator company. Researchers say at least one victim has paid a ransom of $85,000.
More on the emerging Babuk ransomware can be found here and here.
More than 100K security devices discovered to be vulnerable to attack
A not-so-secret, hard-coded backdoor account in a brand of enterprise-grade firewalls, VPN gateways, and AP controllers has been discovered by cybersecurity researchers, and hackers are already using it to log in and gain administrator privileges. An estimated 100,000 devices are believed to be affected by this vulnerability, enabling threat actors to infiltrate networks or port-forward internal services for remote access and exploitation. Because the affected devices are so varied, researchers point out that attackers now have access to a wider range of victims, most of which are corporate targets.
The backdoor was relatively easy to find, according to researchers, since the plaintext password was visible in one of the binaries on the system. The backdoor account appears to have been created and used originally to install firmware updates on other connected devices via FTP.
According to researchers, threat actors are already actively scanning for devices exposing secure shell (SSH) and brute-forcing logins in an attempt to authenticate with the brand’s ‘not-so-secret’ backdoor credentials. It also appears that some of the threat actors are using a built-in SSH client for Cobalt Strike (a legitimate penetration testing toolkit) for scanning, as a way to evade threat intelligence security vendors.
The company that makes the devices released a patch last month for the firewalls and one last week for the AP controllers.
This incident is of particular concern because vulnerabilities in firewalls and VPN gateways were one of the primary avenues for cyber-espionage and ransomware attacks in 2019 and 2020.
Cybersecurity professionals are strongly advising all users of this brand to patch the devices immediately to prevent threat actors from gaining access, stealing information, or deploying malware.
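Beyond patching, defenders of exposed SSH management interfaces should be able to see the scanning and brute-force activity described above in their authentication logs. The following is an added example and is not code from GuidePoint’s post or from the device vendor: it parses OpenSSH-style syslog authentication lines (the line format is real; the hostname, the placeholder service account name `svc-admin`, and the RFC 5737 documentation addresses are constructed, since the post does not name the account or the brand) and raises an alert when one source repeatedly fails against one account within a short window, and whenever any login to a watched service account succeeds at all, because such an account should never be used interactively.

```python
"""Flag SSH brute-force attempts and logins to accounts that should never be used interactively."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog-style authentication lines (real format; sample content below is constructed).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW_SECONDS = 60  # failures are counted within this sliding window
THRESHOLD = 5        # failures per (source IP, account) that trigger an alert
LOG_YEAR = 2021      # syslog lines carry no year; assumed here for parsing

# Constructed sample: a password-guessing run against a service account followed by a
# successful login, one stray failure for an unknown user, and a normal key-based login.
SAMPLE_LOG = """\
Jan  4 03:14:01 fw01 sshd[2101]: Failed password for svc-admin from 198.51.100.23 port 51314 ssh2
Jan  4 03:14:03 fw01 sshd[2102]: Failed password for svc-admin from 198.51.100.23 port 51315 ssh2
Jan  4 03:14:05 fw01 sshd[2103]: Failed password for svc-admin from 198.51.100.23 port 51316 ssh2
Jan  4 03:14:08 fw01 sshd[2104]: Failed password for svc-admin from 198.51.100.23 port 51317 ssh2
Jan  4 03:14:10 fw01 sshd[2105]: Failed password for svc-admin from 198.51.100.23 port 51318 ssh2
Jan  4 03:14:12 fw01 sshd[2106]: Accepted password for svc-admin from 198.51.100.23 port 51319 ssh2
Jan  4 03:20:40 fw01 sshd[2150]: Failed password for invalid user alice from 203.0.113.9 port 40022 ssh2
Jan  4 03:21:02 fw01 sshd[2151]: Accepted publickey for ops from 192.0.2.10 port 50011 ssh2
Jan  4 03:21:05 fw01 sshd[2151]: pam_unix(sshd:session): session opened for user ops by (uid=0)
"""


def parse_line(line):
    """Return a dict for an Accepted/Failed auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, watched_accounts):
    """Return alert strings for brute force and for any success on a watched account."""
    alerts = []
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    already_flagged = set()        # avoid re-alerting on every extra failure
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if ev["result"] == "Failed":
            recent = failures[key]
            recent.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - recent[0]).total_seconds() > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(f"BRUTE_FORCE {ev['ip']} -> {ev['user']}: "
                              f"{len(recent)} failures in {WINDOW_SECONDS}s")
        elif ev["user"] in watched_accounts:
            # Any interactive success on a service/backdoor-style account is worth an alert,
            # and the number of preceding failures tells the analyst whether it was guessed.
            prior = len(failures.get(key, ()))
            alerts.append(f"PRIVILEGED_LOGIN {ev['ip']} -> {ev['user']} via {ev['method']} "
                          f"after {prior} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), {"svc-admin"}):
        print(alert)
```

On the constructed sample this yields two alerts: one for the five failures from 198.51.100.23 within the window, and one for the subsequent password login to `svc-admin` from the same source. The watched-account rule is deliberately independent of the threshold: a correct guess on the first try, or a login with leaked credentials, produces no failures at all and would otherwise go unnoticed.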
You can read more on this device vulnerability here and here.
More on the SolarWinds breach
Continuing our updates on the ever-evolving SolarWinds breach, CISA released updated guidance and Alert (AA20-352A) for Federal Agencies affected by the Orion Platform breach. This guidance confirms that an NSA static code review was conducted on the SolarWinds Orion Platform version 2020.2.1 HF2 update to ensure that both the vulnerabilities and the previously included malicious code had been remediated. The updated alert includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs).
You can read more about CISA’s guidance as well as recommendations from GuidePoint’s DFIR team here.
Final Words
Sometimes it feels as if it’s the same news, just in different formats. “Ransomware stealing thousands…” “Malware found hidden in apps!” The list goes on.
But, while the threats remain the same, what is notable is the increasing lengths cybercriminals will go to lure you into opening malicious files or installing apps embedded with malware on your devices. When it’s gotten to the point that cybercriminals are building functional applications (albeit with hidden malware) and creating full-blown social media campaigns to promote them…well you know things are changing.
And then there is the ongoing vulnerability and patching challenge—undoubtedly one of the biggest things keeping cybersecurity professionals awake at night. Given the history of past problems related to easily discoverable ‘backdoors’ on security devices, and the fact that perimeter hardware devices (like firewalls and VPN gateways) are one of the primary sources for cyber-espionage and ransomware attacks, it is disturbing that device makers are still being careless enough to create easily discoverable backdoors that anyone can find and use.
Looks like we’re in for a wild ride over the next few years. This means it’s time to be as vigilant as ever and committed to protecting corporate systems, devices and data.