PRESENTS
Cybercrime tactics and techniques
Q2 2020 Table of contents
Attack on home base...... 4 Distributed malware...... 5 Avemaria...... 6 NetwiredRC...... 8 Lokibot...... 10 Azorult...... 12 Danabot...... 14 Other efforts...... 16 Card skimmers...... 16 State sponsored attacks...... 18 Protecting home base...... 19 Conclusion...... 20
Cybercrime tactics and techniques: Attack on home base 2 Attack on home base
The coronavirus pandemic has left the world looking very different at the end of the quarter than it did at the beginning. For starters, millions of workers are out of the office and working from their homes. This change in scenery, combined with safe social distancing efforts that help prevent the spread of COVID-19, has created a crisis for many, but an opportunity for some.
Employees are accessing company resources through VPNs, utilizing cloud- based services, and spending countless hours chatting on communication tools, all while connecting through personal networks and machines. In response, cybercriminals have been deploying campaigns to trick users into installing malware that steals login information for these sites, as well as provide remote control of the endpoint to the attacker.
This special, COVID-19 themed CTNT report for January 2020 to March 2020 looks at the most prominently spread malware families taking advantage of this crisis, as well as other cybercriminal efforts we observed. We will give you a look into what the campaigns that spread these threats look like and the capabilities of the malware, along with information about card skimmers and APT attacks, wrapping up with some tips on staying safe.
Cybercrime tactics and techniques: Attack on home base 3 Distributed malware
Threats like Emotet and Trickbot are still a big concern for businesses all over the world, however, the threats we are going to cover in this section are specifically using COVID-19 themed campaigns to spread. In fact, many of the families we have seen being installed by these campaigns have had very little success prior to the last few months. These changes represent a shift by cybercriminals to focus on a new target, your home base.
The threats we are going to cover in this section are specifically using COVID-19 themed campaigns to spread.
Cybercrime tactics and techniques: Attack on home base 4 AveMaria
Malware profile
AveMaria is a Remote Access Trojan used for taking over the systems of its Detection name:
victims and providing the attackers Backdoor.AveMaria.* with remote control capability. It was Trojan.AveMaria Spyware.AveMaria first observed being spread through malicious phishing campaigns in 2018 First seen: and its presence on infected endpoints December 2018 has been on the rise ever since. Category:
Remote access trojan
Cybercrime tactics and techniques: Attack on home base 5 Capabilities: A A A 350 • Remote desktop access 300 • Remote webcam control 250
200
• Password stealer 150 Detections • Downloader 100 50
• Keylogger 0 9 9 9 9 0 0 -19 -19 -1 -1 -19 -19 19 20 -19 y-19 -2 -2 pr ov-1 eb Jun -Jul ug an eb- -A -Ma - -A -Sep-1 -Oct -J 4-F 4-Mar 24 4-N 4-Dec- 4-F 4-Mar • Remote shell 2 2 24 24 24 24 24 24 2 2 24 2 2 • Privilege escalation Figure 1. AveMaria detections, February 2019 - March 2020
Recent activity:
A A A
The AveMaria Remote Access Trojan 1200 is available for cybercriminals to 1000 109.6% purchase on the dark web for about 800
600 $23 for a monthly “subscription.” 77.3% 400
Over the last three months, we have 200
0 seen an increase in detections of this Jan-20 Feb-20 Mar-20 threat, with a 109.6 percent increase Figure 2. Avemaria percentage change January - March 2020 between February and March.
Spread via:
AveMaria has been observed recently being spread through malicious phishing emails claiming to contain information about effective face masks as well as through other COVID-19 themed campaigns. Figure 3. COVID-19 themed phishing campaign spreading AveMaria
Cybercrime tactics and techniques: Attack on home base 6 NetWiredRC
Malware profile
The backdoor NetWiredRC has been associated with numerous types of attacks and threat groups, including Detection name: the state sponsored group APT33— Backdoor.NetWiredRC.* Iranian-sponsored hackers with a First seen:
focus on energy industries, since November 2014 its discovery in 2014. This malware is Category: incredibly capable and dangerous, Backdoor access armed with the ability to manipulate, spy on, and steal data and applications from the user.
Cybercrime tactics and techniques: Attack on home base 7 C Capabilities: 800
700
• Downloader 600
500
• Keylogger 400
• Information stealing Detections 300 200 • System manipulation 100 0
9 9 0 0 -19 -19 -19 -19 -19 -19 19 20 -19 y-19 -2 -2 pr ov-1 eb Jun -Jul ug an eb- -A -Ma - -A -Sep-1 -Oct -J 4-F 4-Mar 24 4-N 4-Dec- 4-F • Provide remote access 2 2 24 24 24 24 24 24 2 2 24 2 4-Mar 2
Figure 4. NetWiredRC detections, February 2019 - March 2020 Recent activity:
We have observed a roughly 40 C 3500 percent increase in NetWiredRC 3000 29.5% 2500 detections since the beginning of 2500
2000 the year. During the summer of 1500 2019, NetWiredRC was involved with 1000 500 a phishing campaign targeting the 0 Jan-20 Feb-20 Mar-20 hotel industry in North America. Figure 5. NetWiredRC percentage change January - March 2020
Spread via:
This malware has been observed primarily through malicious phishing campaigns, using numerous themes and ploys to get users to install the malware. A recent campaign claimed to be providing COVID-19 information from UNICEF, the Figure 6. Phishing email impersonating UNICEF, children’s aid organization. spreading NetWiredRC
Cybercrime tactics and techniques: Attack on home base 8 LokiBot
Malware profile
LokiBot is a well-known botnet which has been active since 2015. Its primary Detection name: method of spreading has been through Backdoor.Lokibot.* malicious emails or as a secondary Spyware.Lokibot.* Trojan.Lokibot.* payload for other downloader malware families. It is also known to use First seen: stenography to hide malicious code 2015 inside images. Category:
Botnet, Information seeker
Cybercrime tactics and techniques: Attack on home base 9 450
400
350 Capabilities: 300 250
200
• Keylogger Detections 150
100 • Password stealer 50 0
19 0 0 0 0 0 0 0 0 0 0 -19 20 -2 -2 -2 20 20 -2 20 -2 b- b- r-2 r-20 r-2 r-2 r-2 eb- eb Jan- Jan Jan Jan Fe Fe Ap Ap 5- 2- 9-F 1-Ma 8-Ma 5- 15-Dec 22-Dec- 29-Dec-19 12- 19- 26- 16-F 23- 15-Ma 22-Mar-2 29-Mar 12- Recent activity: Figure 4. LokiBot detections, December 2019 - April 2020
In addition to impersonating banks and shipping companies, LokiBot 1800
1600 has been seen by multiple security 40.6% 1400 research groups as a possible 1200 1000 payload for many of the COVID-19 800 600 themed phishing campaigns 400
200 that are active today. During the 0 Jan-20 Feb-20 Mar-20 coronavirus pandemic, we have Figure 8. LokiBot percentage change January - March 2020 seen a 61.8 percent rise in LokiBot detections.
Spread via:
LokiBot is most notably spread through malicious phishing campaigns. Recently, we’ve observed this malware being pushed as an invoice for a medical supply pusher. Figure 9. COVID-19 themed phishing campaign pushing LokiBot
Cybercrime tactics and techniques: Attack on home base 10 AZORult
Malware profile
AZORult is a dangerous information stealing malware that has been on Detection name: the scene since 2016. This malware Backdoor.AZORult.* can also act as a downloader for Spyware.AZORult.* other malware and has previously First seen: been installed as a secondary payload July 2016 to families like Emotet. The primary method of infection for this threat is Category: through malicious phishing campaigns Information stealer and drive-by exploits.
Cybercrime tactics and techniques: Attack on home base 11 Capabilities: 1600 A
1400
• Password stealer 1200
1000
• Cryptocurrency theft 800
600 Detections • Downloader 400
200
0
9 9 9 9 9 9 0 9 19 -1 19 19 20 20 v-19 r-2 ay-1 Jul- ug-1 eb-1 Apr Jan- eb- 4-Mar- 24- 4-Ma Recent activity: 24-F 2 24- 24-M 24-Jun-1 24-A 24-Sep-1 24-Oct- 24-No 24-Dec-1 24- 24-F 2
Figure 10. AZORult detections, February 2019 - March 2020 The AZORult malware remained a steady threat throughout 2019.
Then, starting in November, we A 6000 began to see a larger increase in 5000 30.1% detections until around February. 4000
However, a comparison with March 3000
2000 shows a 30.1 percent increase in 1000
detections of this threat, month 0 Jan-20 Feb-20 Mar-20 over month, proving that this threat Figure 11. AZORult percentage change January - March 2020 is likely not going away soon.
Spread via:
AZORult has been observed recently as a possible payload for numerous COVID-19 themed attacks, including one asking the recipient for bulk quantities of ventilators as well as being one of the payloads attached to a fake Johns Hopkins University Figure 12. COVID-19 themed phishing campaign pushing AZORult coronavirus map application.
Cybercrime tactics and techniques: Attack on home base 12 DanaBot
Malware profile
DanaBot is a family of banking trojan malware, first discovered being Detection name: distributed by malicious emails, with Backdoor.DanaBot a focus in Australia. It has recently Spyware.DanaBot Trojan.DanaBot been distributed through malicious advertisements using the RIG & Fallout First seen: exploit kits. However, DanaBot’s spread May 2018
has expanded as of late, as infections Category: have been spotted in various countries Banker trojan, in Europe as well as North America. Information stealer
Cybercrime tactics and techniques: Attack on home base 13 Capabilities: 1600 A A 1400 • Bank credential theft 1200 1000
• Password stealer 800
600 Detections • Downloader 400
200
• Browser manipulation 0 9 9 9 9 9 9 0 9 -1 -1 19 19 20 20 2 r-19 v-19 Jul- ug-1 eb-1 Apr Jan- eb- 4-Ma 24- 4-Mar- • Phishing website 24-F 2 24- 24-May 24-Jun-1 24-A 24-Sep-1 24-Oct- 24-No 24-Dec-1 24- 24-F 2 redirection Figure 13. DanaBot detections, February 2019 - March 2020
Recent activity:
DanaBot has been active since September of 2019, with a dip in detections between January and February 2020. This dip resulted in a rise of 166 percent in detections between February and March 2020.