Showing posts with label Securelist. Show all posts

Spam and phishing in Q3 2020

Quarterly highlights

Worming their way in: cybercriminal tricks of the trade

These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. As a result, attackers also get their hands on user-created mailing lists, which allows them to disseminate mass advertising or phishing messages that filtering systems sometimes let through.

Accordingly, in Q3 we registered an increase in the number of messages sent using the Sendgrid platform. A significant portion of them were phishing attacks aimed at stealing login credentials for major resources. The emails were no different from traditional phishing, save for the legitimate headers and link to Sendgrid, which redirected the recipient to a phishing site. To the observant eye, the address bar and From field would reveal the messages to be fake.

Call me!

In our previous quarterly report, we talked about an increasingly common scam whereby fraudsters send emails purportedly from large companies with a request to urgently contact support at the given phone number. Users who contacted the operator were then asked for information, such as bank card details, which could then be used to empty their account. The most commonly used toll-free numbers have specific three-digit prefixes after the country code (for example: 800, 888, 844).

In Q3 2020, we observed new versions of such schemes warning not only about unauthorized account access, but about money transactions supposedly made by the user. The attackers’ calculation is that, on seeing a message about a financial transaction, the client will grab their phone and dial the support number highlighted in bold. Such emails do not contain links, and the message itself is an image, which makes it harder to detect.

 

Scammers like such schemes, because sending spam is much cheaper and easier than calling potential victims. To avoid swallowing the bait, either call the support service using the number on the organization’s official website (not the one in the email), or use an app that protects against telephone fraud by checking outgoing call numbers.

COVID-19 and spam topics

Facebook grants

In Q3 2020, many users of social networks and messengers saw a screenshot with some interesting news: CNBC, it said (in broken English — always a red flag), had reported that Facebook was paying out compensation to victims of COVID-19. To get yours, all you had to do was follow the link and fill out a number of documents.

The link had nothing to do with Facebook and led to a fake page resembling the website of Mercy Corps, an organization dedicated to helping victims of natural disasters and armed conflict. To apply, you had to enter your Facebook username and password, then verify your identity by providing personal information, including SSN (social security number, issued to US citizens). This last detail suggests that the attack was aimed at US residents. Users that entered all the requested data gave the cybercriminals not only access to their social network account, but also personal information that could then be used for identity theft or bank card fraud.

It should be noted that the scheme was based on official news that Facebook was indeed ready to provide support to victims of COVID-19. But it only concerned grants for companies, not individuals.

Tourist phishing

The coronavirus pandemic — which has decimated the tourist trade — has also had an effect on scammers: this quarter saw fewer emails offering attractive summer breaks than usual. However, the pandemic did not stop scammers, only redirected their attention.

In Q3, Airbnb and Expedia Group users were the most frequent targets of phishing attacks. Fake pages hungry for user credentials were very faithful to the design of the official websites, distinguishable only by looking closely at the address bar, where most often the domain was unrelated to the target company or belonged to a free hosting service.

So as not to reveal their cards too soon, scammers use URL-shortening services and distribute messages in social networks and messengers, where shortened links look organic. In their messages, scammers offer cheap tickets or bargain hotel deals. A shortened link gives no hint of its destination before it is clicked (unless the recipient expands it with a link-preview service first), which is what attackers play upon. Accounts stolen in this way can be used, for example, for money laundering.

Phishers also forged pages with rental offers: visitors could view photos of apartments and read detailed information about the alleged terms and conditions. Lower down the page were rave reviews from past clients intended to lull the victim into a false sense of security.

The “landlord” in each case agreed to rent out the apartment, but asked for an advance payment. And then disappeared as soon as the money was deposited, together with the fake page. In this instance, the cybercriminals also banked on the fact that the juicy offer (low price, big discount) would distract the victim from looking at the URL and checking the information on the site.

Attacks on the corporate sector

Malicious mail

We have already written about malicious files distributed under the guise of notifications from delivery services. This continued in Q3: we uncovered a mailing targeting employees connected to sales in some capacity. The scammers urged recipients to open the attached documents, supposedly in order to pay customs duties on imported goods. Instead of documents, the attachment contained Backdoor.MSIL.Crysan.gen.

Malicious mailings with “reminders” about online meetups are worth a separate mention. For example, one of them asked the recipient to join a Zoom conference by clicking the attached link. Instead of a meeting, the user ended up on a WeTransfer phishing page. If the user fell for the trap and entered their WeTransfer credentials, the attackers gained access to the company’s files stored in this cloud.

Another mailing informed users that a Microsoft SharePoint document had been shared with them. After clicking the link, the victim was taken to a fake Microsoft login page that helped cybercriminals steal account usernames and passwords.

Far more dangerous were meeting notifications containing malicious files. For example, the at-first-glance harmless message below contained HEUR:Trojan-Downloader.Script.Generic.

And Trojan-Banker.Win32.ClipBanker, downloaded via the link in the email below, is used to steal financial (including cryptocurrency-related) information.

Mail scanner

To gain access to corporate accounts, cybercriminals distributed messages stating that a virus had been found in the recipient’s mailbox, and advising an urgent scan, otherwise the account would be disabled. The messages, disguised as notifications from infosec companies, were sent from a free mail address and employed neutral names like Email Security Team to avoid unnecessary specifics.

The cybercriminals reckoned on the combined threat of a computer virus and a deactivated work email account forcing the recipient to overlook the oddities of the message. For instance, a genuine notice of this kind would come from the company's own IT or security department, not from a third party, and the page that opened on clicking the link resembled a corporate resource in neither its address nor its layout. For added believability, the cybervillains decorated it with the logos of all the major infosec companies.

To start a "virus scan", the user was asked to enter the username and password for their corporate mailbox. Tellingly, the "scan" started even if arbitrary credentials were entered in the fields.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q2 2020 – Q3 2020

In Q3 2020, the largest share of spam was recorded in August (50.07%). The average share of spam in global mail traffic was 48.91%, down 1.27 p.p. against the previous reporting period.

Sources of spam by country

Sources of spam by country, Q3 2020

The Top 5 countries by amount of outgoing spam remained the same as in the previous quarter; only their shares changed. The biggest increase came from Russia, which ranked first, jumping by 5 p.p. to 23.52%. The shares of the remaining four did not move by more than one percentage point: Germany in second place accounted for 11.01%, the US in third for 10.85%, France for 6.69%, and China in fifth for 6.33%.

The bottom half of the Top 10 changed more significantly. For instance, it said goodbye to Turkey, which this time took 11th place (1.73%). Sixth place was taken by the Netherlands (3.89%), seventh by Brazil (3.26%), eighth by Spain (2.52%), ninth by Japan (2.30%), and Poland (1.80%) rounds out the Top 10, up one position on last quarter.

Spam email size

Spam email size, Q2 2020 – Q3 2020

The downward trend in the number of very small emails continued in Q3 2020; their share decreased significantly — by 13.21 p.p. to 38.09%. The share of emails sized 20–50 KB grew by 12.45 p.p. to 28.20% of the total number of registered spam emails. But the number of emails 10–20 KB in size fell to 8.31% (–2.78 p.p.). Also lower was the share of spam messages sized 100–200 KB; this time their share was 1.57%.

Malicious attachments: malware families

Number of Mail Anti-Virus triggerings, Q2 2020 – Q3 2020

Throughout Q3 2020, our security solutions detected a total of 51,025,889 malicious email attachments, which is almost 8 million more than in the previous reporting period.

Top 10 malicious attachments in mail traffic, Q3 2020

The most widespread malware in Q3 mail traffic was assigned the verdict Trojan-PSW.MSIL.Agensla.gen (8.44%). In second place was Exploit.MSOffice.CVE-2017-11882.gen (5.67%), while Trojan.MSOffice.SAgent.gen (4.85%) came third.

Top 10 malware families in mail traffic, Q3 2020

This quarter’s most widespread malware family was Trojan-PSW.MSIL.Agensla (12.67%), up from second place in the previous reporting period, while last quarter’s leader, Trojan.Win32.Agentb, finished second (8.78%). Third place, as in the previous quarter, went to Exploit.MSOffice.CVE-2017-11882 (8.03%).

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q3 2020

Since the beginning of the year, Spain has led the way by number of Mail Anti-Virus triggerings. In Q3, users in this country accounted for 7.76% of attacks. In second place this time was Germany (7.05%), knocking Russia (5.87%) into third.

Statistics: phishing

In Q3 2020, the Anti-Phishing system prevented 103,060,725 attempts to redirect users to fake pages, which is almost 3.2 million fewer than in Q2. The share of unique attacked users amounted to 7.67% of the total number of users of Kaspersky products.

Attack geography

This time, the country with the largest proportion of users attacked by phishers was Mongolia (15.54%).

Geography of phishing attacks, Q3 2020

Israel (15.24%) lies close behind in second place, with France (12.57%) this time in third.

Top-level domains

The most popular top-level domain with phishers this quarter, as before, was COM (40.09% of the total number of top-level domains used in attacks). Silver went to XYZ (5.84%), and bronze to NET (3.00%). RU finished in fourth place (2.93%), and BUZZ in fifth (2.57%).

Top-level domains most popular with phishers, Q3 2020

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

As before, the Online Stores category absorbed the most phishing attacks, despite its share dropping slightly against Q2 2020 (by 0.20 p.p.) to 19.22%. Global Web Portals (14.48%) in second position and Banks (10.89%) in third were also non-movers.

Distribution of organizations subjected to phishing attacks by category, Q3 2020

Conclusion

The COVID-19 topic, which appeared in Q1 this year, is still in play for spammers and phishers. In our view, the so-called second wave could lead to a surge in mailings offering various coronavirus-related treatments. Moreover, against the backdrop of the worsening economic situation, we could see a rise in the number of scam mailings promising a big payout in exchange for a small upfront sum.

The average share of spam in global mail traffic (48.91%) this quarter decreased by 1.27 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 103 million.

First place in the list of spam-source countries in Q3 again went to Russia, with a share of 23.52%. Our security solutions blocked 51,025,889 malicious attachments; the most popular malware family in spam mailings was Trojan-PSW.MSIL.Agensla, with a 12.67% share of mail traffic.



Targeted ransomware: it’s not just about encrypting your data!

When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration. After that, it’s about data encryption and leaving convincing proof that the attacker was in the network, and finally, it’s extortion. And again, it’s not about the data loss itself but about publishing stolen data on the internet. Let’s call it “Ransomware 2.0”.

Why is it so important to state this? Because many organizations still believe that it’s all about malware, and if your anti-malware protection is good enough, you’ll be OK. As long as people think this way, the ransomware threat actors will continue to succeed again and again.

In most cases, the initial attack vector is the exploitation of already known vulnerabilities in commercial VPN software. Other cases involve abusing RDP-enabled machines exposed to the internet, or exploiting vulnerable router firmware. As you can see, it is not necessarily about malware but also about bad practices, a lack of patching cycles and general security procedures.

Sometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cybercriminal groups. And finally, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex.

In all cases, the initial foothold is used for network reconnaissance, then lateral movement, then data exfiltration. Only once that is done does the coup de grace arrive: the ransomware itself. By the time it is deployed, the anti-malware product may already have been removed or disabled by the threat actor, who by then has full control over the domain and can operate as a legitimate administrator. This is a full red-team-style operation that relies on various hacking techniques, including disabling anti-malware solutions, mostly with legitimate tools and assorted scripts. As a result, the threat actor does not much care whether the ransomware binary itself would be detected.

Different ransomware groups use different TTPs and different encryption techniques. Today we want to talk about two of them: Ragnar Locker and Egregor, a veteran and a newcomer. Each is distinctive, and the two are quite different from each other.

Ragnar Locker

Early variants of this malware were discovered in 2019; however, Ragnar Locker gained notoriety in the first half of 2020 when it started to attack large organizations.

Ragnar Locker is highly targeted, to the extent that each individual sample is specifically tailored for the organization the actors are attacking. The group behind it loves to abuse RDP, while their preferred payment method is bitcoins.

This group owns three .onion domains available on Tor and one Surface Web domain registered on June 16, 2020.

If the victims refuse to pay, their stolen data is published in a so-called Wall of Shame section.

Screenshot of the Wall of Shame where stolen data is exposed

Curiously, this group positions itself as a bug bounty hunting group. They claim the payment is their bounty for discovering the vulnerabilities that were exploited, for providing file decryption and OpSec training for the victim and, finally, for not publishing the stolen data. Of course, if the victim refuses to pay, the data goes public. Moreover, if the victim chats with the Ragnar Locker threat actor and then fails to pay, the chat transcript is exposed along with the stolen data.

In July 2020, Ragnar Locker publicly announced that it had joined the so-called "Maze Cartel". In practice this meant that the groups cooperated, exchanging data stolen from victims and publishing it on each other's websites.

Example of a victim allegedly provided by Maze and published on the Ragnar Locker Wall of Shame page

You can read more about Maze Ransomware here.

Based on the list of victims who refused to pay, the main target of Ragnar Locker are US based companies, while the type of industry varies.

Geography of Ragnar Locker victims

Ragnar Locker victims by industry

Technical description

For our analysis we chose a recently encountered sample of the malware: 1195d0d18be9362fb8dd9e1738404c9d

When started, Ragnar Locker checks the system locale of the machine it is executing on. If it determines that the locale belongs to one of the countries listed in the screenshot below, it ceases operation and exits without doing anything else.

For countries not on the above list, it will proceed to stop services with names containing any of the substrings hardcoded in the malware sample and obfuscated by RC4:

Afterwards, Ragnar Locker will terminate running processes according to another substring list contained inside the Trojan body:

Finally, when all the preparation is done, the Trojan will search for available drives and encrypt the victim’s files.

For file encryption Ragnar Locker uses a custom stream cipher based on Salsa20. Instead of the standard initialization ‘magic’ constants sigma = “expand 32-byte k” and tau = “expand 16-byte k” normally used in Salsa20, the Trojan generates new random values for each processed file. This is an unnecessary step: it makes the cipher incompatible with standard Salsa20 but does not enhance its security, since the constants are simply one more per-file parameter that has to be stored next to the key and nonce.

The key and nonce values are also uniquely generated for each file, and will be encrypted along with the constants described above by RSA using the public 2048-bit key hardcoded in the Trojan’s body.

The RNG is based on the MS CryptoAPI function CryptGenRandom, which is considered secure, and the SHA-256 hash algorithm. The RNG implementation looks a bit awkward, but we haven’t found any critical flaws in it.
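To make the point about the constants concrete, below is a pure-Python Salsa20 whose 16-byte initialization constants are a parameter rather than the fixed sigma/tau. This is an added example written for this page, not Ragnar Locker's code or Kaspersky's: the per-file choice of a fresh key, nonce and constants follows the description above, but the function names are mine, the RSA wrapping of those parameters is not modelled, and the "Ragnar-style" helper simply returns the parameters that the Trojan would go on to RSA-encrypt.

```python
"""Salsa20/20 with caller-supplied initialization constants (pure Python).

Added illustration for the Ragnar Locker description; not malware code.
"""
import os
import struct

# Standard Salsa20 constants: sigma for 32-byte keys, tau for 16-byte keys.
SIGMA = b"expand 32-byte k"
TAU = b"expand 16-byte k"
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """The Salsa20 quarterround exactly as in the specification."""
    z1 = y1 ^ _rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def salsa20_block(key, nonce, counter, constants=SIGMA, rounds=20):
    """One 64-byte keystream block; `constants` is the 16-byte 'magic' input."""
    if len(key) != 32 or len(nonce) != 8 or len(constants) != 16:
        raise ValueError("need a 32-byte key, 8-byte nonce and 16-byte constants")
    c = struct.unpack("<4I", constants)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    pos = (counter & MASK, (counter >> 32) & MASK)
    # Salsa20 expansion layout: the four constant words sit on the diagonal.
    x = [c[0], k[0], k[1], k[2],
         k[3], c[1], n[0], n[1],
         pos[0], pos[1], c[2], k[4],
         k[5], k[6], k[7], c[3]]
    s = list(x)
    for _ in range(rounds // 2):
        # columnround
        s[0], s[4], s[8], s[12] = quarterround(s[0], s[4], s[8], s[12])
        s[5], s[9], s[13], s[1] = quarterround(s[5], s[9], s[13], s[1])
        s[10], s[14], s[2], s[6] = quarterround(s[10], s[14], s[2], s[6])
        s[15], s[3], s[7], s[11] = quarterround(s[15], s[3], s[7], s[11])
        # rowround
        s[0], s[1], s[2], s[3] = quarterround(s[0], s[1], s[2], s[3])
        s[5], s[6], s[7], s[4] = quarterround(s[5], s[6], s[7], s[4])
        s[10], s[11], s[8], s[9] = quarterround(s[10], s[11], s[8], s[9])
        s[15], s[12], s[13], s[14] = quarterround(s[15], s[12], s[13], s[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(s, x)])


def salsa20_xor(data, key, nonce, constants=SIGMA):
    """XOR `data` with the keystream. The same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(key, nonce, off // 64, constants)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)


def encrypt_file_ragnar_style(plaintext):
    """Fresh key, nonce AND constants per file, as the text describes.

    Returns (ciphertext, params). `params` is what the Trojan would then
    RSA-encrypt and append to the file; here it is just returned (assumption:
    the RSA step is out of scope for this example).
    """
    params = {"key": os.urandom(32), "nonce": os.urandom(8),
              "constants": os.urandom(16)}
    return salsa20_xor(plaintext, **params), params


if __name__ == "__main__":
    ct, p = encrypt_file_ragnar_style(b"quarterly report " * 20)
    assert salsa20_xor(ct, p["key"], p["nonce"], p["constants"]).startswith(b"quarterly")
    # Standard constants give garbage for the same key/nonce, just as a wrong key would.
    assert not salsa20_xor(ct, p["key"], p["nonce"]).startswith(b"quarterly")
    print("custom-constant Salsa20 round trip OK")
```

Decrypting with the standard sigma fails only because the parameters are wrong, exactly as a wrong key would fail. An analyst who recovers the RSA-encrypted trailer gets the constants along with the key and nonce, so the random constants add nothing the attacker does not already have to keep secret; they merely break interoperability with off-the-shelf Salsa20 implementations.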

The RNG procedure pseudocode used by a recent Ragnar Locker variant

After encrypting the content of each of the victim’s files, Ragnar Locker will append the encrypted key, nonce and initialization constants to the encrypted file, and finalize by adding the marker “!@#_®agna®_#@!”

Trailing bytes of a file encrypted by Ragnar Locker

The ransom notes dropped by the Trojan contain the name of the victim organization which clearly indicates that the criminals utilize a targeted approach, identify their victim and carefully prepare the attack.

The ransom note also attempts to further scare the victim into paying by emphasizing that the threat actors have stolen confidential data in addition to the file encryption performed by the Trojan.

Egregor

Egregor ransomware is a new strain that was discovered in September 2020, and after the initial analysis we noticed code similarities between this new threat and Sekhmet ransomware, as well as the notorious Maze ransomware, which announced on November 1st, 2020 that they shut down.

Egregor keeps at least one .onion domain and two Surface Web domains. The first Surface Web domain was registered on September 6, 2020 and the second one on October 19, 2020. At the time of writing, both Surface Web domains were intermittent. That is probably why on the main page of the Onion domain, there is a big disclaimer with this notice:

Egregor ransomware is typically deployed by the criminals following a network breach. The malware sample is a DLL file that needs to be launched with the correct password given as a command line argument. The DLL is usually downloaded from the Internet. On occasion, the domains used to distribute it borrow names or words from the victim’s industry.

Egregor is probably the most aggressive ransomware family in terms of negotiation with the victims. It gives only 72 hours to contact the threat actor; otherwise, the victim’s data is processed for publishing.

The ransomware payment is negotiated and agreed upon via a special chat assigned to each victim. The payment is received in BTC.

Example of a chat negotiating to pay the ransom

Technical description

b21930306869a3cdb85ca0d073a738c5

As mentioned above, the malware sample only works if a correct password is provided during launch. The packer of the malware will use this password to decrypt the payload binary. A missing or incorrect argument will result in an incorrect decryption of the payload, which will be unable to execute and will crash instead.

This technique is intended to hinder both automatic analysis in sandbox-type systems, and manual analysis by researchers: without the correct password it is impossible to unpack and analyze the payload binary.

After unpacking two layers of the malicious packer, we end up with an obfuscated binary which is still not suitable for static analysis. The obfuscation techniques used in Egregor strongly resemble those in Maze and Sekhmet: the code is ‘torn apart’ by control flow obfuscation using conditional and unconditional jumps, PUSH+JMP instead of RETN, and so on.

Control flow obfuscation example

When the payload starts executing, first of all, it will check the system and user language of the OS to avoid encrypting machines having one of the following languages installed:

Armenian (Armenia)
Azerbaijani (Cyrillic, Azerbaijan)
Azerbaijani (Latin, Azerbaijan)
Belarusian (Belarus)
Georgian (Georgia)
Kazakh (Kazakhstan)
Kyrgyz (Kyrgyzstan)
Romanian (Moldova)
Russian (Moldova)
Russian (Russia)
Tajik (Cyrillic, Tajikistan)
Tatar (Russia)
Turkmen (Turkmenistan)
Ukrainian (Ukraine)
Uzbek (Latin, Uzbekistan)

Then it will attempt to terminate the following processes:

This is done to release the locks on potentially valuable files, such as documents or databases, that may be in use at the moment of infection, so that they can be overwritten with their encrypted versions. In addition, some programs typically used by researchers, e.g. procmon or dumpcap, are also listed for termination to further hinder dynamic analysis.

Egregor uses a hybrid file encryption scheme based on the stream cipher ChaCha and the asymmetric cipher RSA.

The RSA-2048 master public key of the criminals is embedded in the trojan’s body.

When executing on a victim’s machine, Egregor generates a new unique pair of session RSA keys. The session private RSA key is exported and encrypted by ChaCha with a uniquely generated key + nonce, then the key and nonce are encrypted by the master public RSA key. The results are saved in a binary file (in our case it’s named C:\ProgramData\dtb.dat), as well as a base64-encoded string in the ransom notes.

For each data file Egregor processes, it generates a new 256-bit ChaCha key and 64-bit nonce and encrypts the file content with ChaCha. The key and nonce are then encrypted with the session public RSA key and saved, along with some auxiliary information, at the end of the encrypted file. Recovering a file therefore requires the session private key, which in turn can only be recovered with the criminals’ master private key.

The last 16 bytes of each encrypted file are comprised of a dynamic marker: a random DWORD and this same DWORD xor’ed with the value 0xB16B00B5 which equals ‘BIGBOOBS’ in so-called leet speak, originally used by “hackers, crackers and script kiddies”, according to Wikipedia.
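Both families leave a recognisable trailer: Ragnar Locker ends each file with the static marker “!@#_®agna®_#@!” (see the Ragnar Locker section above), and Egregor’s last 16 bytes carry a random DWORD together with that DWORD XORed with 0xB16B00B5. The following Python is an added example written for this page, not code from either family or from Kaspersky: it checks a file’s tail for both markers and walks a directory to report matches, the kind of scoping check an incident responder runs to find which files were touched. Two details are assumptions because the text does not give them: the on-disk encoding of “®” (both latin-1 and UTF-8 are accepted) and the position of the two DWORDs within the final 16 bytes (every adjacent little-endian pair is tested).

```python
"""Trailer checks for files encrypted by Ragnar Locker and Egregor.

Added illustration for this page; not code from either family.
"""
import os
import struct

RAGNAR_MARKER_TEXT = "!@#_®agna®_#@!"
# Assumption: the byte encoding of '®' in real samples is not stated in the
# text, so both the single-byte (latin-1) and the UTF-8 form are accepted.
RAGNAR_MARKERS = (RAGNAR_MARKER_TEXT.encode("latin-1"),
                  RAGNAR_MARKER_TEXT.encode("utf-8"))
EGREGOR_XOR_CONST = 0xB16B00B5


def is_ragnar_locker_tail(tail):
    """Ragnar Locker appends the marker last, so the file must end with it."""
    return any(tail.endswith(m) for m in RAGNAR_MARKERS)


def is_egregor_tail(tail):
    """Egregor's last 16 bytes contain a random DWORD d and d ^ 0xB16B00B5.

    Assumption: the two DWORDs are adjacent and little-endian; because the
    text does not say where in the 16 bytes they sit, every adjacent pair
    is tested.
    """
    if len(tail) < 16:
        return False
    dwords = struct.unpack("<4I", tail[-16:])
    return any(dwords[i] ^ dwords[i + 1] == EGREGOR_XOR_CONST for i in range(3))


def classify_tail(tail):
    """Return 'ragnar_locker', 'egregor' or None for the trailing bytes of a file."""
    if is_ragnar_locker_tail(tail):
        return "ragnar_locker"
    if is_egregor_tail(tail):
        return "egregor"
    return None


def make_egregor_marker(rand_dword):
    """Build an 8-byte Egregor-style marker (constructed test data, not a real sample)."""
    return struct.pack("<II", rand_dword, rand_dword ^ EGREGOR_XOR_CONST)


def scan_directory(root, tail_len=64):
    """Walk `root`, read the last `tail_len` bytes of each file, map path -> verdict."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    fh.seek(0, os.SEEK_END)
                    size = fh.tell()
                    fh.seek(max(0, size - tail_len))
                    verdict = classify_tail(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if verdict:
                hits[path] = verdict
    return hits


if __name__ == "__main__":
    import sys
    for path, verdict in sorted(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:14s} {path}")
```

Reading only the tail keeps the scan cheap on large shares, and because the Egregor marker is a relation between two words rather than a fixed string, it cannot be matched with a plain byte signature; the XOR check above is the minimum logic needed. A random 16-byte tail satisfies the Egregor test with probability about 3 in 2^32, so a hit on a single file is strong evidence but still worth confirming against the ransom note and file-name pattern.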

Part of the file encryption procedure pseudocode

The main page of the data leak website contains news about recently attacked companies along with some sarcastic remarks written by the ransomware group.

The archive section of the site lists the victims of the extortionists and the links to download the stolen data.

Based on the information of those victims who refused to pay, the geographic reach of Egregor is way more extensive than that of Ragnar Locker:

Geography of Egregor victims

The same is true for the number of attacked industries:

Egregor victims by industry

Conclusions

Unfortunately, Ransomware 2.0 is here to stay. When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the internet and only then about decryption. Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PCI DSS or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.

As long as companies treat ransomware threat actors as a typical malware threat, they will keep failing. It is not just about endpoint protection; it is about a red team operation, with business analysts on the criminal side going through exfiltrated documents to work out what ransom to demand. It is also about data theft, of course, and public shaming, which lead to all sorts of problems in the end.

Our next chapter will cover something else – a perfect umbrella for different threat actors with different motivations operating under the aegis of Ransomware 2.0.



Ghimob: a Tétrade threat actor moves to infect mobile devices

Guildma, a threat actor that is part of the Tétrade family of banking trojans, has been working on bringing in new techniques, creating new malware and targeting new victims. Recently, their new creation, the Ghimob banking trojan, has been a move toward infecting mobile devices, targeting financial apps from banks, fintechs, exchanges and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.

Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their antifraud behavioral systems. Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device. When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to.

From a technical standpoint, Ghimob is also interesting in that it uses C2s with fallback protected by Cloudflare, hides its real C2 behind a DGA and employs several other tricks, making it a strong competitor in this field. There is, however, no sign of a MaaS (malware-as-a-service) offering yet. Compared to BRATA or Basbanke, other mobile banking trojan families originating in Brazil, Ghimob is far more advanced and richer in features, and has strong persistence.

Multiplatform financial attack

While monitoring a Guildma Windows malware campaign, we found malicious URLs that distributed both ZIP files for Windows machines and APK files from the same URL: if the User-Agent of the browser following the link identifies an Android device, the file served is the Ghimob APK installer.

The APKs thus distributed are posing as installers of popular apps; they are not on Google Play but rather hosted in several malicious domains registered by Guildma operators. Once installed on the phone, the app will abuse Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and provide full remote control to the fraudster: a very typical mobile RAT.

Same link, different files: ZIP for Windows, APK for Android

Our telemetry shows that all victims of the Ghimob mobile banking trojan are located in Brazil at the moment, but like all other Tétrade threat actors, Ghimob has big plans to expand abroad.

Ghimob detections: Brazil for now, but ready to expand abroad

To lure the victim into installing the malicious file, the email is written as if from a creditor and provides a link where the recipient could view more information, while the app itself pretends to be Google Defender, Google Docs, WhatsApp Updater, etc.

A malicious message distributing the malware, written in Brazilian Portuguese

A persistent RAT in your pocket

As soon as the malware is launched, it tries to detect common emulators, checks whether a debugger is attached to the process and checks the manifest for the debuggable flag. If any of these conditions is met, the malware simply terminates. Newer versions of the malware have moved the emulator names into an encrypted configuration file. If these checks pass, the user is presented with the standard Android accessibility permission prompt, as the malware relies heavily on accessibility services to work.

“Google Docs” is asking you to provide Accessibility permissions

Once infection is completed, the malware proceeds to send an infection notification message to its notification server. This includes the phone model, whether it has a screen lock activated and a list of all installed apps that the malware has as a target including version numbers. Ghimob spies on 153 mobile apps, mainly from banks, fintechs, cryptocurrencies and exchanges. By analyzing the malware, it is possible to see all the apps monitored and targeted by the RAT. These are mainly institutions in Brazil (where it watches 112 apps), but since Ghimob, like other Tétrade threat actors, has been moving toward expanding its operations, it also watches the system for cryptocurrency apps from different countries (thirteen apps) and international payment systems (nine apps). Also targeted are banks in Germany (five apps), Portugal (three apps), Perú (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

The malware also blocks the user from uninstalling it, restarting or shutting down the device. This is what happens when the user tries to remove Ghimob manually: video

Fallback C2s for complete remote control

Once installation is completed, Ghimob tries to hide its presence by hiding the icon from the app drawer. The malware will decrypt a list of hardcoded C2 providers from its configuration file and contact each in order to receive the real C2 address, a technique we call “fallback channels”.

The C2 providers found are the same across all samples we analyzed, but the directory parameters of the request to obtain the real C2 vary among different samples, returning a different set of real C2 addresses. All of the communication is done via the HTTP/HTTPS protocol.

Control Panel used by Ghimob for listing infected victims

Instead of recording the user screen via the MediaProjection API, like BRATA does, Ghimob sends accessibility-related information from the current active window, as can be seen below from the output of the “301” command returned from the C2. All the commands used by the RAT are described in our private report for customers of our Financial Threat Intel Portal.

Client:[TARGETED APP]
ID: xDROID_smg930a7.1.125_7206eee5b3775586310270_3.1 
Data:Sep 24
2020 3:23:28 PM 
Ref:unknown SAMSUNG-SM-G930A 7.1.1 25
KeySec:trueKeyLock:falseDevSec:trueDevLock:false 
com.sysdroidxx.addons - v:3.1 
Ativar Google Docs 
=======================================
Link Conexao:hxxp://www.realcc.com
Senha de 8 digitos:12345678
Senha de 6 digitos:123456

=======================================
============== LOG GERAL ==============
=======================================
22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]
22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]
22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]
16{< x >}[br.com.bb.android]--[TEXTO:]--[ID:null]--[DESCRICAO:Senha de 8 digitos]--[CLASSE:android.widget.EditText]
0{< >}[br.com.bb.android]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]
1{< >}[br.com.bb.android]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.LinearLayout]
2{< >}[br.com.bb.android]--[TEXTO:null]--[ID:android:id/content]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]
3{< >}[br.com.bb.android]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]


=======================================
================ SALDOS ===============
=======================================
[DESCRICAO: Rolando Lero Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--
[TEXTO:Account Rolando Lero]
[DESCRICAO:Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--[TEXTO:111-6 22222-7]
[DESCRICAO:Saldo disponivel
R$ 7000,00]--
[DESCRICAO:7000,00]--[TEXTO:R$ 7000,00]
[TEXTO:Saldo disponivel]
[DESCRICAO:Agendado ate 04/Out
R$ 6000,00 ]--
[DESCRICAO:6000,00 ]--[TEXTO:R$ 6000,00 ]
[TEXTO:Agendado ate 04/Out]

This is likely due to low Internet speeds in Brazil: sending text information from time to time consumes less bandwidth than sending a screen recording in real time, thus increasing the chances of successful fraud for the cybercriminal. While BRATA uses an overlay with a fake WebView to steal credentials, Ghimob does not need to do that, as it reads the fields directly from the target app through accessibility features. The following words in Portuguese are monitored: saldo (balance), investimento (investment), empréstimo (lending), extrato (statement).
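A small parser for the log layout quoted above, added here as an example and not part of the original post or of Ghimob itself: it splits each LOG GERAL line into its accessibility fields, then flags text-entry widgets and any node whose text or description contains one of the four monitored Portuguese words (with accents folded, so "empréstimo" and "emprestimo" both match). The point for a defender is to see exactly what an accessibility-based RAT can read from a banking app without any overlay. The sample lines are constructed in that layout, the meaning of the "x" marker is not documented on the page, and the field names are my own.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# One node per line of the "LOG GERAL" section: index, a marker between {< >},
# package name, then TEXTO / ID / DESCRICAO / CLASSE fields separated by "--".
LINE_RE = re.compile(
    r"^(?P<index>\d+)\{<\s*(?P<marker>x?)\s*>\}"
    r"\[(?P<package>[^\]]*)\]--\[TEXTO:(?P<text>.*?)\]--\[ID:(?P<node_id>.*?)\]"
    r"--\[DESCRICAO:(?P<description>.*?)\]--\[CLASSE:(?P<cls>.*?)\]$"
)

# Portuguese keywords the post says Ghimob watches for, with their translations.
MONITORED_WORDS = {
    "saldo": "balance",
    "investimento": "investment",
    "emprestimo": "lending",
    "extrato": "statement",
}


@dataclass
class AccessibilityNode:
    index: int
    marked: bool            # the "x" inside {< x >}; its meaning is not documented on the page
    package: str
    text: Optional[str]
    node_id: Optional[str]
    description: Optional[str]
    cls: str


def _nullable(value: str) -> Optional[str]:
    """The log prints the literal string 'null' for empty accessibility properties."""
    return None if value == "null" else value


def strip_accents(s: str) -> str:
    """Fold 'empréstimo' to 'emprestimo' so keyword matching ignores accents."""
    return "".join(c for c in unicodedata.normalize("NFD", s) if unicodedata.category(c) != "Mn")


def parse_line(line: str) -> Optional[AccessibilityNode]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AccessibilityNode(
        index=int(m["index"]),
        marked=m["marker"] == "x",
        package=m["package"],
        text=_nullable(m["text"]),
        node_id=_nullable(m["node_id"]),
        description=_nullable(m["description"]),
        cls=m["cls"],
    )


def parse_log(log: str) -> List[AccessibilityNode]:
    nodes = [parse_line(line) for line in log.splitlines()]
    return [n for n in nodes if n is not None]


def monitored_word_in(s: Optional[str]) -> Optional[str]:
    """Return the first monitored keyword found in an accessibility string, if any."""
    if not s:
        return None
    folded = strip_accents(s).lower()
    for word in MONITORED_WORDS:
        if word in folded:
            return word
    return None


def sensitive_nodes(nodes: List[AccessibilityNode]) -> List[AccessibilityNode]:
    """Nodes worth attention: text-entry widgets and anything mentioning a monitored keyword."""
    out = []
    for n in nodes:
        is_input = n.cls.endswith("EditText")
        if is_input or monitored_word_in(n.text) or monitored_word_in(n.description):
            out.append(n)
    return out


def nodes_per_package(nodes: List[AccessibilityNode]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for n in nodes:
        counts[n.package] = counts.get(n.package, 0) + 1
    return counts


# Constructed sample in the layout of the "301" command output quoted above (not a real capture).
SAMPLE_LOG = """\
22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]
16{< x >}[br.com.bb.android]--[TEXTO:]--[ID:null]--[DESCRICAO:Senha de 8 digitos]--[CLASSE:android.widget.EditText]
0{< >}[br.com.bb.android]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]
5{< >}[br.com.bb.android]--[TEXTO:Saldo disponível]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.TextView]
"""

if __name__ == "__main__":
    for n in sensitive_nodes(parse_log(SAMPLE_LOG)):
        print(n.index, n.package, n.cls, n.text or n.description)
```

Run it against a saved "301" response to get the list of packages and widgets the RAT was reading; the EditText rule is what catches the "Senha de 8 digitos" password field that appears in the quoted output.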

Conclusions

It took some time for Brazilian crooks to decide to try their hand at creating a mobile banking trojan with a worldwide reach. First, we saw Basbanke, then BRATA, but both were heavily focused on the Brazilian market. In fact, Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion.

We believe this campaign could be related to the Guildma threat actor, a well-known Brazilian banking trojan, for several reasons, but mainly because they share the same infrastructure. It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version.

We recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate all of the risks that this new mobile RAT family poses. All the details, IoCs, MITRE ATT&CK Framework data, Yara rules and hashes relating to this threat are available to the users of our Financial Threat Intel services. Kaspersky products detect this family as Trojan-Banker.AndroidOS.Ghimob.

Indicators of Compromise

Reference hashes:
17d405af61ecc5d68b1328ba8d220e24
2b2752bfe7b22db70eb0e8d9ca64b415
3031f0424549a127c80a9ef4b2773f65
321432b9429ddf4edcf9040cf7acd0d8
3a7b89868bcf07f785e782b8f59d22f9
3aa0cb27d4cbada2effb525f2ee0e61e
3e6c5e42c0e06e6eaa03d3d890651619
4a7e75a8196622b340bedcfeefb34fff
4b3743373a10dad3c14ef107f80487c0
4f2cebc432ec0c4cf2f7c63357ef5a16



RansomEXX Trojan attacks Linux systems

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Technical description

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.

When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file.

Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code

Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Original names of source files embedded in the trojan’s body

Execution log of the trojan in Kaspersky Linux Sandbox
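To check whether an ELF sample ships the kind of debug information described here, the following script (an added example, not Kaspersky's tooling and not derived from the RansomEXX sample) walks the section headers, reads the static symbol table and groups named symbols into source files (STT_FILE), functions and global objects; a stripped binary has no .symtab and yields an empty result. It goes slightly beyond the 64-bit case in the text by handling ELF32 and ELF64 in either byte order. The embedded sample image is constructed so the script runs offline; its symbol names are invented placeholders and not taken from the malware.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

SHT_SYMTAB, SHT_STRTAB = 2, 3
STT_OBJECT, STT_FUNC, STT_FILE = 1, 2, 4
STT_NAMES = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 3: "SECTION", 4: "FILE"}

# struct formats for ELF32 (class 1) and ELF64 (class 2); the byte-order prefix is added later.
EHDR_FMT = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}
SHDR_FMT = {1: "IIIIIIIIII", 2: "IIQQQQIIQQ"}
SYM_FMT = {1: "IIIBBH", 2: "IBBHQQ"}


@dataclass
class Symbol:
    name: str
    kind: str   # "FILE", "FUNC", "OBJECT", ...
    value: int
    size: int


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("utf-8", "replace")


def _read_sym(fmt: str, cls: int, data: bytes, off: int) -> Tuple[int, int, int, int]:
    # Elf32_Sym and Elf64_Sym order their fields differently.
    if cls == 1:
        name, value, size, info, _other, _shndx = struct.unpack_from(fmt, data, off)
    else:
        name, info, _other, _shndx, value, size = struct.unpack_from(fmt, data, off)
    return name, info, value, size


def parse_symbols(data: bytes) -> List[Symbol]:
    """Return every named symbol from the static symbol table (.symtab) of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, order = data[4], data[5]
    if cls not in EHDR_FMT or order not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    e = "<" if order == 1 else ">"
    ehdr = struct.unpack_from(e + EHDR_FMT[cls], data, 0)
    shoff, shentsize, shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [struct.unpack_from(e + SHDR_FMT[cls], data, shoff + i * shentsize) for i in range(shnum)]
    # shdr tuple: name, type, flags, addr, offset, size, link, info, addralign, entsize
    symbols: List[Symbol] = []
    for sh in shdrs:
        if sh[1] != SHT_SYMTAB:
            continue
        strtab = shdrs[sh[6]]          # sh_link points at the matching string table
        entsize = sh[9] or struct.calcsize(e + SYM_FMT[cls])
        for i in range(sh[5] // entsize):
            name_off, info, value, size = _read_sym(e + SYM_FMT[cls], cls, data, sh[4] + i * entsize)
            if name_off == 0:
                continue  # the null symbol and unnamed section symbols
            kind = STT_NAMES.get(info & 0xF, str(info & 0xF))
            symbols.append(Symbol(_cstr(data, strtab[4] + name_off), kind, value, size))
    return symbols


def debug_summary(data: bytes) -> Dict[str, object]:
    syms = parse_symbols(data)
    return {
        "has_static_symbols": bool(syms),
        "source_files": sorted({s.name for s in syms if s.kind == "FILE"}),
        "functions": sorted(s.name for s in syms if s.kind == "FUNC"),
        "globals": sorted(s.name for s in syms if s.kind == "OBJECT"),
    }


def build_sample_elf64() -> bytes:
    """Constructed minimal ELF64 with a .symtab so the parser can run offline; not a real sample."""
    strtab = b"\0encrypt.c\0encrypt_file\0g_rsa_pubkey\0"
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"
    syms = b"".join(struct.pack("<" + SYM_FMT[2], *s) for s in [
        (0, 0, 0, 0, 0, 0),
        (strtab.index(b"encrypt.c"), STT_FILE, 0, 0xFFF1, 0, 0),                    # STB_LOCAL | STT_FILE
        (strtab.index(b"encrypt_file"), (1 << 4) | STT_FUNC, 0, 1, 0x401000, 0x80),  # STB_GLOBAL | STT_FUNC
        (strtab.index(b"g_rsa_pubkey"), (1 << 4) | STT_OBJECT, 0, 2, 0x404000, 0x200),
    ])
    sym_off = 64
    str_off = sym_off + len(syms)
    shstr_off = str_off + len(strtab)
    shoff = shstr_off + len(shstrtab)
    shdrs = b"".join(struct.pack("<" + SHDR_FMT[2], *s) for s in [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        (shstrtab.index(b".symtab"), SHT_SYMTAB, 0, 0, sym_off, len(syms), 2, 1, 8, 24),
        (shstrtab.index(b".strtab"), SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0),
        (shstrtab.index(b".shstrtab"), SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<" + EHDR_FMT[2], ident, 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 4, 3)
    return ehdr + syms + strtab + shstrtab + shdrs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    for key, val in debug_summary(blob).items():
        print(f"{key}: {val}")
```

Pass a path on the command line to inspect a real binary; the presence of STT_FILE entries and meaningful function names is a quick triage signal that the author left symbols in, which is what makes the cross-platform code comparison described in the next section possible.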

Similarities with Windows builds of RansomEXX

Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.

In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.

Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.

We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.

What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.

Parallels with a recent attack in Brazil

As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.

Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

Ransom note from the Bleeping Computer post about the most recent attack in Brazil

Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx.

Kaspersky Threat Attribution Engine identifies Ransomexx malware family

Indicators of compromise

Recent Linux version: aa1ddf0c8312349be614ff43e80a262f
Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb



Attacks on industrial enterprises using RMS and TeamViewer: new data

 Download full report (PDF)

Executive Summary

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

We reported these attacks in 2018 in an article entitled "Attacks on industrial enterprises using RMS and TeamViewer", but recent data shows that the attackers have modified their attack techniques and that the number of enterprises facing the threat of infection is growing.

Before publishing this report, we waited for the vendor of the RMS software to make changes to its services to ensure that the results of this research could not be used to exploit vulnerabilities.

This report in a nutshell:

  • From 2018 to at least the early fall of 2020, attackers sent phishing emails laced with malware.
  • The attacks make use of social engineering techniques and legitimate documents, such as memos and documents detailing equipment settings or other industrial process information, which have apparently been stolen from the company under attack or its business partners.
  • The attacks still use remote administration utilities. The graphical user interface of these utilities is hidden by the malware, enabling the attackers to control infected systems without their users’ knowledge.
  • In the new version of the malware, the attackers changed the notification channel used after infecting a new system: instead of malware command-and-control servers, they use the web interface of the RMS remote administration utility’s cloud infrastructure.
  • Stealing money from the organization under attack remains the main objective of the attackers.
  • During an ongoing attack, the cybercriminals use spyware and the Mimikatz utility to steal authentication credentials that are subsequently used to infect other systems on the enterprise network.

The full article is available on Kaspersky Threat Intelligence.

For more information please contact: ics-cert@kaspersky.com.

Technical Analysis

Since we described the technical details of this series of attacks in our previous report, Attacks on industrial enterprises using RMS and TeamViewer, in this document we only list the main stages of an attack and describe the changes to the attackers’ tactics and toolset that have been implemented since the publication of the previous report.

Spreading

Phishing emails used in this attack are in most cases disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company.

Phishing email disguised as a claim letter

In the earlier attack series, the attackers used a sender email address with a domain name that was similar to the official website address of the organization on whose behalf their phishing emails were sent. Now they use public email services to send their phishing emails and they use a different technique to mislead message recipients and persuade them to open a malicious attachment: they pretend to be a real business partner or to represent a real subsidiary of the company under attack and ask the recipient to view the documents attached by the deadline specified in the email, explaining the request by the approaching end of a purchase tender, possible penalties or the need to review equipment configuration data as soon as possible.

It should also be emphasized that the phishing emails are individually crafted for each specific company that is attacked. This is demonstrated by the fact that the name of the company under attack is mentioned in the email text, as well as by the documents used by the attackers as attachments (descriptions of the documents are provided below). In some of the cases identified earlier, the attackers also addressed the recipient by his or her full name.

Phishing email sent on behalf of a contractor

Attachments used in phishing emails are password-protected archives, with the password provided in the message body. The attackers explain this method of sending information by referring to confidentiality considerations in the message body, but in reality password protection prevents files stored in the archive from being scanned with antivirus tools.

Malware Features

The archive attached to a phishing email contains several malicious obfuscated JS scripts that have an identical functionality but slightly different structure due to different code obfuscation techniques being used. The script names are usually disguised as document names.

If a user runs one of these scripts, two files are unpacked and opened: a malicious program detected as HEUR:Backdoor.Win32.Generic, and a legitimate PDF file. Some JS script variants found in phishing emails download these files from a remote server rather than extracting them from the script’s body.

In earlier attacks, to ensure that the user didn’t have questions regarding the absence of the documents mentioned in the message body and to distract the user while installing the malware, the attackers opened a damaged PDF document or image or launched a legitimate software installer.

Image opened by the malware in earlier attacks

In their later attacks, the threat actor began to use actual documents related to the attacked organization’s area of work. A document can look like one created by a business partner or even the attacked organization itself. Specifically, documents used in attacks include scan copies of memos, letters to subsidiaries and contractors, as well as procurement documentation forms that were apparently stolen earlier.

PDF document containing instructions for subsidiaries, used by the attackers

A fact of particular interest is that in some cases, the attackers used documents containing industrial equipment configuration data and other information related to the industrial process.

Specifically, screenshots from the DIGSI application have been used. The application is designed to configure relay systems manufactured by Siemens.

DIGSI software screenshot 1

DIGSI is used by electric power facilities, such as substations, to configure their relay protection systems.

DIGSI software screenshot 2

Screenshot of a relay system’s configuration matrix. List of setpoints

We also found screenshots with transformer oscillograms in documents used by the attackers:

Vector diagrams with oscillograms

It is worth noting that the last screenshot shows oscillograms for a system at the moment of an accident.

Phishing emails with such screenshots do not call for the settings shown in attached documents to be implemented. It is most likely that the attackers use documents with the above screenshots to distract the personnel while the malware is being installed. Since the data mentioned above can provide a relay protection expert with information on standard settings used at the facility, the fact that the attackers have such screenshots at their disposal is cause for concern.

The JS script then launches the malware, which installs a version of TeamViewer, a remote administration tool (RAT), modified by the attackers. As in earlier attacks, the attackers use a malicious DLL library to hide the graphical user interface in order to control the infected system without the user’s knowledge.

If additional information needs to be collected, the attackers download an additional set of malware selected specifically for each victim. This can be spyware designed to collect credentials for a variety of programs and services, including email clients, browsers, SSH/FTP/Telnet clients, as well as recording keypresses and making screenshots. In some cases, the Mimikatz utility is used to collect account credentials for Windows accounts entered on the compromised system. The use of Mimikatz poses a particular danger, because it can provide the attackers with access to a large number of systems on the enterprise’s network.

In most cases, the attackers disguise malware components as Windows components to hide traces of malicious activity on the system.

Infrastructure

While analyzing the new series of attacks, we noticed two ways in which the infrastructure is organized differently from that used in earlier attacks.

First, the attackers use resources disguised as websites of existing Russian-speaking companies to store files downloaded by malicious JS scripts at the system infection stage.

The second and more important difference is that the attackers no longer use a malware command-and-control server in their communication with infected systems.

The main reason for having a malware command-and-control server in this type of attack was the need to get the infected machine’s ID in the TeamViewer system. The attackers already had any other information they needed (the password required to connect was provided in a special configuration file). In the new series of attacks, the attackers sent the infected machine’s TeamViewer ID using the legitimate infrastructure of the RMS remote administration system.

This was possible because the RMS remote administration infrastructure has a dedicated web service designed to notify the administrator that an RMS distribution package has been installed on a remote system. To send the notification, the RMS server generates an email message that contains the machine’s ID in the RMS system in the message body. For the message to be generated, it is sufficient for the RMS client to send an HTTP POST request to the dedicated web page, providing the following data: product name, ID of the language pack used in the system, user name, computer name, email address to which the notification should be delivered, and the machine’s ID in the RMS system assigned after installing the program.

Attack kill chain

The underlying mechanism of the web service contained a vulnerability: it did not use any kind of authorization procedure. The malicious DLL responsible for hiding the TeamViewer graphic interface included code for sending the request described above to the RMS server. However, it sent the machine’s ID in the TeamViewer system instead of its ID in the RMS system. The ID length in the TeamViewer system is different from the ID length in the RMS system; however, since there is no verification of the contents of fields sent to the server in the HTTP POST request, a notification message with information on a newly infected machine was successfully delivered to the attacker’s address.

Kaspersky ICS CERT has notified RMS developers that their infrastructure is being used for criminal purposes, providing them with all the technical details needed to close the vulnerability. To date, the vulnerability has not been closed by the developers, but a workaround, filtration based on an address whitelist, has been implemented.

In other words, the functionality still works, but notification emails are only sent to email addresses included in a special list of customers ‘verified’ by RMS developers.
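As an added illustration of the gap described above (not the RMS vendor's code; the parameter names, the token mechanism and the ID format are assumptions made for this example), here is a weak notification handler beside a hardened one. The hardened version refuses callers that cannot present an installation token, restricts recipients to an allow-list in the way the vendor's interim workaround does, and validates the shape of every field, so a machine ID of the wrong length is rejected instead of being mailed out.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field names follow the data the report says the request carries; the exact parameter
# names, the token mechanism and the ID syntax are assumptions for this illustration.
REQUIRED_FIELDS = ("product", "lang_id", "user_name", "computer_name", "email", "machine_id")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ASSUMED_RMS_ID_RE = re.compile(r"^\d{12}$")   # placeholder: a fixed-width numeric product ID


@dataclass
class Decision:
    accepted: bool
    reason: str


def _missing(form: Dict[str, str]) -> List[str]:
    return [k for k in REQUIRED_FIELDS if not form.get(k)]


def notify_weak(form: Dict[str, str]) -> Decision:
    """The behaviour the report describes: no authorization and no content checks, so any
    POST that carries the expected keys triggers a mail to the address in the request."""
    missing = _missing(form)
    if missing:
        return Decision(False, "missing fields: " + ", ".join(missing))
    return Decision(True, "notification mailed to " + form["email"])


def notify_hardened(form: Dict[str, str], token: Optional[str], valid_tokens: Iterable[str],
                    allowed_recipients: Iterable[str]) -> Decision:
    """Checks the weak handler lacks: an installation token proving the caller is a real
    client (assumed mechanism), the vendor's recipient allow-list, and per-field format
    validation so a value of the wrong shape in machine_id is refused."""
    if not token or token not in set(valid_tokens):
        return Decision(False, "unauthorized")
    missing = _missing(form)
    if missing:
        return Decision(False, "missing fields: " + ", ".join(missing))
    email = form["email"].strip().lower()
    if not EMAIL_RE.match(email):
        return Decision(False, "malformed recipient address")
    if email not in {a.lower() for a in allowed_recipients}:
        return Decision(False, "recipient not on allow-list")
    if not ASSUMED_RMS_ID_RE.match(form["machine_id"]):
        return Decision(False, "machine_id does not match the product's ID format")
    if not form["lang_id"].isdigit():
        return Decision(False, "lang_id must be numeric")
    return Decision(True, "notification mailed to " + email)


# Constructed requests for the comparison below (not captured traffic).
LEGIT_REQUEST = {"product": "RMS", "lang_id": "1033", "user_name": "operator",
                 "computer_name": "WS-01", "email": "admin@example.org", "machine_id": "123456789012"}
# Same request with an outside recipient and a 9-digit value where the product ID belongs.
SPOOFED_REQUEST = dict(LEGIT_REQUEST, email="mailbox@external.example", machine_id="987654321")

if __name__ == "__main__":
    allow = ["admin@example.org"]
    for name, req in (("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(name, "weak:", notify_weak(req).reason)
        print(name, "hardened:", notify_hardened(req, "tok", {"tok"}, allow).reason)
```

The ordering matters: authorization is checked before any field is read, and the allow-list check runs before the format check so that a rejected request reveals nothing about what a valid ID looks like.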

For technical details about this vulnerability please contact: ics-cert@kaspersky.com

Victims

As mentioned above, the vast majority of attacked systems are industrial enterprises in Russia representing various sectors of the economy. We identified attacks on companies from the following industries:

  • Manufacturing
  • Oil and gas
  • Metal industry
  • Engineering
  • Energy
  • Construction
  • Mining
  • Logistics

Consequently, this is not a case of an attack narrowly targeting one specific industry; however, since most legitimate documents used in the attacks are from the energy sector, it can be assumed that the attackers have a particular interest in the sector.

Attribution

We are convinced that a Russian-speaking group is behind these attacks.

The main arguments in favor of this theory were offered in our previous report, "Attacks on industrial enterprises using RMS and TeamViewer".

Note also that the code used to send requests to the RMS server, which was identified in the process of analyzing the new version of the malicious DLL, contains a language ID for the Russian localization of the operating system.

According to available information, the main objective of the criminals is to steal money from victim organizations’ accounts. This means that the attackers must have a good understanding of the financial workflow, which differs in some of its aspects from country to country, and support the appropriate infrastructure for cash withdrawal.

The group does not use any sophisticated tactics or technologies, but it carefully prepares each attack and expertly uses social engineering techniques, as well as technologies that are already known from attacks staged by other criminal groups.

We believe that the group includes people responsible for the technical aspect of infecting victims’ systems, as well as people responsible for financial operations, i.e., for stealing money from the group’s victims.

Conclusions

The threat actor continues to attack industrial enterprises successfully using relatively simple techniques, but its methods are evolving. To persuade users of the legitimacy of phishing emails, criminals have begun to use documents that were apparently stolen during earlier attacks. It is worth noting that some of the documents used for this purpose contain information on industrial equipment settings and industrial process parameters. This is one more reason to believe that these attacks specifically target industrial enterprises.

The main technical change in the attacks is that the attackers have discarded the most vulnerable stage in data collection and transmission – that is, malware command-and-control servers, which can be disconnected by the hosting provider or blocked by information security systems. Instead, new system infection notifications are delivered via the legitimate web interface of the RMS remote administration utility’s cloud infrastructure. Resources disguised as legitimate websites of existing organizations are used to store malware samples.

The attackers have full control of an infected system from the moment it becomes infected. Stealing money from the organization’s accounts remains their main objective. When the attackers connect to a victim’s computer, they look for financial and accounting software (1C accounting software, bank-client, etc.). In addition, they find and analyze procurement-related accounting documents and peruse the email correspondence of the enterprise’s employees. After that, the attackers look for various ways in which they can commit financial fraud. We believe that the criminals are able to substitute the bank details used to pay invoices.

Clearly, the attackers’ remote access to infected systems also poses other threats, such as the organization’s sensitive data being leaked, systems being put out of operation, etc. As the latest events have shown, the attackers use documents that were probably stolen from organizations to carry out subsequent attacks, including attacks on victim companies’ partners.

If you have encountered an attack of this kind, you can report it to us through a form on our website.

Recommendations

  • Train employees at enterprises in using email securely and, specifically, in identifying phishing messages
  • Restrict the ability of programs to gain SeDebugPrivilege privileges (wherever possible)
  • Install antivirus software with support for centrally managing the security policy on all systems; keep the antivirus databases and program modules of security solutions up to date
  • Use accounts with domain administrator privileges only when necessary. After using such accounts, restart the system on which the authentication was performed
  • Implement a password policy with password strength and regular password change requirements
  • If it is suspected that some systems are infected: remove all third-party remote administration utilities, scan these systems with antivirus software and force a change of passwords for all accounts that have been used to log on to compromised systems
  • Monitor network connections for any traces of remote administration utilities installed without proper authorization. Pay special attention to the use of the RMS and TeamViewer utilities
  • Use network activity filtration systems to block connections to servers and IP addresses listed in Appendix I – Indicators of Compromise
  • Never use obsolete versions of the TeamViewer utility (versions 6.0 and earlier). To discover any instances of obsolete versions of TeamViewer being used, the YARA rule provided in Appendix I – Indicators of Compromise can be used
  • It should be noted that, since the attack uses legitimate remote administration software, that software can remain on the victim’s computer and continue operating even when the malicious downloader has been removed. If remote administration software has been identified at the stage of scanning corporate systems, it should be determined in each case whether it was installed legitimately

For more information please contact: ics-cert@kaspersky.com

Appendix I – Indicators of Compromise

File Hashes (malicious documents, malware, emails etc.)

  • 386a1594a0add346b8fbbebcf1547e77
  • 203e341cf850d7a05e44fafc628aeaf1
  • 3b79aacdc33593e8c8f560e4ab1c02c6
  • ea1440202beb02cbb49b5bef1ec013c0
  • 1091941264757dc7e3da0a086f69e4bb
  • 72f206e3a281248a3d5ca0b2c5208f5f
  • da4dff233ffbac362fee3ae08c4efa53
  • d768a65335e6ca715ab5ceb487f6862f
  • 9219e22809a1dff78aac5fff7c80933c
  • 86e14db0bcf5654a01c1b000d75b0324

File Names

  • Акт.js
  • Запрос 17782-09-1.js
  • Перечень документов.js
  • спецификация на оборудование xls.js
  • tv.dll
  • tv.ini

Some malware modules installed on the system have randomly generated names that follow a specific format. The following regular expression can be used to search for such files:

%TEMP%\\[a-z]{2,3}[0-9]{2}\.exe

These files are saved in the temporary file directory (%TEMP%); the first part of the file name consists of two or three lowercase Latin letters, followed by a two-digit number and the extension .exe.

Domains and IPs

  • timkasprot.temp.swtest[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • 77.222.56[.]169 (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • z-wavehome[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
  • dncars[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)

Yara Rules

import "pe"

rule TeamViewer_ver6_and_lower {
    meta:
        description = "Rule to detect TeamViewer ver 6.0 and lower"
        hash = "4f926252e22afa85e5da7f83158db20f"
        hash = "8191265c6423773d0e60c88f6ecc0e38"
        version = "1.1"
    condition:
        uint16(0) == 0x5A4D and
        pe.version_info["CompanyName"] contains "TeamViewer" and
        (pe.version_info["ProductVersion"] contains "6.0" or
         pe.version_info["ProductVersion"] contains "5.1" or
         pe.version_info["ProductVersion"] contains "5.0" or
         pe.version_info["ProductVersion"] contains "4.1" or
         pe.version_info["ProductVersion"] contains "4.0" or
         pe.version_info["ProductVersion"] contains "3.6" or
         pe.version_info["ProductVersion"] contains "3.5" or
         pe.version_info["ProductVersion"] contains "3.4" or
         pe.version_info["ProductVersion"] contains "3.3" or
         pe.version_info["ProductVersion"] contains "3.2" or
         pe.version_info["ProductVersion"] contains "3.1" or
         pe.version_info["ProductVersion"] contains "3.0")
}

The attackers use outdated versions of the TeamViewer client that contain a vulnerability enabling them to hide the utility’s graphic interface. This YARA rule can be used to determine whether there are outdated versions of the TeamViewer software installed on the system. Checking whether any such software found was installed legitimately is a first-priority task.

If instances of outdated versions of the TeamViewer client being used legitimately are identified, it is recommended that the software in question be updated to the latest version.

Registry keys

  • Key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\rundll32
    Value:
    rundll32.exe shell32.dll,ShellExec_RunDLL "%AppData%\Roaming\TeamViewer\5\TeamViewer.exe"
  • Key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\CCFTray
    Value:
    rundll32.exe shell32.dll,ShellExec_RunDLL "%temp%\TeamViewer.exe"
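A small host check that applies two of the indicators above (the %TEMP% file-name pattern from the File Names section and the RunOnce values listed here), added as an example and not part of the report: it matches a directory listing against the regular expression, matches RunOnce values against the rundll32/ShellExec_RunDLL launch of TeamViewer.exe, and on Windows reads the HKCU RunOnce key through the standard winreg module. The sample listing and the benign RunOnce entry are constructed; the two suspicious values are the ones quoted in the appendix.

```python
import os
import re
import sys
from typing import Dict, List, Optional

# Name pattern from Appendix I: two or three lowercase letters, two digits, ".exe" in %TEMP%.
TEMP_NAME_RE = re.compile(r"^[a-z]{2,3}[0-9]{2}\.exe$")

# The autostart values in Appendix I launch TeamViewer.exe through shell32's ShellExec_RunDLL export.
RUNONCE_RE = re.compile(
    r"rundll32(\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\b.*teamviewer\.exe", re.IGNORECASE
)


def suspicious_temp_names(names: List[str]) -> List[str]:
    return [n for n in names if TEMP_NAME_RE.match(n)]


def scan_temp_dir(path: Optional[str] = None) -> List[str]:
    """List files in %TEMP% (or the given directory) whose names fit the pattern."""
    path = path or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    try:
        return suspicious_temp_names(os.listdir(path))
    except OSError:
        return []


def is_suspicious_runonce_value(value: str) -> bool:
    return RUNONCE_RE.search(value) is not None


def suspicious_runonce_values(values: Dict[str, str]) -> Dict[str, str]:
    return {name: v for name, v in values.items() if is_suspicious_runonce_value(v)}


def read_hkcu_runonce() -> Dict[str, str]:
    """Read the current user's RunOnce values; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    values: Dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


# Constructed samples: the two RunOnce values from Appendix I plus a benign entry, and a
# handful of %TEMP% file names (not a real listing).
SAMPLE_RUNONCE = {
    "rundll32": 'rundll32.exe shell32.dll,ShellExec_RunDLL "%AppData%\\Roaming\\TeamViewer\\5\\TeamViewer.exe"',
    "CCFTray": 'rundll32.exe shell32.dll,ShellExec_RunDLL "%temp%\\TeamViewer.exe"',
    "Updater": '"C:\\Program Files\\Example\\updater.exe" /silent',
}
SAMPLE_TEMP = ["ab12.exe", "xyz99.exe", "abcd12.exe", "a1.exe", "notes.txt"]

if __name__ == "__main__":
    print("temp names (sample):", suspicious_temp_names(SAMPLE_TEMP))
    print("temp names (this host):", scan_temp_dir())
    print("RunOnce (sample):", list(suspicious_runonce_values(SAMPLE_RUNONCE)))
    print("RunOnce (this host):", list(suspicious_runonce_values(read_hkcu_runonce())))
```

A hit on either check is a reason to look, not a verdict: as the recommendations say, remote administration software found on a system must be checked in each case for whether it was installed legitimately.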

Threat actors’ email addresses

  • timkas@protonmail.com
  • smoollsrv@gmail.com
  • nataly@z-wavehome.ru
  • info@dncars.ru

Appendix II – MITRE ATT&CK Mapping

Tactic: Initial Access
  • T1566.001 Phishing: Spearphishing Attachment. The attackers use phishing emails with archives containing malicious scripts.

Tactic: Execution
  • T1204.002 User Execution: Malicious File. Malicious software is executed when the user opens the file.
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript. Used to execute malicious PE and open bait PDF files.

Tactic: Persistence
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. The malware creates a registry value to run automatically after system restart.

Tactic: Defense Evasion
  • T1027.002 Obfuscated Files or Information: Software Packing. To make analysis more difficult, files of the malware are packed and its code is obfuscated.
  • T1564.001 Hide Artifacts: Hidden Files and Directories. The attributes "hidden" and "system" are assigned to malware files.
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking. To hide the GUI of the TeamViewer remote administration utility, a malicious program is loaded into the process instead of a system library.
  • T1036.005 Masquerading: Match Legitimate Name or Location. In most cases, attackers disguise malware components as Windows operating system components to hide the traces of malicious activity in the system.

Tactic: Credential Access
  • T1003.001 OS Credential Dumping: LSASS Memory. The attackers use the Mimikatz utility in cases where they need authentication credentials to infect other systems in an organization.
  • T1056.001 Input Capture: Keylogging. In some cases, malware (class: Spyware) designed to collect logins and passwords for various programs and services, record keypresses and capture screenshots is downloaded to an infected system.

Tactic: Discovery
  • T1057 Process Discovery. The malware collects information on antivirus software running on the system.
  • T1018 Remote System Discovery. The attackers explore the organization's other systems to which they can gain access over the network.
  • T1518 Software Discovery. The attackers take notes on which software associated with financial operations is installed on an infected system.

Tactic: Lateral Movement
  • T1021.001 Remote Services: Remote Desktop Protocol. RDP connections with account credentials obtained earlier using the Mimikatz utility are used for lateral movement.

Tactic: Collection
  • T1005 Data from Local System. The attackers analyze documents found on infected systems; these documents can be used in subsequent attacks.
  • T1114.001 Email Collection: Local Email Collection. The attackers analyze the business correspondence of the organization under attack in order to use it for subsequent attacks on the victim's business partners.
  • T1056.001, T1113 Input Capture: Keylogging and Screen Capture. In some cases, malware (class: Spyware) designed to collect logins and passwords for various programs and services, record keypresses and capture screenshots is downloaded to an infected system.

Tactic: Command and Control
  • T1071.001 Application Layer Protocol: Web Protocols. To send the TeamViewer ID, an HTTP POST request is sent to the RMS server.
  • T1071.003 Application Layer Protocol: Mail Protocols. The RMS server sends an email to an address controlled by the attackers. The email contains the infected machine's TeamViewer ID.
  • T1219 Remote Access Software. The attackers use the TeamViewer remote administration utility to connect to the infected system.

Tactic: Exfiltration
  • T1020 Automated Exfiltration. The attackers use malware to receive information collected on the infected system.

Tactic: Impact
  • T1565.001 Data Manipulation: Stored Data Manipulation. Substitution of bank details in payment forms.



Meet Yurei: The New Ransomware Group Rising from Open-Source Code

New Group, Fast Growth: Yurei ransomware first appeared on September 5, already listing three victims in Sri Lanka, India, and Nigeria with...