It’s a malware maelstrom in this week’s Threat Thursday, with most of the week’s cyber security headlines covering malware old and new.
With Windows, macOS and web content management systems all in the firing line, now’s the time to familiarise yourself with this especially woeful week of wares.
HMRC: Hustlers Making Riches off Covid
Before we dive, noses held, into the stagnant ooze of this week’s malware, self-employed readers might want to take note of a new HMRC scam.
This scam, aimed squarely at business owners and the self-employed, sends text messages purporting to be from Her Majesty’s Revenue and Customs. The messages claim that the recipient is due a tax refund and link to a bogus “Coronavirus (COVID-19) guidance and support” page, where personal details – including passport numbers – are requested under the guise of identity verification. As you may have guessed, it is anything but.
The discovery was first reported by Griffin Law; the screenshots in their report show that the bogus HMRC form is startlingly convincing. Your humble Threat Thursday author should know, having spent hours on the official gov.uk site resolving an unpaid tax debacle in April. But I digress.
Remember: HMRC will never notify you of a tax refund, or ask for personal or payment details, by text message or email; genuine correspondence about refunds arrives by post through Royal Mail. If an SMS that seems too good to be true pops into your inbox, then it probably is.
The Devil’s in the DDoS: Lucifer Cryptojacking Malware Leverages Windows Weaknesses
Earlier this week, researchers at Palo Alto Networks’ Unit 42 published details of a new hybrid cryptojacking malware with DDoS attack capabilities, which they’ve given the slightly dramatic name ‘Lucifer’.
Dramatic name aside, Lucifer has a pretty nasty repertoire. It drops XMRig on infected systems to mine the Monero cryptocurrency, brute-forces credentials, exploits multiple known vulnerabilities, and spreads across internal networks using the leaked EternalBlue and EternalRomance exploits together with the DoublePulsar backdoor implant.
What’s interesting is that Lucifer doesn’t appear to ride on any phishing campaign; in the instances seen so far it attacks exposed systems directly, with no user interaction required. Furthermore, it’s evolving at a rapid rate. After the first wave was blocked on June 10th, it returned the following day as a revised version, once again targeting Windows systems and their unpatched vulnerabilities.
Unit 42’s report lists every vulnerability Lucifer is known to exploit, and we must echo their sentiment: these are known, patchable flaws, which makes the case for keeping your systems up to date as plainly as anything could. The operators behind Lucifer are watching for unpatched systems and exploiting them diligently.
EvilQuest is the Latest Entry to the Mac Malware Party
Move over, Shlayer; EvilQuest looks like a challenger for the macOS malware throne.
First spotted by the delightfully named Dinesh Devadoss, a malware researcher at K7 Lab, EvilQuest has quite the repugnant repertoire: keylogging, cryptocurrency theft and even full remote control of an infected system. Yeesh.
So far, EvilQuest has been found bundled into pirated software shared on dodgy file-sharing sites. Patrick Wardle, Principal Security Researcher at Jamf, names a pirated copy of the Mixed In Key music software as one infected package, while Devadoss found it in a package with the innocuous-looking name ‘Google Software Update’. Thomas Reed of Malwarebytes, meanwhile, reports an infected copy of the macOS firewall Little Snitch.
Thus far, then, it appears EvilQuest’s… er, quest has only just begun. But the fact that it has only been spotted on less-than-reputable sites, inside some rather niche software, doesn’t mean it won’t spread further. If experience is anything to go by, we’ll be hearing more from EvilQuest in the coming months.
Sodinokibi Unveils Bidding Campaign; Neglects to Name It “Sodinokibids”
What do you do when there are terabytes of stolen data taking up space on your server? Enterprising hackers and recurring Threat Thursday villains Sodinokibi (also known as REvil) have an answer: auction it off on your dark web leak site.
Yep, that’s right: when victims refuse to pay the ransom, Sodinokibi fills its pockets with the cash of willing bidders instead. That’s according to a downloadable report from the folks at CyberInt, released earlier this week. Bids are placed anonymously and are payable in the Monero cryptocurrency.
And it’s bringing in some grand figures, too. According to Forbes, a starting price of $30,000 could net a hopeful haggler 50 gigabytes of data from an American law firm.
At this point, never doubt the lengths criminals will go to in order to make a few quid, nor that they’ll make good on their threat to leak what they’ve stolen. Now more than ever, prevention is far more effective than cure.
Tighten Up That CMS: DarkCrewFriends Are Making a Comeback
Time to review your content management systems: the anything-but-friendly DarkCrewFriends are making a comeback. The freelance hacker group is building a botnet from compromised web servers for all sorts of sabotage; data theft, malware distribution, DDoS and remote code execution are just a few of the tricks these freelance fraudsters have up their sleeves.
This time last week (and, annoyingly, just moments after that week’s Threat Thursday went up), Check Point Research released a report detailing an ‘ongoing, evolving campaign’ designed to compromise and monetise critical online services.
As the report explains (another one we must credit for its transparency and presentation), the attackers target CMS installations with unrestricted file upload vulnerabilities: the CMS accepts uploads of “media” without validating the file’s extension or content, so an attacker can upload a server-side script (a PHP web shell, say) in place of an image and then simply request it from the web server, gaining remote code execution on the host. The report’s authors, Liron Yosefian and Ori Hamama, note that the methods and exploits match those of the once-dormant hacker group.
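To make the flaw concrete, here is an added example in Python showing the vulnerable upload pattern beside a hardened check. It is not Check Point’s code or that of any real CMS; the upload directory, the allow-list of types and the sample uploads are all assumptions constructed for illustration.

```python
"""Unrestricted file upload: the vulnerable pattern and a hardened check.

Added example, not code from Check Point Research or from any real CMS.
UPLOAD_DIR, the allow-list and the sample uploads are assumptions.
"""
import posixpath
import secrets

UPLOAD_DIR = "/var/app/uploads"  # assumption: where the CMS stores media

# Allow-listed extensions and the magic bytes the content must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Script markers that must never appear inside an "image": a JPEG with <?php
# embedded can still be executed if the server maps uploads to a PHP handler.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def vulnerable_target(client_filename: str) -> str:
    """The flawed pattern: trust the client's filename and write it under a
    web-served directory. 'shell.php' becomes executable by a single GET
    request, and '../../index.php' escapes the upload directory entirely."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, client_filename))


def check_upload(client_filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check. Returns (accepted, server_filename_or_reason).

    On success the file gets a random server-chosen name, so the client
    controls neither the path nor the name, only the extension, and that
    extension has been allow-listed and matched against the content."""
    # Strip any directory component, whichever separator the client used.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    # Exactly one dot: rejects 'shell.php.jpg' (double extensions that some
    # web servers hand to the script interpreter) and 'shell.jpg.php' alike.
    if base.count(".") != 1:
        return False, "filename must be name.ext"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script markers"
    server_name = f"{secrets.token_hex(16)}.{ext}"
    return True, server_name


if __name__ == "__main__":
    # Constructed sample uploads: four attacker attempts and one real photo.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff<?php system($_GET['c']); ?>"),
        ("../../index.php", b"<?php echo 'owned'; ?>"),
        ("holiday.jpg", b"\xff\xd8\xff\xe0<?php phpinfo(); ?>"),
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    ]
    for name, body in samples:
        print(f"{name!r:20} vulnerable -> {vulnerable_target(name)}")
        ok, info = check_upload(name, body)
        print(f"{'':20} hardened   -> {'ACCEPT' if ok else 'REJECT'} ({info})")
```

Even with this check in place, the upload directory should sit outside the web root, or be served with script execution disabled, so that a validation slip never turns into code execution.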
Well, that wraps up another week of web-transmitted woes, but try not to lose too much sleep. As one of our recent eBooks, Layering Your Cyber Security, explains, there’s more than one way to prevent cyber threats.