Time for another rundown of those vicious viruses, fiendish phishers and miserable malware. Yep - it’s Threat Thursday!
This week: Trickbot grows an extra leg and Hackers stoop to further lows amid a worldwide pandemic crisis.
Surprising Nobody, Coronavirus is the Latest Global Panic that Hackers are Taking Advantage of
Well, it was inevitable, wasn’t it? Hackers, the bastions of moral decency that they are, are employing the panic surrounding the Coronavirus in their latest spate of phishing emails. As one might expect, these incidents aren’t isolated, and spam campaigners from as far afield as Japan and America are in on the act; even the World Health Organisation (WHO) has been mimicked in a spate of malicious emails, forcing them to issue a statement on their legitimacy.
Individuals, businesses…everyone and everything is preparing itself for the virus, and as such these spam emails will be sent far and wide, either indiscriminately or via targeted campaigns. Some emails will be tailored to individuals – perhaps claiming that a relative has been afflicted – while others will be targeted at businesses; a fake news gag that went viral on social media, claiming that the virus will affect UK sick pay laws, is already proof of the public’s willingness to believe.
If anything, this scheme’s an interesting example of how a real-life phenomenon has a knock-on effect on the internet, and how successful spam campaigns rely more on human trickery than technical wizardry. Remember to always check the sender address of any unexpected emails; if they end in anything other than a short, recognisable domain, treat them with extreme caution. And for goodness sake, don’t open any ambiguous attachments.
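The sender-address check described above, as an added example that is not part of the original post: it separates the display name from the actual address, and flags a message whose display name claims a known organisation while the address sits on some other domain. The trusted-domain table and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed table of organisations and the domain their mail is expected to come from.
# In practice this would be your own allowlist of correspondents.
TRUSTED_SENDERS = {
    "who.int": "World Health Organisation",
}


def split_sender(from_header):
    """Return (display name, address, domain) for a raw From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def assess_sender(from_header, trusted=TRUSTED_SENDERS, max_labels=3):
    """Apply simple defender-side heuristics to a From: header.

    - the display name names a known organisation but the address is not on its domain
    - the address has no usable domain at all
    - the domain is long and multi-labelled rather than short and recognisable
    """
    name, addr, domain = split_sender(from_header)
    reasons = []
    if not domain or "." not in domain:
        reasons.append("no usable sender domain")
        return {"display_name": name, "address": addr, "domain": domain,
                "suspicious": True, "reasons": reasons}

    on_trusted_domain = any(domain == d or domain.endswith("." + d) for d in trusted)
    for trusted_domain, org in trusted.items():
        claims_org = org.lower() in name.lower()
        if claims_org and not (domain == trusted_domain or domain.endswith("." + trusted_domain)):
            reasons.append(f"display name claims {org} but address domain is {domain}")
    if not on_trusted_domain and len(domain.split(".")) > max_labels:
        reasons.append(f"long multi-label domain: {domain}")

    return {"display_name": name, "address": addr, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers
    for header in (
        "World Health Organisation <alerts@who.int>",
        "World Health Organisation <notice@update-alerts.example.com>",
        "Payroll <hr@mail.notices.payroll-update.example.net>",
    ):
        print(assess_sender(header))
```

The lookup uses exact-domain or subdomain matches only; it does not attempt lookalike detection, so a domain that merely resembles a trusted one would only be caught by the display-name rule or the length rule.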
Ostap That, it’s Silly: Trickbot Infects Word Documents with Elusive Malware Downloader
Word documents are the latest attack vector for the Trickbot trojan, which is hitching a ride on the OStap downloader in order to bypass protections.
Bromium, the security firm that reported this latest campaign, noticed in September last year that the OStap ‘dropper’ was hiding within macro-enabled Microsoft Word 2007 documents, delivered – say it with me! – via malicious emails. Once activated, OStap drops Trickbot onto the system, where it’s free to run amok.
Those macro-enabled documents are the crucial component; not only are they how the sinister payloads are delivered, but they’re designed to withhold supposedly important content until macros are enabled. Like we mentioned in our Coronavirus article, it’s the social, not the technical wizardry, that lets the hackers get their foot in the door.
The campaign has now been spotted in the wild once again, making particular use of Windows Remote Desktop Protocol’s ActiveX controls to enable these macros automatically. Be aware of any unexpected documents – these ones are commonly disguised as sales invoices – and look out for some tell-tale signs. For example, much of the dodgy code text is hidden within the Word document itself, resulting in a suspiciously high character count. In a humorously crude twist, the code text is in a pure white font, rendering it invisible against Word’s default page colour.
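The two tell-tale signs just described (a macro-enabled document whose character count is inflated by white-on-white text) can be checked mechanically. The following is an added example, not Bromium's tooling or anything from the original post: it reads a Word package as the zip-of-XML it is, counts characters in runs whose colour is explicitly set to white, and notes whether a VBA project part is present. The sample document it builds is constructed here for the demonstration and is not a real lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a .docx/.docm package
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Constructed lure text for the sample document (not taken from a real campaign)
VISIBLE_TEXT = "Please enable content to view this invoice."


def build_docx(paragraphs, macro_enabled):
    """Build a minimal Word package in memory for exercising the detector.

    paragraphs: list of (text, colour) pairs; colour is a hex string such as
    "FFFFFF", or None for the default colour. The package is deliberately
    skeletal and only carries the parts the detector looks at.
    """
    runs = []
    for text, colour in paragraphs:
        rpr = f'<w:rPr><w:color w:val="{colour}"/></w:rPr>' if colour else ""
        runs.append(f'<w:p><w:r>{rpr}<w:t xml:space="preserve">{text}</w:t></w:r></w:p>')
    body = "".join(runs)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        if macro_enabled:
            # Placeholder bytes: the presence of this part is what marks a macro-enabled file
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def analyse_docx(data):
    """Count visible versus white-font characters and record whether a VBA project exists."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        root = ET.fromstring(zf.read("word/document.xml"))
    visible = hidden = 0
    for run in root.iter(f"{{{W_NS}}}r"):
        text = "".join(t.text or "" for t in run.iter(f"{{{W_NS}}}t"))
        colour = run.find("w:rPr/w:color", NS)
        # Only an explicit FFFFFF colour is counted; theme colours, shading and
        # tiny font sizes are other hiding tricks this simple check does not cover.
        is_white = colour is not None and colour.get(f"{{{W_NS}}}val", "").upper() == "FFFFFF"
        if is_white:
            hidden += len(text)
        else:
            visible += len(text)
    total = visible + hidden
    return {
        "macro_enabled": "word/vbaProject.bin" in names,
        "visible_chars": visible,
        "hidden_white_chars": hidden,
        "hidden_ratio": hidden / total if total else 0.0,
    }


def is_suspicious(report, min_hidden_ratio=0.5):
    """Flag macro-enabled documents in which most of the text is invisible to the reader."""
    return report["macro_enabled"] and report["hidden_ratio"] >= min_hidden_ratio


if __name__ == "__main__":
    lure = build_docx([(VISIBLE_TEXT, None), ("A" * 1500, "FFFFFF")], macro_enabled=True)
    report = analyse_docx(lure)
    print(report, "suspicious" if is_suspicious(report) else "clean")
```

The ratio threshold is a tuning knob: a legitimate document rarely has any explicitly white text at all, so even a much lower threshold would be reasonable in a mail gateway, while the macro check keeps plain .docx files with odd formatting from being flagged on colour alone.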
Griiiifts iiiin Spaaaaaace! Aerospace Experts Targeted by Burgeoning Ransomware
Visser Precision, a manufacturer of automotive, aerospace and industrial components, has been hit by another ransomware group using threats and extortion to further encourage ransom payments.
DoppelPaymer, which sounds like the name Rumpelstiltskin might adopt after that first failed attempt at anonymity, is a breed of ransomware which not only holds business systems to ransom, but slurps up their important credentials in the process. Through these stolen assets, the DoppelPaymer group adopts a ‘name and shame’ policy on their website, listing companies yet to pay the ransom and even threatening to share their sensitive documents online if the payment deadline isn’t met. It’s a similar tactic adopted by the Maze ransomware we covered back in December, suggesting this ‘take no prisoners’ approach could soon become the norm for hackers.
The Malware Wiki (which is brilliant, by the way) suggests that DoppelPaymer was first discovered in April of last year, but since November has begun a more rigorous campaign of carnage. As the malware seemingly targets English-speaking countries, this could be one emerging threat worth keeping an eye on.
Pray Your Card’s Right: Boots and Tesco Loyalty Cards Compromised by Data Breaches
It’s a bad week for loyal British shoppers. In this past week, both Boots and Tesco have been targeted by data breaches, with the details of both companies’ loyalty card holders being made available online. 620,000 Tesco Clubcard accounts have been compromised, while it’s estimated that fewer than 150,000 Boots Advantage Card holders were hit in a recent breach.
Anyone with a base-level understanding of cyber crime can draw a logical, if unproven, conclusion here. While the 620,000 Tesco accounts were compromised using stolen credentials, the far smaller set of 150,000 Boots accounts was accessed, according to the BBC, with passwords stolen ‘from other sites’.
Considering the Boots breach was far less successful than the attack on Tesco, and happened only a few days after, it’s reasonable to assume that the attempts on Boots’ customers were made with the stolen Tesco credentials. Both are popular British outlets, so it’s likely customers will hold loyalty cards for each. With so many of the public still using the same login credentials across online accounts, it’s natural that holders of the stolen credentials would try them across other retailers.
This theory, if true, is a textbook example of the importance of varied passwords, and of how repeating credentials across accounts makes you especially vulnerable. Keep your passwords varied, and try to use a combination of upper and lower case text and symbols to keep them hard to guess. If you’re struggling to commit your passwords to memory (and nowadays, who can blame you?), you might consider a reputable password manager; RememBear, LastPass and Dashlane are three popular choices.
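From the retailer's side, credentials stolen elsewhere and replayed against a login page leave a recognisable footprint: one source trying many different usernames, mostly failing, with the occasional success on an account whose owner reused a password. The following is an added example, not code from the original post or from either retailer, showing how that pattern can be pulled out of authentication logs. The log format and the IP addresses (from the reserved documentation ranges) are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log; the format is an assumption for this example.
LOG_LINES = """\
2020-03-05T09:00:01Z ip=198.51.100.20 user=alice result=fail
2020-03-05T09:00:09Z ip=198.51.100.20 user=alice result=success
2020-03-05T09:01:00Z ip=203.0.113.7 user=alice result=fail
2020-03-05T09:01:01Z ip=203.0.113.7 user=bob result=fail
2020-03-05T09:01:02Z ip=203.0.113.7 user=carol result=success
2020-03-05T09:01:03Z ip=203.0.113.7 user=dave result=fail
2020-03-05T09:01:04Z ip=203.0.113.7 user=erin result=fail
2020-03-05T09:01:05Z ip=203.0.113.7 user=frank result=success
2020-03-05T09:02:30Z ip=192.0.2.44 user=grace result=fail
2020-03-05T09:02:45Z ip=192.0.2.44 user=grace result=fail
2020-03-05T09:03:10Z ip=192.0.2.44 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events):
    """Aggregate attempts, failures, distinct usernames and successful logins per source IP."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["successes"].add(e["user"])
    return stats


def flag_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Report source IPs that tried many different accounts and mostly failed.

    A user mistyping their own password hits one account many times and is not
    flagged; a replay of a stolen credential list spreads across many accounts.
    Accounts that succeeded from a flagged source are the ones to force a reset on.
    """
    flagged = {}
    for ip, s in per_source_stats(events).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_reset": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    print(flag_credential_stuffing(parse_events(LOG_LINES)))
```

The per-IP grouping is the simplest version of this detection; a list replayed slowly from many addresses stays below the threshold, so production rules usually add a time window and also look at the global rate of failures across all sources.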
As you might have noticed, it’s been a thankfully quiet week for immediate threats to businesses - but these stories are the perfect cautionary tales on password security, social engineering and the evolving techniques of cyber criminals.