Phishing campaigns, Covid-19 scams and yet more Zoom-related shenanigans. It’s a fairly predictable week for cyber security – but no less dangerous.
Let Threat Thursday guide you through the ever-growing scourge of cyber crime set to be targeting businesses this week.
Botnet Boom Soon to Doom Zoom
The latest strand of malware eager to capitalise on Zoom’s popularity has emerged.
There’s not exactly a gap in the market for Zoom-themed malware; the hugely popular conferencing app has seen incredible success in the wake of home working and Covid-19, and that large pool of potential victims is no less alluring to opportunist hackers. Take the Devil Shadow botnet, for example, whose fake Zoom installer is actually a backdoor into a victim’s system, allowing for keylogging, screen grabbing and the pilfering of email details.
This fake installer is a convincing one: it even launches the official Zoom installer once it has infiltrated the targeted system. However, this is little more than a ploy to convince the user of its legitimacy; the app is never successfully installed on the target machine, and the bogus installer simply keeps running in the background.
So far, no instances of this botnet have been found lurking on any official channels; you’re unlikely to inadvertently download this one from the App Store, and while Google Play may have had numerous dodgy apps purged from its pages in the past, there is no evidence of this one existing on there as of now. Needless to say, if you receive an invitation to download Zoom from anywhere other than its official site, we’d advise not touching it with the proverbial ten-foot barge pole, and seeking a more official avenue for download.
ZLoader Gets Ten Points for Potency, Zero for Originality
Thanks, ZLoader, for turning Threat Thursday into another ‘Greatest Hits’ episode with your less-than-unique approach to malware distribution.
There are absolutely zero points awarded for guessing that ZLoader, a strain of banking malware, is supplementing its campaign with Covid-19-related phishing emails; lord knows they’re the baiting method du jour for any malware campaign in 2020.
What’s more of note, however, is the rate at which ZLoader is spreading itself.
Since the start of 2020, ZLoader has been spotted in more than 100 phishing campaigns. March and April’s most prominent examples both leveraged malicious Excel spreadsheets, accompanied by the usual bluster about Covid-19 testing occurring in the recipient’s area, to get unwitting victims to click the link or open the attachment and infect themselves.
ZLoader is an offshoot of Zeus, a banking malware that’s seen numerous iterations over the years, including Zeus Sphinx and Gameover Zeus. Zeus first appeared in 2007 and its source code leaked online in 2011; ever since, like the average cold virus, the internet usually weathers the latest strain only for a new one to rear its head.
Whatever its incarnation, it’s an infamous banking malware; this year’s ZLoader campaigns began by targeting customers of financial institutions in Canada before spreading their wings to America, Australia and Europe. Wherever it pops up, its MO remains the same: snatching the banking details of hapless customers online. As always, we’ll impart the usual wisdom: don’t open any unexpected emails, take any unofficial Covid-19 statements with a pillar of salt, and above all, leave those ambiguous file attachments alone.
Silent Night is Anything but Holy
Speaking of Zeus, there’s another variant doing the rounds using the popular Malware-as-a-Service format.
Silent Night sits on the much steeper end of the malware pricing scale, with a monthly subscription rate of $4,000; clearly, the developer is confident in its money-making capabilities. It was first discovered in the wild in November of last year, coinciding with its release announcement on underground Russian hacking forums. HYAS and Malwarebytes have since published an excellent white paper on this new strain, available to download here, detailing everything from the malware’s history to its coding structure.
Well, if one Zeus variant wasn’t enough for you this week…
Dodgy URLs Hiding Behind Google Firebase
It’s rare we’d honour a phishing campaign for its ingenuity, but we’ll take what we can get in this week’s thus-far typical parade of cyber threats.
While not yet in widespread use, and likely to be nipped in the bud once Google puts adequate defences in place, a new technique sees cyber criminals hosting their credential-stealing web pages on Google Firebase, Google’s cloud platform for building mobile and web apps, whose file storage sits on Google Cloud Storage.
While the technical reasoning for this is rather creative, as we’ll cover in just a moment, getting victims to these nefarious pages still relies on the tried-and-tested methods. Yep, we’re looking at another phishing scam here, folks, this time redirecting hapless recipients to fake Office 365 or banking logon pages, where their details are promptly snaffled up by cyber-thieves.
The Google name, it’s reasoned, means both victims and their security software are less likely to flag the page as a threat. In an interview with Threatpost, Karl Sigler of Trustwave’s SpiderLabs explains:
“Since it’s using Google Cloud Storage, credential-capturing webpages hosted on the service are more likely to make it through security protections like Secure Email Gateways, due to the reputation of Google and the large base of valid users”.
Karl notes that the technique has been seen in use since as recently as March, with the phishing emails using a variety of different ‘lures’ to get the bait a-bitin’. These include the usual account verifications, password reset warnings and (say it with me now!) fake Covid-19 updates.
And Finally, Another Phishing Email Leveraging… Ah, Yes. Covid-19. Jolly Good.
I mean, sure, we at Threat Thursday know the key to any good threat campaign is to exploit current events, crazes and common software. But strewth, the hackers this week have been unrelenting in exploiting the worldwide pandemic.
Look, we’ll meet you half way with this one. To spice up yet another Covid-19 related phishing campaign, we’ll present this week’s final report via the beloved medium of limerick….
A recent spear-phishing campaign
Is becoming a bit of a pain.
The old tactic endures
With the usual lures,
Of Covid-19 – once again.
The first instance of this one was seen
By Microsoft’s security team,
And since the 12th day
Of this month of May,
Its growth has been rather extreme.
The emails, from one lurid sender
Claim to be from the Johns Hopkins Centre
Who research the virus
But we here at Mirus
Know it’s false - with a hostile agenda.
For attached is an Excel spreadsheet,
Which is hiding a threat most discreet,
If you were to click ‘open’
A remote access trojan,
Is unleashed from its web of deceit.
Our advice is the same old reprieve;
Don’t open all mail you receive.
Check the sender, the file;
Do those links look hostile?
Would you rather be safe, or deceived?
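Both ZLoader’s spring campaigns and the Johns Hopkins lure above ride on an Excel attachment, so the one control that covers both is triaging workbooks before they reach the user. As an added example (not from the original post, and not the logic any vendor uses), here is a Python routine that decides by the file’s container contents, rather than its extension, whether a workbook can carry macros at all. The sample workbooks it builds are constructed in memory for the demonstration and are not real spreadsheets.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML container (.xlsx/.xlsm)
OOXML_EXCEL_EXTENSIONS = (".xlsx", ".xlsm", ".xltx", ".xltm")


def excel_attachment_risk(filename, data):
    """Triage an Excel attachment by its container, not its extension.
    Returns (verdict, reason) with verdict one of 'allow', 'review', 'block'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if data.startswith(OLE_MAGIC):
        # Legacy .xls can hold VBA or Excel 4.0 macro sheets; this routine does
        # not parse the OLE streams, so it hands the file over for review.
        return "review", "legacy OLE workbook; may contain VBA or Excel 4.0 macros"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "review", "zip signature but not a readable OOXML package"
        if "xl/vbaProject.bin" in names:
            return "block", "OOXML workbook contains a VBA project"
        if any(n.startswith("xl/macrosheets/") for n in names):
            return "block", "OOXML workbook contains Excel 4.0 macro sheets"
        if "xl/workbook.xml" in names:
            if ext not in OOXML_EXCEL_EXTENSIONS:
                return "review", "OOXML workbook with a non-Excel extension " + repr(ext)
            return "allow", "OOXML workbook without macros"
        return "review", "zip package that is not a workbook"
    return "review", "unrecognised container"


def make_workbook(with_vba=False, with_xlm=False):
    """Build a minimal OOXML package in memory. Constructed test data only:
    it has just enough structure for the triage, not a usable spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("covid_testing_results.xlsm", make_workbook(with_vba=True)),
        ("quarterly_figures.xlsx", make_workbook()),
        ("test_centres.xls", OLE_MAGIC + b"\x00" * 504),
    ]
    for fname, blob in samples:
        print(fname, excel_attachment_risk(fname, blob))
```

The verdicts are deliberately conservative: a legacy .xls is never allowed outright because its macros live in OLE streams this check does not read, and a workbook whose extension disagrees with its contents is sent for review rather than trusted on the strength of either.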
Well, it’s been something of a Groundhog Day this week, with several recurring themes and techniques. All the more reason to familiarise yourself and stay ever-more vigilant.
In the meantime, why not sign up to our weekly Threat Thursday emails?
All the latest cyber security news sent straight to your inbox; simply drop your email address in the column on the right ➡️ of this page, and we’ll add you to the mailing list.