Cyber Security News — Past 24 hours | 19.05.2021

SLIIT CS2
6 min read, May 19, 2021

Lorenz Ransomware — One More Threat To the Enterprise Security

One more security threat has emerged in the ransomware ecosystem targeting businesses. Identified as Lorenz, this is yet another ransomware that applies a double extortion strategy for money-making.

About Lorenz Ransomware

Bleeping Computer has recently shared details of the Lorenz ransomware, which has only recently appeared on the radar. The ransomware has been active for about a month and has since targeted numerous firms. Like all ransomware, Lorenz aims to extract money from businesses by taking over their networks. After infection, Lorenz spreads laterally across the target network to reach Windows domain admin credentials. As it spreads, it keeps harvesting unencrypted data from the victim and sends it to its own servers. That is how Lorenz clearly joins the list of ransomware families that practice double or triple extortion. After establishing itself and stealing the data, Lorenz encrypts the data, appending a “.Lorenz.sz40” extension to the file names.

While all of this sounds common for ransomware, Lorenz exhibits some unique strategies as well. First, it delivers a customized malware executable for each specific victim. Also, the gang sets up a dedicated Tor payment site for every victim. Besides, unlike other ransomware, the malware does not kill processes or Windows services before encryption.

As for the ransom, the gang usually puts up a huge demand ranging between $500,000 and $700,000. If the victim fails to pay, the attackers start releasing the stolen data on the dark web. At first, the Lorenz gang considers selling the data to competitors. Then they start leaking password-protected data archives until the deadline for ransom payment passes. After that, they simply release the password as well, making the data publicly available. Again, what makes Lorenz unique is that they not only leak the stolen data; they also leak access to the victim’s internal network.
Malware Appears To Be ThunderCrypt Variant

While Lorenz exhibits somewhat distinct behavior, it appears to be basically a variant of another ransomware, ThunderCrypt. For now, not many details are available about Lorenz as analysis continues. Nonetheless, within a short time, the gang’s leak site suggests the ransomware has hit around 12 different victims. Among these, the gang has leaked the data stolen from 10 of them.

Source — https://latesthackingnews.com/2021/05/17/lorenz-ransomware-one-more-threat-to-the-enterprise-security/

Microsoft Warns Of RevengeRAT Under Distribution Via Spearphishing Emails

Microsoft Warns Of RevengeRAT Active In The Wild

Recently, the Microsoft Security Intelligence team shared insights about a new security threat in the wild. Specifically, Microsoft warns of a loader malware that targets users with the notorious RevengeRAT. As revealed, the malware, distributed via spearphishing emails, typically aims at the aerospace and travel sectors. The phishing emails usually mimic messages about cargo contracts and related matters that people in those industries would likely open. As always, these emails include attachments that, upon clicking, deliver the malware. Specifically, the malicious executable in this campaign is actually a ‘loader’. The security firm Morphisec has identified this loader as the Snip3 Cryptor, which uses evasive techniques to bypass detection. Upon reaching the target device, the loader then delivers a remote access trojan, which lets the attackers gain access to the infected device. Explaining how Snip3 does that, Morphisec stated in its blog post:

“The Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic file. In some cases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage.”

Microsoft has identified this trojan as RevengeRAT or AsyncRAT. Regarding its functionality, Microsoft explained in its tweet:

“Attackers use the remote access Trojans for data theft, follow-on activity, and additional payloads, including Agent Tesla, which they use for data exfiltration.”

The types of data the attackers may steal include credentials, webcam data, screenshots, browser data, clipboard contents, and system and network information. The attackers use SMTP port 587 to exfiltrate this data.
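Since the campaign described above exfiltrates stolen data over SMTP port 587, a simple network-side check is to flag endpoints that open TCP 587 connections themselves instead of going through the sanctioned mail relay. The script below is an added example, not code from the article, Microsoft or Morphisec; the flow-record layout, the relay address and the sample flows are all constructed for illustration.

```python
"""Flag outbound SMTP-submission (TCP 587) traffic from non-relay hosts.

Added example. The line format 'ts src dst dport bytes_out' is an assumed
flow-log layout, and all sample records are constructed, not real telemetry.
"""
from collections import defaultdict

# Hypothetical: the only host allowed to speak SMTP submission directly.
ALLOWED_SMTP_SOURCES = {"10.0.0.25"}  # assumed corporate mail relay
SMTP_SUBMISSION_PORT = 587


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, dport, bytes_out = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "bytes_out": int(bytes_out)}


def find_smtp_exfil(lines, allowed=ALLOWED_SMTP_SOURCES):
    """Return {src: total bytes sent} for hosts not in `allowed` that
    connected to TCP 587. Comment and blank lines are skipped."""
    totals = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["dport"] == SMTP_SUBMISSION_PORT and flow["src"] not in allowed:
            totals[flow["src"]] += flow["bytes_out"]
    return dict(totals)


# Constructed sample flows: the relay, two workstations talking to 587
# (one of them pushing ~1 MB), and an unrelated HTTPS connection.
SAMPLE_FLOWS = """
# ts                  src         dst           dport bytes_out
2021-05-17T09:01:02Z 10.0.0.25   203.0.113.10  587   8400
2021-05-17T09:02:10Z 10.0.4.17   198.51.100.9  587   512000
2021-05-17T09:02:44Z 10.0.4.17   198.51.100.9  587   498000
2021-05-17T09:03:01Z 10.0.4.18   203.0.113.10  443   12000
2021-05-17T09:05:30Z 10.0.4.31   198.51.100.9  587   2048
""".splitlines()

if __name__ == "__main__":
    hits = find_smtp_exfil(SAMPLE_FLOWS)
    for src, total in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"ALERT: {src} sent {total} bytes to TCP 587 bypassing the relay")
```

Ranking by bytes sent is what separates a stray mail-client misconfiguration from a host pushing harvested data; the relay itself never appears in the output.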

Source — https://latesthackingnews.com/2021/05/17/microsoft-warns-of-revengerat-under-distribution-via-spearphishing-emails/

70 European and South American Banks Under Attack By Bizarro Banking Malware

Dubbed “Bizarro” by Kaspersky researchers, the Windows malware is “using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply helping with transfers”. The campaign consists of multiple moving parts, chief among them being the ability to trick users into entering two-factor authentication codes in fake pop-up windows that are then sent to the attackers, as well as its reliance on social engineering lures to convince visitors of banking websites into downloading a malicious smartphone app. “When Bizarro starts, it first kills all the browser processes to terminate any existing sessions with online banking websites,” the researchers said. “Another step Bizarro takes in order to get as many credentials as possible is to disable autocomplete in a browser.”

While the trojan’s primary function is to capture and exfiltrate banking credentials, the backdoor is designed to execute 100 commands from a remote server that enable it to harvest all kinds of information from Windows machines, control the victim’s mouse and keyboard, log keystrokes, capture screenshots, and even limit the functionality of Windows. Bizarro is only the latest example of how Brazilian banking trojans are increasingly affecting Windows and Android devices, joining the likes of malware such as Guildma, Javali, Melcoz, Grandoreiro, Amavaldo, Ghimob, and BRATA, while simultaneously expanding their victimology footprint across South America and Europe.

Source — https://thehackernews.com/2021/05/70-european-and-south-american-banks.html

Experts Reveal Over 150 Ways to Steal Control of 58 Android Stalkerware Apps

A total of 158 privacy and security issues have been identified in 58 Android stalkerware apps from various vendors that could enable a malicious actor to take control of a victim’s device, hijack a stalker’s account, intercept data, achieve remote code execution, and even frame the victim by uploading fabricated evidence.
The new findings, which come from an analysis of 86 stalkerware apps for the Android platform undertaken by Slovak cybersecurity firm ESET, highlight the unintended consequences of a practice that’s not only unethical but in the process could also expose private and intimate information of the victims and leave them at risk of cyberattacks and fraud.
Stalkerware, also called spouseware or spyware, refers to invasive software that enables individuals to remotely monitor the activities on another user’s device without the individual’s consent with the goal of facilitating intimate partner surveillance, harassment, abuse, stalking, and violence.
Based on telemetry data gathered by ESET, Android spyware detections surged by 48% in 2020 compared to 2019, which itself witnessed a five-fold increase in stalkerware detections over 2018. Two of the findings stand out.

19 apps store sensitive information, such as keystroke logs, photos, recorded phone calls and audio, calendar events, browser history, and contact lists, on external media. This could allow any third-party app with access to external storage to read these files without any additional permission.

17 apps expose user information stored on the servers to unauthorized users without requiring any authentication, granting the attacker full access to call logs, photos, email addresses, IP logs, IMEI numbers, phone numbers, Facebook and WhatsApp messages, and GPS locations.

Source — https://thehackernews.com/2021/05/experts-reveal-over-150-ways-to-steal.html

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
