Phishing Archives

A new malware attack has been discovered which uses the SnipBot malware to dig deep into the victim’s network and harvest data.

SnipBot is a variant of the RomCom malware, which has previously been used for data harvesting and financially motivated attacks such as the Cuba ransomware attack. SnipBot’s malicious campaign has been widespread, with victims identified in multiple industries including legal, agriculture, and IT sectors. SnipBot performs what is referred to as a pivot, a process by which malware moves between compromised systems on the same network to access as many workstations as possible. This maximizes the amount of data SnipBot can steal and marks it out as a major threat.

SnipBot Unleashed

With 3.4 billion phishing emails sent daily, it’s clear that phishing attacks are incredibly popular with threat actors. And this is the exact approach adopted by SnipBot.

The SnipBot malware attack starts with phishing emails which trick recipients into downloading fake files disguised as legitimate PDFs. When the victim clicks on a link contained within the PDF, a malicious downloader is activated. As these downloaders are signed using real security certificates, they avoid detection by security software.

The malware can then inject itself into core system processes such as explorer.exe, and it can maintain this presence even after a reboot. Once inside the victim’s system, SnipBot sets about collecting sensitive data from popular folders, like Documents and OneDrive. This harvested data is then sent back to the attacker via a remote server.

Palo Alto Networks researchers, who discovered the SnipBot campaign, are unsure as to the true objectives of SnipBot. At present, there appears to be no financial motive present in the attack, so it has been labelled purely as an espionage threat.

How Can You Stay Safe from SnipBot?

Luckily, phishing attacks such as SnipBot can be easily managed. By following these best practices, you’ll not only prevent malware being executed, but also avoid it in the first place:

Verify the Sender: it’s paramount that you always check and double check the sender’s email address, especially when the email is laced with a sense of urgency to perform an action. Phishing emails will often use addresses which look genuine but contain slight errors e.g. admin@0phtek.com where the letter O has been replaced with a zero. If you’re unsure, you can always Google the company to find their official website and verify the domain used.
Don’t Click on Suspicious Links: instead of clicking on suspicious links, the safest option to take is to hover over any links to preview the URL. Embedded links can easily be faked to appear genuine, but contain a link to a different, malicious website. Again, you can Google websites directly to navigate your way to any sections referenced in the email. This prevents you from accessing a malicious website loaded full of malware.
Contact the Sender: legitimate businesses and clients will never request sensitive information – such as login credentials – over emails, so these requests should always ring alarm bells. If you do receive such a request, the best option to take is contact the sender via telephone to confirm whether the email is genuine.
Use Spam Filters: one of the best ways to stop phishing emails reaching your inbox is to activate your emails spam filters. These use vast databases to identify potential threats and redirect them to your spam folder. You can also use your spam filters to block repeat offenders, enhancing the safety of your inbox.

For more ways to secure and optimize your business technology, contact your local IT profe ssionals.

Macros make our lives easier when it comes to repetitive tasks on PCs, but they’re also a potential route for malware to take advantage of.

The most up to date version of MS Office prevents macros from running automatically, and this is because macros have long been identified as a major malware risk. However, older versions of MS Office still run macros automatically, and this puts the PC running it at risk of being compromised. Legacy software, such as outdated versions of MS Office, comes with a number of risks and drawbacks, but budgetary constraints mean many businesses are unable to update.

Malicious MS Office Macro Clusters

A macro is a mini program which is designed to be executed within a Microsoft application and complete a routine task. So, for example, rather than taking 17 clicks through the Microsoft Word menu to execute a mail merge, you can use a single click of a macro to automate this process. Problems arise, however, when a macro is used to complete a damaging process, such as downloading or executing malware. And this is exactly what Cisco Talos has found within a cluster of malicious macros.

Several documents have been discovered which contain malware-infected macros, and they all have the potential to download malware such as PhantomCore, Havoc and Brute Ratel. Of note is that all of the macros detected so far appear to have been designed with the MacroPack framework, typically used for creating ‘red team exercises’ to simulate cybersecurity threats. Cisco Talos also discovered that the macros contained several lines of harmless code, this was most likely to lull users into a false sense of security.

Cisco Talos has been unable to point the finger of blame at any specific threat actor. It’s also possible that these macros were originally designed as a part of a legitimate cybersecurity exercise. Regardless of the origins of these macros, the fact remains that they have the potential to expose older versions of MS office to dangerous strains of malware.

Protect Your Systems from Malicious Macros

The dangers of malicious macros require you to remain vigilant about their threat. Clearly, with this specific threat, the simplest way to protect your IT systems is to upgrade to the latest version of MS Office. This will enable you to block the automatic running of macros and buy you some thinking time when you encounter a potentially malicious macro. As well as this measure, you should also ensure you’re following these best practices:

Always Verify Email Attachments: a common delivery method for malicious macros is through attachments included with phishing emails. This is why it’s crucial that you avoid opening macros in documents which have been received from unknown sources. As with all emails, it’s paramount that you verify the sender before interacting with any attachments.
Install All Security Updates: almost all software is regularly updated with security patches to prevent newly discovered vulnerabilities from being exploited. Macros are often used to facilitate the exploitation of software vulnerabilities, so it pays to be conscientious and install any security updates as soon as they’re available.
Use Anti-Malware Software: security suites, such as AVG, perform regular, automated scans of your PCs to identify any potential malware infections. In particular, many of these security suites target malicious macros, so they make a useful addition to your arsenal when targeting the threat of macros.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

A malware infection is always bad news but imagine being infected with multiple strains at once. Welcome to the new threat of malware cluster bombs.

Researchers at the cybersecurity firm KrakenLabs have revealed the dangers of a new malware technique launched by Unfurling Hemlock, a new threat actor group. Their malware cluster bombs have been verified as active in at least 10 countries, but most Unfurling Hemlock’s targets have been US-based. This attack has also been active for some time, with evidence of the earliest infections going back to February 2023.

The mere concept of malware cluster bombs is enough to worry any IT professional, so that’s why we’re going to delve a bit deeper and discuss how you can keep your IT systems safe.

Understanding Unfurling Hemlock’s Attack

This new attack starts, as with many malware attacks, through malicious emails or malware loaders. It would appear, perhaps to cover their own tracks, Unfurling Hemlock are paying other hackers to distribute their malware. The initial attack is focused around a malicious file named WEXTRACT.EXE. Within this executable is a collection of compressed cabinet files, each of which contains a strain of malware.

The final part of the attack comes when all of the malicious files have been extracted and are executed in reverse order. Each cluster bomb is believed to contain multiple strains of malware, so while the number is varied, the impact is always significant. Among these malware strains are a cocktail of different attacks, with botnets, backdoors, and info stealers all detected so far. Unfurling Hemlock’s ultimate aim, aside from causing digital chaos, is unknown, but KrakenLabs believe the threat actor may be harvesting sensitive data to sell.

The malware cluster bomb approach is innovative and effective for two reasons: the opportunities for monetization are increased and the multiple strains in use mean that persistence is enhanced. Ultimately, dropping ten strains of malware onto one device is more likely to provide opportunities for threat actors than a single strain.

Staying Safe from Malware Cluster Bombs

It’s clear that malware cluster bombs represent a serious threat to your IT infrastructure, and that’s why you need to keep your defenses secure. You can put this into action by following these best practices:

Regular Software Updates: ensure that all software, including operating systems and applications, is regularly updated and patched. Automated patch management tools can help make this easier, and Windows allows you to set automatic updates for Microsoft apps. Regular updates protect against known vulnerabilities and exploits which malicious actors often target with malicious files.
Antivirus and Anti-malware Solutions: always use reputable antivirus and anti-malware software across your network. These tools should be regularly updated to recognize and handle the latest threats. High-level security solutions will provide real-time protection, scanning, and removal of malicious files. This is conducted by regular scans and monitoring to ensure potential threats are detected and dealt with promptly.

Employee Education: carry out regular training sessions for employees to recognize phishing attempts, suspicious emails, and other potential threats. Training should include best practices for safe internet use, identifying social engineering tactics, and reporting suspicious activities. Your employees are your first line of defense, so it’s crucial you reduce the likelihood of attacks due to human error.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Threat actors have compromised 70,000 previously legitimate websites and created a powerful network capable of distributing malware.

Named VexTrio, this network of compromised websites appears to have started in 2017, but it’s only more recently that details around its activity have emerged. As well as distributing malware, the VexTrio network also utilizes phishing pages, and allows the VexTrio hackers to harvest login credentials. The campaign is a significant one, and one which is powerful enough to cause harm to anyone who gets caught up in its operations. Therefore, it’s time to take a look at the VexTrio campaign to see what we can learn.

Understanding the VexTrio Network

The VexTrio campaign relies on a malicious traffic distribution system (TDS) to lead unsuspecting internet users to compromised websites. A TDS is, in simple terms, a web application used to analyze and filter incoming traffic and, following the analysis, redirect it to a specific page. Typically, the activities of a TDS are facilitated by malvertising activities or malicious websites. VexTrio favors using malicious websites.

Working with a number of affiliates, many of whom offer access to hijacked websites, VexTrio has managed to amass a sizeable network over the last seven years. And VexTrio are very much the middle-man in the operation. For a fee, VexTrio will feed incoming traffic through their TDS and forward innocent victims towards the websites they’re mostly likely to be interested in. It’s very similar to legitimate advertising networks, but with a vicious sting in its tale.

The malicious websites which comprise the VexTrio network contain a wide range of threats. For example, one of the affiliates, known as ClearFake, tricks users into downloading what is claimed to be a browser update, but is little more than malware. SocGholish, another well-known malware threat, is part of the VexTrio network and uses it to push unauthorized access to corporate websites.

Don’t Fall Victim to VexTrio

The threat of VexTrio is a substantial one, and organizations need to be aware of the damage it can cause. Luckily, you can protect yourself and your IT systems by implementing the following best practices:

Use an adblocker: you can minimize the risk of being lured to a malicious website by installing an adblocker on your systems. Not only will this block annoying popups, but it will also block any malvertising threats from being activated. These adblockers are usually available as browser extensions e.g. Ghostery and AdBlock for Chrome.
Disable JavaScript: attacks launched through VexTrio often rely on JavaScript to execute their malicious tasks. Accordingly, disabling JavaScript will eliminate the chances of such an attack taking place on your system. However, JavaScript is essential for many legitimate websites, so it’s recommended that you allow it to run only on trusted sites.
Install anti-malware tools: if you install an anti-malware app, such as AVG, you benefit from tools which block malicious websites. These tools are connected to databases which are constantly updated to identify and block malicious websites, such as those featured in the VexTrio network.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google’s Threat Analysis Group (TAG), Spica is a backdoor malware which has not been identified previously. It’s believed that the malware is the result of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it’s clear that email is hugely popular. And it’s estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack is high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target’s PC. With this access in place, the malware can communicate with a control-and-command server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it’s also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high ranking officials in non-governmental organizations and former members of NATO governments.

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

Always double check attachments: with email attachments representing one of the surest ways to transmit malware, it’s vital you remain vigilant. If you have even the slightest inkling that something seems suspicious with an email from a known contact, don’t email them back. Instead, contact them by phone to confirm the email is genuine, as it may be that their email account has been hacked.

Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as “Dear customer” as these may indicate that the email is part of a mass-campaign against unknown targets.

Use email filters: by using email filters, often included with anti-malware software such as McAfee, you can provide your organization with an extra layer of security. Connected to databases which are regularly updated, these email filters can identify malicious files before they’re downloaded to your PC.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 8 Next »

SnipBot Malware Used to Steal Data from Victims

Malicious Macros Target Old Versions of MS Office

Malware Cluster Bombs: A New Threat

VexTrio Uses 70,000 Hijacked Websites to Spread Malware

Spica: New Malware Launched by Russian Hackers

Category Archives: Phishing