Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we here at Neuways bring attention to the latest cybersecurity threats in order to help you stay safe online.

Here are the most prominent threats you should be aware of:


Neu Cyber Threats

Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords

Microsoft users are being targeted by cyber criminals as part of an ongoing campaign to steal their Microsoft 365 credentials. Businesses have received thousands of emails over the past few months as part of a phishing campaign that leverages a fake Google reCAPTCHA system and landing pages that include the victim’s company logo.

Over 2,500 emails have been unsuccessfully sent to senior employees in the banking and IT sectors, among other industries. The communications initially take recipients to a fake Google reCAPTCHA page – the genuine service helps keep websites safe from spam and abuse by using a test to tell humans and bots apart. Once victims “pass” the reCAPTCHA test, they are redirected to a phishing landing page, which asks for their Microsoft 365 credentials.

It is thought that the criminals are targeting those in senior roles, with titles such as Vice President and Managing Director, as they are likely to have a higher degree of access to sensitive company data. That data would then fall into the hands of the cyber criminals, allowing them to cause disruption to businesses.

The phishing emails purport to be automated messages from the victims’ communications tools, telling them they have a voicemail attachment. For instance, one email tells users that they must “REVIEW SECURE DOCUMENT”. When the victim clicks on the attachment, they encounter the fake Google reCAPTCHA screen, which contains the typical test: a checkbox the user must tick that says “I’m not a robot”. The landing page then shows a Microsoft login screen carrying the logo of the company the victim works at, showing that the cyber criminals have done their homework and created customised landing pages to dupe their victims into making a mistake. Victims are asked to input their credentials, before receiving a message telling them that the validation was “successful” and finally being redirected.

We would advise checking the web address of any landing page you are linked or redirected to. The phishing pages associated with this campaign were hosted on generic top-level domains such as .xyz, .club and .online, which are typically used by cyber criminals in spam and phishing attacks.

Compromised Website Images Camouflage ObliqueRAT Malware

The ObliqueRAT malware is now disguising its payloads as image files that are hidden on websites already compromised in earlier cyber attacks. The remote access trojan (RAT) has been operating since 2019 and spreads via phishing emails, which have malicious Microsoft Office documents attached.

If recipients click on the attachment, they are redirected to malicious URLs where the payloads are hidden using steganography. Steganography is a well-known tactic used by cyber criminals to evade detection by filters designed to catch spam communications. Images have been used on this occasion because many filters allow image file formats to pass without much scrutiny, as opposed to Word documents. The ultimate goal of the cyber criminals is to send victims emails with malicious Microsoft Office documents which, once opened, deploy the payloads and exfiltrate data from the victim’s system.
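Filters that wave image files through can be tightened with a structural check. The example below is added here and is not code from the original article or from any vendor: it walks the chunk structure of a PNG and reports any bytes found after the IEND chunk, which is one common way a payload is hidden inside an otherwise valid image. It is an assumption that this is how the payload was embedded in this campaign; the article does not say.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND chunk.

    A clean image returns 0. Malformed input raises ValueError so that a filter
    can quarantine it rather than silently pass it through.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        # The CRC covers the chunk type and data; a bad CRC means tampering or corruption.
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only to construct sample images below)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_minimal_png()
# Constructed sample: the same image with an opaque blob appended after IEND.
SUSPECT_PNG = CLEAN_PNG + b"constructed-appended-blob " * 4

if __name__ == "__main__":
    print("clean image trailing bytes:", png_trailing_bytes(CLEAN_PNG))
    print("suspect image trailing bytes:", png_trailing_bytes(SUSPECT_PNG))
```

A viewer renders both files identically; only the structural check tells them apart.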

Changes made to ObliqueRAT over time have added new file enumeration and stealing capabilities, as well as the ability to take webcam and desktop screenshots and recordings. This type of intrusion is worrying, as many employees are working remotely, so cyber criminals are effectively able to see inside their homes by spying on their webcams.

Ensure your employees are aware of ongoing phishing email campaigns such as the one above. The warning signs are often emotive messaging that encourages urgent action before it is ‘too late’, as well as sender email addresses that do not match who the sender claims to be. Anything that requires you to input credentials, such as your Microsoft login, should not be engaged with, as the likelihood is that it is a cyber criminal attempting to steal confidential information.

Mobile Adware Booms, Online Banks Become Prime Target for Attacks

Over the past 12 months, incidents of mobile adware nearly tripled as businesses had to implement emergency working-from-home measures. Researchers found that while mobile threats have dipped slightly over the past year, criminals have focused on the quality of mobile attacks rather than mass infections.

2020’s leading mobile threat type was adware, accounting for 57% of attacks. Fortunately for users, adware is more of a nuisance to the user experience, placing adverts across the user’s screen, as opposed to ransomware, which is able to steal credentials and company data. Risk tools came second, with 21% of attacks, while trojan droppers and mobile trojans each represented 4.5% of attacks and SMS-based trojans saw the least usage, at 4% of mobile criminal activity. Risk tools are potentially dangerous or unwanted programmes that are not inherently malicious, but are used to hide files or terminate applications and could be used with malicious intent. Interestingly, adware was the only attack type that saw a rise in usage in 2020.

Businesses should not take mobile cyber attacks lightly. Some employees use mobile devices to carry out work duties, and so have access to business drives, cloud services and information that would be of interest to cyber criminals. The Ewind adware is thought to have been the originator of nearly 2 million Ewind.kp Android installer packages, embedded within legitimate applications through resources such as icons and resource files. These seemingly safe downloads are readily available on trustworthy third-party Android application sites. This isn’t the case for Apple users, as the platform’s closed hardware and software ecosystem poses unique challenges for criminals.

Even though they weren’t the top attack of choice for cyber criminals, over 150,000 installation packages for mobile banking trojans were found in 2020. This suggests criminals were placing a larger emphasis on targeting users’ banking information, as more people had to switch to online and mobile banking due to the COVID-19 pandemic restricting in-person banking options. Researchers are concerned about whether there is a link between the large rise in adware and malware. Adware helps obstruct the removal of malware from a mobile device, as well as gaining elevated access privileges on the device, placing adware in the system area and leaving the user unable to remove it without outside help.

Mobile device users are encouraged to check their devices for any errant applications or programmes. If they are experiencing adware, it might be an appropriate time to restore their device. This can help remove the adware, which may have been delivered alongside a downloaded application.

Ryuk Ransomware: Now with Worming Self-Propagation

The notorious Ryuk ransomware has received an update and is now capable of worm-like self-propagation within a local network. The variant first emerged in Windows-focused campaigns earlier this year, and it’s believed to achieve self-replication by scanning for network shares and copying a unique version of the ransomware executable to each of them as they’re found.

Once launched, it spreads itself to every reachable machine on which Windows Remote Procedure Call access is possible. This new version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP and MAC addresses of the network devices the system communicates with. It then sends a “Wake-On-LAN” packet to each host in order to wake up powered-off computers. The ransomware then attempts to mount any available network shares using the Windows SMB protocol, which allows the sharing, opening or editing of files on remote computers and servers.

Once all of the available network shares have been identified or created, the payload is installed on the new targets and executed using a scheduled task, allowing Ryuk to encrypt the targeted content and delete any copies that would otherwise allow for file recovery. The files are encrypted before they are exfiltrated to the cyber criminals. The malware also interrupts multiple programmes, with a list of 41 processes to be killed (task kill) and a list of 64 services to stop.
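The Wake-On-LAN step described above leaves a network-visible trace: a host that suddenly sends magic packets to many different MAC addresses. The example below is added here, not taken from the article or from any vendor, and shows how a monitor can parse UDP payloads for the magic-packet format and flag a source that wakes an unusual number of machines; the traffic, source addresses and threshold are all constructed for illustration.

```python
from collections import defaultdict

# A Wake-On-LAN magic packet is six 0xFF bytes followed by the target
# MAC address repeated 16 times (102 bytes); some senders append a
# 4- or 6-byte SecureOn password, so anything beyond byte 102 is ignored.
MAGIC_PREFIX = b"\xff" * 6


def build_magic_packet(mac: str) -> bytes:
    """Construct a magic packet for a MAC written as 'aa:bb:cc:dd:ee:ff' (sample data only)."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be six bytes")
    return MAGIC_PREFIX + mac_bytes * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None."""
    if len(payload) < 102 or not payload.startswith(MAGIC_PREFIX):
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:  # every one of the 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_bursts(packets, threshold=5):
    """Group magic packets by source IP; return {src: set_of_macs} for sources
    that woke at least `threshold` distinct machines. `packets` is an iterable
    of (source_ip, udp_payload) pairs as a capture tool would hand them over."""
    woken = defaultdict(set)
    for src, payload in packets:
        mac = parse_magic_packet(payload)
        if mac is not None:
            woken[src].add(mac)
    return {src: macs for src, macs in woken.items() if len(macs) >= threshold}


# Constructed sample traffic: 10.0.0.5 wakes eight hosts in quick succession,
# while 10.0.0.9 sends one legitimate wake-up plus an unrelated UDP datagram.
SAMPLE_TRAFFIC = [("10.0.0.5", build_magic_packet(f"00:1b:44:11:3a:{i:02x}")) for i in range(8)]
SAMPLE_TRAFFIC.append(("10.0.0.9", build_magic_packet("00:1b:44:11:3a:ff")))
SAMPLE_TRAFFIC.append(("10.0.0.9", b"not a magic packet"))

if __name__ == "__main__":
    for src, macs in find_wol_bursts(SAMPLE_TRAFFIC).items():
        print(f"{src} woke {len(macs)} hosts: {sorted(macs)}")
```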

Ryuk ransomware is usually deployed through an initial “dropper” malware that acts as the tip of the spear, such as Emotet, TrickBot, Qakbot and Zloader, among others. From there, attackers look to escalate privileges in order to set up for lateral movement.

Businesses should look at preventing ransomware such as Ryuk from breaching their systems. Multi-factor authentication (MFA) works as part of a multi-layered Business Continuity and Disaster Recovery plan to give companies an extra layer of protection. Once users have signed up for it, they will be prompted to input a code that is generated and sent to their second device, such as a phone or tablet. This proves that the person trying to sign in is who they claim to be. MFA is most effective when teamed with a strong awareness of the phishing campaigns currently circulating. By ensuring your entire business is aware of the latest developments in the cyber security world, you are protecting your business in the best way possible, as your staff are the ones who may have to deal with the scams that cyber criminals send to the company.

Researchers believe that Ryuk is commonly sold as a toolkit on the Dark Web, and that the ransomware has brought in at least $150 million for cyber criminals over its lifetime of use – don’t be the next victim!

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.