Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats, including malware and PowerPoint trojans, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Phishing campaigns target Ukraine aid

Attackers have used a compromised email account, believed to belong to a member of the Ukrainian military, to phish EU government employees involved in managing the logistics of refugees fleeing Ukraine.

Ukraine has been at the centre of an unprecedented wave of cyber attacks in recent weeks and months, from distributed denial-of-service (DDoS) campaigns against organisations and citizens to attacks on national infrastructure and more. This time, attackers went after aides in the EU, leveraging breaking news of the Russian invasion of Ukraine to entice targets into opening emails carrying Microsoft Excel files laced with malware.

Researchers attributed the phishing attempt to TA445 (aka UNC1151 or Ghostwriter), a group previously linked with the government of Belarus. On 25th February, researchers detected a suspicious email making the rounds. Its subject: “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.” It carried a macro-enabled Microsoft Excel spreadsheet titled “list of persons.xlsx” that, once opened and macros were allowed to run, delivered malware called SunSeed. The file name is itself a tell: the .xlsx container cannot hold VBA macros, so the attachment was a legacy binary (.xls) workbook given a harmless-looking extension, which Excel still opens after a file-format mismatch warning.
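The extension-versus-content mismatch described above is something a mail gateway can check in a few lines. The following is an added example, not code from the researchers or from this newsletter: it sniffs the container type from the first bytes (OLE2 compound file for legacy .xls/.doc, zip for OOXML .xlsx/.xlsm), looks for a vbaProject.bin part inside OOXML files, and flags any attachment whose name claims a macro-free format but whose bytes say otherwise. The sample blobs at the bottom are constructed in memory for the demonstration and are not real documents or malware.

```python
import io
import zipfile

# Magic bytes of the two containers Excel documents actually use.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .xlsx/.xlsm/.docx (a zip archive)

MACRO_FREE_OOXML = {"xlsx", "docx", "pptx"}
MACRO_OOXML = {"xlsm", "xlam", "docm", "pptm"}
LEGACY_BINARY = {"xls", "xlt", "doc", "dot", "ppt"}


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def ooxml_has_vba(data):
    """OOXML macros are stored as a vbaProject.bin part inside the zip; no part, no VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return (container, macro_status, reasons) for a mail attachment.

    container    : "ole2", "ooxml" or "unknown", decided from the bytes, never the name
    macro_status : "yes", "no", "possible" or "unknown"
    reasons      : human-readable findings that justify quarantining the message
    """
    ext = extension(filename)
    reasons = []

    if data.startswith(OLE_MAGIC):
        container = "ole2"
        # Legacy binary workbooks can carry VBA streams; the header alone cannot rule it out.
        macro_status = "possible"
        if ext in MACRO_FREE_OOXML | MACRO_OOXML:
            reasons.append(f"extension .{ext} claims an OOXML zip but the content is a legacy OLE2 binary")
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
        macro_status = "yes" if ooxml_has_vba(data) else "no"
        if macro_status == "yes" and ext in MACRO_FREE_OOXML:
            reasons.append(f"extension .{ext} cannot legitimately contain VBA, yet a vbaProject.bin part is present")
        if ext in LEGACY_BINARY:
            reasons.append(f"extension .{ext} claims a legacy binary but the content is a zip")
    else:
        container, macro_status = "unknown", "unknown"
        reasons.append("unrecognised container; not an Office document despite the name")

    if macro_status in ("yes", "possible"):
        reasons.append("macro-capable document: detonate in a sandbox or inspect with oletools' olevba before release")
    return container, macro_status, reasons


# --- Constructed samples (not real documents or malware) so the example runs offline --------

def build_ooxml(with_vba):
    """Build a minimal zip that mimics an OOXML workbook, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real VBA project
    return buf.getvalue()


# OLE2 header followed by zero padding: enough for the container check, nothing more.
FAKE_LEGACY_XLS = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("list of persons.xlsx", FAKE_LEGACY_XLS),
                       ("budget.xlsx", build_ooxml(with_vba=True)),
                       ("budget.xlsx", build_ooxml(with_vba=False))]:
        print(name, classify_attachment(name, blob))
```

The point of deciding from bytes rather than names is that Excel does the same: a renamed legacy workbook still opens and still prompts for macros, so a filter keyed on ".xlsx means safe" is bypassed for free. For OLE2 files the check above can only say "possible"; confirming macros in a legacy workbook means parsing the VBA storage, which is what olevba does.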

The email came from a ukr.net address (ukr.net is a Ukrainian webmail provider) that researchers assessed to be a compromised account belonging to a member of the Ukrainian armed services. Oddly enough, they were able to trace the address to a publicly available 2016 procurement document for a Stihl-brand lawn mower, ordered by a military unit based in Chernihiv, Ukraine. Exactly how the attackers gained access to the account is not yet clear.

This phishing campaign targeted a very specific group of European government personnel involved in managing the outflow of refugees from Ukraine. Though the targets “possessed a range of expertise and professional responsibilities,” the report noted, “there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.”

The goal in targeting these specific individuals was “to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,” according to the report.

The report noted that no “concrete” evidence can “definitively” tie this campaign to a particular threat actor. Still, the researchers noted a bevy of similarities between this phishing campaign and another campaign from July of last year that targeted cyber security and defence companies.

The July campaign “utilised a highly similar macro-laden XLS attachment to deliver MSI packages that install a Lua malware script,” according to researchers. Lua is the programming language in which SunSeed is coded. “Similarly, the campaign utilised a recent government report as the basis of the social engineering content,” they added.

The file name in that campaign – “list of participants of the briefing.xls.” – bears a striking resemblance to the one used in this new campaign. Furthermore, “the Lua script created a nearly identical URI beacon to the SunSeed sample, which was composed of the infected victim’s C Drive partition serial number. Analysis of the cryptography calls in both samples revealed that the same version of WiX had been utilised to create the MSI packages.”

These overlaps allowed the researchers to conclude with moderate confidence that the two campaigns were run by the same threat actor: TA445. According to researchers, the group is based in Minsk, has connections to the Belarusian military, and operates in the interests of the Belarusian government.

The researchers concluded with a disclaimer. On balancing “responsible reporting with the quickest possible disclosure of actionable intelligence,” they wrote, “the onset of hybrid conflict, including within the cyber domain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators.”

This phishing campaign isn’t the worst Ukraine-oriented cyberattack in recent weeks, or even recent days. Still, the researchers noted that “while the techniques in this campaign are not groundbreaking individually, if deployed collectively, and during a conflict, as they currently are, they possess the capability to be quite effective.”

Botnet embeds ransom notes in DDoS traffic

Ransom notes threatening to tank targeted companies’ share prices have been embedded into ransom DDoS attacks as strings of text in the request URLs themselves.

“Hey webop_geeks, you_are_already_dead” reads one note, signed as if by the REvil ransomware gang, that was carried inside the attack itself as a string in the requested URL alongside the extortion demand. Researchers reported the twist on Friday as one of several they have seen in the evolution of distributed denial-of-service (DDoS) attacks so far this year.

In a post detailing the mitigation of a recent attack that peaked at 2.5 Mrps (million requests per second) against a single website, the researchers shared several ransom notes that their targeted customer received before the attack started.

“We are observing more cases like this where the ransom note has been included as part of the attack itself, perhaps as a reminder to the target to send their bitcoin payment,” wrote Klepfish, one of the researchers. “Of course, once the target receives this note, the attack is already underway, adding a sense of urgency to the threat.”

This was only one of several threatening ransom notes the target received before the 2.5 Mrps DDoS attack began, and the specific message shown was one of more than 12 million embedded requests that targeted random pages on the same site. Researchers noted: “While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and each new phase.”

Another threatening message told “webops_geeks” to inform their bosses that they’d need to start coughing up 1 Bitcoin a day – worth around £30,000 – if they wanted to stay online. It, and other embedded messages, were signed “revil_this_is_our_dominion.”

Whether the attacks have anything to do with the REvil ransomware-as-a-service (RaaS) gang or come from an impostor is anybody’s guess. Russia dismantled REvil in January, with its Federal Security Service (FSB) claiming to have raided gang hideouts, seized currency, cars and personnel, and neutralised REvil’s infrastructure. As these things go, cyber criminal gangs, even when broken up, usually end up reforming elsewhere.

REvil does have a history of ransom DDoS, though. In October 2021, a British voice-over-IP (VoIP) firm – Voice Unlimited – was still recovering a month after a series of sustained DDoS attacks that were attributed to REvil.

The day after the first attack, the attackers sent over 15 million requests to the same site, this time with a new message warning the CEO that they would eviscerate the company’s stock price by “hundreds_of_millions_in_market_cap.”

The attacks kept coming for several days, lasting up to several hours and, in 20% of cases, reaching 90,000 to 750,000 requests per second (90–750 Krps). Evidence points to the DDoS attacks coming from the massive Meris botnet. Meris draws its power from thousands of hijacked internet-of-things (IoT) devices, chiefly MikroTik routers compromised through a years-old vulnerability, CVE-2018-14847: a directory-traversal flaw in the RouterOS Winbox service that lets an unauthenticated attacker read the router’s user database and log in with the recovered credentials. MikroTik patched it in 2018, but unpatched and unmanaged devices remain plentiful.

“Although CVE-2018-14847 was published a while ago, attackers can still take advantage of it,” researchers added.

The Meris botnet was behind the record-breaking DDoS attack on Russia’s search engine of choice, Yandex, in September 2021. Other Meris targets in 2021 included the cybersecurity media sites Krebs on Security and Infosecurity, as well as New Zealand banks, the country’s postal service and its MetService weather service.

They are all cases in point for the fact that DDoS attacks shattered records in Q3. While the largest attack on this particular customer reached 2.5 Mrps, the researchers blocked over 64 million requests in under one minute. The attacks took only seconds to mitigate, because the sources, which impersonated legitimate browsers or Googlebot, were already known to be malicious.
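Two details in this story are directly checkable in a site’s own access logs: the ransom note travelling inside the request path, and attack sources claiming to be browsers or Googlebot. The following is an added example, not code from the researchers or this newsletter. It parses combined-format log lines, flags paths that read like an extortion note (extortion vocabulary, or a long run of underscore-joined words where a real slug would be short), counts requests per second to spot a flood, and verifies a Googlebot claim by forward-confirmed reverse DNS rather than trusting the User-Agent. The log lines, the ransom wording and the static resolver are constructed for the demonstration; a real deployment would replace StaticResolver with live PTR/A lookups.

```python
import re
from collections import Counter

# Apache/nginx combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristics for a note smuggled into the URL: extortion vocabulary, or five or more words
# joined by underscores (legitimate slugs are short and usually hyphenated).
RANSOM_TOKENS = ("revil", "bitcoin", "btc", "market_cap", "stock_price", "pay_us")
NOTE_LIKE = re.compile(r"(?:[a-z]+_){4,}[a-z]+")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_ransom_note(path):
    p = path.lower()
    return bool(NOTE_LIKE.search(p)) or any(tok in p for tok in RANSOM_TOKENS)


def claims_googlebot(user_agent):
    return "googlebot" in user_agent.lower()


def verify_googlebot(ip, resolver):
    """Forward-confirmed reverse DNS: the PTR for the IP must sit under googlebot.com or
    google.com, and that host must resolve back to the same IP. A User-Agent proves nothing."""
    host = resolver.ptr(ip)
    if not host or not host.rstrip(".").endswith((".googlebot.com", ".google.com")):
        return False
    return ip in resolver.a(host)


def analyse(lines, resolver, rps_threshold):
    """Return ransom-note paths, IPs spoofing Googlebot, and the seconds whose request count
    reaches rps_threshold (combined-log timestamps have one-second resolution)."""
    events = [e for e in map(parse_line, lines) if e]
    findings = {"ransom_note_paths": [], "spoofed_googlebot_ips": set(), "flood_seconds": []}
    for e in events:
        if looks_like_ransom_note(e["path"]):
            findings["ransom_note_paths"].append(e["path"])
        if claims_googlebot(e["ua"]) and not verify_googlebot(e["ip"], resolver):
            findings["spoofed_googlebot_ips"].add(e["ip"])
    for ts, n in sorted(Counter(e["ts"] for e in events).items()):
        if n >= rps_threshold:
            findings["flood_seconds"].append((ts, n))
    return findings


# --- Constructed offline stand-ins for DNS and for the access log --------------------------

class StaticResolver:
    """Stand-in for PTR/A lookups; swap in real DNS queries in production."""
    PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com."}
    A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}

    def ptr(self, ip):
        return self.PTR.get(ip)

    def a(self, host):
        return self.A.get(host.rstrip("."), [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/98.0 Safari/537.36"


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


T0, T1 = "04/Mar/2022:10:00:00 +0000", "04/Mar/2022:10:00:05 +0000"
SAMPLE_LINES = (
    [_line("203.0.113.7", T0, "/hey_webops_geeks_you_are_already_dead", GOOGLEBOT_UA)]
    + [_line(f"198.51.100.{i}", T0, f"/page{i}/revil_this_is_our_dominion", BROWSER_UA) for i in range(1, 41)]
    + [_line("192.0.2.10", T1, "/pricing", BROWSER_UA), _line("66.249.66.1", T1, "/robots.txt", GOOGLEBOT_UA)]
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LINES, StaticResolver(), rps_threshold=20).items():
        print(key, value if not isinstance(value, list) or len(value) < 5 else f"{len(value)} entries")
```

The threshold is deliberately a parameter: the attack in the story ran to millions of requests per second, while a realistic alert level for a mid-sized site is orders of magnitude lower, and a per-second counter over access logs is a blunt instrument compared with an edge provider’s telemetry. The rDNS check, on the other hand, is exactly how Google says to verify its crawler, and it is what separates a spoofed Googlebot from the real one when the User-Agent strings are identical.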

The threat actors focused on business, sales and communications sites that shared one trait: their owners were publicly listed companies. Researchers again noted that this was a deliberate tactic: “The threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the stock price of the company.”

Now is the time for organisations to prepare for an attack, particularly given the threat actors’ promise – be they REvil or REvil wannabes – to keep hurting businesses.

Trojan haunts Google Play store – again

Malicious Google Play apps have slipped past store screening by delivering the trojan as a fake software update after installation, rather than shipping it in the listed app.

The TeaBot banking trojan – also known as “Anatsa” – has been spotted on the Google Play store, researchers have discovered. The malware is designed to intercept SMS messages and login credentials from unwitting users. Users of “more than 400 banking and financial apps, including those from Russia, China, and the US,” are among its targets, the report says.

This isn’t the first time TeaBot has terrorised Android users. The trojan was first discovered last year. As a relatively straightforward malware, it was designed to siphon banking, contact, SMS and other types of private data from infected devices. What makes it unique and gives it such staying power is the clever means by which it spreads.

TeaBot requires no malicious email or text message, nor a fraudulent website or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programmes that seem legitimate from the outside, but act as vehicles to deliver a second-stage malicious payload.

TeaBot droppers have masked themselves as ordinary QR code or PDF readers. Researchers explained via email that attackers “usually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won’t put as much time into looking at reviews that might impact their decision to download.”

This tactic is certainly an effective one. In January, an app called QR Code Reader – Scanner App distributed 17 different TeaBot variants for over a month, pulling in over 100,000 downloads by the time it was discovered. Other TeaBot droppers have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner and CryptoTracker. The latest, according to researchers, was a QR Code & Barcode Scanner.

App stores have policies and protections aimed at combatting malware. For example, Google Play Protect helps root out malicious apps before they are installed and scans for evidence of malware daily. However, TeaBot droppers are not obviously malicious. They look perfectly uninteresting, at least on the surface – but once a user opens one of these nondescript apps, they are prompted to download a software update. The update is, in fact, a second app containing the malicious payload.

If the user grants the app permission to install software from an unknown source, the infection process begins. Like other Android malware, TeaBot then abuses Accessibility Services, the framework intended to let assistive apps read the screen and act on the user’s behalf. The report describes an advanced remote access feature built on the TeamViewer application – a remote access and desktop sharing tool – giving the bad actor behind the malware remote control over the victim’s device.
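The dropper pattern described above leaves footprints in the app’s manifest: a “QR scanner” that asks to install packages, read SMS and bind an AccessibilityService is asking for the exact capabilities TeaBot needs. The following is an added example, not code from the researchers or from any real app: it reads a decoded AndroidManifest.xml (as produced by apktool or similar) and scores the permissions and declared services against what the app’s claimed role justifies. The two manifests and the role baseline are constructed for the demonstration; a real triage pipeline would expand the baseline per category.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:* attribute; decoded manifests put these in the android namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


# Permissions a simple utility (QR reader, PDF scanner, flashlight) has no business asking for,
# mapped to the banking-trojan behaviour each one enables.
HIGH_RISK_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install a second-stage APK (the dropper 'update')",
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS one-time codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of banking apps",
    "android.permission.READ_CONTACTS": "can harvest contacts for further spread",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# What the store listing claims the app is, and the permissions that claim actually explains
# (constructed baseline; extend per app category in a real pipeline).
ROLE_BASELINE = {
    "qr_scanner": {"android.permission.CAMERA", "android.permission.INTERNET",
                   "android.permission.VIBRATE"},
}


def assess_manifest(manifest_xml, claimed_role="qr_scanner"):
    """Score a decoded AndroidManifest.xml against the role the listing claims.

    Returns the package name, high-risk findings, declared accessibility services (the hook
    TeaBot-style malware uses to read screens and tap for the user), permissions the claimed
    role does not explain, and a score where 0 means nothing unusual.
    """
    root = ET.fromstring(manifest_xml)
    requested = {android_attr(p, "name") for p in root.iter("uses-permission")}
    requested.discard(None)

    accessibility_services = [
        android_attr(s, "name") for s in root.iter("service")
        if android_attr(s, "permission") == ACCESSIBILITY_BIND
    ]
    findings = [f"{perm}: {why}" for perm, why in HIGH_RISK_PERMISSIONS.items() if perm in requested]
    if accessibility_services:
        findings.append("declares an AccessibilityService: can observe and drive other apps' UIs")
    unexplained = sorted(requested - ROLE_BASELINE.get(claimed_role, set()))

    # The install-packages + accessibility pairing is the dropper signature, so weight it extra.
    score = len(findings)
    if accessibility_services and "android.permission.REQUEST_INSTALL_PACKAGES" in requested:
        score += 2
    return {"package": root.get("package"), "findings": findings,
            "accessibility_services": accessibility_services,
            "unexplained_permissions": unexplained, "score": score}


# --- Constructed manifests (not taken from any real app) -----------------------------------

_HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="%s">'

DROPPER_MANIFEST = _HEAD % "com.example.qrscan.free" + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = _HEAD % "com.example.qrscan.plain" + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(manifest))
```

The manifest only shows what the first-stage app can ask for; the payload fetched as an “update” carries its own manifest, which is why the REQUEST_INSTALL_PACKAGES permission is weighted so heavily here. An app that genuinely needs none of these will score zero regardless of how many benign permissions it lists.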

The ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS and 2FA codes from the device’s screen, as well as to perform malicious actions on the device, the report said.

TeaBot attacks have grown fast. As the report noted, “In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”

How can they be stopped? “Real-time scanning of app downloads – even if the app doesn’t originate from Google Play – would help to mitigate this issue, while additional warning messages when installing app add-ons that aren’t on Google Play would be useful, too.”

Users will have to remain aware of the problems, until app stores finally stop them from being downloaded. While the general rule of thumb is that users need antivirus and anti-malware applications on their computers, mobile devices shouldn’t be treated any differently.

Conti ransomware decryptor has been leaked

A pro-Ukraine member of the Conti ransomware gang has revealed yet more of the group’s secrets after the gang pledged support for the Russian government. The latest dump includes source code for the Conti ransomware, TrickBot malware, a decryptor and the gang’s administrative panels, among other core material.

The first of what ‘ContiLeaks’ promised would be a series of “very interesting” leaks included 60,000 of the Conti gang’s internal chat messages. Then, even more of Conti’s common tactics, techniques and procedures (TTPs), were shared. Researchers evaluated the leaked content and stated why it is so important. This intel is vital as Russian tanks roll through Ukraine and cyber attacks fly in support of either aiding the besieged country or tripping up the aggressor.

Analysis pointed to a cyber security bulletin issued jointly over the weekend by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI: an advisory warning that Russia’s attack on Ukraine – which has included cyber attacks on the Ukrainian government and critical infrastructure organisations – may spill over Ukraine’s borders, particularly in the wake of sanctions imposed by the United States and its allies.

Here’s a selection of the repositories and what researchers can do with them: “As far as the leaked chats go, they span internal communications of the Conti gang between June and November 2020. The chats enable us to see a good chunk of Conti gang usernames in one place, allowing us to enumerate all the people in the Conti group.”

The Conti Pony Leak 2016 repository contains a collection of email accounts and passwords – including from mail services such as gmail.com, mail.ru and yahoo.com – apparently harvested from various sources by the Pony credential-stealing malware, which, at least as of 2018, was the criminals’ stealer of choice.

It also contains credentials for FTP, RDP and SSH services, plus credentials for assorted websites. The Conti Rocket Chat Leaks contain a chat history of Conti members swapping tips about targets and carrying out attacks with Cobalt Strike, the commercial adversary-simulation and command-and-control framework used by legitimate red teams and, in cracked form, by criminals. The Conti chatters discussed these techniques:

  • Active Directory enumeration
  • SQL database enumeration via sqlcmd
  • How to gain access to ShadowProtect SPX (StorageCraft) backups
  • How to create NTDS dumps via vssadmin (shadow copies)
  • How to open a new RDP port (1350)

And these tools:

  • Cobalt Strike
  • Metasploit
  • PowerView
  • ShareFinder
  • AnyDesk
  • Mimikatz
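Several of the techniques in the leaked chats leave distinctive command lines, and that is where a detection team should start. The following is an added example, not code from the researchers or from the leak: a small rule set run over process-creation events (the shape you would get from Sysmon Event ID 1 or Windows 4688 after parsing) that flags vssadmin shadow-copy creation, an ntds.dit read from a shadow-copy path, ntdsutil IFM dumps, a registry change moving the RDP listener off 3389 (decoding the value so 0x546 and 1350 are treated alike), and sqlcmd database enumeration, then correlates the shadow-copy and ntds.dit events on the same host into a single higher-severity finding. The events are constructed for the demonstration.

```python
import re

RDP_KEY = r"terminal server\winstations\rdp-tcp"
SHADOW_PATH = re.compile(r"harddiskvolumeshadowcopy\d+", re.IGNORECASE)
REG_DWORD_VALUE = re.compile(r"/d\s+(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def rule_vss_shadow(ev):
    c = ev["command_line"].lower()
    if "vssadmin" in c and "create" in c and "shadow" in c:
        return {"rule": "vss_shadow_created", "severity": "medium"}


def rule_ntds_from_shadow(ev):
    # Copying ntds.dit straight from C:\Windows\NTDS fails (file locked); the shadow path is the giveaway.
    c = ev["command_line"].lower()
    if "ntds.dit" in c and SHADOW_PATH.search(c):
        return {"rule": "ntds_from_shadow_copy", "severity": "high"}


def rule_ntdsutil_ifm(ev):
    c = ev["command_line"].lower()
    if "ntdsutil" in c and "ifm" in c:
        return {"rule": "ntdsutil_ifm_dump", "severity": "high"}


def rule_rdp_port_change(ev):
    c = ev["command_line"].lower()
    if "reg" in c and RDP_KEY in c and "portnumber" in c:
        m = REG_DWORD_VALUE.search(c)
        port = int(m.group(1), 0) if m else None  # base 0 accepts both "0x546" and "1350"
        if port != 3389:
            return {"rule": "rdp_port_changed", "severity": "high", "port": port}


def rule_sql_enumeration(ev):
    c = ev["command_line"].lower()
    if "sqlcmd" in c and any(k in c for k in ("sys.databases", "sysdatabases", "sp_databases")):
        return {"rule": "sql_enumeration", "severity": "low"}


RULES = (rule_vss_shadow, rule_ntds_from_shadow, rule_ntdsutil_ifm,
         rule_rdp_port_change, rule_sql_enumeration)


def detect(events):
    """Run every rule over each event, then add a correlated finding when a shadow-copy
    creation and an ntds.dit read from a shadow copy both appear on the same host."""
    findings, hosts_with_shadow, hosts_with_ntds = [], set(), set()
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit.update(host=ev["host"], command_line=ev["command_line"])
                findings.append(hit)
                if hit["rule"] == "vss_shadow_created":
                    hosts_with_shadow.add(ev["host"])
                elif hit["rule"] == "ntds_from_shadow_copy":
                    hosts_with_ntds.add(ev["host"])
    for host in sorted(hosts_with_shadow & hosts_with_ntds):
        findings.append({"rule": "ntds_dump_via_vss_chain", "severity": "critical", "host": host})
    return findings


# --- Constructed process-creation events (host + command line, as a SIEM would present them) --
SAMPLE_EVENTS = [
    {"host": "DC01", "command_line": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "command_line": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"host": "DC01", "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x546 /f'},
    {"host": "SQL01", "command_line": 'sqlcmd -S SQL01 -E -Q "SELECT name FROM sys.databases"'},
    {"host": "WS07", "command_line": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["host"], f.get("port", ""))
```

Each rule on its own is noisy in a large estate (backup software creates shadow copies; DBAs run sqlcmd), which is why the chain finding matters: a shadow copy followed by a read of ntds.dit from it on a domain controller is the SYSTEM-plus-NTDS dump a Conti affiliate needs to crack every domain password offline, and should page someone regardless of what the individual events score. The RDP rule is stateless and only catches the registry write; pair it with firewall-rule and listening-port telemetry for coverage of the other ways the port can be moved.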

The dump also contains the source code for Conti Locker v2, which was first leaked as a password-protected zip file but then again without any password.

Besides the source code for the second version of the ransomware’s encryptor, the leak also contained source code for the decryptor – a decryptor that reportedly does not work, as one analyst pointed out on Twitter. The released decryptor might be a version that Conti sends to victims who have paid the ransom, the analyst suggested.

Decryptors act somewhat like unzipping a password-protected file, the analyst added, except that they are more complex, since each ransomware family needs its own.

The leaked documents also contain training materials, including videos of online courses in Russian, as well as how-tos about this list of TTPs:

  • Cracking
  • Metasploit
  • Network Pentesting
  • Cobalt Strike
  • PowerShell for Pentesters
  • Windows Red Teaming
  • WMI Attacks (and Defenses)
  • SQL Server
  • Active Directory
  • Reverse Engineering

One of the leaked files is a dump of chats from the forums used by the operators of the TrickBot trojan/malware, spanning forum messages from 2019 until 2021. Most of the chats are about how to move laterally across networks and how to use certain tools, but researchers also found out quite a bit about the TrickBot and Conti gang’s TTPs.

Also included is evidence from early July 2021 that the group used exploits such as Zerologon (CVE-2020-1472): not surprising, given that starting in September 2020, at least four public proof-of-concept (PoC) exploits for the flaw were released on GitHub, along with technical details of the vulnerability.

Other TrickBot leaks include server-side components written in Erlang, a trickbot-command-dispatcher-backend and trickbot-data-collector-backend, dubbed lero and dero.

As far as the leak of Conti code goes, it would be nice to think that the gang’s operators were frustrated by the leak – but that’s not reported to be happening. Researchers said that “none of the firm’s primary source intel demonstrates that this will affect Conti”. They explained: “The leak was related to only one group out of six, and even though this group was likely the most important one, the rest of the teams were not impacted at all – Conti relaunched all of its infrastructural capacities and kept operating.”

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.