Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats, including malware and PowerPoint trojans, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Neu Cyber Threats

Microsoft Teams hit by takeover trojans

Threat actors are targeting Microsoft Teams users by planting malicious documents in message threads. Researchers have found that these documents execute Trojans that can ultimately take over end-user machines.

In January, researchers began tracking the campaign. They said: “Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.”

Cyber criminals have long targeted Microsoft’s document-creation and sharing suite, Office and its cloud-based version, Office 365, with attacks against individual apps in the suite such as PowerPoint, as well as business email compromise and other scams. As the usage of Microsoft Teams has been so large during the COVID-19 pandemic, it seems it is emerging as an increasingly popular attack surface for cyber criminals.

Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021. The latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume.

In order to plant malicious documents in Teams, attackers first have to gain access to the application. This is possible in a number of ways, typically starting with an email compromise through phishing to obtain credentials or some other foothold on a network.

Researchers said: “They can compromise a partner organisation and listen in on inter-organisational chats. They can compromise an email address and use that to access Teams – they can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.”

Once an attacker gains access to Teams, it is fairly easy to navigate and slip past any security protections. Default Teams protections are lacking: scanning for malicious links and files is limited, and many email security solutions do not offer robust protection for Teams. Teams is also easy for hackers to exploit right now because end users inherently trust the platform, sharing sensitive and even confidential data without a second thought while using it.

Further, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform. There is often “minimal oversight” over these requests because of the trust people have, researchers added.

In the attack vector researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through lateral movement on the network. Then, the threat actor attaches a .exe file named “User Centric” to a chat; the file is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.

Researchers said: “When someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of ‘User Centric,’ many users won’t think twice and will click on it”. If that happens, the executable will then install DLL files that install malware as a Windows programme and create shortcut links to self-administer on the victim’s machine. As the ultimate goal of the malware is to take over control of the machine and perform other nefarious activities, this particular attack vector is worrisome for businesses.

To protect your business from attacks like this, ensure that your Business Continuity and Disaster Recovery plans are in place. This will help your business recover from a cyber attack or phishing campaign, which may well reach your business as part of the ongoing boom in cyber attacks.

Malware attacks customers of top brands

Researchers have discovered that cyber attackers are targeting 60 different high-profile companies with the TrickBot malware. The goal is to attack those companies’ customers, who are being cherry-picked for victimisation. TrickBot has been targeting well-known brands, including Amazon, Microsoft, PayPal, Yahoo and others.

Researchers added: “Trickbot attacks high-profile victims to steal credentials and provide its operators access to portals with sensitive data where they can cause greater damage.”

The variant being used in the campaign has also added three interesting modules, with new de-obfuscation and anti-analysis approaches noted. The TrickBot malware originated as a banking trojan. Since then it has evolved beyond those humble beginnings to become a wide-ranging credential stealer and initial access threat, often responsible for fetching second-stage binaries such as ransomware.

Since the takedown of its infrastructure in October 2020, the threat has returned to infamy and it now sports more than 20 different modules that can be downloaded and executed on demand. It typically spreads via emails, though the latest campaign adds self-propagation via the EternalRomance vulnerability.

Researchers warned: “Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial and technology companies. We see that the malware is very selective in how it chooses its targets.” It has also been seen working in tandem with a similar malware, Emotet, which suffered its own takedown in January 2021.

TrickBot overall has seen over 140,000 successful infections since the takedown. Researchers noted that it’s back to taking first place in malware prevalence lists.

This particular threat is an issue, due to the high skill level of those behind it. As researchers state: “We know that the operators behind the infrastructure are very experienced with malware development on a high level as well. TrickBot remains a dangerous threat.”

Our advice is to beware of any kind of incoming emails, as many of these could have phishing threats laced within them. They could be hidden in emails or attachments that end up swiping credentials or other critical information. Always be wary of interacting with emails from unknown senders.

Emotet malware spreading through Excel files

The infamous Emotet malware has switched tactics yet again, with researchers observing a new email campaign being spread through malicious Excel files. The new infection approach for the high-volume malware, which is known to modify its attack vectors to avoid detection, was noted last week.

Researchers said: “Emotet’s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload”. The new attack vector delivers, through socially engineered emails, Excel files that include an obfuscated Excel 4.0 macro.
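The Excel 4.0 (XLM) macros described above live in a well-defined place inside a modern Office Open XML workbook, which gives mail gateways and triage scripts something concrete to look for before a file is ever opened. The following is an added example (not code from the original post or from the researchers quoted): it unzips a workbook in memory and reports whether it contains XLM macro sheets (parts under xl/macrosheets/, declared with the macrosheet content type) or a VBA project (xl/vbaProject.bin). The sample workbooks it builds are constructed for the demonstration and are not real Emotet documents.

```python
"""Flag Office Open XML workbooks that carry Excel 4.0 (XLM) macro sheets or VBA.

Added example for attachment triage; not code from the original post.
Assumption: the input is an OOXML workbook (.xlsx/.xlsm), i.e. a ZIP container.
Excel stores XLM macro sheets under xl/macrosheets/ and declares them in
[Content_Types].xml; VBA lives in xl/vbaProject.bin. Both markers are checked.
"""
import io
import zipfile

XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"


def scan_workbook(data: bytes) -> dict:
    """Return which macro markers a workbook contains.

    Works on raw bytes so it can run on a mail attachment without opening it
    in Excel. Input that is not a ZIP container is reported as not OOXML.
    """
    result = {"is_ooxml": False, "xlm_macro_sheets": [], "has_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Part names are the strongest signal: this is where Excel keeps XLM sheets.
        result["xlm_macro_sheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        result["has_vba"] = "xl/vbaProject.bin" in names
        if result["is_ooxml"] and not result["xlm_macro_sheets"]:
            # Fall back to the content-type declaration in case parts were renamed.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if XLM_CONTENT_TYPE in ctypes:
                result["xlm_macro_sheets"].append("<declared in [Content_Types].xml>")
    return result


def is_suspicious(data: bytes) -> bool:
    """True when an OOXML workbook carries XLM macro sheets or a VBA project."""
    r = scan_workbook(data)
    return r["is_ooxml"] and (bool(r["xlm_macro_sheets"]) or r["has_vba"])


def build_sample(with_xlm: bool) -> bytes:
    """Constructed minimal workbook container for the demo (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/xl/workbook.xml" ContentType='
              '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
        if with_xlm:
            ct += f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{XLM_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("xlm", build_sample(True))):
        print(label, scan_workbook(blob), "suspicious=" + str(is_suspicious(blob)))
```

This check covers only the zipped OOXML formats; legacy binary .xls files store Excel 4.0 macros in BIFF records inside a compound file, so they need a different parser (olevba from the oletools project handles both). A positive result is a triage signal, not proof of malice: legitimate workbooks can carry XLM sheets, so treat this as a reason to quarantine and inspect, not an automatic verdict.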

Emotet started life as a banking trojan in 2014. Since then it has evolved into a full-service threat-delivery mechanism, at one point existing as a botnet that held more than 1.5 million machines under its control. The usual end results for victims of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks.

In January 2021, Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system. However, it resurfaced in November 2021 on the back of frequent partner-in-crime TrickBot, and it now continues to be a threat to businesses.

Since its return, Emotet has used thread hijacking and other types of tactics as part of novel attack methods. Researchers added: “This technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet. The botnet uses this stolen email data to create fake replies impersonating the original senders.”

Examples of this method include links to install a fake Adobe Windows App Installer Package, which were reported in December. Even this newest Emotet infection chain has several variations.

In response, Microsoft announced a plan to disable all macros by default in some applications, acknowledging that the mechanism is one of the world’s most popular ways to deliver malware. The company stated: “For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet. VBA macros obtained from the internet will now be blocked by default.”

Three popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are all affected by the change.

Microsoft continued: “For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. The default option is now more secure and is expected to keep more users safe including home users and information workers in managed organisations.”

Beginning in late April, users will be prompted to click a “learn more” button rather than an “enable macros” button. The change will take the user to an additional information page before they can activate macros within a document.

LinkedIn phishing scam targeting users

Since the start of February, analysts have watched phishing email attacks impersonating LinkedIn surge by 232%.

It is believed that jobseekers on the popular platform are being particularly targeted. Researchers said: “It is likely these phishing attacks aim to capitalise on jobseekers by flattering them into believing their profile is being viewed and their experience is relevant to household brands.”

Phishing emails distributed had subject lines that would be enticing to job hunters hoping to get noticed, like, “Who’s searching for you online,” “You appeared in 4 searches this week” or even “You have 1 new message.” The phishing emails themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colours and icons. The scammers also name-checked well-known companies throughout the bodies of the phishing emails, to make the correspondence seem more legitimate.

And to top it off, even the email’s footer lifted the company’s headquarters’ address and included “unsubscribe” links to add to the email’s authenticity. Researchers said: “You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks.”
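The display-name spoofing the researchers describe above (a From: header that reads “LinkedIn” while the actual sending address is a webmail account) is a pattern a mail filter can check mechanically. The following added example (not code from the original post or from the researchers quoted) parses the From: header of a message with Python’s standard email library and flags it when the display name mentions a brand but the address domain is not one of that brand’s known sending domains. The brand table and the sample message are constructed for illustration.

```python
"""Flag From: headers whose display name impersonates a brand while the sending
address sits on an unrelated domain (display-name spoofing).

Added example, not code from the original post. BRAND_DOMAINS and the sample
message are constructed for illustration; a real deployment would carry a
fuller table and also inspect Reply-To and authentication results.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed, deliberately incomplete table of brands and their legitimate sending domains.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}


def domain_matches(addr_domain: str, allowed: set) -> bool:
    """True when the address domain is an allowed domain or a subdomain of one."""
    addr_domain = addr_domain.lower()
    return any(addr_domain == d or addr_domain.endswith("." + d) for d in allowed)


def check_from_header(from_value: str) -> dict:
    """Compare the display name against the address domain of one From: value."""
    name, addr = parseaddr(from_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    lowered = name.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        # Brand named in the human-readable part, but the mailbox is somewhere else entirely.
        if brand in lowered and not domain_matches(domain, allowed):
            return {"spoofed": True, "brand": brand, "display_name": name, "address": addr}
    return {"spoofed": False, "brand": None, "display_name": name, "address": addr}


def check_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and check its From: header."""
    msg = message_from_string(raw)
    return check_from_header(msg.get("From", ""))


# Constructed sample in the style described in the post: the display name says
# LinkedIn, the mailbox is on a webmail-style domain, the subject is the lure.
SAMPLE_SPOOF = """From: LinkedIn <notifications.linkedin@example-webmail.test>
To: jobseeker@example.test
Subject: You appeared in 4 searches this week

Someone is searching for you. Sign in to see who.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_SPOOF))
```

The check deliberately keys on the display name rather than the subject line, because the lures (“Who’s searching for you online”, “You have 1 new message”) also appear in genuine notifications; what genuine notifications never do is pair the LinkedIn name with a third-party mailbox. Treat a hit as a reason to hold the message for review alongside SPF/DKIM/DMARC results, not as a standalone verdict.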

Once victims clicked the malicious links in the email, they were directed to a site that harvested their LinkedIn logins and passwords.

In a statement, LinkedIn said: “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification.”

Again, Neuways urges all LinkedIn users to be wary of communications they receive that purport to be from LinkedIn. Phishing Awareness Training can help your employees learn the difference between normal emails and phishing emails. Our training sends test emails to your employees to identify how much they know about phishing campaigns.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.