ThreatLabz July 2022 Report: Deconstructing a massive global phishing campaign, exposing Industrial Spy, Google Play infiltrated, Qakbot upgraded, and Raccoon v2

Aug 15, 2022
This July ThreatLabz released a trove of actionable threat intel, performed a deep dive on a massive phishing attack, exposed a new threat group named Industrial Spy, and more. Threat actors stayed busy developing new malware, expanding existing capabilities, and launching AiTM campaigns, while the ThreatLabz team kept pace, refusing to yield an inch. Dive into the latest cybersecurity news from ThreatLabz and discover what is happening in the world of cybersecurity today.

Microsoft email services under massive AiTM phishing attack

ThreatLabz discovered a massive adversary-in-the-middle (AiTM) phishing campaign connected with an investigation they conducted in June. Using intelligence gathered from the Zscaler cloud, researchers discovered multiple new domains participating in ongoing phishing attacks. Several features of this campaign distinguish it from other run-of-the-mill phishing campaigns, including:

  • A custom proxy-based phishing kit that uses AiTM techniques to bypass multi-factor authentication (MFA)
  • Evasive techniques aimed at bypassing email and network security, applied at several stages of the attack cycle
  • Cloaking and browser fingerprinting techniques used to bypass automated URL analysis systems
  • Multiple URL redirections that abuse open redirect pages on Google Ads, DoubleClick, and Snapchat to evade security solutions that rely on email URL analysis
  • Abuse of legitimate services such as CodeSandbox and Glitch to prolong the lifespan of the campaign

Figure 1: AiTM technique to bypass MFA

Organizations in the United States, United Kingdom, New Zealand, and Australia have been observed being targeted by these attacks. The threat actors seem focused on the FinTech, lending, finance, insurance, accounting, energy, and federal credit union sectors. The attackers are also using domain names that are typosquatted versions of legitimate sites, as seen below:

Attacker-registered domain name    Legit Federal Credit Union domain name
crossvalleyfcv[.]org               crossvalleyfcu[.]org
triboro-fcv[.]org                  triboro-fcu[.]org
cityfederalcv[.]com                cityfederalcu[.]com
portconnfcuu[.]com                 portconnfcu[.]com
oufcv[.]com                        oufcu[.]com

Some of these domain names use keywords associated with resetting passwords, indicating the phishing emails may pose as reminders to update login credentials. There are also many attacker domains that appear to be randomized and do not conform to a specific pattern. The magnitude and complexity of these attacks make it vital for security teams to better understand them if they want to mount a successful defense.
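Every attacker domain in the table above is one character edit away from the legitimate credit-union domain (an "fcu" to "fcv" swap, or an extra "u"). The following is an added example, not ThreatLabz code, showing how a defender can catch this whole class of near-miss registrations with an edit-distance check against a watch list of domains they own or transact with; the watch list and candidate list are constructed from the table above, plus two control names.

```python
"""Flag candidate domains that are close typosquats of a watch list (added example)."""


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'oufcv[.]com' back into 'oufcv.com'."""
    return domain.replace("[.]", ".").strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def find_typosquats(candidates, watchlist, max_distance=1):
    """Return (candidate, legit, distance) for near-miss registrable names.

    Labels left of the last dot are compared, so 'oufcv.com' is matched against
    'oufcu'; an exact match is skipped, while a bare TLD swap such as 'oufcu.net'
    is reported with distance 0.
    """
    legit = {refang(d): refang(d).rsplit(".", 1)[0] for d in watchlist}
    hits = []
    for cand in candidates:
        c = refang(cand)
        c_label = c.rsplit(".", 1)[0]
        for full, label in legit.items():
            if c == full:
                continue
            d = levenshtein(c_label, label)
            if d <= max_distance:
                hits.append((c, full, d))
    return hits


# Constructed sample input: the five pairs from the table, plus an unrelated
# domain and an exact watch-list match, neither of which must be flagged.
WATCHLIST = ["crossvalleyfcu[.]org", "triboro-fcu[.]org", "cityfederalcu[.]com",
             "portconnfcu[.]com", "oufcu[.]com"]
CANDIDATES = ["crossvalleyfcv[.]org", "triboro-fcv[.]org", "cityfederalcv[.]com",
              "portconnfcuu[.]com", "oufcv[.]com", "example[.]com", "oufcu[.]com"]

if __name__ == "__main__":
    for cand, legit, dist in find_typosquats(CANDIDATES, WATCHLIST):
        print(f"{cand:22} resembles {legit:22} (edit distance {dist})")
```

The same check can be run over newly registered domain feeds or passive DNS output to surface lookalikes before they are used in a campaign.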

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection.

Learn more about this massive phishing campaign

Industrial Spy ransomware group releases bare-bones threat

A new threat group named Industrial Spy has introduced a no-frills ransomware intended to carry out double extortion attacks. Industrial Spy first appeared in April 2022 as a broker for a data extortion marketplace that sold stolen information. In May 2022, the group released a basic ransomware that uses a combination of RSA and 3DES to encrypt files. Currently, Industrial Spy ransomware is fairly basic and does not use anti-analysis or obfuscation techniques. During attacks, the group drops two executables: the first is an advertisement for their marketplace and the second performs file encryption.

Figure 2: Desktop wallpaper set by the Industrial Spy marketplace promotion binary

Industrial Spy ransomware has been observed being distributed with other malware threats, including SmokeLoader, GuLoader, and Redline Stealer. While the newly formed group has not successfully mounted any high-profile attacks, they have been consistently adding two or three victims to their data portal every month. Industrial Spy ransomware code has little beyond core functionality and is under development with very few samples observed in the wild.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Examine the tactics, techniques, and procedures of Industrial Spy

Malware sneaks into the Google Play store

What do Joker, Facestealer, and Coper malware all have in common? Zscaler ThreatLabz detected all three in apps on the Google Play store. The Google Android security team was swiftly notified and immediately removed the dangerous software.

Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying its trace signatures, including updates to the code, execution methods, and payload-retrieving techniques. The ThreatLabz team discovered over 50 unique Joker apps on the Play Store across the following categories:

Figure 3: Joker malware has been found distributed in five app categories

To increase protection, the ThreatLabz team performed an extensive analysis on these three malware families to offer readers insight into how they operate. Identifying the indicators of compromise (IoCs) for these threats can help Android users keep their devices secure.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Discover the warning signs of Joker, Facestealer, and Coper infections

Qakbot evolving in dangerous ways

Qakbot (aka Quakbot/Qbot/Pinkslipbot) is a Trojan that has been a thorn in the side of users since 2008. For some perspective, in 2008 the Intel Core 2 Duo was a high-end CPU, and The Dark Knight (starring Heath Ledger as the Joker) was a global blockbuster. How does a piece of malware dating from this bygone era remain an active threat in today’s world? 

It evolves.

In July, ThreatLabz reported on six months of significant increases in Qakbot activity, during which the malware demonstrated several new capabilities.

Qakbot’s new tricks include improved evasive techniques using the .zip file extension, deceptive naming practices, and Excel 4.0 (XLM) macro attachments. The trojan uses obfuscated code and multiple payload-delivery URLs, and introduces new steps into its infection chain. Analyzing the de-obfuscated code exposes how these malicious attachments use XLM 4.0 to hide their macros and evade detection by static analysis tools and automated sandboxes.

Figure 4: Standard email and Office templates used for Qakbot delivery in the last six months

Since May 2022, we observed Qakbot distribution also happening via Windows shortcut files (.LNK) that invoke a PowerShell script on the victim machine to download and install the Qakbot payload. While Zscaler customers are protected against Qakbot attacks, all users can improve their resilience by not opening email attachments unless they absolutely trust the sender.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Discover Qakbot's dastardly new tricks

Raccoon Stealer v2 is ready to ransack data

Raccoon infostealer is back with a new version written in C. The malware, first offered as malware-as-a-service on underground forums in 2019, infiltrates systems to steal passwords, cookies, and browser data. The original Raccoon malware relied on abusing the Telegram network to retrieve lists of command-and-control servers. With Raccoon v2 this practice has been discarded in favor of a hardcoded list of IP addresses controlled by the attacker. The malware’s authors have also announced that versions of Raccoon are available as DLLs and embedded in other PE files.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Firewall, Cloud Sandbox.

Read a detailed breakdown of Raccoon v2

About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
