ThreatLabz June 2022 Report: Ransomware report, sextortion scams, new Lyceum APT backdoor, renewed Evilnum attacks, and PureCypter premier malware loader
In June, ThreatLabz released a report covering the latest ransomware trends observed in the wild. Zscaler researchers analyzed a new Lyceum APT backdoor, PureCrypt loader, a voicemail-themed phishing campaign, and how threat actors pose as the Indian government to extort victims.
The 2022 ThreatLabz State of Ransomware Report
Ransomware attacks surged by 80% between February 2021 and March 2022. Worse, double-extortion attacks (which involve exfiltrating the encrypted data and using it for leverage) increased by a staggering 117% year-over-year. These two findings are revealed in the 2022 ThreatLabz State of Ransomware report, an in-depth examination of this popular attack trend.
Figure 1: Percentage of change in double-extortion ransomware attacks by industry
The ransomware report offers big-picture visibility into prevalent ransomware groups and their evolving tactics as they continue to target global organizations. Key highlights from the report include:
- Manufacturing was the most targeted industry for the second straight year.
- Supply chain ransomware attacks are on the rise, targeting multiple industries, and exploiting the Log4j vulnerability.
- Ransomware as a service is driving more attacks, with most (8 out of 11) of the top ransomware families commonly proliferating via RaaS models.
- Ransomware families aren’t going away— but increasing pressure from law enforcement is forcing threat groups to retreat and rebrand.
- There have been several cyberattacks associated with the Russia-Ukraine conflict, with some combining multiple tactics, such as HermeticWiper and PartyTicket ransomware.
Stay ahead of ransomware threats by understanding how they are operating in today’s world, and how to protect your organization from them.
Download the full 2022 ThreatLabz State of Ransomware Report
Browser-in-the-browser sextortion scam shocks victims in India
A devious browser-in-the-browser (BITB) attack in India is accusing victims of visiting illegal pornographic sites. The attack begins with users seeing a pop-up claiming their browser is being blocked by the Indian government for visiting illegal porngraphic sites. The pop-up has two buttons, Leave and Cancel. The deceptive popup appears to be related to the alert browsers triggers when users navigate away from a website without saving their work. However, in this case both buttons will lead the victim to the attackers site regardless of which is selected.
The attacker’s homepage depicts a fraudulent notice from the Indian government saying the victim must pay a fine.
Figure 2: Attacker site masquerading as a legitimate page for the Indian government
Threat researchers, and particularly observant users, can discover they are in a BITB attack from here if they investigate the right places. First, the browser expands to full-screen mode as soon as the fake page is loaded. This is done to hide the real browser address bar from the victim while presenting a fake one. Second, any attempt to interact with the address bar, minimize button, maximize button, refresh, or back button reveals that they are unclickable. Lastly, by exiting full-screen mode the actual URL of the website becomes visible in the real address bar.
Read more about the deceptive tricks and clever ruses incorporated in this sextortion attack
Lyceum threat group’s new .NET DNS backdoor
The state-sponsored Lyceum APTgroup is back with a fresh campaign and a new .NET based malware. The attackers are using a customized version of the open-source tool DIG.net to create a DNS backdoor. Using this technique, the attacker modifies DNS responses to send instructions to the malware residing on the host machine. By cloaking threat-related communications inside the DNS protocol the Lyceum group is able to hide its operations from conventional forms of detection.
These attacks are initiated via delivering a macro-enabled word document that appears as a military-related report on Iran. Once the target enables macro content on the document a DNS backdoor is dropped onto the local system. An executable is also written to the Startup folder so the malware achieves persistence.
Figure 3: An infected document carrying a new DNS backdoor from the Lyceum group
DIG.net is an open-source DNS resolver that is capable of parsing responses coming from a DNS server. Lyceum puts this capability to malicious use by performing DNS hijacking. See an example in Figure 4, where a DNS request response clearly instructs the infected machine to execute ipconfig:
Figure 4: The attacker-controlled DNS returns an ipconfig command for the malware to execute
The ThreatLabz investigation into these new state-sponsored attacks uncovered several interesting details that offer additional insight into how Lyceum operates. For a detailed breakdown and list of IoCs read the full report.
Learn the trick the state-sponsored Lyceum group uses to hide their activity
PureCrypter loader a top-tier malware distributor
PureCrypter is a fully-featured malware loader that (as of this writing) can be purchased for under $60. ThreatLabz has observed PureCrypter being used to distribute several RATs, infostealers, and popular malware families. The loader features an array of malicious options that allow its users to configure malware payloads to achieve persistence, perform process injection, evade detection, and use defensive techniques.
Figure 5: The PureCrypter website, showcasing various loader capabilities
PureCrypter uses a .NET downloader to acquire its primary payload and execute it in memory. Once PureCrypt is running in memory it decrypts the resources it needs to create a configuration file for the malware payload it will unleash. Once these steps are complete, the loader injects the malware into another running process, infecting the host machine. While this brief description covers the process in broad strokes, there are many intricate details involved at each step. Understanding how PureCrypter infects a system can better prepare your organization for defending against it and similar loader-launched attacks.
Understand how PureCrypter bypasses security and infects systems
Voicemail-themed phishing attacks are focusing on key industry verticals
A new voicemail-themed phishing campaign, similar to one ThreatLabz monitored in 2020, is targeting US-based organizations. This recent campaign appears to focus on organizations related to software security, the U.S. military, the pharmaceutical/healthcare industry, and the manufacturing supply chain. Zscaler was among the organizations targeted by this attack, giving us a front-row view of the operational details of this campaign.
These phishing attacks are highly persuasive and use multiple techniques to convince targets to comply with requests. They begin with an email notification telling the target that they have missed a voicemail.
Figure 6: The initial phishing email informing a user they have missed a voicemail
If the user clicks on the link to hear the message they are redirected to a credential phishing page. However, they are not sent to the phishing page directly. Users are first asked to solve a CAPTCHA before proceeding to the credential-harvesting site. This gives the attackers the illusion of legitimacy while also preventing automated URL analysis tools from detecting malicious activity. Once the CAPTCHA is solved, users proceed to the phishing site where a fake Microsoft sign-in page prompts them to enter their credentials. Zscaler’s cloud security platform detects several indicators associated with this attack, so our customers are well protected from this campaign.
Learn more about the specifics of this campaign, and how to protect your organization
New Evilnum assets and tactics discovered
Zscaler has uncovered a new attack chain and previously unknown assets being used by the Evilnum APT. This threat group has historically targeted organizations in the UK and Europe. The attackers generally target organizations in the FinTech (financial services) sector, though they recently expanded this to include intergovernmental organizations dealing with migration services. Historically, Evilnum attacks began with an email containing a malicious Windows shortcut archived in a .ZIP file. Recently, the group was seen using a new distribution vector and updated attack chain.
Figure 7: New Evilnum attack chain discovered by ThreatLabz
Evilnum has improved its spear-phishing game by attaching malicious Word documents that fetch weaponized macro templates when opened. These macros use VBA code stomping to obfuscate the original source code (p-code) and hide it from static analysis tools. The Javascript dropped by the VBA-based macro is heavily obfuscated by techniques rarely seen in the wild. When executed, the malware drops two files, a loader and the binary file it loads at runtime. The full report details several new and significant details of Evilnum’s most recent activity, newly discovered assets, and attack IoCs.
Read about the new assets, tactics, and targets of Evilnum APT
About ThreatLabz
ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.
The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
What to read next:
Browser-in-the Browser sextortion scam makes victims pay by imitating Indian Gov