SISA Weekly Threat Watch – November 21st, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.


To evade detection, threat actors switch between traditional and unusual techniques, such as porting malware to a different language, delivering it through Microsoft Office documents, or sending phishing links via voicemails. Despite their simplicity and limited functionality, some malware families still pose a risk to users because they can deliver more sophisticated malware after the initial infection. This week, it was observed that such malware developers are motivated and skilled enough to keep the threat growing by employing improved tactics and techniques.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Abusing Microsoft customer voice to send phishing links

Attackers are using Microsoft Dynamics 365 Customer Voice to get through email filters and send phishing emails to Microsoft users. Dynamics 365 Customer Voice is a product primarily used to collect customer feedback: it can turn gathered data into actionable insights, track consumer feedback, and run customer satisfaction surveys. To reach end users, attackers frequently route their links through legitimate, trusted services, a technique referred to here as The Static Expressway.

Users tend to trust links that arrive from a reputable source, which gives attackers a foothold into the network. Since the phishing link does not appear until the last stage, this attack is challenging for scanners to detect and even more challenging for users to identify. It is crucial to remind users to check all URLs in this situation, even those that do not appear in the email body itself.

2. New StrelaStealer malware steals your Outlook, Thunderbird accounts

A new data-stealing malware called “StrelaStealer” is actively stealing email account credentials from Thunderbird and Outlook. StrelaStealer is distributed through phishing emails with malicious attachments, typically ISO files with varying contents. One unusual instance used an ISO file containing LNK and HTML files. Once executed, the StrelaStealer DLL collects Thunderbird’s logins.json and key4.db files, which contain the data needed to decrypt and recover any stored passwords.

Additionally, it accesses the Windows Registry to locate the encrypted credentials stored by Outlook and uses the Windows CryptUnprotectData function to decrypt them. Once both tasks are complete, the malware exfiltrates the data to its C2 server. To reduce the risk of credential compromise, enable multi-factor authentication (MFA) and ensure it is enforced for all remote connectivity. To stop phishing emails from reaching end users, it is highly recommended to implement and maintain reliable email security controls, such as AV scanning and sandboxing.
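The two collection steps above (reading the Thunderbird password store and querying Outlook's registry data) are good hunting signals on their own. The following is an added detection example, not code from the advisory: it runs over constructed endpoint telemetry and flags any process other than the mail clients touching those stores. The event format, the process allow-list and the Outlook profile registry path are assumptions.

```python
"""Added example, not from the SISA advisory: flag processes other than the
mail clients reading the Thunderbird credential store (logins.json / key4.db)
or querying the Outlook profile hive, the two collection steps the advisory
describes for StrelaStealer. Event format and registry path are assumed."""
from dataclasses import dataclass

# Thunderbird password store files named in the advisory.
THUNDERBIRD_CRED_FILES = ("logins.json", "key4.db")
# Registry subtree holding Outlook profile data (assumed path; lower-cased for matching).
OUTLOOK_PROFILE_KEY = r"\software\microsoft\office\16.0\outlook\profiles"
# Processes expected to touch these stores during normal use (assumed allow-list).
ALLOWED_READERS = {"thunderbird.exe", "outlook.exe"}

# Constructed sample telemetry: "event_type|process image name|target path or key".
SAMPLE_EVENTS = [
    "FileRead|thunderbird.exe|C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\ab12.default\\logins.json",
    "FileRead|rundll32.exe|C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\ab12.default\\key4.db",
    "RegQuery|rundll32.exe|HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook",
    "FileRead|outlook.exe|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.ost",
]


@dataclass
class Alert:
    process: str
    target: str
    reason: str


def inspect_event(line: str):
    """Return an Alert for a suspicious credential-store access, else None."""
    event_type, process, target = line.split("|", 2)
    proc, tgt = process.lower(), target.lower()
    if proc in ALLOWED_READERS:
        return None  # the mail clients themselves are expected to read their own stores
    if event_type == "FileRead" and tgt.endswith(THUNDERBIRD_CRED_FILES):
        return Alert(proc, target, "non-mail-client read of Thunderbird password store")
    if event_type == "RegQuery" and OUTLOOK_PROFILE_KEY in tgt:
        return Alert(proc, target, "non-mail-client query of Outlook profile hive")
    return None


def scan(events):
    """Run inspect_event over a batch of events and keep only the alerts."""
    return [alert for alert in map(inspect_event, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.process}: {alert.reason} -> {alert.target}")
```

In a real deployment the same two rules map directly onto file-read and registry-query events from an EDR or Sysmon feed; pair them with the CryptUnprotectData call the advisory mentions for a tighter signal.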

3. Emotet being distributed again via Excel files with new tactics

Emotet is active again with different tactics, using weaponized Excel files. Unlike earlier lures that prompted users to enable macros, the new lure instructs the user to copy the Excel file into the Microsoft Office Templates folder and relaunch it from there. This exploits the fact that the Templates folder is a trusted location under Microsoft Office policy, so the macro runs immediately without any security warning.

Furthermore, to evade detection within the workbook, the threat actor scatters and hides the formula macros across the sheet and then hides the sheet itself. It also applies sheet protection so that the user cannot unhide or inspect the sheet. Users must refrain from opening document files from unknown and untrusted sources. It is recommended to switch on real-time antivirus protection to keep any malware at bay.
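The trusted-location bypass above is worth checking for on your own estate. The following is an added example, not code from the advisory: it models Office's trusted-location rule (a file sitting in a trusted path, or in a subfolder when AllowSubfolders is set, runs macros with no prompt) and audits which trusted locations live under the user's writable profile, where a lure can ask the user to copy a file. The sample trusted-location entries, the %APPDATA% value and the AllLocationsDisabled flag are assumptions.

```python
"""Added example, not from the SISA advisory: a simplified model of Office's
Trusted Locations rule plus an audit for user-writable trusted paths, which is
what the Emotet Templates-folder lure abuses. Paths and entries are constructed."""
import ntpath

# Assumed value of %APPDATA% for the sample user; the user Templates folder
# (%APPDATA%\Microsoft\Templates) is a default Excel trusted location.
APPDATA = "C:\\Users\\alice\\AppData\\Roaming"
TEMPLATES_DIR = ntpath.join(APPDATA, "Microsoft\\Templates")

# Constructed Trusted Locations entries, shaped like the registry values Office
# keeps under ...\Excel\Security\Trusted Locations\LocationN (Path, AllowSubfolders).
SAMPLE_TRUSTED_LOCATIONS = [
    {"Path": TEMPLATES_DIR + "\\", "AllowSubfolders": 0},
    {"Path": "C:\\Program Files\\Microsoft Office\\root\\Templates\\", "AllowSubfolders": 1},
]


def _norm(path: str) -> str:
    """Case-fold and strip trailing separators so paths compare reliably."""
    return ntpath.normcase(ntpath.normpath(path))


def trusted_location_for(file_path, trusted_locations, all_locations_disabled=False):
    """Return the entry that makes file_path trusted, or None.
    all_locations_disabled models the AllLocationsDisabled policy switch (assumed name)."""
    if all_locations_disabled:
        return None
    file_dir = _norm(ntpath.dirname(file_path))
    for entry in trusted_locations:
        root = _norm(entry["Path"])
        if file_dir == root:
            return entry
        if entry.get("AllowSubfolders") and file_dir.startswith(root + "\\"):
            return entry
    return None


def macro_prompt_shown(file_path, trusted_locations, all_locations_disabled=False) -> bool:
    """True if opening file_path would still raise the macro security prompt."""
    return trusted_location_for(file_path, trusted_locations, all_locations_disabled) is None


def user_writable_trusted_paths(trusted_locations):
    """Trusted locations under the user's profile: a lure can ask the user to copy a file there."""
    return [e["Path"] for e in trusted_locations if _norm(e["Path"]).startswith(_norm(APPDATA))]
```

Disabling the user Templates entry (or setting the AllLocationsDisabled policy via Group Policy) removes the no-prompt path the lure relies on; the audit function lists exactly the entries to review.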

4. The FTX hack: An on-chain spoofing attack

The collapse of the doomed crypto exchange FTX, which filed for bankruptcy on Nov 11, worsened as over $450 million worth of assets were drained just moments after the filing. A crypto analyst attributed the recent movement of funds to on-chain token spoofing. The tokens were quickly converted to Ether, the second-largest cryptocurrency, a common technique attackers use to prevent their funds from being seized.

The ERC-20 standard `transfer` and `transferFrom` functions can be modified, if the smart contract is written that way, to allow any arbitrary address to act as the sender of tokens, so that a token is transferred from a different address than the one that initiated the transaction. Such tokens can be sent to any address and then moved out of that address without the owner having any control over them. As a precautionary measure, the exchange initiated steps to move all digital assets to cold storage. Users are advised not to log on to the site, as doing so might expose them to further attacks.

5. UAC-0118 (FRwL) using the Somnia malware

The Ukrainian CERT (CERT-UA) has discovered an attack campaign aimed at infiltrating Ukrainian enterprises and permanently encrypting their files using a particular variant of the Somnia ransomware. According to the findings, the initial breach was caused by downloading and running a file that appeared to be the “Advanced IP Scanner” application but actually contained Vidar malware.

When encrypting files, the ransomware appends the .somnia extension to them. After using a VPN to gain remote access to the organization’s network, the attackers ran the Cobalt Strike Beacon, carried out reconnaissance, and exfiltrated data. It is recommended to enable automatic software updates wherever possible so that patches are installed as quickly as possible.


To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
