U.S. Center for Internet Security Alert Level
GUARDED: indicates a general risk of increased hacking, virus, or other malicious activity.
From the Center for Internet Security, “The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.”
A New Cybercrime Group
They call themselves RATicate. Lindsey O’Donnell of Threatpost reports that what is significant about the name is the acronym R-A-T: RAT stands for Remote Access Trojan. These cybercriminals are installing Remote Access Trojans by leveraging the Nullsoft Scriptable Install System (NSIS), an open source tool used to create Windows installers. They are said to be specifically targeting industrial firms in Europe, the Middle East, and the Republic of Korea.
They are using email to deliver the payload, in attachments with file extensions that include .zip, .img, .udf, .rtf, and .xls.
It sounds as if NSIS provides privileges on the Windows system that allow it to perform tasks including running commands from the CLI and loading DLLs.
Lindsey O’Donnell goes on to say that this attack goes as far as installing what have been termed junk DLLs, in an effort to obfuscate and confuse researchers during the discovery and analysis process. The payload is said to be delivered encrypted and then decrypted as the first phase of the attack.
One of five different payloads is being used.
Payload #1 is said to be what is called Lokibot which is an “infostealer” gleaning FTP credentials, stored email passwords, and passwords stored in the browser.
Payload #2 is said to be what is called BetaBot which has been described as a rootkit. A rootkit is software designed to allow access to the internals of an operating system.
Payload #3 is said to be what is called FormBook which steals data when entered into forms in the browser. This would otherwise be known as a keylogger.
Payload #4 is said to be what is called Agent Tesla which is essentially spyware capable of extracting credentials, data from the clipboard, screen captures, keylogging, and various application credentials.
Payload #5 is said to be what is called Netwire, a Remote Access Trojan that steals credentials, keystrokes, and hardware information.
Nine companies have been targeted.
Researchers discovered that the same Command and Control (C2) server is being used with different payloads.
The RDP Protocol
McAfee is reporting that the number of open RDP ports exposed on the Internet has increased by 1.5 million. They go on to state that the remote workforce created by the COVID-19 pandemic is believed to be to blame.
And a final word with an often stated statistic…
Remember that more than 90% of data breaches are the result of a phishing email. Keep your eyes on what the email says, who it is from, and what it is asking you to do. Verify the URLs before you click the link. Look for a one-off letter or a one-off TLD.
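The "one-off letter or one-off TLD" check above can be automated for a list of domains you actually deal with. The following is an added example, not code from the original post or from any of the vendors it cites: it parses the host out of a link and compares its registrable name against a constructed allow-list, flagging a trusted name used as a subdomain of something else, the same name under a different TLD, common look-alike character swaps (0 for o, 1 for l, rn for m) and single-character typos. The trusted domains, the sample URLs and the small look-alike table are all constructed for illustration; the TLD split assumes single-label suffixes (a co.uk-style suffix would need a public suffix list).

```python
"""Flag look-alike domains in links before clicking (added example)."""
from urllib.parse import urlparse

# Constructed allow-list of domains the reader legitimately deals with.
TRUSTED = ["example.com", "paypal.com", "microsoft.com"]

# Assumption: a small illustrative table of visually similar substitutions,
# not an exhaustive Unicode confusables list.
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b. Distance 1 is the 'one letter off' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Undo common look-alike substitutions so 'rnicrosoft' reads as 'microsoft'."""
    out = label.lower()
    for fake, real in LOOKALIKES.items():
        out = out.replace(fake, real)
    return out


def split_host(host: str):
    """Return (registrable name, tld) ignoring subdomains.
    Assumes single-label TLDs; 'co.uk'-style suffixes need a suffix list."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def check_url(url: str, trusted=TRUSTED) -> dict:
    """Classify a link as 'trusted', 'suspicious' or 'unknown' with a reason."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return {"host": host, "verdict": "unknown", "reason": "no host in URL (missing scheme?)"}
    name, tld = split_host(host)
    dotted = "." + host + "."  # lets us match whole labels, not substrings
    for t in trusted:
        tname, ttld = split_host(t)
        if name == tname and tld == ttld:
            return {"host": host, "verdict": "trusted", "reason": f"registrable domain is {t}"}
        if "." + t + "." in dotted:
            # e.g. paypal.com.account-verify.net: the trusted name is only a subdomain
            return {"host": host, "verdict": "suspicious",
                    "reason": f"{t} appears as a subdomain of {name}.{tld}"}
        if name == tname:
            return {"host": host, "verdict": "suspicious",
                    "reason": f"{tname} under unexpected TLD .{tld} instead of .{ttld}"}
        if normalise(name) == tname:
            return {"host": host, "verdict": "suspicious",
                    "reason": f"look-alike characters imitate {t}"}
        if levenshtein(name, tname) == 1:
            return {"host": host, "verdict": "suspicious",
                    "reason": f"one character off from {t}"}
    return {"host": host, "verdict": "unknown",
            "reason": "not a known domain; verify through another channel"}


if __name__ == "__main__":
    # Constructed sample links covering each rule above.
    for link in ["https://www.paypal.com/login",
                 "https://paypal.com.account-verify.net/",
                 "http://paypal.co/",
                 "http://rnicrosoft.com",
                 "http://paypall.com",
                 "https://github.com"]:
        r = check_url(link)
        print(f"{r['verdict']:10} {r['host']:35} {r['reason']}")
```

The checks are ordered from strongest to weakest signal so the reason reported is the most specific one that applies; anything that is neither trusted nor a near miss is reported as unknown rather than safe, because an unfamiliar domain still needs to be verified out of band.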