Threat Landscape Grows Increasingly Ominous
November 12, 2020
Infoblox report analyzes Q3 2020 malware campaigns
By Channelnomics Staff
This is part 1 of a 2-part series.
Cybersecurity is a white-hot market right now. While that spells opportunity for solution providers, it also signals danger on the horizon for organizations of every size and stripe.
According to Grand View Research, the global cybersecurity market is expected to expand at a compound annual growth rate (CAGR) of 10% in the next seven years. Meanwhile, Infoblox reports that the FBI Internet Crime Complaint Center’s 2019 Internet Crime Report revealed more than 460,000 complaints and losses of $3.5 billion-plus last year alone. The most prevalent crime types, according to that crime report, included extortion, nonpayment/nondelivery, personal data breach, and phishing/vishing/smishing/pharming.
As if things haven’t been bad enough on the cybersecurity front in the past few years, 2020 has done its part to complicate matters and open doors further for threat actors. The coronavirus pandemic forced companies to embrace a remote-work paradigm, with employees requiring access to enterprise resources from a variety of endpoints, including employer-provided devices and personal ones. As many enterprise security protocols and procedures don’t translate terribly well remotely, it’s difficult to duplicate corporate, on-premises security levels at home.
The potential vulnerabilities at home are legion – from consumer Wi-Fi connections and document shares on cloud folders to home routers that aren’t optimally secure or updated and personal e-mails being viewed on employer-issued devices.
Much of today’s malicious activity focuses on campaigns around COVID-19 as people seek to get information about the virus. Cybercriminals are focusing on e-mail campaigns and socially engineered attacks aimed at engaging victims and gaining their trust. Under many of these initiatives, the intended victim must cooperate and interact with the miscreant for the attack to succeed.
In an effort to bring these and other cyberthreats to light and help organizations stave them off, Infoblox has published the first of a series of quarterly Cyberthreat Intelligence reports. These will be published in the first month of every calendar quarter. The vendor’s inaugural report, covering the third quarter of 2020, includes data on threat activity publicly released from July 1 to Sept. 30 this year.
Infoblox threat reports generally include research on specific threats and related data, impact on customers, campaign execution analysis, attack-chain details, vulnerabilities, mitigation steps, and sometimes background information on the threat actors likely responsible for the particular incidents.
In this blog, part 1 of a 2-parter, we’ll look at the data Infoblox shared about four malware campaigns that ran from the end of June through the middle of July 2020.
BLM-Themed Malspam Unleashes Trickbot Banking Trojan
On June 25, Infoblox observed a campaign that used the Black Lives Matter (BLM) movement and the Trickbot malware to lure unsuspecting victims into opening a malicious e-mail and attachment. If the button in the attachment is clicked, malicious macros run and download Trickbot as a malicious library (DLL file). This attack is part of a trend that’s grown throughout 2020 with the arrival of the coronavirus pandemic.
Infoblox recommends the following for detecting, preventing, and mitigating Trickbot threats:
• Install and run advanced antivirus software that can detect, quarantine, and remove malware.
• Be cautious of e-mails from unfamiliar senders.
• Develop traffic rules that can block outbound access to potentially malicious endpoints based on domains or unique URI parameters.
• Implement command prompt logging to detect anomalous or malicious use.
• Install strong e-mail security solutions to detect e-mails with suspicious content.
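The fourth recommendation above, command prompt logging, only pays off if something reads the logs. The script below is an added example written for this article; it is not Infoblox's or Channelnomics' code and is not taken from the report. It assumes process-creation events have been exported as one JSON object per line with the fields shown (timestamp, host, user, parent image, image, command line); those field names, the rule names and every record in the sample are constructed here, and the DLL path in the sample is a hypothetical placeholder. It flags two patterns relevant to the macro-to-DLL chain described for Trickbot: an Office application spawning a shell, script host or DLL loader, and a DLL loader run against a library in a user-writable directory.

```python
"""
Flag Office-spawned process chains in constructed command-line audit logs.

Added example, not Infoblox's or Channelnomics' code. It assumes process-
creation events are available as JSON lines with the fields used below,
roughly what Windows process auditing with command-line logging provides.
Field names, rule names and all SAMPLE_LOG records are constructed.
"""
import json
from pathlib import PureWindowsPath

# Office applications that open e-mail attachments; they normally do not
# launch shells, script hosts or DLL-loading helpers.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Built-in Windows binaries a macro typically hands a second stage to.
SCRIPT_AND_LOADER_HOSTS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# DLL loaders, plus user-writable locations a downloaded library lands in.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample: a benign Word session (including its printing helper),
# a benign interactive shell, and a chain resembling a macro launching a
# DLL loader. "payload.dll" is a hypothetical placeholder name.
SAMPLE_LOG = r"""
{"ts": "2020-06-25T09:12:01Z", "host": "WS-0142", "user": "jdoe", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n C:\\Users\\jdoe\\Downloads\\statement.doc"}
{"ts": "2020-06-25T09:12:09Z", "host": "WS-0142", "user": "jdoe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"ts": "2020-06-25T09:12:14Z", "host": "WS-0142", "user": "jdoe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.dll,Start"}
{"ts": "2020-06-25T09:12:15Z", "host": "WS-0142", "user": "jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.dll,Start"}
{"ts": "2020-06-25T09:30:40Z", "host": "WS-0077", "user": "asmith", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /k cd C:\\Projects"}
"""


def parse_records(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-case file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(rec):
    """Return the name of the rule a record matches, or None."""
    parent = image_name(rec["parent"])
    child = image_name(rec["image"])
    cmd = rec.get("cmdline", "").lower()
    if parent in OFFICE_APPS and child in SCRIPT_AND_LOADER_HOSTS:
        return "office-spawned-script-or-loader-host"
    if child in DLL_LOADERS and any(m in cmd for m in USER_WRITABLE_MARKERS):
        return "dll-loaded-from-user-writable-path"
    return None


def detect(records):
    """Run every record through classify() and collect the matches."""
    alerts = []
    for rec in records:
        rule = classify(rec)
        if rule is not None:
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                "rule": rule, "cmdline": rec.get("cmdline", ""),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_LOG)):
        print(f"{a['ts']} {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
```

Run against the sample, the script raises two alerts (the Word-to-cmd.exe launch and the rundll32 call against a DLL under AppData) and stays quiet on the printing helper and the user's own shell. On real data the two lists at the top are where tuning happens: add legitimate child processes your environment's Office deployment spawns, and keep the user-writable markers aligned with where your users actually save attachments.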
Valak InfoStealer Delivers IcedID Banking Trojan
Between June 24 and July 1, security researcher Brad Duncan reported four malware campaigns that used the Valak malware loader to deliver the IcedID banking trojan, which is designed to steal banking credentials, credit cards, and other financial information. Valak, a sophisticated modular malware family that acts as both a malware loader and an information stealer (infostealer), was first observed in late 2019 and has quickly evolved to include 30 new versions.
To reduce the risk of this type of infection, Infoblox recommends the following:
• Don’t assume a file attachment or link is safe just because the sender is familiar.
• Be suspicious of vague e-mails.
• Inspect a file carefully if clicking on a link immediately initiates an attempt to download that file.
• Never enable macros.
Vidar InfoStealer Returns
From June 25 to 30, Infoblox observed a malicious spam (malspam) e-mail campaign distributing the Vidar infostealer, a variant of the Arkei infostealer. Vidar is a trojan infostealer first observed in December 2018. Vidar can steal credit cards, usernames, passwords, and files; it can take screenshots of a user’s desktop; and it can steal wallets for cryptocurrencies such as Bitcoin and Ethereum.
To reduce risk of infection, Infoblox recommends the following:
• Exercise caution if it’s necessary to open e-mails with generic subject lines.
• Always be suspicious of unexpected e-mails.
• Verify important or potentially legitimate attachments with the sender via alternative means.
• Never configure Microsoft Office to enable macros by default; don’t enable macros in Microsoft Office attachments.
Emotet Makes a Comeback
On July 17, Proofpoint’s threat research team observed a malspam campaign delivering the Emotet banking trojan after a five-month hiatus by the threat actor. The campaign was sizable, comprising nearly a quarter-million malspam messages. Emotet steals stored passwords, sensitive banking data, and browser histories from victims’ computers.
To reduce risk of infection, Infoblox recommends the following:
• Regularly train users to be aware of potential phishing efforts.
• Be wary of e-mails that don’t seem to fit in the context of a discussion thread.
• Be cautious of e-mails from unfamiliar senders.
• Never enable macros; don’t configure settings to enable macros by default.
• Never click on URLs in e-mails from unknown sources.
• Ensure the system’s file sharing capability is closed and protected with a strong password.
Stay tuned for part 2, when we reveal Infoblox’s analysis of 10 malware campaigns that ran this August and September.