Episode 02 – January 09, 2022
Dridex Omicron phishing taunts with funeral helpline number
The Dridex banking malware has been toying with victims and researchers over the last few weeks, the latest example being a phishing campaign that taunts victims with a COVID-19 funeral assistance helpline number.
Dridex is banking malware distributed through phishing emails carrying malicious Word or Excel attachments.
When an attachment is opened and macros are enabled, the malware is downloaded and installed on the victim's device.
The threat actor began trolling security researchers by using their names, combined with racist comments, as malware file names and email addresses.
Earlier this week, the threat actor spammed fake employee termination letters that, after infecting the victim's device, displayed an alert stating, "Merry X-Mas Dear Employees!"
This same threat actor then took it to the next level, spamming emails with the subject "COVID-19 testing result" that claim the recipient was exposed to a coworker who tested positive for the Omicron COVID-19 variant.
“This letter is to inform you that you have been exposed to a coworker who tested positive for OMICRON variant of COVID-19 sometime between December 18th and 20th,” reads the new phishing email.
“Please take a look at the details in the attached document.”
The email includes a password-protected Excel attachment and the password needed to open the document.
Once the password is entered, the recipient is shown a blurred COVID-19 document and is prompted to ‘Enable Content’ to view it.
To add insult to injury, after macros are enabled and the device is infected, the threat actor taunts the victim by displaying an alert containing the phone number for the “COVID-19 Funeral Assistance Helpline.”
With the Omicron variant being highly contagious and spreading rapidly worldwide, phishing lures about it are becoming common and are likely highly effective in distributing malware.
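The combination described above, an encrypted Office attachment plus the password to open it in the same message, is what keeps the document opaque to gateway scanners until the user types the password. The following is an added example, not code from the original post or from any of the researchers it cites: a mail-triage check that flags exactly that pairing. The password regex, the sender and the stub attachment bytes are constructed assumptions; the stub only carries the OLE2 header and the stream names that a password-protected OOXML workbook really has, it is not a working workbook.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Password-protected OOXML documents (.docx/.xlsx/.xlsm) are not plain zip
# files: Office wraps the encrypted zip inside an OLE2 compound file whose
# directory holds "EncryptionInfo" and "EncryptedPackage" streams.  OLE2
# directory entry names are stored as UTF-16LE, so a byte scan is enough.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")

# Heuristic (assumption): "Password: abc123" or "the password is abc123".
PASSWORD_RE = re.compile(r"\bpassword\b(?:\s+is|\s*:)\s*([^\s,;.]{4,})", re.IGNORECASE)


def is_encrypted_office(blob: bytes) -> bool:
    """True for an OOXML document encrypted with a document-open password.
    Legacy binary .doc/.xls use an in-stream scheme that this does not cover."""
    return blob.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE in blob


def password_in_body(text: str):
    m = PASSWORD_RE.search(text)
    return m.group(1) if m else None


def assess(raw: bytes) -> dict:
    """Flag a message that ships an encrypted Office attachment together
    with the password needed to open it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    password = password_in_body(text)
    encrypted = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(OFFICE_EXT) and is_encrypted_office(data):
            encrypted.append(name)
    return {
        "password": password,
        "encrypted_office": encrypted,
        "suspicious": bool(password and encrypted),
    }


def build_sample() -> bytes:
    """Constructed lure modelled on the description above.  Sender, password
    and attachment bytes are made up; the attachment is a stub with the OLE2
    header and stream names only, not a real workbook."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example.invalid>"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "COVID-19 testing result"
    msg.set_content(
        "This letter is to inform you that you have been exposed to a coworker "
        "who tested positive for the OMICRON variant of COVID-19.\n"
        "Please take a look at the details in the attached document.\n"
        "Password: Covid19!\n"
    )
    stub = (OLE_MAGIC + b"\x00" * 504
            + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 8
            + ENCRYPTED_PACKAGE + b"\x00" * 8)
    msg.add_attachment(stub, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Test_results.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess(build_sample()))
```

The check deliberately does not try to open the attachment: the whole point of the lure is that the macro content is unreadable without the password, so the detection keys on the message shape instead. Feed `assess()` the raw bytes of a message from a mail gateway; a benign message with neither a password line nor an encrypted attachment comes back with `suspicious` false.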
Fresh Warnings Issued Over Abuse of Google Services
Google Voice is a service that provides Google customers a phone number that they can use for calling, text messaging and voicemail. It can be used to make free PC-to-phone calls within the U.S. and Canada.
Scammers have been contacting people who sell things on online marketplaces such as Craigslist, claiming to be interested in the item.
However, before making a purchase, they claim they want to make sure the seller is a real person. They then register a Google Voice number against the seller's phone number, which causes Google to text a verification code to the seller, and ask the seller to read that code back to them.
Once they have obtained the verification code, the scammer can create a Google Voice number linked to the victim’s real phone number.
They can then use the phone number to scam others and hide their identity.
The verification code can also be used to access and hijack the victim’s Gmail account, the FBI said.
On a similar note:
Email security company Avanan on Thursday warned that threat actors have been abusing Google Docs comment notifications to deliver links to phishing websites and malware.
Attackers create a Google Docs document and add a comment that mentions the email address of the targeted user.
The target automatically receives an email from Google informing them about the comment.
The email includes the attacker's comment, which can contain a link to a malicious website, accompanied by text that attempts to convince the victim to click on it.
This technique has been used since at least August 2020, and Google at the time promised to take measures. However, Avanan says Google still hasn't fully addressed the issue, and a new attack wave mainly targeting Outlook users was spotted by the firm in December 2021.
“There are several ways that make this email difficult for scanners to stop and for end-users to spot,” Avanan explained. “For one, the notification comes directly from Google. Google is on most Allow Lists and is trusted by users. Secondly, the email doesn’t contain the attacker’s email address, just the display name. This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize.”
https://www.securityweek.com/fresh-warnings-issued-over-abuse-google-services
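Because the notification genuinely comes from Google, sender reputation cannot separate the lure from a legitimate comment. What can is the link inside the comment: a Google-sent notice whose link leaves Google's domains is the shape Avanan describes. The following is an added example, not code from the original article or from Avanan, showing that triage over a constructed notification. The sender address, document id and lure URL are made up, and the wording only approximates a real notice. The page does not say whether Google wraps comment links in its `www.google.com/url?q=` redirector; the example unwraps one level of it defensively so that the real destination, not google.com, is what gets classified.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"'\])]+")
# Links to these hosts are treated as part of the notification itself.
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com")


def is_trusted_host(host) -> bool:
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def unwrap_redirect(url: str) -> str:
    """Unwrap one level of the www.google.com/url?q=<target> redirector."""
    p = urlparse(url)
    if p.hostname and p.hostname.endswith("google.com") and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return url


def sender_domain(from_header: str) -> str:
    addr = email.utils.parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Classify a message: quarantine when a Google-sent notification carries
    a link whose destination is outside Google's domains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = str(msg["From"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = [unwrap_redirect(u) for u in URL_RE.findall(text)]
    external = sorted({u for u in links if not is_trusted_host(urlparse(u).hostname)})
    from_google = is_trusted_host(sender_domain(from_header))
    return {
        "sender_is_google": from_google,
        # Only a display name identifies the commenter; there is no attacker
        # address in the headers to block, which is why the link is the signal.
        "display_name": email.utils.parseaddr(from_header)[0],
        "external_links": external,
        "verdict": "quarantine" if from_google and external else "pass",
    }


def build_sample() -> bytes:
    """Constructed notification.  The sender address, document id and lure
    URL are assumptions, not captured data."""
    msg = EmailMessage()
    msg["From"] = "Finance Team via Google Docs <comments-noreply@docs.google.com>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Finance Team mentioned you in a comment"
    msg.set_content(
        "Finance Team mentioned you in a comment in the following document:\n"
        "Q4 invoices\n\n"
        "@victim@example.invalid please settle the overdue invoice here: "
        "https://www.google.com/url?q=https://invoice-portal.example/login\n\n"
        "Open: https://docs.google.com/document/d/1aBcDeFg/edit\n"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Allow-listing Google as a sender is still reasonable; the rule above only adds a condition on top of it, so ordinary comment notifications whose links all stay on docs.google.com still pass. A message from an arbitrary sender with an external link is not this attack and is left to the normal filters.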
Norton 360 Now Comes With a Cryptominer
Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers.
Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it.
According to the FAQ posted on its site, “Norton Crypto” will mine Ethereum (ETH) cryptocurrency while the customer’s computer is idle. The FAQ also says Norton Crypto will only run on systems that meet certain hardware and software requirements (such as an NVIDIA graphics card with at least 6 GB of memory).
“Norton creates a secure digital Ethereum wallet for each user,” the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.”
NortonLifeLock began offering the mining service in July 2021, but early news coverage of the program did not get widespread attention. That changed on Jan. 4, when Boing Boing co-editor Cory Doctorow tweeted that Norton Crypto would run by default for Norton 360 users.
NortonLifeLock says Norton Crypto is an opt-in feature only and is not enabled without user permission.
“If users have turned on Norton Crypto but no longer wish to use the feature, it can be disabled by temporarily shutting off ‘tamper protection’ (which allows users to modify the Norton installation) and deleting NCrypt.exe from your computer,” NortonLifeLock said in a written statement.
However, many users have reported difficulty removing the mining program.
It’s an open question whether Norton Crypto users can expect to see much profit from participating in this scheme, at least in the short run.
Mining cryptocurrencies involves using your computer's spare resources to help validate the transactions of other crypto users, in exchange for a share of newly issued currency.
Crypto mining causes one’s computer to draw more power, which can increase one’s overall electricity costs.
https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
Thousands of Schools Impacted After IT Provider Hit by Ransomware
A leading provider of school website infrastructure has been hit by a ransomware attack, potentially disrupting thousands of global customers.
Finalsite claims to serve over 8000 schools worldwide, offering content management, communications, mobile and enrolment software.
A message posted by the firm on Twitter yesterday apologized for the “prolonged outage” customers have been forced to endure as a result of the attack.
“The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment,” it explained.
“In the time since the incident, our security, infrastructure and engineering teams have been working around the clock to restore backup systems and bring our network back to full performance, in a safe and secure manner.”
Finalsite said it had found no evidence that data had been stolen in the attack but admitted that forensic work was still ongoing.
Double extortion involving the threat of leaking stolen data is now the norm for such attacks, according to ransomware experts.
According to Coveware, over 80% of attacks in Q3 involved the theft of corporate information alongside file encryption.
There’s no indication of exactly how many schools have been affected by the attack, although a Reddit user claimed around 2,200 might have been disrupted.
“With numbers like this, there’s a good chance that a school in your town is affected. Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol,” they added.
“The impact of this outage is far greater than the attention it has received.”
There’s no indication of whether Finalsite is engaging with its attackers or when customers can expect a restoration of services.
https://www.infosecurity-magazine.com/news/thousands-of-schools-it-provider/