A secondhand account of the worst possible timing for a scammer to strike
Thursday, September 7, 2023 14:09
Welcome to this week’s edition of the Threat Source newsletter.
Up until last week, I had never considered the timing of a scam to be important. I’m so used to just swiping away emails or text messages at random times during the day that I’d never considered what would happen if an adversary happened to get me at just the right time.
That’s what happened to my wife last week.
We were on vacation, and I was away for a few hours at lunch with my friends while she and the other spouses stayed back with our children to hang out at the pool for a bit.
She received a text message from an unknown number asking her to confirm a Zelle payment to someone she had never heard of for a not-insignificant amount of money. Not even a minute later, she received a call from the same number from someone claiming to represent our bank, asking if the transaction was fraudulent and if she could provide some personal information to verify the transaction or cancel it.
In most cases, she probably would have put them on hold and Googled the number to see if it was legitimate or logged into her online account to view her recent transactions. The problem was this scammer had hit her at the worst possible time. It was right in the middle of a diaper change for our 10-month-old daughter, and she was trying to change our daughter out of a wet bathing suit and stop her from crying because they were just a few minutes away from naptime.
Already in a panic (and not to mention exhausted from the heat at the beach), she answered the phone call and listened to the person on the other line, growing increasingly frustrated and just wanting to end the phone call as quickly as possible so she could return her attention to our daughter while trying to make sure we weren’t legitimately about to be scammed out of money.
Our friends thankfully intervened after she put the phone on speaker. They all noticed the same red flags, and she ended the conversation before giving away any significant information the scammer didn’t already seem to have.
But it did get me thinking about how the timing and urgency of these scams can make such a difference. I can’t say the same thing wouldn’t have happened to me had I been in the middle of a diaper change and having to worry about something as stressful as money. Or what if they had caught my wife while she was in the car and didn’t have the internet or friends at her disposal?
This timing was purely blind luck on the attacker’s part, but it nonetheless almost worked out for them. I’m not trying to throw my wife under the bus or anything, I just wanted to use this story to illustrate that anyone can be a target of these types of scams at any time, and the scammers don’t care if you have to change a dirty diaper or not.
The one big thing
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines, new Cisco Talos research shows. The campaign, active since late last year, appears to primarily target French-speaking graphic designers and other engineers who rely on 3-D modeling software. Cybercriminals are likely targeting these users because this type of software requires powerful GPUs, which also happen to be extremely useful when mining cryptocurrency.
Why do I care?
This campaign specifically targets business verticals such as architecture, engineering, construction, manufacturing and entertainment, though anyone using a computer of any type could be a target of cryptocurrency-mining malware. The attackers’ use of Advanced Installer also allows the backdoors used in this campaign to often slip by undetected.
So now what?
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex osquery queries to see if their endpoints are infected with this specific threat. And if you’re ever curious about what your GPU is up to, use Task Manager on Windows or Activity Monitor on Mac to check what your machine’s computing power is going toward. There are also specific Cisco Secure protections available that we outlined in Talos’ blog on this campaign.
Top security headlines of the week
With students around the globe going back to school over the past few weeks, cyber attacks against the education sector are back in the spotlight. This time of year is often a popular time for attackers to strike against schools, colleges and universities because their systems are under the most stress at the start of a new school year. Private security companies in the U.K. issued public warnings to school leaders that their systems are likely not prepared for a sophisticated threat actor, days after a school in northern London had to delay its start date by six days due to a cyber attack. More than 100,000 people may have also had their personal information stolen as the result of a data breach against Minneapolis’ school district, with the Medusa ransomware group claiming it was behind the attack. Although the intrusion took place in February, the district last week sent home letters to students and parents describing the results of an investigation into the breach. (The Record by Recorded Future, Yahoo! News, BBC)
The FBI announced last week that it successfully dismantled the infamous Qakbot botnet. Known as “Operation: Duck Hunt,” the takedown involved the FBI deploying an in-house uninstaller tool to Qakbot-infected devices. International law enforcement also seized Qakbot infrastructure located in the U.S. and across Europe. In the announcement of the takedown, U.S. officials blamed Qakbot for more than 40 ransomware attacks over the past 18 months, generating $58 million in ransom payments. Authorities also seized millions of dollars’ worth of cryptocurrency from Qakbot, which they are working to return to the original owners. However, security researchers are warning that the operation likely won’t be gone forever, as the operators and creators of Qakbot apparently still remain at large, and these types of botnets typically find ways to be reborn after takedowns. (BankInfoSecurity, TechCrunch)
Researchers and reporters at “Wired” have unmasked one of the leaders of the Trickbot threat actor. A 41-year-old is allegedly behind the online monikers “Bentley” and “Manuel,” which are known as belonging to the creators of Trickbot. The investigation also uncovered potential connections between Trickbot and the Russian government and other cybercriminal gangs. Thousands of messages from a Trickbot group chat were leaked last year, which included sensitive information researchers have been able to use to unmask some of the group’s operations. A single CEO-like figure also appears to be at the helm of Trickbot and the Conti ransomware gang, receiving daily updates on the groups’ operations, the messages show. (Wired, NISOS)
Can’t get enough Talos?
- Talos Takes Ep. #153: You’re never going to believe this, but Lazarus Group is back again
- Vulnerability Roundup: Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
- Hackers modify open-source ‘SapphireStealer’ malware, leading to multiple variants
- Cisco Talos Research: New Lazarus Group Attack Malware Campaign Hits UK & US Businesses
- Healthcare remains the top target of hackers, reports Cisco
Upcoming events where you can find Talos
LABScon (Sept. 20 - 23)
Scottsdale, Arizona
Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with a one-click zero-day exploit.
Grace Hopper Celebration (Sept. 26 - 29)
Orlando, Florida
Caitlin Huey, Susan Paskey and Alexis Merritt present a “Level Up Lab” titled “Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence.” Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
ATT&CKcon 4.0 (Oct. 24 - 25)
McLean, Virginia
Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos
SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab
MD5: 4c648967aeac81b18b53a3cb357120f4
Typical Filename: iptjqbjtb.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201
SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa
MD5: 9403425a34e0c78a919681a09e5c16da
Typical Filename: vincpsarzh.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
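The "So now what?" section above suggests checking endpoints for this threat, and the list above is published in a fixed "SHA 256:/MD5:/Typical Filename:" layout. As an added example that is not part of the newsletter or of any Cisco tooling, the Python below parses that layout into indicator records and hashes local files against them, so a defender without Orbital can still sweep a host for the listed files. It embeds a constructed copy of two of the page's own records; the file scanned in the usage block is constructed here and is not malicious.

```python
"""Match local files against the SHA-256 / MD5 indicators from a Talos
'most prevalent malware files' list (added example, not Talos code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed copy of two records from the page's indicator list. The hash
# and detection-name values are the page's own; only the subset is ours.
TALOS_IOC_TEXT = """\
SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
"""

# One "Key: value" line of the newsletter layout.
FIELD_RE = re.compile(
    r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$"
)


def parse_ioc_list(text):
    """Turn the newsletter's record layout into a list of dicts.

    Each record starts at a 'SHA 256:' line; the following labelled lines
    belong to that record until the next 'SHA 256:' line.
    """
    records, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # ignore headings or stray text between records
        key, value = m.group(1), m.group(2).strip()
        if key == "SHA 256":
            current = {"sha256": value.lower()}
            records.append(current)
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    return records


def build_index(records):
    """Index records by both hash types so either a SHA-256 or an MD5 hits."""
    index = {}
    for rec in records:
        index[("sha256", rec["sha256"])] = rec
        if "md5" in rec:
            index[("md5", rec["md5"].lower())] = rec
    return index


def hash_bytes(data):
    """SHA-256 and MD5 of an in-memory blob (used for small samples)."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def hash_file(path, chunk=1 << 20):
    """Stream a file through both digests so large binaries are not loaded whole."""
    sha, md = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md.update(block)
    return {"sha256": sha.hexdigest(), "md5": md.hexdigest()}


def lookup(hashes, index):
    """Return the matching indicator record, preferring the SHA-256 hit."""
    for algo in ("sha256", "md5"):
        hit = index.get((algo, hashes[algo]))
        if hit is not None:
            return hit
    return None


def scan_paths(paths, index):
    """Return [(path, detection_name)] for every file whose hash is indexed."""
    hits = []
    for p in paths:
        rec = lookup(hash_file(p), index)
        if rec is not None:
            hits.append((str(p), rec.get("detection_name", "unknown")))
    return hits


if __name__ == "__main__":
    index = build_index(parse_ioc_list(TALOS_IOC_TEXT))
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "VID001.exe"        # constructed, benign content
        sample.write_bytes(b"not the real file")
        # A filename match alone is not a hit; only the hash is checked.
        print(scan_paths([sample], index))     # [] for this benign file
```

Filenames from the list are deliberately not used as a match criterion: "Typical Filename" is only what the file was usually called, and the random-looking names in the list show it changes per sample. Hashes are exact but brittle in the other direction (any rebuild changes them), so treat a sweep like this as a quick triage step, not a substitute for the endpoint detections Talos references.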