Onyx ransomware destroys files larger than 200MB leaving victims with tough questions about paying ransoms.
The post Onyx ransomware destroys files, and also the criminal circle of trust appeared first on Malwarebytes Labs.

Some ransomware authors seem to be further whittling down their tenuous circle of trust style agreement with victims even further. Word has spread of a new Onyx ransomware operation which is quite a bit more destructive than those impacted would be hoping for.

The ransomware in question overwrites files larger than 200MB. Anything important is lost to the void forever, and only files smaller than this will be recovered should the victims pay up. This is not only very bad, but could also inspire other groups to do much the same thing. The message is loud and clear: ransomware authors simply don’t care about playing “fair” anymore.

**Trending towards destruction**

It used to be that ransomware authors tended to stick to somewhat peculiar honour among thieves style rules. If your ransomware operation gets a reputation for not decrypting files once payment has been made, people are less likely to pay up. Hand the files back, and you’ll get word of mouth spreading that you do, in fact, play fair – in a manner of speaking.

As ransomware operations evolved, more aspects have been added to what were once fairly straightforward acts. Regular attacks became “double threats”. That is to say, data is stolen before encryption takes place. If the company under fire refuses to pay a ransom, the ransomware authors come back and threaten to leak the stolen files.

This is a threat heaped upon a threat, but you’ve still got that code of honour rumbling away in the background. Pay up and they give the files back, right?

**2020: We paid up and they did not give the files back**

Ransomware gangs were already wavering on that whole “We’re still mostly trustworthy” thing back in 2020. Maze, Sodinokibi, Conti and many more started publishing stolen data even if the ransom had been paid out. As the article notes, there is a “fraying of promises” from ransomware groups to delete data once the payment takes place. Some folks used to argue that paying these groups was a last ditch resort, but a resort nonetheless and better than losing all of your data. Evidence strongly starts to suggest around this time that paying up offers little to no benefit, with no guarantees whatsoever.

**2021: No guarantees whatsoever**

It’s 2021, and we’ve already hit the “Only 8% of people who pay the ransom actually get their data back” part of this slide towards a realm where ransomware authors pretty much do what they feel like. The study explains that more organisations are deciding to pay up – despite data being returned to victims as good as flatlining. Whether you pay the original asking price, or negotiate down, or even pay by the first deadline date: it doesn’t seem to matter. The answer to “will my data be leaked anyway” may as well be viewed in a Magic 8 ball.

**2022: Oh no, my circle of trust**

In 2022, any pretence of expectations or trust from ransomware authors has sailed into the mist, never to return. Ransomware is now too big and too unwieldy, to make any real sense of expected operation. What we can expect is for extortion to continue even after the ransom has been paid. As the article notes, a combination of RaaS (Ransomware as a Service) being fairly short lived and affiliates mostly doing their own thing regardless of main group expectations means it’s pretty much a free for all.

One eye-opening statistic is that 83% of successful attacks were double or triple threat attempts. When ransomware groups threaten to lock files forever, but also threaten to leak files already exfiltrated, and _also_ claim they’ll increase the ransom and tell all business affiliates if you don’t pay up: what _do_ you do in that situation?

**Trust me, they say, as they disintegrate your files**

It’s very hard to believe at that point that a criminal enterprise with so many fingers in so many pies is simply going to leave you alone if you pay up. There’s too much data up for grabs, and too many more ways for them to profit from it. It’s reaching the stage where it simply does not matter if you pay at all, which naturally enough begs the question: Why do it?

You can’t plan your data recovery and incident negotiations around the toss of a coin, but that’s where we’re currently at. There’s no easy answer for this problem, but relying on ransomware authors to do the right thing continues to recede into the distance. Smash and grab tactics may well end up morphing into smash, with grabbing optional.

Onyx ransomware destroys files, and also the criminal circle of trust

We take a look at a wave of compromised facebook pages claiming your account is going to be closed in 12 hours.
The post Facebook phishers threaten users with Page Recovery Help Support appeared first on Malwarebytes Labs.

We’ve seen multiple hijacked profiles on Facebook recently claiming to be account recovery services. These bogus account recovery services aren’t here to help. They’re actually just trying to scare users into falling for phishing attempts.

The people behind these scams target Facebook pages belonging to musicians, products, and businesses of all kinds. In what may be a peculiar coincidence, quite a few of the accounts we looked at belonged to spa/beauty treatment small businesses.

Once the page has been taken over, the hijacker changes the name, profile picture, and more to look like it’s a support page.

Here’s a typical list of some of these compromised accounts:

_That’s a lot of support_

As you can see, there’s no real rhyme or reason to the hijacks. Just a big list of random pages ready to get up to mischief.

**With great power comes great transparency**

The dates of the pages being altered can be seen via Facebook’s “Page transparency” popup. The majority of those we’ve observed appear to have been hijacked in the last month or so. If you’re not familiar with this popup, it’s all about providing a fuller picture of what a page is all about.

When was it created? How many times has the name changed? Has it merged with another page? Which country does it operate out of? This is what the transparency box looks like:

_Transparency report_

**How do scammers go phishing?**

Businesses on Facebook have a dedicated page for their organisation, containing information, updates, and posts about the latest happenings. These pages are operated by one or more Admins, using their personal accounts. Should any of those users suffer an account compromise, the business page may become vulnerable as a result. The compromiser is able to set about changing the business page to suit their needs.

Let’s assume an account responsible for a page has just been compromised. The people behind this have made significant alterations to the page description and layout. Instead of a portal advertising the latest gardening tools or hair fashion, it’s now claiming to help you recover lost Facebook pages.

Potential victims are linked to a notification on the compromised account’s page via messaging. These pages are also easy to stumble upon while searching for content in Facebook itself – this is how a relative first brought it to my attention. A rather dire warning lies in wait for anyone viewing it:

_It’s account blocking time_

> _Your account will be deactivated. This is because someone has reported you with non-compliance with the terms of service. If you are the original owner of this account, re-verify your account to avoid blocking. Click here \[URL removed\]_
> 
> _If you do not confirm within 12 hours, our system will automatically block your account and you will not be able to use it._
> 
> _Thanks,_
> 
> _Bruce,_
> 
> _Security Support Specialist_

Well, that’s alarming. Thanks, Bruce, if it _is_ your real name (it is not). Here”s another example of a compromised page:

_Searching for hits_

Note the attempt at some form of keyword/search spam at the bottom, in an effort to be as visible to users as possible.

**Landing on the phish**

No matter which compromised warning page you land on, they all want you to visit a phishing page. These differ from account to account, but the landing pages are all pretty much the same. Here’s one example:

_Phishy behaviour_

Note that the page here isn’t even HTTPs.

We can’t say for sure what they’re doing with the stolen accounts, but once they have them, spam and malicious messaging would be the best bet. They’ll likely be used to compromise more accounts down the line. If any stolen accounts have access to business pages, no doubt they’ll create more fake recovery pages too. Whatever they’re up to, it won’t be anything good.

While drafting this blog, we became aware of research already published by Abnormal Security. The research covers similar tactics: hijacking business pages to phish. The fraudulent activity covered there includes fake emails, and a longer time limit (48 hours to respond, instead of just 12), and its well worth reading.

**Keeping your Facebook account safe**

*   Enable two-factor authentication on your account.
*   Consider using a password manager. It will help you use a different and difficult password for every online account you have. Better still, if the password manager has the ability to match the page you’re on with the one you’re trying to log into, it won’t work if the site is a phish.
*   Set up login alerts so you get notified if anyone tries to login to your account from a new device.
*   Don’t believe random warnings of account loss. You can always reach out to contact Facebook support directly if you’re unsure.
*   If you need to report that your own account has been compromised, you can send Facebook a message directly about your problem. Facebook also provides a variety of information related to specific situations here.

Pressuring people into handing over logins “or else” is a pressure tactic that’s been around forever. Making them “confirm” in 12 hours or less is one of the tighter time limits we’ve seen. Don’t panic, contact support, and go about your day. Those dire warnings of account loss and removal are almost certainly going to be a lot of phishy nonsense.

Facebook phishers threaten users with Page Recovery Help Support

It seems we're never short of Bitcoin scams banking on the popularity of Elon Musk. Here's another one of them.
The post Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site appeared first on Malwarebytes Labs.

So Elon Musk is buying Twitter, and you can be sure that scammers are making the most of this news.

As Elon Musk spends most of the week in the headlines, so pop up Elon Musk-themed scams—and it looks like they may be ramping up.

We witnessed a flurry of replies from the man himself in response to someone making a comment.

_“Oh. Wait a minute….”_

Sadly, it isn’t him but rather an army of bots, all bearing the same current profile picture of the Tesla CEO as his official Twitter account.

All of the URLs in their responses are shortened. No matter which one a user clicks, they all lead to the same website. You may be surprised when you see what it is.

_“Wait a minute…!”_

Musk must have taken the leap into longform blogging and is now a Medium author. He’s also off to a flying start with fewer than 5,326 claps on his first post. However, pulling at the page threads reveals more than the creator may have been bargaining for.

The page claims that Musk is doing an “official” ETH (Ethereal) and BTC (Bitcoin) giveaway. This giveaway aims to hand out a significant amount of BTC, ETH, and DOGE (Dogecoin) to winning participants. Appealing—if you’re a big cryptocurrency user.

Everything about the page is intended to convince the visitor that it’s all genuine, down to the numerous comments from “Medium users” saying they received their funds.

_Comments from supposed giveaway participants. All are, of course, fake._

We checked all of the profiles in the replies. With one exception—an account seemingly posting spam blogs—all of them lead to the official Medium front page, 404 pages, or suspended profiles.

This isn’t very reassuring. When we checked out the three links for the “giveaways,” it gets worse. Here’s a familiar face:

    Tesla 100 000 ETH Giveaway!
    
    To verify your address, just send from 0.5 to 100 ETH to the address below and get from 5 to 1000 ETH back!

Regular readers will recognize this design, as it’s similar to the landing page we covered concerning a fictional space marathon Tesla giveaway.

While this setup throws ETH and DOGE into the mix, it’s notable that the maximum donation suggested through BTC has increased. In contrast, the fake marathon giveaway asked visitors to send between 0.02 to 1 BTC.

Donations via DOGE and ETH coins are no joke either. For the former, it asks for amounts between 2,000 and 100,000 DOGE coins, hoping to get 20,000 to 1,000,000 back. That’s worth $276 to $13,801, with participants wishing to receive between $2,769 and $13,846 (based on rates at time of writing).

For the latter, it asks for between 0.5 to 100 ETH coins with a promised return of 5 to 1,000 ETH. That’s between $1,425 and $285,045 with a significant return of $14,252 to an extraordinary $2,850,458 (based on rates at time of writing).

We don’t know if whoever runs these sites is also responsible for the space marathon, but the giveaway page seems easy to reuse as a template. Scammers on this one appear to be a lot more ambitious than the space marathon people ever were.

The BTC address flags up across several spam or warning databases. One particular report is interesting, in which it claimed the address was involved in ransomware and appeared to be from a victim who claims to have recovered their money in “less than 48 hours”.

_Created with GIMP_

The report says:

    Good work deserves recommendation... i lost over 2.3 BTC on Instagram bitcoin scam.. Right about 2 weeks after my ordeal with them I tried using the recommendation from someone on one of the comment section {redacted}. I was able to get all my money back in less than 48 hours. Contact {redacted} to recover all your stolen bitcoins free of charge.

Visiting the URL in the comment opens a non-HTTPs site claiming it is the Internet Crime Complaint Center (IC3), asking visitors to submit their name, address, phone number, email, transaction date, and “proof of payment”.

_Don’t be fooled. This is just one of the many faces of a recovery scam._

If you’ve lost funds to the relevant BTC address, we suggest contacting the official IC3 site or the closest equivalent in your region. As for the many, _many_ Elon Musk-themed Bitcoin giveaways, we advise you to ignore them.

What’s noticeable with these is that the scammers are creative in their ways to get you on board. These aren’t effort-free generic sites, and they’re just off the wall enough to make Elon Musk fans think they’re the real deal.

Stay vigilant, and stay safe!

Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site

A bank executive needs your help to move a client's inheritance. Yes, you read that right.
The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

![“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-479807743-900x506.jpg)

Posted: April 27, 2022 by

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

    Greetings,
    
    I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.
    
    For more details, write me on my personal contact e-mail on: {redacted}
    
    Yours Sincerely,
    
    Mukhtar Malik Hussain.

The mail the scammers want you to reply to is different to the mail it came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

    Attention,
    
    Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.
    
    Best regard,
    
    Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

    Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.
    
    So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

**RELATED ARTICLES**

![Social engineering attacks: What makes you susceptible?](https://blog.malwarebytes.com/wp-content/uploads/2018/07/shutterstock_546129427-604x270.jpg)

August 2, 2018 - Cybercriminals will do what it takes to get what they want, whether that's breaching a corporate network or stealing credentials with malware. But what do we do if hackers are hacking us instead of our computers? Here's how to tell if you're susceptible to social engineering attacks, and what to do to combat them.

![A week in security (October 16 – October 22)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

October 23, 2017 - A compilation of notable security news and blog posts from Monday, October 16 to Sunday, October 22. We talked about adware and malware in Google Play, a ransomware exclusively targeting South Korea, BYOD, a new 419 scam, cyptocurrency mining, and more.

![Nigerian scams without the Nigerians](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_180970511-604x270.jpg)

September 6, 2017 - Many in the United States are familiar with Nigerian scams, but what kind of scams are going on in non-English countries? Take a look at the Chinese version – the seminar scam.

![A week in security (August 28 – September 3)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

September 4, 2017 - A compilation of security news and blog posts from the 28th of August to the 3rd of September. We touched on Kronos, Locky, a 419 scam, insider threats, and more!

![The little 419 scam that could](https://blog.malwarebytes.com/wp-content/uploads/2016/07/photodune-1132955-donation-s-604x270.jpg)

July 25, 2016 - It has been six months since David and Carol Martin, a Scottish couple in the UK, received the highest National Lottery pay out made to any winner to date. And scammers have been taking advantage of it for half a year now. Don't be misled by this so-called "donation scam".

“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance

Cyber insurance is back in the news, but this time the focus is on personal insurance. We take a look at what's on offer.
The post What’s happening in the world of personal cyber insurance? appeared first on Malwarebytes Labs.

You’ve likely only seen cybercrime insurance primarily mentioned in relation to attacks on businesses. Most commonly, it’s cited with regard to ransomware attacks in the workplace, or associated data loss. Some folks think the mere presence of insurance simply encourages more attacks, and is hurting more than it’s helping. Now we have another string to the bow to consider. Personal insurance plans are slowly becoming a more visible and talked about topic.

**A brave new world, or same-old same-old?**

I’m fascinated to see talk of personal cyber insurance, in an area dominated by business.

The plans referenced in the article are for people seeking cyber insurance in India. It provides personal cover in a manner somewhat similar to contents insurance for the items in your home. The major difference is losing your digital items due to online shenanigans, as opposed spilling orange juice on your TV.

Premiums are based on how much you have to lose, and tailoring types of cybercrime to your package needs. If you make a lot of financial transactions online, that’ll bump the cost of the plan up too.

**A transactional offering**

Some of the exclusions listed are fairly eye-catching. For example, you’ll pay a higher premium the more online transactions you engage in. Despite this, losses incurred through cryptocurrency aren’t included which could be a deal breaker for many people. The Indian Government has floated the idea of banning cryptocurrency on at least one occasion, but eventually moved to a less aggressive regulatory approach at the end of 2021.

While it makes sense that insurers will be cautious around such rapidly changing stances, it’s no real consolation to cryptocurrency fans.

Some cyber threats listed may not have realistic or obtainable legal solutions in some countries, but they will in others. For people not in the latter group, an additional insurance safety blanket might be very useful.

**A helping hand against online stalking**

There’s some solid defence against people harassing others online in the policy types mentioned. For example, expenses are covered to prosecute people found to be stalking/bullying you online. So far, so good.

This same cover which provides legal fees to prosecute stalkers _also_ provides the insured with costs against invasion of privacy.

So many examples of cyber insurance only ever focus on the technical aspects of online crime, or ransomware backups. It’s nice to see a more human aspect working its way into the mix. In some countries, the rules are fairly stacked against people and aren’t necessarily conducive to tackling online harassment. Knowing there’s a bit of backup to help with this kind of situation may itself make harassers think twice.

**From add-on to standalone**

Seeing cyber insurance as a standalone package for individuals is rather novel. In the UK at least, most—if not all—cyber offerings I’ve seen are add-on packages to regular insurance policies. For example, one major insurer offers it across all their insurance tiers and it covers the usual issues like ransom, fraud, restoration of systems, defamation and so on. Unlike the India-centric policy above, identity theft is included by default in regular, non-cyber packages.

The standalone offerings I’ve seen usually ask you to contact them to arrange a premium, as opposed to having a default one-size-fits all price. Some include monitoring customer data for breaches, including issuing alerts when necessary. Others seem to fall into more traditional areas of cover, offering to replace or repair damaged devices and recover data.

I’ve seen a few offer 24/7 cyber-helplines, credit reports, and “ransom monies” made available in ransomware cases. Some insurers have grey areas related to working from home, or just flat out refuse to cover it. All this, without the added complexity of business insurance and the question of whether it’s right to pay out to ransomware authors in the first place.

**Drawing insurance lines in the sand**

It’s a bit of a tumultuous time for insurers in the digital realm as they try to define what, exactly, is or isn’t up for coverage. Real world insurers use act of God policies, not covered by insurance. Cyber insurers are quickly coming up with their own non-coverable issues.

Then there’s the thorny problem of insurance companies themselves being juicy targets for attackers. I’m fairly certain they don’t have to look for decent cyber insurance quotes from competitors themselves. It’s still a very odd thing to think about in an industry still figuring out its role where rogues costing their customers money don’t play by the rules.

What’s happening in the world of personal cyber insurance?

Soon, all countires in Europe, including the UK and Switzerland, will have the power to accept all and reject all cookies with a single click.
The post “Reject All” cookie consent button is coming to European Google Search and YouTube appeared first on Malwarebytes Labs.

Google will soon be giving European countries a “Reject All” button in the Search and YouTube cookie consent banner.

This change, which was revealed by Google’s Product Manager for Privacy, Safety & Security Sammit Adhya in a blog post, has already been rolled out in France and will be cascaded to the rest of the European Economic Area, the UK, and Switzerland. Adhya didn’t provide a date on the cascade.

From the Adhya’s post:

> “In the past year, regulators who interpret European laws requiring these banners, including data protection authorities in France, Germany, Ireland, Italy, Spain and the UK, have updated their guidance for compliance. We’re committed to meeting the standards of that updated guidance and have been working with a number of these authorities.”

With directions from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Google finished a redesign of its cookie banner and changed the infrastructure behind how it handles cookies.

CNIL slapped Google with a $170M (€150M) fine for the confusing language in its cookie consent banners earlier this year. CNIL also found the asymmetry of letting users accept all tracking cookies with one click but allowing them to painstakingly untick individual options to reject them all as “unlawful.” Because the average user typically doesn’t want to bother doing this, they are left with no choice but to click “Accept all”—a win for Google’s business.

France has a strong case for declaring Google’s cookie consent behavior. In a 2019 study conducted by academics at Ruhr University Bochum (Germany) and the University of Michigan (USA), researchers found that European consumers think that most cookie consent notices are meaningless or manipulative.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/google-new-cookie-banner-600x565.png)

_Google has made it easy for users to accept and reject all cookies with this new consent banner first released to French users. (Source: Google)_

Adhya implied that this could be the first step for Google to change the way cookies work on its sites. He said he knew the implications of these changes and how they impact other sites and content creators who conduct business online.

> “We believe this update responds to updated regulatory guidance and is aligned with our broader goal of helping build a more sustainable future for the web. We believe it is possible both to protect people’s privacy online and to give companies and developers tools to build thriving digital businesses.”

“Reject All” cookie consent button is coming to European Google Search and YouTube

Emotet is back with a new spam campaign. And it's now spreading itself as a shortcut link file pretending to be Word document.
The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

![Emotet fixes bug in code, resumes spam campaign](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-1277291140-900x506.jpg)

Posted: April 27, 2022 by

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/FQ-puUmWUAERnF2-600x392.jpeg)

_Sample email of an Emotet spam containing a defective attachment.  
(Source: @malware\_traffic)_

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a shortcut link file (has the .LNK extension) inside pretending to be a Word document file.

Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another malware like ransomware or Cobalt Strike. However, the bug happened immediately after the attachment was clicked.

You see, double-clicking the file sets off a chain. A command looks for a string hidden in the .LNK file containing code written in Visual Basic. This code is then appended to a new VBS file before executing that file. But, the shortcut file a command statically calls to does not match the actual name of the attached shortcut file. For example, the command code calls for “Password2.doc.lnk”, but the attached file itself is named “INVOICE 2022-04-22\_1033, USA.doc”. This error breaks the infection chain.

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in this Twitter thread:

> #emotet Update – As of the last few hours Ivan is running some tests on E4 to try to bypass detection by appending a VBS at the end of an LNK file in a zip. The LNK when launched will find a string in itself and then copy the remainder from that string after to a VBS file. 1/x https://t.co/pEcOWdbfOa
> 
> — Cryptolaemus (@Cryptolaemus1) April 22, 2022

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) “marking.” Mark of the Web is a Windows feature that determines the origin of a file downloaded from the Internet.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted this. Proponents of Emotet and IcedID were just some of them.

Emotet has been revolutionizing its way of reaching victims during its years of activity. Historically, it was spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which has been used by other criminal groups to drop their own malware, causing multiple system infections. Some of the files it drops are QBot, QakBot, TrickBot, and Mimikatz (a legitimate tool used to steal credentials).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

*   ACH form.zip
*   ACH payment info.zip
*   BANK TRANSFER COPY.zip
*   Electronic form.zip
*   form.zip
*   Form.zip
*   Form – Apr 25, 2022.zip
*   Payment Status.zip
*   PO 04252022.zip
*   Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.

Stay safe out there!

**RELATED ARTICLES**

Emotet fixes bug in code, resumes spam campaign

A group of French hospitals was taken offline afetr a data breach has been discovered. The stolen data are patient records including SSN, banking information, email addresses, and phone numbers.
The post Hospitals taken offline after cyberattack appeared first on Malwarebytes Labs.

![Hospitals taken offline after cyberattack](https://blog.malwarebytes.com/wp-content/uploads/2022/04/empty_hospital_room-900x506.png)

Posted: April 26, 2022 by

The GHT Coeur Grand Est has become a victim of a cyberattack on the hospital centers of Vitry-le-François and Saint-Dizier. The hospital’s administration has warned \[French\] that data have been exfiltrated and might be used for phishing in the future.

As a consequence, the GHT Cœur Grand Est has cut all incoming and outgoing internet connections from its franchises in order to protect and secure information systems and data.

**GHT Coeur Grand Est**

The GHT (Groupements Hospitaliers de Territoire) Coeur Grand Est is a group of nine hospitals in the Northeast of France (around Bar-le-Duc). Together they employ some 6,000 healthcare professionals and serve around 300,000 inhabitants of the region. Most of the hospitals within the GHT network operate their own IT infrastructure, but they do share certain resources. The stolen data come from the hospital centers of Vitry-le-François (Marne) and Saint-Dizier (Haute-Marne).

**The attack**

On April 19, staff discovered a network breach in the systems of the GHT. During that breach, the attackers managed to copy essential administrative data. As a result, the GHT decided to cut all incoming and outgoing internet connections until the situation was resolved.

The applications and software used internally on a daily basis were not affected by the attack and remain operational, but certain services like making online appointments aren’t possible at the moment. The computerized patient file system is fully functional.

The hospitals said the IT team is working to assess and identify the damage and, as quickly as possible, re-establish secure links with the outside world. The information flows that come from outside, mainly lab results, are handled in old-fashioned paper format or, as was done years ago, by fax.

**Vigilance**

The GHT has warned customers to be vigilant, saying there is no guarantee that the exfiltrated files will not be shared and used by malicious people.

GHT customers should stay on the lookout for targeted phishing attempts and scams that may look more trustworthy because the scammers have information you wouldn’t expect them to have.

*   Pay attention to the sender of messages, even if they appear to be an official sender.
*   Be careful with attachments. Don’t open them until you verified the origin.
*   Never respond to a request for confidential information, in particular banking information.
*   Pay attention to the content and wording of the message received. Phishing attempts often introduce some kind of urgency by scaring the receiver or putting time pressure behind the response.
*   Be wary of phone calls or texts from unknown numbers.

**Stolen data for sale**

While the hospital center’s announcement doesn’t contain any attribution clues, Bleeping Computer spotted a new entry on Industrial Spy’s website, a new marketplace for stolen data.

![listing on Industrial Spy platform](https://blog.malwarebytes.com/wp-content/uploads/2022/04/IndustrialSpy-600x62.png)

_image courtesy of Bleeping Computer_

Industrial Spy is a dark web platform that promotes itself as a marketplace for buying corporate data that contain sensitive information like schematics, financial reports, trade secrets, and client databases.

In this case, however, Industrial Spy isn’t offering anything that could draw the attention of a competitor. Instead, the data set exposes patient data among other administrative documents. The threat actors claim that the stolen personal data of patients includes social security numbers, passport scans, banking information, email addresses, and phone numbers.

Stay safe, everyone!

**RELATED ARTICLES**

![News Corp falls victim to cyberattack](https://blog.malwarebytes.com/wp-content/uploads/2022/02/NewsCorp_header-604x270.png)

February 7, 2022 - Media giant News Corp says it fell victim to a cyberattack that it discovered in January. Investigators suspect China to be behind the attack.

![50 percent of schools did not prepare for secure distance learning, Labs report reveals](https://blog.malwarebytes.com/wp-content/uploads/2019/06/MB_LABS-01-1-604x270.png)

December 7, 2020 - Schools faced a crisis this year, as the coronavirus forced educators across the country to suffer through lacking cybersecurity, our new report reveals.

![8 everyday technologies that can make you vulnerable to cyberattacks](https://blog.malwarebytes.com/wp-content/uploads/2018/08/everydaytechnologies-604x270.jpg)

August 9, 2018 - The security vulnerabilities of the latest developments in tech have been well documented. But what about everyday technologies that have been around for a while or are widely adopted? Here are eight commonly-used tech conveniences that are not as ironclad as you might hope.

![Singles’ Day deal seekers beware](https://blog.malwarebytes.com/wp-content/uploads/2017/11/shutterstock_7491459792-1-604x270.jpg)

November 9, 2017 - Originally a day set aside for singles in China to be proud of their singlehood, Singles’ Day has been transformed into what is arguably the world’s single largest e-commerce festival, thanks to the involvement of The Alibaba Group. In fact, the Alibaba Group alone reported $17.8 billion in sales; six times higher than what was...

![Remediation vs. prevention: How to place your bets](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_436847836-604x270.jpg)

September 13, 2017 - Building a security environment for businesses is a gamble these days. It's remediation vs. prevention. Which should you bet on?

Hospitals taken offline after cyberattack

Phishers racked up an enormous haul of stolen cryptocurrency via rogue Google ads. Time to check if you're free from bad ad worry.
The post Rogue ads phishing for cryptocurrency: Are you secure? appeared first on Malwarebytes Labs.

Bad ads are at it again. Rogue Google ads caused no end of misery for cryptocurrency enthusiasts, costing them roughly $4.31 million between the 12th and the 21st of April. This is an astonishing slice of cryptocurrency cash to lose for the sake of clicking on something in a search engine.

The bogus links were at the top of results for Terra blockchain projects. Searches for projects like Astroport or Anchor resulted in the below search results:

> Our security team conducted an analysis of this incident and discovered that the bulk of this attack was from google phishing ads. Users would search well know projects on the Terra blockchain such as @anchor\_protocol or @astroport\_fi only to click on the first link by google. pic.twitter.com/aucIcnsCd7
> 
> — SlowMist (@SlowMist\_Team) April 21, 2022

The design of the phish page is quite similar to many that we’ve seen. They’re quite basic, and include little beyond a set of “connect your wallet” buttons. However, as you can see in the below tweet, they’re after people’s seed phrase:

> These may look like normal ads and some even show the same domain names, but once you click on the link, the domain name actually changes. When clicked, it'll prompt you to connect your wallet, however instead of connecting, users are asked to input their seed phrase. pic.twitter.com/OZjifaJ17m
> 
> — SlowMist (@SlowMist\_Team) April 21, 2022

We’ve talked about seed/recovery phishing several times. Seed phrases are your keys to the kingdom, and giving them to a phisher could have serious consequences. It’s no wonder these phishers made off with so much money.

**The problem with bad ads**

Rogue adverts have been around pretty much for as long as paid adverts have existed. They’ve been the stomping ground of exploit kits, ransomware, fake tech support scams, and much more for years.

One of the main ways to hurt yourself in a search engine used to be SEO poisoning. That didn’t involve ads, but rather involved the search results themselves being bad. If a site got compromised and the content altered, innocent looking results could end up whisking you away to spam or malware. Alongside SEO poisoning, which search engines really tried to clamp down on, bogus ads started making major inroads.

**Big numbers, big rewards**

Ad fraud costs billions each year. Any network could potentially allow a bad actor onboard, and that’s before you consider that there are rogue ad networks who simply don’t care what’s being pushed to end-users. Slow, cumbersome static ads were replaced by real time bidding, and techniques to push bad content became ever more inventive.

On top of that, you have the usual tricks like fingerprinting and browser search string agents to ensure your bad content reaches specific people. For example, only allowing certain mobile users to land on your mobile-centric scam page. Or how about stopping users at a gateway to see if they run exploitable types of software before letting them progress to the exploit page?

The SEO poisoning tactics all look a bit antiquated next to the “paid-for ad might lose you a fortune” merry-go-round.

**Blink and you’ll miss it?**

The big problem with paid ads in search engines is one of assumed legitimacy. The fact that they usually appear at the top of the page originally led to complaints that they were being mixed up with “proper” results. This brought about many changes to make it clearer that paid ads were just that.

Sadly, people still struggle with figuring out paid ads vs organic. Close to 60% in one survey didn’t know the difference. This is despite changes from search engine providers for both desktop and mobile platforms.

> Last year, our search results on mobile gained a new look. That’s now rolling out to desktop results this week, presenting site domain names and brand icons prominently, along with a bolded “Ad” label for ads. Here’s a mockup: pic.twitter.com/aM9UAbSKtv
> 
> — Google SearchLiaison (@searchliaison) January 13, 2020

Does the word “Ad” next to the result in Google really leap out enough to be noticeable? Or when “Ad” appears in Yahoo! or the additional “Ads related to…” under the main ads? How about Bing’s very tiny “Ad” next to the results?

I vaguely recall a search engine placing paid results in a prominent box a few years back, but I suppose I could just be mixing it up with a screenshot of someone _highlighting_ a rogue advert instead.

**Avoiding bad ads**

There’s multiple ways to avoid bad ads, but some of them come at a cost to either yourself or the sites serving the ads. It’s one of those very personal choices for which there’s no single fit. I’m not going to suggest you do any of these; I’m merely going to give you examples of what people do and leave the decision in your hands.

1.  Some folks have simply had enough of adverts. They’ll install ad-blockers, hit the “disallow all” button, and that’s that. However, one drawback is that sites you like may not work. You’ve definitely seen a “please unblock our ads to continue” message at this point. Some sites take a hard line on this, and it’s a case of unblock or go elsewhere. Others will allow you to choose whether to view the site with the ads still blocked, or add them to your “safe site” list. Sometimes this goodwill gesture is enough to have the visitor unblock the ads. If it doesn’t and someone becomes a repeat visitor anyway (with ads still blocked), then the site loses ad revenue.
2.  Others may go down the script blocker route. This may allow ads, but will potentially contribute to preventing forms of redirect and/or malicious script loading. Script blocking tools are a lot better than they used to be, with more customisation available than ever before. In the bad old days, it was mostly a case of “enable this and break hundreds of websites”. The trade-off here is that you may end up enabling something that renders the site usable, but also allows for bad things to happen.
3.  Security tools. This is one of the more hands-on ways to shut bad things down. Browser extensions, security tools with real-time protection, regular security scans, and keeping your system (and programs) up to date will all help keep exploits, phishing pages, and malware far away, even with all adverts enabled. Nothing is guaranteed, of course, and that’s why several layers of defence tailored to your specific requirements will do significant heavy lifting on your behalf.

Rogue ad attacks are sadly a fact of internet life, and targeting cryptocurrency enthusiasts means potentially massive payouts in comparison to some other forms of phishing. With no way to get your stolen coins back in most cases, it’s not something you can afford to ignore. Start shoring up those defences now, and have a long think about the level of advert exposure you’re comfortable with.

Rogue ads phishing for cryptocurrency: Are you secure?

We take a look at a round of phishing mails being sent to people in Belgium, promising tax-related refunds.
The post Watch out for this SMS phish promising a tax refund appeared first on Malwarebytes Labs.

Imagine logging into your bank’s website after responding to a text message claiming you’re due a refund, only to see a warning to watch out for bogus texts:

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish7-600x365.jpg)

Beware of SMS phishing!

For those who don’t read Dutch, the warning reads:

> Never respond to unusual emails or texts!
> 
> Fraudsters often send e-mails under the guise of renewing your debit card or digipas. Never go into that. They refer to websites that are not owned by Argenta. Argenta will also never ask you to provide your card number by telephone because you will allegedly receive a new debit card or digipas.
> 
> Do you still receive suspicious messages?
> 
> Have you already passed on codes over the phone? Or has money already been withdrawn from your account? Please contact us immediately on (available 24/7 for victims of phishing).

The warning above is genuine, on a real bank’s website. But the warning, in this case, comes too late because this is the last and only legitimate stop in a victim’s passage through a phishing scam.

**The bogus SMS trail begins**

Here’s one of the suspect SMS messages, as tweeted by Twitter user @ypselon:

> it has been decided that you will receive a refund. to receive this amount you can visit our website \[url removed\]

The text claims to be from “FOD”. This is the Federale Overheidsdienst Financien in Belgium. The suspect URL includes a domain registered just this month (often a red flag), in India, rather than Belgium.

Visiting the site presents you with a message that says:

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish1-600x551.jpg)

A fake FOD website offering fake refunds

> Refund:
> 
> In order to receive a refund of your personal income tax, you must verify your account so that we can transfer the full amount of €278.35 to the correct account.
> 
> It is important to carry out a one-time verification as a check. Afterwards you will receive the amount on your account within a few working days.

For “one-time verification” read “send us money”.

We all love a tax refund so it’s an effective hook to lure in potential victims. Continuing reveals a large assortment of banks commonly used in Belgium.

**A slippery phish**

The scam site includes customised pages for each popular bank. Some ask for card details, others for account numbers. All are fake, all are trying to hoover up information that can be used to steal your money.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish5.jpg)

A phishing site asks for credit card details for a “one-time verification”

No matter which route you go down, entering your details will neither verify your identity nor secure you a tax refund. But all will leave you poorer and eventually redirect you to your bank’s real website (where you might encounter a warning about falling for scams like the one you’ve just fallen for).

At this point, your only option is to contact the bank for real, and tell them what’s happened. If you’re lucky, you may be able to have them shut things down. If not, days or weeks of hassle might lie in wait.

**Faking it to make it**

Fake tax refunds are hugely popular. They’re especially rampant during (or immediately following) any tax season. The Federale Overheidsdienst Financien has some advice for avoiding scams like this..

*   **If the FOD helped you with a tax return the previous year**, it may contact you by phone. The organisation warns that if the caller doesn’t know your name; asks for payment for assistance; asks to come to your home; or requests passwords, PINs, email, or address, then you should hang up.
*   **Report any request to provide confidential data** related to banking you receive by email, text, or WhatsApp.
*   **If you’re asked to make a payment to the FOD directly**, check their site because there’s only a limited number of ways to make a payment to an official account.