CyberWire Daily - Research Briefing: Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion. [CW Pro]
Episode Date: November 24, 2022. Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion.
Transcript
Here is your CyberWire Pro Research Briefing for Tuesday, November 22, 2022.
Proofpoint is tracking the return of Emotet earlier this month, warning that the malware's distributor has been sending out hundreds of thousands of phishing emails per day. The threat actor, which Proofpoint tracks as TA542, had been quiet since mid-July, but resurfaced on November 2nd. Notably, Emotet is being widely used to deliver the IcedID Trojan. Quote, the addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet. Emotet dropping IcedID marks Emotet as being in full functionality again by acting as a delivery network for other malware families. Emotet has not demonstrated full functionality and consistent follow-up payload delivery (that's not Cobalt Strike) since 2021, when it was observed distributing TrickBot and QBot. TA542's return, coinciding with the delivery of IcedID, is concerning. IcedID has previously been observed as a follow-on payload to Emotet's infections. In many cases, these infections can lead to ransomware. End quote.
Cisco Talos has published an analysis of LodaRAT, a remote access tool written in the AutoIt scripting language. Users of the malware have been modifying its source code to make it more efficient. Quote, over the course of LodaRAT's lifetime, the implant has gone through numerous changes and continues to evolve. While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware. As it grows in popularity, it is reasonable to expect additional alterations in the future. The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities.
Palo Alto Networks Unit 42 is tracking a large callback phishing campaign dubbed Luna Moth that's using legitimate tools to exfiltrate data for extortion. Callback phishing requires the victim to get in contact with the attacker. The attacker then uses social engineering to trick the victim into granting access to a system or transferring money. Quote, the initial lure of the campaign is a phishing email to corporate email addresses with an attached invoice indicating the recipient's credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they're for relatively small amounts. However, if people targeted by these types of attacks reported these invoices to their organization's purchasing department, the organization might be better able to spot the attack, particularly if a number of individuals report similar messages. The phishing email is personalized to the recipient, contains no malware, and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms. End quote.
The PDF has a phone number that will connect the victim to the scammer. The scammer then instructs the victim to download a remote support tool so the scammer can manage the victim's computer, supposedly to cancel the phony subscription. After exfiltrating the data, the attackers email the compromised organization and demand a ransom. The ransom amounts vary depending on the organization's revenue and range from $30,000 to over $1 million worth of Bitcoin. Unit 42 notes that the attackers don't always follow through with their promise to provide proof that the stolen data has been deleted.
And that's your CyberWire Pro Research Briefing.