<p>emotet - X-Industry - Red Sky Alliance (feed updated 2024-03-29T09:27:35Z; https://redskyalliance.org/xindustry/feed/tag/emotet)</p>
<h2>The Bad Guy's 3-R's</h2>
<p>https://redskyalliance.org/xindustry/the-bad-guy-s-3-r-s | 2023-03-21T12:10:00.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)</p>
<div><p>Malware has a way of grabbing all the attention in the media and keeping companies on their toes. The world watched as wipers were deployed to Ukrainian organizations after the Russian invasion of Ukraine, which marked the beginning of a time of instability that included ransomware and InfoStealers, as well. Adding to the negative cybersecurity load of 2022, the contemporary version of ransomware celebrated its 10-year anniversary.</p>
<p>And if that were not enough, researchers have seen that cybercriminals, like any sensible businesspeople, are big proponents of getting the most out of their resources. You might say they are practicing the <strong>r</strong>educe, <strong>r</strong>euse, <strong>r</strong>ecycle principles, but instead of being focused on environmental concerns, they are retrofitting code to enable more successful criminal outcomes.<a href="#_ftn1">[1]</a> Reduce, Reuse, Recycle!</p>
<p>In the second half of 2022, researchers saw the resurgence of familiar names in the malware, wiper, and botnet space - including Emotet and GandCrab, to name a few. The top five ransomware families, out of a total of 99 detected, accounted for about 37% of all ransomware activity in the second half of 2022. The most prominent malware was GandCrab, a RaaS threat that surfaced in 2018.</p>
<p>A group of Emotet variants was examined to assess their propensity for borrowing and recycling code. Emotet has undergone significant diversification, with variants dividing into about six different "species" of malware. Not content to simply automate threats, cyber-attackers aggressively improve upon successful innovations.</p>
<p>Cyber adversaries have an entrepreneurial spirit and are constantly seeking ways to increase the value of their existing investments and knowledge in attack operations, to increase their effectiveness and profitability. Reusing code allows hackers to build on previously successful results while iteratively improving their attacks and getting past defensive barriers. In fact, among the most common malware for the second half of 2022, the bulk of the top ranks were occupied by malware that was more than a year old. Some of them, like Lazarus, have existed for more than 10 years and are pillars of the history of the internet.</p>
<p>Resurrecting Old Tactics - Along with reusing code, attackers are maximizing opportunities by using well-known threats and existing infrastructure. For instance, if one looks at botnet threats by pervasiveness, many of the top botnets are not novel. Mirai and Gh0st.Rat have continued to dominate across all geographies, which is not surprising. Among the top five observed botnets, only RotaJakiro was created in the last couple of years. Although there is a tendency to dismiss older risks as history, businesses in all industries must maintain their vigilance.</p>
<p>Such "vintage" botnets remain in wide circulation because they continue to be highly effective. Because there is a return on investment, clever hackers will continue to exploit current botnet infrastructure and transform it into increasingly persistent versions using highly specialized techniques. In particular, the manufacturing sector, Managed Security Service Providers (MSSP), and the telco/carrier sector were all major targets of Mirai in the second half of 2022. This demonstrates an intensive effort of criminals to target those sectors with tried-and-true techniques.</p>
<p>Getting Ahead of The Game - It can be difficult for enterprises to keep up with constantly changing threats. The reuse of code and modularization made possible by a burgeoning Crime-as-a-Service ecosystem underscores the value of prompt security services that can help enterprises fend off threats with AI-powered, coordinated defense. Moreover, companies can achieve quicker detection and enforcement across the full attack surface if there is integration across all security devices, thereby lowering their overall risk posture.</p>
<p>Beyond technology, cybersecurity strategy really comes down to people. It takes a global team effort with robust, trustworthy relationships and collaboration among cybersecurity participants across public and commercial organizations and sectors to successfully disrupt cybercriminal supply chains.</p>
<p>Cyber awareness and hygiene training <strong>must</strong> be a cornerstone of any company and this must extend to all employees, not just those in IT or security functions. An estimated 80% of organizations reported last year that they had suffered one or more breaches due to a lack of cybersecurity skills and awareness.</p>
<p>Prepare for What’s Next - The latter half of 2022 was interesting, to say the least. Understanding the trends from this period will help you better understand how to keep your companies operating safely. According to what we have observed over the past six months, we cannot dismiss older threats. They are still actively evolving and searching for both unpatched systems and fresh vulnerabilities that will enable them to spread. Companies that use the above information and best practices will be better prepared to face what’s next on the threat horizon.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/bad-actors-resurrecting-old-tactics?lctg=141970831">https://www.fortinet.com/blog/threat-research/bad-actors-resurrecting-old-tactics?lctg=141970831</a></p></div>
<h2>A New and Improved Emotet</h2>
<p>https://redskyalliance.org/xindustry/a-new-and-improved-emotet | 2022-11-30T15:11:17.000Z | Jim McKee (https://redskyalliance.org/members/JimMcKee)</p>
<div><p>Over the past six months, the infamous Emotet botnet has shown almost no activity, and now it is distributing malicious spam. Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.</p>
<p>The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and loads into memory. It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet">https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet</a></p>
<p>The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps. The results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.</p>
<p>Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:</p>
<ul>
<li>2014 - Money transfer, mail spam, DDoS, and address book stealing modules.</li>
<li>2015 - Evasion functionality.</li>
<li>2016 - Mail spam, RIG 4.0 exploit kit, delivery of other trojans.</li>
<li>2017 - A spreader and address book stealer module.</li>
<li>2021 - XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.</li>
<li>2022 - Some features remained the same, but this year also brought several updates.</li>
</ul>
<p>This tendency proves that Emotet is not going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.</p>
<p>After almost half a year of “vacation,” the Emotet botnet has returned even stronger. Here is what you need to know about a new 2022 version:</p>
<ul>
<li>It drops IcedID, a modular banking trojan.</li>
<li>The malware loads XMRig, a miner that steals wallet data.</li>
<li>The trojan has binary changes.</li>
<li>Emotet bypasses detection using a 64-bit code base.</li>
</ul>
<p>A new version uses new commands:</p>
<ul>
<li>It invokes rundll32.exe with a randomly named DLL and the export PluginInit.</li>
<li>Emotet's goal is to get credentials from Google Chrome and other browsers.</li>
<li>It also uses the SMB protocol to collect company data.</li>
</ul>
<p>Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:</p>
<ul>
<li>The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.</li>
<li>Over its long development history, Emotet has stepped up its evasion strategy. As its process execution chain and its activity inside the infected system have evolved, the detection techniques that apply to it have changed drastically.</li>
</ul>
<p>For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:</p>
<p>eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho</p>
<p>Later, in the first quarter of 2020, Emotet started to create a specific registry entry: it writes a value under the key HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER with a length of 8 symbols (letters and other characters).</p>
<p>Suricata rules<a href="#_ftn1">[1]</a> always identify this malware, but detection often lags the first wave of a new campaign because the rules need to be updated. Another way to detect this banker is through its malicious documents: the crooks use specific templates and lures, often with grammatical errors in them. One of the most reliable ways to detect Emotet is with YARA rules<a href="#_ftn2">[2]</a>. So far, Emotet has not demonstrated full functionality or consistent follow-on payload delivery.</p>
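<p>The host-side indicators given above (the 2018 process names, the 8-symbol value under the Explorer key, and the rundll32.exe / PluginInit command line from the list of new commands) can be turned into a triage check. The script below is an added example written for this page, not Red Sky Alliance tooling: the indicator values come from the article, the process table and .reg export it scans are constructed, and reading the "8 symbols" indicator as the value name under the Explorer key is this example's assumption.</p>

```python
"""Host triage heuristics for the Emotet indicators described in the article.

Added illustration for this page, not Red Sky Alliance tooling. The indicator
values (2018 process names, the Explorer registry key, rundll32 + PluginInit)
come from the article; the sample process table and registry export are
constructed, and treating the "8 symbols" indicator as the value NAME under
the Explorer key is this example's assumption.
"""
import re
from dataclasses import dataclass

# Process names the 2018 variant ran under (list from the article).
PROCESS_NAMES_2018 = {
    "eventswrap", "implrandom", "turnedavatar", "soundser", "archivesymbol",
    "wabmetagen", "msrasteps", "secmsi", "crsdcard", "narrowpurchase",
    "smxsel", "watchvsgd", "mfidlisvc", "searchatsd", "lpiograd",
    "noticesman", "appxmware", "sansidaho",
}

# Key the 2020 variant writes into (from the article); compared case-insensitively.
EXPLORER_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER"

# "rundll32.exe <random>.dll,PluginInit" as described for the 2022 version.
RUNDLL32_PLUGININIT = re.compile(
    r"rundll32(?:\.exe)?\s+\S+\.dll\s*,\s*PluginInit\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str      # "process", "cmdline" or "registry"
    detail: str
    confidence: str  # "high" for exact indicators, "low" for the 8-char heuristic


def check_processes(processes):
    """processes: iterable of (image_path, command_line) tuples, e.g. from an EDR export."""
    findings = []
    for image, cmdline in processes:
        base = image.rsplit("\\", 1)[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base in PROCESS_NAMES_2018:
            findings.append(Finding("process", image, "high"))
        if RUNDLL32_PLUGININIT.search(cmdline):
            findings.append(Finding("cmdline", cmdline, "high"))
    return findings


def explorer_value_names(reg_export):
    """Yield value names stored directly under EXPLORER_KEY in a .reg export."""
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].upper()          # registry key paths are case-insensitive
        elif current_key == EXPLORER_KEY and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=', line)  # "name"=data; quotes may be escaped
            if m:
                yield m.group(1)


def check_registry(reg_export):
    """Flag 8-character value names; low confidence on its own, so corroborate it."""
    return [Finding("registry", EXPLORER_KEY + "\\" + name, "low")
            for name in explorer_value_names(reg_export) if len(name) == 8]


# Constructed sample data: benign host processes, one renamed binary, one loader command line.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Users\Public\soundser.exe", r"C:\Users\Public\soundser.exe"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\kfjd82.dll,PluginInit"),
    (r"C:\Windows\explorer.exe", "explorer.exe"),
]

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"qzvf7k1p"=hex:3a,12,ff,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\x\\OneDrive.exe"
"""


def triage(processes=SAMPLE_PROCESSES, reg_export=SAMPLE_REG_EXPORT):
    """Run every heuristic; findings come back in order: process, cmdline, registry."""
    return check_processes(processes) + check_registry(reg_export)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.confidence}] {f.source}: {f.detail}")
```

<p>On a real host the process table would come from an EDR or tasklist export and the registry text from reg export; the registry heuristic alone produces false positives (any 8-character value name matches), which is why it is reported at low confidence and should only raise priority when a high-confidence finding accompanies it.</p>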
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> Suricata rules are the de facto method for sharing and matching threat intelligence against network traffic. A rule consists of several components: the action and protocol, and the networks and ports to match the signature against (the rule header, e.g. "alert HTTP $HOME_NET any -> $EXTERNAL_NET any"), followed by the rule options in parentheses, such as the message, the content to match, and the signature ID (sid).</p>
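<p>To make those components concrete, here is an added example (written for this page, not Red Sky Alliance code) that splits a rule into its header fields and its option list. The header is the one quoted in the footnote; the options in SAMPLE_RULE are constructed for the demonstration and do not reproduce any published Emotet signature.</p>

```python
"""Anatomy of a Suricata rule: header (action, protocol, addresses, ports,
direction) plus the option list in parentheses.

Added illustration for this page, not Red Sky Alliance code. The header is the
one quoted in the footnote; the options in SAMPLE_RULE are constructed for the
demonstration and do not reproduce any published Emotet signature.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list  # (keyword, value or None) pairs, in rule order


# action proto src src_port direction dst dst_port ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sp>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dp>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def split_options(text):
    """Split 'k:v; k2; k3:"a;b";' on semicolons, ignoring those inside quotes or escaped."""
    opts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            token = "".join(buf).strip()
            if token:
                key, _, value = token.partition(":")
                opts.append((key.strip(), value.strip() or None))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("every option must be terminated by ';'")
    return opts


def parse_rule(rule):
    """Parse one rule; raise ValueError if the header is malformed or no sid is present."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("malformed rule header or option parentheses")
    opts = split_options(m.group("opts"))
    if not any(k == "sid" for k, _ in opts):
        raise ValueError("rule has no sid; Suricata will reject it")
    return Rule(m.group("action"), m.group("proto").lower(), m.group("src"),
                m.group("sp"), m.group("dir"), m.group("dst"), m.group("dp"), opts)


def is_valid_rule(rule):
    """True when parse_rule accepts the rule, False otherwise."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


# Constructed sample: the footnote's header plus made-up options (sid in the local range).
SAMPLE_RULE = (
    'alert HTTP $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"EXAMPLE HTTP POST to bare IP; constructed rule, not a real signature"; '
    'flow:established,to_server; http.method; content:"POST"; '
    'http.host; pcre:"/^\\d{1,3}(\\.\\d{1,3}){3}$/"; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(f"{r.action} {r.protocol}: {r.src}:{r.src_port} {r.direction} {r.dst}:{r.dst_port}")
    for key, value in r.options:
        print(f"  {key:<10} {value or ''}")
```

<p>The splitter tracks quoting and backslash escapes so that a semicolon inside a msg string or a pcre pattern does not end the option, which is the usual mistake in home-grown rule tooling; the sid check mirrors Suricata's own refusal to load a rule without one, and the rev field is what lets a rule be updated in place when, as the text above notes, a new Emotet wave requires it.</p>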
<p><a href="#_ftnref2">[2]</a> YARA rules are used to classify and identify malware samples by creating descriptions of malware families based on textual or binary patterns.</p></div>
<h2>Weekly Cyber Intel Report - All Sector 04 22 2022</h2>
<p>https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-04-22-2022 | 2022-04-22T12:33:03.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)</p>
<div><h2>Activity Summary - Week Ending on 22 April 2022:</h2>
<ul>
<li>Red Sky Alliance identified 9,534 connections from new IPs checking in with our Sinkholes</li>
<li>StreamHost in Belgium Hit 302x</li>
<li>Analysts identified 6,436 new IP addresses participating in various Botnets</li>
<li>Industroyer2 </li>
<li>Lightning Stealer</li>
<li>Emotet</li>
<li>TraderTraitor</li>
<li>Spying on Boris</li>
<li>Trolls in the Tolls</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}10427619085,original{{/staticFileLink}}">IR-22-112-001_weekly112.pdf</a></p></div>
<h2>Weekly Cyber Intel Report - All Sector 04 01 2022</h2>
<p>https://redskyalliance.org/xindustry/in | 2022-04-01T14:06:50.000Z | Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)</p>
<div>
<h2>Activity Summary - Week Ending on 1 April 2022:</h2>
<p>Today is April Fools' Day, but sound Cyber Security is No Joke. Call us for protection.</p>
<ul>
<li>Red Sky Alliance identified 15,105 connections from new IPs checking in with our Sinkholes</li>
<li>Kanzas LLC Moscow RU - 241 x</li>
<li>Analysts identified 1,392 new IP addresses participating in various Botnets</li>
<li>Emotet Variant</li>
<li>AbereBot is Escobar</li>
<li>Kaspersky Lab</li>
<li>Shortage of female Cyber Security Professionals</li>
<li>Hacked Ukrainian News Website</li>
<li>Spearphishing Attack from Belize</li>
</ul></div>
<h2>March 2022 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</h2>
<p>https://redskyalliance.org/xindustry/march-2022-motor-vessel-mv-motor-tanker-mt-impersonation | 2022-03-16T19:53:18.000Z | Michael Brousseau (https://redskyalliance.org/members/MichaelBrousseau)</p>
<div><p>Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em>Figure 3. Sender host by country</em></p>
<p style="text-align:center;"><em>Figure 4. Target host by country</em></p>
<p>Table 1: List of subject lines, type of malware sent, sender data and targets seen in Red Sky Alliance’s malicious email collection from the last 90 days. Information extrapolated from the Subject Line. <strong>The Full Table is attached -> <a href="{{#staticFileLink}}10215016297,original{{/staticFileLink}}">maritime_collection_data_table_march_2022.pdf</a></strong></p>
<p>Analyzing the subject lines shows a few similarities between phishing attempts. For instance, many of the subject lines use company or vessel impersonations and port names. Additionally, we see the use of common phrases used within the industry, attempting to establish credibility for the attacker. Analysts notice some emails using fake Purchase Orders, Remittances, and Pro-forma Disbursement Account Requests (PDA) to try scamming their victims. These are tempting lures for the recipient. Most of the vessel impersonations use the name of real ships, such as MV Blue Everton, MV Pacific Selina, MV Ever Shining, MV Atlantic Harmony, and MV Shaman Wisdom.</p>
<p>In the Sending Email field, we noticed the impersonations of different companies. These companies include Cosco Shipping Lines, Maersk, Kawasaki Kisen Kaisha, Ltd. ("K"Line), and Well Reach Logistics, all large and legitimate international companies. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent existing companies. These include Warong Soto, Coscon, Part Sales & Technical Service Team, and Operation Department.</p>
<p>One sample phishing attack from the collection is sent from “Maersk Line Shipping mir.bak@warongsoto.com” with the subject line “Maersk Line Shipping Notification. AWB45321xxxxx”. From 13 February to 17 February 2022, our data collections show this combination of subject line and sender email was used to send malware thirteen (13) times. The actor impersonating Maersk Line Shipping is sending the malicious email from the domain warongsoto.com. Another email claiming to be from Maersk used the subject line “B-L NOTICE FROM MAERSK” and was sent from “Anara Utepova <anara.serikbayeva@isker.kz>”. Our collections show that this campaign was used to send eight (8) emails between 21 February and 23 February 2022. A third Maersk impersonation campaign made use of the subject line “Maersk : Arrival Notice // NO: 1KT002324 // YENIGUN ORMAN // 7*40 FCL”, sent from the address “Maersk Notification <h.nathaniel@borsarigroups.com>”. This campaign sent seven emails between 10 February and 11 February 2022.</p>
<p>A number of phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most ports, shipping companies, and vessels. Vessels that have been impersonated multiple times include MV Pacific Selina (pictured right), MV Jabal Shams, MV Valerio, and MV Hai Phuong 87. </p>
<p style="text-align:left;">Finally, in the email analysis, we noticed malware similarities. In most of the emails, we have noticed some form of Trojan virus. The most notable Trojans installed include Agent Tesla, Valyria, Emotet, Darkstealer, and STRRat, among other generic trojans and exploits. Agent Tesla acts as a keylogger, downloader, and password-stealer, and is capable of taking screenshots on infected machines. Valyria is a trojan downloader that is frequently used to distribute Emotet by leveraging corrupted Microsoft Word documents. Emotet has recently made a comeback after the law enforcement operation “Ladybird” took Emotet down in January of 2022. It is likely that the Valyria infections are connected to the resurgence of Emotet, as Valyria was used in previous campaigns to install the Emotet banking trojan. Darkstealer is spyware used to steal passwords and banking information. STRRat is a Java-based Remote Access Trojan. These malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice, using corrupted Microsoft Excel or Word documents as well as PDFs.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. </p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p>The full Maritime Watch List is available here -> <a href="{{#staticFileLink}}10215071475,original{{/staticFileLink}}">maritime_watchlist_march_2022.csv</a></p>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>2022 Motor Vessel (MV) & Motor Tanker (MT) Impersonationhttps://redskyalliance.org/xindustry/2022-motor-vessel-mv-motor-tanker-mt-impersonation2022-01-25T16:00:50.000Z2022-01-25T16:00:50.000ZNathan Burnhamhttps://redskyalliance.org/members/NathanBurnham<div><p><a href="{{#staticFileLink}}10046387086,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10046387086,RESIZE_400x{{/staticFileLink}}" width="250" alt="10046387086?profile=RESIZE_400x" /></a>Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p>[Vessel keyword tables and charts, including Table 2 referenced below, were provided as images and are not reproduced here.]</p>
<p>Analyzing the subject lines shows a few similarities between phishing attempts. For instance, many of the subject lines use company or vessel impersonations and port names. Additionally, we see the use of common phrases used within the industry, attempting to establish credibility for the attacker. We also notice some emails (in table 2) using fake Purchase Orders or Remittances to try scamming their victims. Most of the vessel impersonations use the names of real ships, such as Navios Galaxy II, Almi Hydra, Jin Gang, Atlantic Harmony, and SM Jakarta. A few use fake names derived from the names of other real vessels, including Grand Hulk and VTB 38.</p>
<p>When investigating the Sending Email field, we noticed the impersonations of many different companies. Companies impersonated in these phishing emails include Hebei Ocean Shipping Company, Ltd (although the attacker replaces Company with Agency), Almi Tankers, S.A., SM Line, and DSV. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent currently existing companies. These are CML Logistics, Sahar Supply, and NSTQA.</p>
<p>One example that exemplifies the phishing attacks is the set of emails sent from “Interport Freight Systems, Inc”. The attacker uses the name of an existing company based in Hawthorne, California, but sends from an invalid web-port.live email domain. When attempting to visit this URL, Google Chrome flags the website as dangerous for its use in phishing attacks.</p>
<p>Lastly, in the email analysis, we noticed malware similarities. In all the emails, we have noticed some form of Trojan virus. The most notable Trojans installed include Emotet, Kryptic, and STRRat. Emotet was designed to steal sensitive information from the victim’s computer and acts like a worm to spread to other connected computers. Kryptic malware is a backdoor Trojan. Similar to Emotet, Kryptic also steals sensitive information from the victim’s computer. STRRat is a Java-based Remote Access Trojan. All of these malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. </p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul></div>Emotet Returns from the Dead and Brings a Friendhttps://redskyalliance.org/xindustry/emotet-returns-from-the-dead-and-brings-a-friend2021-12-15T19:25:32.000Z2021-12-15T19:25:32.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9913748094,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9913748094,RESIZE_400x{{/staticFileLink}}" width="250" alt="9913748094?profile=RESIZE_400x" /></a>The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were made to dismantle its infrastructure. The advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Emotet, believed to have originated in Ukraine, is also known as Heodo and was first detected in 2014. See: <a href="https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet">https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet</a></p>
<p>Most of the victims detected since 01 November 2020 are from Portugal (18%), the US (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), researchers noted in a report. Government, finance, and manufacturing entities are emerging as the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the analysts, who detected 223 different Trickbot campaigns over the course of the last six months. See: <a href="https://redskyalliance.org/xindustry/trickbot-malware-is-tricky-having-new-devious-versions">https://redskyalliance.org/xindustry/trickbot-malware-is-tricky-having-new-devious-versions</a></p>
<p>Both TrickBot and Emotet are botnets, which are a network of Internet-connected devices infected by malware and can be tasked to conduct an array of malicious activities. TrickBot originated as a C++ banking Trojan and as a successor of Dyre malware in 2016, featuring capabilities to steal financial details, account credentials and other sensitive information; laterally spread across a network; and drop additional payloads, including Conti, Diavol, and Ryuk ransomware strains.</p>
<p>Introduced by malspam campaigns or previously dropped by other malware like Emotet, TrickBot is believed to be the handiwork of a Russia-based group called Wizard Spider. This bad actor group has since extended its capabilities to create a complete modular malware ecosystem, making it an adaptable and evolving threat, not to mention an attractive tool for conducting a myriad of illegal cyber activities.</p>
<p>The botnet also caught the attention of government and private entities in 2020, when the US Cyber Command and a group of private sector partners spearheaded by Microsoft, ESET, and Symantec acted to curtail TrickBot's reach and prevent the adversary from purchasing or leasing servers for command-and-control operations.<a href="#_ftn1">[1]</a></p>
<p>These actions have only been temporary setbacks, with the malware authors rolling out updates to the botnet code that have made it more resilient and suitable for mounting further attacks. TrickBot infections in November and December 2021 have also escalated a surge in Emotet malware on compromised machines, signaling a revival of the infamous botnet after a gap of 10 months following a coordinated law enforcement effort to disrupt its spread. "Emotet could not choose a better platform than Trickbot as a delivery service when it came to its rebirth," the researchers noted.</p>
<p>The latest wave of spam attacks is prompting users to download password-protected ZIP archive files, which contain malicious documents that, once opened and macros are enabled, result in the deployment of Emotet malware, thereby enabling it to rebuild its botnet network and grow in volume. "Emotet's comeback is a major warning sign for yet another surge in ransomware attacks as we go into 2022," said Check Point's head of threat intelligence. "Trickbot, who has always collaborated with Emotet, is facilitating Emotet's comeback by dropping it on infected victims. This has allowed Emotet to start from a very firm position, and not from scratch."</p>
<p>In what appears to be a further escalation in tactics, new Emotet artifacts have been uncovered dropping Cobalt Strike beacons directly onto compromised systems, according to Cryptolaemus cybersecurity experts, as opposed to dropping first-stage payloads before installing the post-exploitation tool. "This is a big deal. Typically, Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You'd usually have about a month between [the] first infection and ransomware. With Emotet dropping [Cobalt Strike] directly, there's likely to be a much much shorter delay," a security researcher stated.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers pro-active solutions to protect your networks. Cyber intelligence is a needed key for your overall cyber security. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2021/12/140000-reasons-why-emotet-is.html">https://thehackernews.com/2021/12/140000-reasons-why-emotet-is.html</a></p></div>This May Be the End of Emotethttps://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet2021-05-04T16:50:54.000Z2021-05-04T16:50:54.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8892672262,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8892672262,RESIZE_400x{{/staticFileLink}}" width="223" alt="8892672262?profile=RESIZE_400x" /></a>A specially crafted update created by Germany's Bundeskriminalamt (BKA) federal police agency created and pushed the uninstall update. European law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world. Emotet was thought to be the world's largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a <a href="https://www.zdnet.com/article/emotet-worlds-most-dangerous-malware-botnet-disrupted-by-international-police-operation/">coordinated takedown of Emotet infrastructure in January</a> to rid the web of one of its worst menaces, which was used to spread banking trojans, remote access tools, and ransomware.</p>
<p>Part of the action involved law enforcement commandeering Emotet's command and control (C2) infrastructure to prevent its operators from using the botnet to spread more malware. <a href="https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-april-25-2021/">As reported by ZDNet in January</a>, law enforcement in the Netherlands took control of two of Emotet's three-tier C2 servers. </p>
<p>Emotet is a malware strain and a cybercrime operation believed to be based in Russia. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. Emotet uses functionality that helps the software evade detection by some anti-malware products. Emotet uses <a href="https://blog.malwarebytes.com/detections/worm/">worm-like capabilities</a> to help spread to other connected computers. This helps in distribution of the malware. This functionality has led the Department of Homeland Security to <a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank" rel="nofollow">conclude</a> that Emotet is one of the most costly and destructive malware, affecting government and private sectors, individuals and organizations, and costing upwards of $1M per incident to clean up.</p>
<p>"Law enforcement officials will deliver an Emotet update, 'EmotetLoader.dll' file, which will remove the malware from all infected devices. The run key in the Windows registry of infected devices will be removed to ensure that Emotet modules are no longer started automatically and all servers running Emotet processes are terminated," said security company Redscan. "However, it is important to note that the switch-off does not remove other malware installed on infected devices via Emotet, nor malware from other sources," <a href="https://www.redscan.com/news/rise-and-fall-emotet-botnet/">it added</a>.</p>
<p>The cybersecurity firm Malwarebytes has now <a href="https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/">analyzed the law enforcement Emotet uninstaller</a>. Essentially, law enforcement used Emotet's botnet infrastructure to dismantle the malware. "The uninstall routine itself is very simple. It deletes the service associated with Emotet, deletes the run key, attempts (but fails) to move the file to %temp% and then exits the process," note the researchers. </p>
<p>See our earlier article <a href="https://redskyalliance.org/xindustry/emotet-attacks-increase-as-the-botnet-spreads-its-joy-globally" target="_blank">HERE</a></p>
<p>Despite the error in the law enforcement code, they add that the Emotet malware "has been neutered and is harmless since it won't run as its persistence mechanisms have been removed."</p>
<p><a href="https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation">According to an FBI press release in January 2021, an FBI investigator's affidavit stated that</a>: "foreign law enforcement agents, working in coordination with the FBI, gained lawful access to Emotet servers located overseas and identified the Internet Protocol addresses of approximately 1.6 million computers worldwide that appear to have been infected with Emotet malware between 01 April 2020, and 17 January 2021." </p>
<p>Over 45,000 of the infected computers appeared to have been located in the United States. "Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," the FBI said. This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. </p>
<p>"The law enforcement file prevents the administrators of the Emotet botnet from further communicating with infected computers. The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet."</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br />Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br />LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings<br /> <a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="{{#staticFileLink}}8892671882,original{{/staticFileLink}}">TR-21-124-002_End_of_Emotet.pdf</a></p>
<p><span style="font-size:8pt;"><a href="https://www.zdnet.com/article/police-just-delivered-this-killswitch-update-to-finish-off-a-notorious-botnet/">https://www.zdnet.com/article/police-just-delivered-this-killswitch-update-to-finish-off-a-notorious-botnet/</a></span></p>
<p> </p></div>New and Improved Version of Ryuk Ransomwarehttps://redskyalliance.org/xindustry/new-and-improved-version-of-ryuk-ransomware2021-03-08T15:29:47.000Z2021-03-08T15:29:47.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8643112062,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8643112062,RESIZE_400x{{/staticFileLink}}" width="250" alt="8643112062?profile=RESIZE_400x" /></a>A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have recently found. The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found. “Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a <a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf">recent ANSSI report</a>. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”</p>
<p>The “new and improved” version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host, in order to wake up powered-off computers. “It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a [wake-up] packet.” Ryuk’s targets tend to be high-profile organizations where the attackers know they are likely to get paid their steep ransom demands.</p>
<p>For each identified host, Ryuk will then attempt to mount possible network shares using SMB, or Server Message Block, according to the report. SMB is a Windows function that allows sharing, opening or editing files with/on remote computers and servers. Once all of the available network shares have been identified or created, the payload is then installed on the new targets and is self-executed using a scheduled task, allowing Ryuk to encrypt the targets’ content and delete any Volume Shadow Copies to prevent file recovery. “The scheduled task is created through a call to the schtasks.exe system tool, a native-Windows tool,” ANSSI explained.</p>
<p>The files are encrypted using Microsoft CryptoAPI with the AES256 algorithm, using a unique AES key which is generated for each file. The AES key is also wrapped with an RSA public key stored in the binary code, according to the analysis. The malware also interrupts multiple programs based on hardcoded lists, including a list of 41 processes to be killed (task kill) and a list of 64 services to stop, ANSSI found.</p>
<p>As for avoiding infection, Ryuk ransomware is usually loaded by an initial “dropper” malware that acts as the tip of the spear in any attack; these include <a href="https://threatpost.com/emotet-returns-100k-mailboxes/162584/">Emotet</a>, TrickBot, Qakbot and Zloader, among others. From there, the attackers <a href="https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/">look to escalate privileges</a> in order to set up for lateral movement. An effective defense thus should involve developing countermeasures that will prevent that initial foothold.</p>
<p>Once infected, things become more complicated. In the 2021 campaign observed by ANSSI researchers, the initial infection point is a privileged domain account. And the analysis shows that the worm-like spread of this version of Ryuk cannot be thwarted by choking off this initial infection point. “A privileged account of the domain is used for malware propagation,” according to the report. “If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.” In addition to the self-propagation functions, this version of Ryuk also lacks any exclusion mechanisms, meaning that there’s nothing preventing infections of the same machine over and over again, which makes fumigation more difficult.</p>
<p>Previous versions of the malware used Mutual Exclusion Objects (MUTEX) to make sure that any given host had access to only one Ryuk process at a time. “As the malware does not check if a machine has already been infected, no simple system object creation that could prevent infection,” according to the ANSSI report.</p>
<p>One way to tackle an active infection, ANSSI recommended, would be to change the password or disable the account for the privileged user, and then proceed to force a domain password change through KRBTGT. The KRBTGT is a local default account found in Active Directory that acts as a service account for the Key Distribution Center (KDC) service for Kerberos authentication. “This would induce many disturbances on the domain – and most likely require many reboots – but would also immediately contain the propagation,” according to ANSSI.</p>
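<p>Detection logic for the two propagation behaviours ANSSI describes above (the ICMP sweep of private ranges and the schtasks.exe task that launches the copied rep.exe/lan.exe from a share), as an added example that is not code from ANSSI or Red Sky Alliance. The telemetry line format, host names, sample lines and the sweep threshold are assumptions; only the IP ranges, executable names and schtasks.exe come from the report quoted above.</p>

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Private ranges exactly as quoted from the ANSSI report above.
# (The full RFC 1918 block for the second entry is 172.16.0.0/12; the report's
# text says /16, so that is what is checked here.)
SCANNED_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")]
# Executable names the report associates with the self-propagating copy.
RYUK_WORM_NAMES = ("rep.exe", "lan.exe")
# Assumed tuning values: distinct private hosts pinged within the window.
SWEEP_THRESHOLD = 20
SWEEP_WINDOW = timedelta(seconds=60)

# Assumed telemetry line format: '<ISO timestamp> key=value key="quoted value" ...'
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# A UNC path such as \\10.1.2.14\C$\rep.exe inside a command line.
_UNC = re.compile(r'\\\\[^\\\s]+\\[^\s"]+')


def parse_line(line):
    """Parse one telemetry line into a dict; return None for unparsable lines."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for m in _KV.finditer(parts[1]):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def in_scanned_range(ip):
    """True if ip falls in one of the ranges the report says Ryuk sweeps."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SCANNED_RANGES)


def detect_icmp_sweeps(records):
    """Flag sources that ping >= SWEEP_THRESHOLD distinct private hosts inside SWEEP_WINDOW."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("type") == "icmp" and in_scanned_range(r.get("dst", "")):
            by_src[r["src"]].append((r["ts"], r["dst"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > SWEEP_WINDOW:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= SWEEP_THRESHOLD:
            alerts.append({"rule": "icmp_sweep", "host": src, "distinct_targets": peak})
    return alerts


def detect_share_scheduled_tasks(records):
    """Flag schtasks.exe /create whose action is rep.exe/lan.exe or runs from a UNC share."""
    alerts = []
    for r in records:
        if r.get("type") != "proc":
            continue
        image, cmd = r.get("image", "").lower(), r.get("cmd", "")
        if not image.endswith("schtasks.exe") or "/create" not in cmd.lower():
            continue
        names = [n for n in RYUK_WORM_NAMES if n in cmd.lower()]
        unc = _UNC.search(cmd)
        if names or unc:   # a benign task run from a share also fires; triage the path
            alerts.append({"rule": "share_scheduled_task", "host": r.get("host"),
                           "names": names, "unc_path": unc.group(0) if unc else None})
    return alerts


def analyze(lines):
    """Run both detections over raw telemetry lines."""
    records = [rec for rec in map(parse_line, lines) if rec]
    return {"sweeps": detect_icmp_sweeps(records),
            "tasks": detect_share_scheduled_tasks(records)}


# Constructed sample telemetry (not real logs): WS01 pings 25 neighbours, then
# schedules rep.exe from an admin share; WS02 shows benign activity.
SAMPLE_LOG = [f"2021-02-25T10:00:{i:02d}Z host=WS01 type=icmp src=10.1.2.3 dst=10.1.2.{10 + i}"
              for i in range(25)] + [
    "2021-02-25T10:00:30Z host=WS02 type=icmp src=10.1.2.50 dst=10.1.2.1",
    r'2021-02-25T10:01:05Z host=WS01 type=proc image=C:\Windows\System32\schtasks.exe '
    r'cmd="schtasks /create /tn sync /tr \\10.1.2.14\C$\rep.exe /sc once /st 10:05"',
    r'2021-02-25T10:02:00Z host=WS02 type=proc image=C:\Windows\System32\schtasks.exe '
    r'cmd="schtasks /create /tn backup /tr C:\Tools\backup.exe /sc daily /st 02:00"',
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```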
<p>The Ryuk ransomware <a href="https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/">was first observed</a> in 2018, as a variant of the Hermes 2.1 ransomware. But unlike Hermes, it is not sold on underground markets like the Exploit forum. “A doubt…remains as to the origins of Ryuk,” according to ANSSI’s report. “The appearance of Ryuk could…be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point.” It is suspected that a group named CryptoTech could have been the developer of Hermes and then of Ryuk. The name Ryuk comes from a fictional character in a popular Japanese comic book and cartoon series.</p>
<p>Deloitte researchers have theorized that <a href="https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-ryuk-malware/">Ryuk is sold as a toolkit</a> to attacker groups, which use it to develop their own “flavors” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code. In early 2021, it was estimated that Ryuk operators have raked in at least $150 million, according to an examination of the malware’s <a href="https://threatpost.com/ryuk-150m-ransom-payments/162905/">money-laundering operations</a>.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement two-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local Infragard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p> <a href="{{#staticFileLink}}8643112258,original{{/staticFileLink}}">TR-21-062-001_New_Ryuk_Ransomware.pdf</a></p>
<p> </p></div>Ransomware as a Decoyhttps://redskyalliance.org/xindustry/ransomware-as-a-decoy2021-01-22T19:04:40.000Z2021-01-22T19:04:40.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8467395687,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8467395687,RESIZE_400x{{/staticFileLink}}" width="250" alt="8467395687?profile=RESIZE_400x" /></a>Attacks involving million-dollar ransom demands attract headlines, but the payout is no longer the sole financial incentive for attackers. The exfiltration of critical data is a key motivator that can be used to extort victims into paying even larger fees to recover assets. Data, including intellectual property such as research and patents, is often targeted by organized groups or as part of corporate espionage. Stealing this information and then coercing a business into paying to get access to their network provides attackers with further rewards for planning and executing advanced, targeted attacks.</p>
<p>Ransomware is the perfect cover for a targeted data exfiltration attack. Security teams are well aware of the devastation an unchecked ransomware outbreak can cause. They will naturally focus all their efforts on containment and remediation to minimize disruption and get the business up and running. However, once the infection has been taken care of and forensics are performed to investigate how the attack started, there can be signs that the infiltrators have been on the network for much longer than first suspected. The worst of the damage could well have been carried out in the weeks prior to the detonation of the ransomware itself.</p>
<p>As an example of a thorough cyber attack, after analysts triaged a ransomware attack for one organization, they investigated how the attack started and what other actions the threat actors might have carried out on the network. They discovered suspicious activity originating from a service account. Attackers had used the account to access and move large quantities of data into a temporary directory for exfiltration. By following the investigation to the source, it was clear this was more than a typical ransomware attack. This approach is fast becoming the norm rather than the exception.</p>
<p>By taking the time to really study their targets, find the weak spots in defenses, and conduct highly targeted campaigns, threat actors can inflict far greater damage on their victims. In a business model reminiscent of large software companies, threat actors can buy the exact tools that they need and tailor these to their target by purchasing modular add-ons. Once they have established a foothold, the real value for threat actors lies in establishing and maintaining persistence on the network. The longer they are able to remain in the system, the greater their potential for escalating privileges and gathering high-value data or IP. This, in turn, makes the conversion rate from any ransom demands much higher.</p>
<p>Their leverage becomes greater the longer they can trawl the network for data, and organizations are more likely to pay this demand if they are threatened with an ultimatum that troves of highly sensitive corporate data are about to be made public.</p>
<p>While exploits continue to multiply, one of the most dangerous is still Emotet, which acts as a malware loader or dropper. Regarded by the CISA as “One of the most prevalent ongoing threats,” its indicators of compromise frequently change and it is very difficult for traditional security solutions to detect. The malspam campaigns that spread it often take advantage of a technique called “thread-jacking,” where a threat actor can intercept an email chain via an infected host and deliver the payload to a trusting victim.</p>
<p>Once a system is infected, Emotet enables threat actors to escalate privileges, move laterally, establish persistence and exfiltrate data, and upload other malicious programs such as Trickbot. Once they have captured and encrypted files, cybercriminals can then demand a ransom. A new money-making enterprise appeared in 2020, when ransomware actors opened auction sites to sell data to the highest bidder.</p>
<p>Attackers are constantly creating new variants that evade detection by traditional signature-based approaches. To counteract these attacks, firms need to have defense in depth. This starts with preventing threat actors from infiltrating the network by defending against tactics such as phishing and malware campaigns through staff training, the use of strong passwords, two-factor authentication, and patch management.</p>
<p>If a threat actor makes it onto the system, their potential for lateral movement is limited when organizations have deployed a least-privilege approach, where access to files and folders is limited based on job role or seniority. Behavioral anomalies are a prime indicator that a threat actor could be on the network. This includes encrypting or downloading large amounts of data or user accounts trying to access restricted data. Successfully spotting such behavior requires correlating data from many sources, including endpoint and network detection and response solutions.</p>
<p>Finally, to ensure they can recover quickly in the event of a ransomware attack, organizations must also have robust backups that they can rely on if their network does go down. With targeted ransomware attacks showing no signs of slowing next year, businesses need a connected system of detection capabilities to identify when a ransomware outbreak may just be an attempt to distract and disable companies while attackers escape with their most valuable data assets.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge.</p>
<p>To help organizations protect their Work from Home (WFH) employees, Red Sky Alliance has introduced its RedXray cyber threat notification service, which can notify cyber security teams of potential cyber threats on a daily basis, <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a>. At-home workers can add their IP addresses to the RedXray enrollment page and they are automatically added to the notifications. This is one more way Red Sky Alliance is helping organizations through the COVID-19 lockdown. RedXray can be used by customers at any location in the world.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p><a href="{{#staticFileLink}}8467396260,original{{/staticFileLink}}">TR-21-022-002Ransomware_as_a_Decoy.pdf</a> </p>
</div>Emotet Attacks Increase as the Botnet Spreads its Joy Globallyhttps://redskyalliance.org/xindustry/emotet-attacks-increase-as-the-botnet-spreads-its-joy-globally2020-11-06T19:27:30.000Z2020-11-06T19:27:30.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8131297495,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8131297495,RESIZE_400x{{/staticFileLink}}" width="250" alt="8131297495?profile=RESIZE_400x" /></a>The number of attacks related to Emotet continues to spike after the dangerous botnet re-emerged over the summer with a fresh phishing and spam campaign that is primarily infecting devices with a banking Trojan, according to new research from HP-Bromium, an end-point security company.</p>
<p>Emotet is both a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active; it was deemed one of the most prevalent threats of 2019. The first versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet's operators updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system and then allows its operators to download additional payloads. Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.</p>
<p>During the third quarter of 2020, the number of Emotet infections increased 1,200% compared to the second quarter of the year, according to an analysis by HP-Bromium. After a nearly six-month hiatus, an uptick in spam and phishing emails related to the malware began in mid-July 2020, the security researchers stated.</p>
<p>This increase in activity was also spotted by other researchers, who note that Emotet is increasingly used to deliver a banking Trojan called QBot or QakBot to infected devices. This malware is primarily designed to steal banking data and credentials and is known to target the customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo. It continuously evolves, with variants that have worm-like capabilities and are able to drop additional malware, log user keystrokes, and create a backdoor on compromised machines.</p>
<p>Besides the banking Trojan, Alex Holland, senior malware analyst at HP-Bromium, notes that Emotet infections are usually the precursor to a ransomware attack. "The typical pattern of Emotet campaigns we have seen since 2018 suggests that we are likely to see weekly spam runs until early 2021," Holland says. "The targeting of enterprises is consistent with the objectives of Emotet's operators, many of whom are keen to broker access to compromised systems to ransomware actors."</p>
<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has called Emotet one of the most dangerous malware variants currently active. Since July 2020, the malspam campaign that is spreading the Emotet botnet has been spotted in the U.S., U.K., Canada, Austria, Germany, Brazil, Italy and Spain, according to previous research by security firm Proofpoint. CISA has noted that its own intrusion detection system, which monitors federal civilian networks, has detected approximately 16,000 alerts related to Emotet since the botnet re-emerged.</p>
<p>The HP-Bromium research finds that Japan and Australia sustained the most Emotet infections between July and September 2020. The report also confirms that Emotet is spreading through a social-engineering technique called thread-jacking, where the botnet operator replies to stolen email threads as a way to lure victims into opening malicious content, since it appears to come from a trusted source.</p>
<p>The HP-Bromium report also notes that Emotet is spreading through spam or phishing emails that usually contain a malicious attached document. If opened, the file enables malicious macros that install the malware on the compromised device. Some of these documents are designed to look like invoices and purchase orders. "In one campaign, we saw hackers encrypting malicious documents with Microsoft Word's 'Encrypt with Password' feature, to slip past network security and detection tools," Holland says. "The malware, in this case, TrickBot, would only deploy if the user entered a password sent with the phishing email. Developed in 2016, TrickBot is one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan). This meant that most anti-virus tools weren't able to access the file to scan it, but we were able to watch it in the micro-virtual machine. It may sound like a relatively simple tactic, but it's one that has proven to be effective in bypassing detection."</p>
<p>During the first days of November 2020, Bradley Duncan, a threat researcher, posted a blog on the SANS Technology Institute website that found that not only will Emotet infect a device with the Qakbot Trojan, but that Qakbot will then turn around and attempt to spread another Emotet infection, which helps grow the size of the botnet. "In order to become infected, a victim must open the Word document and enable macros. In most cases, people would see a warning against enabling macros. Just opening the Word document by itself should not kick off the infection chain, unless the computer was set up to have macros automatically enabled," Duncan notes. "Although Emotet pushes other families of malware like Qakbot, this is the first time I've seen indications that Qakbot has pushed Emotet."</p>
<p>The HP-Bromium research recommends that the best defense against Emotet is implementing an email content filtering policy to reduce the risk of compromise by encrypted attachments containing the malware. The report also suggests that organizations implement DMARC, safe-list attachments based on the file types the organization would expect to receive, and block encrypted attachments.</p>
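<p>The attachment policy described above can be expressed as a small mail-gateway check. The following Python code is an added example written for this page; it is not code from HP-Bromium, Red Sky Alliance or any vendor product. It applies a file-type allow-list, flags Office Open XML documents that carry a VBA macro project (the <code>vbaProject.bin</code> part), and flags Office files delivered as an OLE2 compound container, which is the form Word's "Encrypt with Password" feature produces for .docx files, so a password-protected .docx is identifiable without opening it. The allow-list, file names and the sample message are constructed assumptions for the demonstration.</p>

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Allow-list of attachment types the organisation expects to receive.
# Assumed policy for this example; an organisation sets its own list.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".csv"}

# Magic bytes of an OLE2 Compound File Binary (CFB) container.  An Office
# 2007+ document saved with "Encrypt with Password" is written as a CFB
# container holding EncryptionInfo/EncryptedPackage streams rather than
# the usual ZIP (OOXML) package, so a .docx that starts with these bytes
# is either password-protected or not really an OOXML document.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def _extension(filename):
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def assess_attachment(filename, data):
    """Return a list of policy findings for one attachment (empty = allowed)."""
    findings = []
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        findings.append(f"{filename}: extension {ext or '(none)'} is not on the allow-list")
    if ext in OOXML_EXTENSIONS:
        if data.startswith(OLE_MAGIC):
            findings.append(f"{filename}: Office file is an OLE container "
                            "(password-encrypted or mislabelled); blocked")
        elif data.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names = zf.namelist()
                # OOXML documents store VBA macros in a vbaProject.bin part.
                if any(n.endswith("vbaProject.bin") for n in names):
                    findings.append(f"{filename}: contains a VBA macro project; blocked")
            except zipfile.BadZipFile:
                findings.append(f"{filename}: claims to be an Office package but is not a valid ZIP")
        else:
            findings.append(f"{filename}: content does not match an Office package")
    return findings


def assess_message(raw):
    """Parse an RFC 822 message and assess every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(assess_attachment(filename, payload))
    return findings


def build_sample_message():
    """Constructed sample: an invoice-themed lure carrying three attachments."""
    # Minimal OOXML-like ZIP that includes a vbaProject.bin part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    macro_doc = buf.getvalue()

    # Stand-in for a password-protected document: OLE header plus padding.
    encrypted_doc = OLE_MAGIC + b"\x00" * 64

    docx_type = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "RE: Invoice 2020-1187"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(macro_doc, maintype="application", subtype=docx_type, filename="Invoice.docx")
    msg.add_attachment(encrypted_doc, maintype="application", subtype=docx_type, filename="PO-4471.docx")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in assess_message(build_sample_message()):
        print(finding)
```

<p>Running the block against the constructed message yields three findings: the macro-bearing .docx, the OLE-wrapped .docx, and the .exe that is not on the allow-list. Legacy .doc files are always OLE containers, so the OLE check is deliberately limited to OOXML extensions; a gateway that must accept .doc would need to parse the CFB directory for an EncryptionInfo stream instead.</p>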
<p>The installation, updating and monitoring of firewalls, cyber security, use of multi-factor authentication and proper employee training are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. Extensive reports on many of the threats mentioned in this article can be found at <a href="https://redskyalliance.org/">https://redskyalliance.org</a>. There is no charge for these reports and articles.</p>
<p><a href="{{#staticFileLink}}8131297457,original{{/staticFileLink}}">TR-20-310-002.pdf</a> </p>
</div>Analyzing Trickbot Takedown Attemptshttps://redskyalliance.org/xindustry/analyzing-trickbot-takedown-attempts-slides2020-10-22T18:15:53.000Z2020-10-22T18:15:53.000ZYury Polozovhttps://redskyalliance.org/members/YuryPolozov<div><p><a href="{{#staticFileLink}}8063205283,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8063205283,RESIZE_400x{{/staticFileLink}}" alt="8063205283?profile=RESIZE_400x" width="250" /></a></p>
<p>US Cyber Command, Microsoft, and Europol are attacking Trickbot's malicious infrastructure ahead of the elections. It won't stop hackers from adapting, but it is expected to create breathing space during the elections. If you missed the webinar on October 21, 2020, check out these slides to find out more:</p>
<p><a href="https://attendee.gotowebinar.com/recording/6510042732247379725" target="_blank">View Webinar</a></p></div>Oil and Gas Brief 07 31 2020https://redskyalliance.org/xindustry/oil-and-gas-brief-07-31-20202020-07-31T12:52:22.000Z2020-07-31T12:52:22.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><h2><a href="{{#staticFileLink}}7164438487,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7164438487,RESIZE_400x{{/staticFileLink}}" width="250" alt="7164438487?profile=RESIZE_400x" /></a>Activity Summary - Week Ending 31 July 2020:</h2>
<ul>
<li>Red Sky Alliance identified 65,708 connections from new unique IP addresses</li>
<li>83 unique email accounts have been shown to be Compromised with Keyloggers</li>
<li>Analysts identified 2,442 new IP addresses participating in various Botnets</li>
<li>Emotet is Back</li>
<li>Phishing Campaign Targeting High-Profile Twitter Accounts</li>
<li>Russia conducts 1<sup>st</sup> gas delivery via Arctic shipping route to Japan</li>
<li>DAPL in the news Again</li>
<li>Cavitas Energy and Thor</li>
<li>Floating storage hits a record 311m barrels</li>
<li>Vietnam and China still arm-wrestling</li>
<li>NRDC suing the US govt again - Whales</li>
</ul>
<p>Link to full report: <a href="{{#staticFileLink}}7164426878,original{{/staticFileLink}}">IR-20-213-001-OilGAS_FINAL.pdf</a></p></div>Ryukhttps://redskyalliance.org/xindustry/ryuk2019-07-03T12:31:12.000Z2019-07-03T12:31:12.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}3187431567,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3187431567,RESIZE_710x{{/staticFileLink}}" alt="3187431567?profile=RESIZE_710x" width="416" height="242" /></a><span style="font-size:8pt;"><a href="https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/">https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/</a></span></p>
<p>Our UK partners have shared an important report on the Ryuk malware.</p>
<p>Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally. Ryuk is a targeted ransomware where demands are set according to the victim’s perceived ability to pay.</p>
<p>The Ryuk ransomware is often not observed until a period of time after the initial infection, ranging from days to months, which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack. But this delay may also offer the potential to mitigate a ransomware attack before it occurs, if the initial infection is detected and remedied. Links to other malware: Ryuk ransomware has been linked to other malware families, in particular the Emotet and Trickbot banking trojans, although it could also be dropped by other malware.</p>
<p>Link to full NCSC Report - Advisory: Ryuk ransomware targeting organizations globally: <a href="{{#staticFileLink}}3187410344,original{{/staticFileLink}}">RYUK Advisory draft CP June 2019.pdf</a></p></div>