Week in security with Tony Anscombe

This week, ESET researchers released their findings about Operation In(ter)ception, a campaign that leveraged LinkedIn-based spearphishing and took aim at aerospace and military companies in Europe and the Middle East between September and December 2019. Another major research effort by ESET experts revealed a campaign by the InvisiMole group that targeted high-profile organizations in the military sector and diplomatic missions in Eastern Europe in late 2019 and involved collaboration with Gamaredon, a fellow APT gang. No fewer than 19 vulnerabilities, collectively dubbed Ripple20, in the TCP/IP software library open countless IoT devices to attacks. All this – and more – on WeLiveSecurity.com.

Cyberbullying: Adults can be victims too

Cyberbullying can happen to anyone, at any time – and at any age. How can adults deal with various forms of online abuse and harassment?

Whenever cyberbullying is mentioned, our minds usually associate the topic with children or teenagers. Much has been said about cyberbullying by psychologists, organizations, public figures, as well as other concerned parties. However, we often fail to realize that adults can be the victims of cyberbullying too.

If you think that adults being victims is an overstatement, just look at the comments under the social media posts of celebrities, athletes, or even politicians. You might say: “Those are public figures; they should be able to handle it!” As far as constructive criticism is concerned, then yes, by all means. But when does criticism cross the line and turn into cyberbullying?

Cyberbullying isn’t limited to public figures; any one of us can become a target. Skeptical? The Pew Research Center begs to differ. Its recent study on online harassment found that approximately four in ten US adults have personally experienced online harassment, with a quarter of the respondents finding their experience very or extremely upsetting.

And if that didn’t drive home the point that everyone could be a target regardless of age, then this quote from the Pew study by a 59-year-old victim might: “Cyberbullies who are anonymous are relentless. They find a weakness and hammer it over and over.”

As we mark Stop Cyberbullying Day, we should educate ourselves on the signs and threats of cyberbullying and how we can stand up to it.

What is cyberbullying?

The Merriam-Webster dictionary defines cyberbullying as “the electronic posting of mean-spirited messages about a person (such as a student) often done anonymously,” while stopbullying.gov says that “cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets.”

It takes place on social media, messaging services, comment sections, forums, or even on gaming platforms. Social media is the most prevalent channel; almost 60% of Americans surveyed in the Pew study stated that the most recent episode of harassment they experienced was through social media.

You may encounter various types of cyberbullying attacks; some bullies will focus on your beliefs – political, religious or otherwise – while others may aim at your physical appearance, character, gender, ethnicity, sexual orientation, or anything that may present itself as an easy target and that will rattle you.

Your bullies may try to humiliate you by revealing sensitive personal information that you’d rather keep private. Often the person harassing you will be a stranger, but in some cases, it could be an acquaintance, a co-worker, or a former romantic partner.

When multiple perpetrators engage in the act of cyberbullying, it’s called mobbing. The act is sometimes associated with the workplace, where other employees try to force someone out of work by using intimidation, humiliation, spreading malicious rumors, or by other means.

We’ve also mentioned gaming platforms. Cyberbullying has been quite prevalent in the gamer community. It usually takes place when a player’s match performance within a team is suboptimal. The other team members then engage in berating them, using personal attacks and vulgar language. The worst manifestation of cyberbullying (and not only in the gaming community) is swatting, a tactic that involves deceiving emergency services into sending a police response team to another person’s address by falsely reporting a hostage situation or bomb threat. In some cases, these incidents have led to deaths.

Political discussions on social media or different forums can prove to be cyberbullying hotbeds as well. Tempers run high and participants want to convince you that their chosen party is the solution to all of the country’s problems. Civil discourse can turn into a vitriolic, hate-speech-filled, virtual shouting match with insidious comments and ad hominem arguments. Unfortunately, to make matters worse, trolls like to join in just to stoke the fire and see what happens.

Now, what can you do to protect yourself against cyberbullying?

Protective and reactive measures

When children and teenagers are cyberbullied, they are usually advised to turn to adults for help. But what can adults do? Who do they turn to?

Well, surprisingly, the advice remains quite similar. Adults should turn to other adults – in this case, the authorities. Cyberbullying is considered a crime in many parts of the developed world. The police, or the organizations that deal with this sort of crime, can then start an investigation.

But what should you do if you want to avoid turning to the police, and keep it as a last resort?

Most social media platforms have tools in place to deal with any kind of online abuse. On Facebook you can report offensive comments, posts, and profiles, and profiles can be blocked as well. The social media giant also offers pages dedicated to help with abusive behavior and bullying or harassment on its platform. Instagram also encourages users to report any instances of bullying and harassment and offers resources to help those who have experienced it. Twitter also offers advice on how to deal with online abuse on its platform.

When it comes to online gaming platforms the same usually applies. The majority of popular game platforms institute some sort of safeguards against online bullying and harassment. Usually these comprise a combination of manual reporting of players and automated detection of abusive behavior, which can lead to temporary bans and to permanent ones for repeat offenders. You may argue that they can sign up once again from another email, but they’ll have to start their journey through the game from scratch, which may be a sufficient deterrent to an avid gamer dabbling in some cyberbullying on the side.

Always remember

Cyberbullying is never the victim’s fault: nobody should be treated harshly and attacked, no matter who they are, where they come from, or who they love – no one under any circumstances, period. If anything of this sort happens to you, do not keep it bottled up inside; rather, seek help. Talk to your friends, family members,

Digging up InvisiMole’s hidden arsenal

ESET researchers reveal the modus operandi of the elusive InvisiMole group, including newly discovered ties with the Gamaredon group

In our tracking of the InvisiMole group, which we rediscovered and first reported on in 2018, we have found a new campaign targeting high-profile organizations in Eastern Europe. Investigating the attacks, in close cooperation with the affected organizations, we uncovered its updated toolset and previously unknown details about InvisiMole’s tactics, techniques and procedures (TTPs).

In this blogpost, we summarize the findings published in full in our white paper, InvisiMole: The hidden part of the story.

The InvisiMole group is a threat actor operating at least since 2013. We previously documented its two backdoors, RC2CL and RC2FM, notable for their extensive spying capabilities, but we didn’t know how these backdoors were delivered, spread or installed on the system.

In this recent campaign, the InvisiMole group has resurfaced with an updated toolset, targeting a small number of high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. According to our telemetry, the attack attempts were ongoing from late 2019 to the time of writing this report.

Thanks to investigating the attacks in cooperation with the affected organizations, we were able to expose the inner workings of the updated InvisiMole toolset.

We discovered InvisiMole’s arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges. This allows the InvisiMole group to devise creative ways to operate under the radar.

For example, the attackers use long execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.

Delivery mechanism

During our investigation, we discovered that InvisiMole is delivered to the compromised systems by a .NET downloader detected by ESET products as MSIL/Pterodo, the work of the Gamaredon group. Gamaredon is a threat actor, operating at least since 2013, characterized by rapid development and making little effort to stay under the radar. We recently documented the newest Gamaredon components, distributed through spearphishing emails and used to move laterally as far as possible within the target’s network, while fingerprinting the machines.

Our research now shows Gamaredon is used to pave the way for a far stealthier payload – according to our telemetry, a small number of Gamaredon’s targets are “upgraded” to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers.

Figure 1. Gamaredon’s .NET downloader can “upgrade” the victim’s machine to InvisiMole’s TCP downloader

As we detail in the white paper, despite the evidence of collaboration, we consider Gamaredon and InvisiMole to be two distinct groups with different TTPs, rather than a single threat actor.

Spreading and updating mechanisms

We document three ways that InvisiMole spreads within compromised networks:

- Using the BlueKeep vulnerability in the RDP protocol (CVE-2019-0708)
- Using the EternalBlue vulnerability in the SMB protocol (CVE-2017-0144)
- Using trojanized documents and software installers, crafted using benign files stolen from the compromised organization

To craft the trojanized files, InvisiMole first steals documents or software installers from the compromised organization, and then creates an SFX archive bundling the file with the InvisiMole installer. The original file is then replaced with the weaponized version, while its name, icon and metadata are preserved. The attackers rely on the users to share and execute these files.

This lateral movement technique is especially powerful if the trojanized file happens to be a software installer placed on a central server – a common way to deploy software in larger organizations. That way, InvisiMole is organically distributed to many computers that use this server.

Regardless of the spreading method, the first InvisiMole component deployed on the newly-compromised machines is always InvisiMole’s TCP downloader – a simple addition to the toolset that downloads the next stage of the infiltration.

The second addition to the updated InvisiMole toolset, the DNS downloader, has the same functionality but is designed for long-term, covert access to the machine. It uses a stealthier method of C&C communication, using a technique called DNS tunneling (see Figure 2).

Figure 2. DNS tunneling

With DNS tunneling, the compromised client does not directly contact the C&C server; it only communicates with the benign DNS server(s) the victim machine would normally communicate with, where it sends requests to resolve a domain to its IP address. The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and relays its response back to the client.

The actual C&C communication is embedded in the DNS requests and replies, unbeknownst to the benign DNS server that operates as an intermediary in the communication.
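The tunneling pattern described above leaves a measurable trace in DNS query logs: one registered domain receives many unique, long, high-entropy subdomains, often with record types such as TXT that can carry data back. The following heuristic detector is an added example written for this article, not ESET's code; the log format and the thresholds are assumptions, and the log lines are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry): "timestamp client qtype qname".
# The tunnel-example.test queries mimic a DNS-tunneling client: every query carries a
# different encoded payload in its subdomain, and TXT answers carry data back.
SAMPLE_DNS_LOG = """\
1592400001 10.0.0.12 A www.example.com
1592400002 10.0.0.12 A cdn.example.com
1592400003 10.0.0.12 A mail.example.com
1592400004 10.0.0.12 TXT 0a1f9c3e7b4d2f8e.1a9c0b3d7e5f6c2d.tunnel-example.test
1592400005 10.0.0.12 TXT 5c3b2d9e8f1a7d0e.4b6c2a1f9e8d3c5d.tunnel-example.test
1592400006 10.0.0.12 TXT 9e1d4c7b0a2f3c5d.8e1b4f7a0c2e6d9f.tunnel-example.test
1592400007 10.0.0.12 TXT e4f6a1c9d2b78b3a.6d0f5e2c9a1d4f7b.tunnel-example.test
1592400008 10.0.0.12 TXT 2b7c0d9f4e1a6e9c.2f5b8a3d0e7f1c4a.tunnel-example.test
1592400009 10.0.0.12 TXT c8d3e6f1a4b91f4e.7a0d3c6b9e2f5a8d.tunnel-example.test
1592400010 10.0.0.12 A login.example.com
1592400011 10.0.0.12 A www.example.com
1592400012 10.0.0.12 A www.example.com
"""

# Record types that are commonly abused to carry data in the reply direction (assumption).
RARE_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text):
    """Bits of entropy per character: encoded payloads score high, plain hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registrable-domain extraction (last two labels); use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()})
    return records


def analyze(log_text, min_queries=5):
    """Score each registered domain on four tunneling indicators; 3 or more hits marks it suspicious."""
    by_domain = defaultdict(list)
    for rec in parse_log(log_text):
        by_domain[registered_domain(rec["qname"])].append(rec)
    results = {}
    for domain, recs in by_domain.items():
        if len(recs) < min_queries:          # too little data to judge
            continue
        # Subdomain part of each query (empty when the apex itself was queried)
        subs = [r["qname"][: -len(domain) - 1] for r in recs if r["qname"] != domain] or [""]
        stats = {
            "queries": len(recs),
            "unique_ratio": len(set(subs)) / len(recs),                     # new name per query?
            "avg_sub_len": sum(len(s) for s in subs) / len(subs),           # long labels?
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),  # encoded data?
            "rare_qtype_ratio": sum(r["qtype"] in RARE_QTYPES for r in recs) / len(recs),
        }
        hits = [
            stats["unique_ratio"] > 0.8,
            stats["avg_sub_len"] > 24,
            stats["avg_entropy"] > 3.0,
            stats["rare_qtype_ratio"] > 0.5,
        ]
        stats["score"] = sum(hits)
        stats["suspicious"] = stats["score"] >= 3
        results[domain] = stats
    return results


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_DNS_LOG).items():
        print(f"{domain:25} score={stats['score']} suspicious={stats['suspicious']}")
```

On the sample data the tunneling domain trips all four indicators while example.com trips none; in real logs the thresholds need tuning against CDN and anti-spam lookups, which also produce long, varied names.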

Execution chains

The most notable feature of the newest InvisiMole toolset is its long execution chains, used to deploy the final payloads – the updated RC2FM and RC2CL backdoors, and the new TCP and DNS downloaders.

We reconstructed four execution chains, used by the attackers in various situations – based on the OS version of the victim’s computer, and on whether they were able to gain administrative privileges on the system:

- The Control Panel misuse chain uses a rare technique known from Vault 7 leaks, used to achieve covert execution in the context of the Control Panel.
- The SMInit exploit chain exploits a vulnerability in the legitimate Total Video Player software. It is used in cases where the attackers haven’t managed to obtain administrative privileges on the system.
- The Speedfan exploit chain exploits a local privilege escalation vulnerability in the speedfan.sys driver to inject its code to a trusted process from kernel mode.
- The Wdigest exploit chain is InvisiMole’s flagship chain, the most elaborate, used on the newest versions of Windows, where the attackers have administrative privileges. It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process.

The vulnerable executables used in these chains are

Ripple20 bugs expose hundreds of millions of devices to attacks

Devices used in the energy, transportation and communications sectors are also affected by the flaws in the TCP/IP software library

Hundreds of millions of connected devices may be vulnerable to remote attacks due to a series of 19 vulnerabilities in a popular TCP/IP software library developed by a software company called Treck. Collectively dubbed Ripple20, the flaws affect IoT devices produced by specialized boutique vendors as well as multiple Fortune 500 companies, according to Israel-based security company JSOF, which discovered the security holes.

Vulnerable products include smart-home devices, industrial control systems, medical and healthcare systems, and even devices used in key parts of infrastructure such as energy, transportation, communication and the government and national security sectors.

JSOF highlighted a few possible high-risk scenarios that could occur if these flaws were to be weaponized:

“Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries;” they said, before adding that this was just a sample of the damage that could be wreaked.

A major challenge faced by the researchers involved tracking the distribution trail of Treck’s TCP/IP library. They found out that over the last 20 years it has made its way into countless devices distributed around the world. They even discovered different branches of the library due to Treck’s joint project with a Japanese company in the 1990s, with which Treck later parted ways.

According to a security advisory by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), four vulnerabilities are rated critical and earned a base score of above 9 on the CVSSv3 vulnerability scale (the scale rates from 1 to 10).

Two flaws – CVE-2020-11896 and CVE-2020-11897 – earned a “perfect” severity score of 10, underlining the seriousness of the issue. The former could result in remote code execution while the latter may result in an out‑of‑bounds write. Two more vulnerabilities were rated as critical: CVE-2020-11898 could lead to information leakage and CVE-2020-11901 could allow remote code execution through a single invalid DNS response.

Four loopholes – one high- and three low-severity – have been closed over the years due to routine code changes, but remained open on some affected devices, while many others have multiple variants due to the TCP/IP stack configurability and changes.

However, Ripple20 still presents a sizable risk for devices that are still in use. “In all scenarios, an attacker can gain complete control over the targeted device remotely, with no user interaction required,” said JSOF.

To mitigate the risks, JSOF has a variety of recommendations, including a comprehensive risk assessment before defensive measures are deployed. Computer emergency response teams (CERTs) such as Carnegie Mellon’s CERT Coordination Center, JPCERT/CC, and CERT IL have also released advisories on how to handle risks stemming from Ripple20. If patches have been released, you should apply them now.

17 Jun 2020 – 09:00PM

Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies

ESET researchers uncover targeted attacks against high-profile aerospace and military companies

At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.

This blogpost will shed light on how the attacks unfolded. The full research can be found in our white paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

The attacks, which we dubbed Operation In(ter)ception based on a related malware sample named Inception.dll, were highly targeted and clearly intent on staying under the radar.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.

According to our investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

While we did not find strong evidence connecting the attacks to a known threat actor, we discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

Initial compromise

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Figure 1. A fake job offer sent via LinkedIn to employees at one of the targeted companies

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, masqueraded as documents related to the job offer in question. Figure 2 shows an example of such a communication.

Figure 2. Communication between the attackers and an employee at one of the targeted companies

To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files.

The shared file was a password-protected RAR archive containing a LNK file. When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.

That PDF, seemingly containing salary information for the job positions in question, in reality served as a decoy; in the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.

This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the compromised computer. Figure 3 illustrates the steps leading up to compromise.

Figure 3. Attack scenario from initial contact to compromise

Attacker tools and techniques

The Operation In(ter)ception attackers employed a number of malicious tools, including custom, multistage malware, and modified versions of open-source tools.

We have seen the following components:

- Custom downloader (Stage 1)
- Custom backdoor (Stage 2)
- A modified version of PowerShdll – a tool for running PowerShell code without the use of powershell.exe
- Custom DLL loaders used for executing the custom malware
- Beacon DLL, likely used for verifying connections to remote servers
- A custom build of dbxcli – an open-source, command-line client for Dropbox; used for data exfiltration

Under a typical scenario, the Stage 1 malware – the custom downloader – was downloaded by the remote XSL script (described in the Initial compromise section) and executed using the rundll32 utility. However, we also saw instances where the attackers used one of their custom DLL loaders to run the Stage 1 malware. The main purpose of the custom downloader is to download the Stage 2 payload and run it in its memory.

The Stage 2 payload is a modular backdoor in the form of a DLL written in C++. It periodically sends requests to the server and performs defined actions based on the received commands, such as sending basic information about the computer, loading a module, or changing the configuration. While we didn’t recover any modules received by the backdoor from its C&C server, we did find indications that a module was used to download PowerShdll.

Besides malware, the adversaries leveraged living off the land tactics, abusing legitimate tools and OS functions to perform various malicious operations, in an attempt to fly under the radar. As for specific techniques, we found that the attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware.

Figure 4 shows how the various components interacted during the malware’s execution.

Figure 4. Malware execution flow

Besides the living off the land techniques, we found that the attackers made a special effort to remain undetected.

First, the attackers disguised their files and folders by giving them legitimate-sounding names. For this purpose, the attackers misused the names of known software and companies, such as Intel, NVidia, Skype, OneDrive and Mozilla. For example, we found malicious files with the following paths:

C:\ProgramData\DellTPad\DellTPadRepair.exe
C:\Intel\IntelV.cgi

Interestingly, it was not just malicious files that were renamed

Survey shows rise in robocalls amid COVID‑19 fears

The unsolicited phone calls tout everything from miracle cures to financial relief – here’s how you can stay safe

The public concern and confusion surrounding the COVID-19 pandemic have offered an array of opportunities for con artists, who have pulled every trick from their books to cash in on people – including by dint of robocalls. A recent survey conducted by senior services company Provision Living and involving 4,038 Americans speaks volumes in this regard.

“Nearly a quarter of respondents said they’ve experienced an increase in robocalls since COVID-19 and 1 in 5 people have received a robocall regarding COVID-19,” said the survey. Most commonly, the robocalls and text messages claimed to provide treatment (22%), financial relief (18%), and free COVID-19 testing (18%).

To be sure, this won’t surprise our regular readers, who are by now well aware of coronavirus-themed scams that involve fake charities, bogus testing kits, credit card-stealing websites, and even extortion, to name just a few recurrent riffs on the same theme.

But let’s go back to the survey, which showed that two out of five callers claimed to represent the Social Security Administration (SSA), 38% impersonated Internal Revenue Service (IRS) officials, and over a third claimed to be from travel companies. These all seem to be clever ruses since the pandemic has forced a lot of people to cancel their vacation plans and some have fallen on hard times.

A total of 15% have received a robocall regarding their stimulus checks from people claiming to be from the IRS – it’s important to note that the IRS doesn’t normally call people. Also, the revenue service will not ask you to use a specific payment method (debit card, gift card, wire, etc.) but will usually first mail the taxpayer a bill with any taxes they owe.

Generally speaking, scams involving the IRS aren’t all that uncommon; some cybercriminals attempt to commit tax refund fraud by stealing other people’s identities using robocalls as well.

The incessant robocalls have had another adverse effect – over half of the respondents have become fearful of answering calls from unrecognized numbers, while 46% missed an important call because they thought it was a robocall. On the other hand, the scams have also encouraged vigilance; almost three-quarters of respondents Google an unknown number before calling back.

How to protect yourself

Here’s how you can avoid falling prey to fraud facilitated by robocalls and scammy text messages:

- If you receive a robocall, hang up and immediately add the number to the list of blocked numbers on your phone.
- You can add your number to a national do-not-call registry or list. Such registries exist, among others, in the United States, Canada, the United Kingdom, India, Australia, New Zealand, and Singapore.
- Never divulge any personally identifiable information such as your social security number, address, birthday, or tax identification number if you are not sure who you are talking to.
- Always verify the identity of the caller – ask them to identify themselves and then check this information with the organization they are claiming to represent.
- Some network providers also offer their own fraud and spam blocking apps, so you can check with them and download one to your device. Alternatively, you can use a third-party app that provides the service, but be sure to research it carefully.
- Also be sure to educate your family members about the dangers of robocalls and fraudulent texts, especially older relatives, since they are the most susceptible.

16 Jun 2020 – 05:38PM

Warning issued over hackable security cameras

The owners of the vulnerable indoor cameras are advised to unplug the devices immediately

Around 3.5 million security cameras installed in homes and offices mainly in Asia and Europe have serious vulnerabilities that expose the gadgets’ owners to the risk that attackers will spy on them, steal their data or target other devices on the same networks, the United Kingdom’s consumer watchdog Which? has warned.

“Brands with potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis,” says Which?, adding that any wireless camera using the CamHi app and sporting a certain type of Unique Identification Number (UID) could be susceptible to a hack. Some 700,000 of the cameras are in use in Europe, including 100,000 in the UK.

These gadgets use peer-to-peer (P2P) features, which allow users to connect to their devices instantly when they come online. The vulnerabilities, indexed as CVE-2019-11219 and CVE-2019-11220, involve iLnkP2P, a P2P solution developed by Shenzhen Yunni Technology Company. If exploited, the loopholes can allow attackers to bypass firewalls and steal passwords.

The consumer watchdog believes that as many as 47 wireless camera brands worldwide may potentially have these flaws. The full list of vulnerable gizmos is available on this site run by Paul Marrapese, an American security engineer who uncovered the issues.

If you own such a camera and it is hijacked, cybercriminals could access the live footage and spy on your home or office, as well as communicate with people nearby if the camera has a microphone. They could also use the camera to pinpoint your exact location, target other devices on your home network, or even add your camera to an online botnet.

Although changing the default password would normally lower the chances of the camera being compromised, in this case it will not help. “In effect, there’s nothing you can do to protect against the flaw,” said Which?. The consumer advocacy organization recommended that anyone who owns the vulnerable camera and uses the CamHi app should remove it from their network and turn it off.

HiChip, the company that produces many of the camera brands and developed the CamHi app, is working together with Which? and Marrapese on improving the security of its cameras. “HiChip has focused on IP camera R&D for more than 10 years and continues to improve the security of the cameras,” said a HiChip spokesperson.

In fact, Which? raised the alarm about the security issues last October. The gizmos can still be bought on Amazon, eBay, Wish.com, and AliExpress and continue to be in use around the globe.

Speaking of security issues in connected security cameras, ESET researchers themselves have uncovered a vulnerability in D-Link cameras that would allow attackers to tap into the video stream.

15 Jun 2020 – 05:26PM

Week in security with Tony Anscombe

ESET research into Gamaredon’s tricks – A flawed online voting platform – Massive hack-for-hire campaigns

This week, ESET researchers published their findings about new malicious tools deployed by the Gamaredon group, including a VBA macro that takes advantage of the Microsoft Outlook email accounts of compromised targets to send spearphishing emails to their contacts. An academic study has highlighted a range of security risks associated with OmniBallot, an online voting platform used in multiple US states. A report by Citizen Lab claims that a hack-for-hire group operating out of India targeted thousands of people and organizations all over the world. All this – and more – on WeLiveSecurity.com.

FBI warns about fraudsters targeting banking app users

Watch out for attacks attempting to take advantage of the lockdown-induced surge in mobile banking use

As the use of mobile banking apps surges during COVID-19 lockdowns, so does the risk that these platforms will be exploited by cybercriminals, warns the FBI’s Internet Crime Complaint Center (IC3).

Citing estimates by US financial technology providers, the Bureau’s online fraud wing said that more than 75 percent of Americans used mobile banking in some form in 2019. Since the start of this year, a 50-percent spike in the usage of banking apps has been observed.

The move to mobile banking hasn’t escaped the attention of cybercriminals, and IC3 expects crooks to deploy various techniques against mobile banking customers, mainly app-based banking trojans and fake banking apps.

While both have the same goal – steal credentials for the victims’ bank accounts and ultimately money from them – their strategies in achieving it are quite different. ESET malware researcher Lukáš Štefanko recently drew a clear distinction between the two when bringing clarity to the murky waters of Android banking malware.

“Banking trojans are devious – they try to make users install them by pretending they are something fun or useful, but definitely totally harmless. Think games, battery managers and power boosters, weather apps, video players, and so on.” These apps bide their time and strike when a person least expects it, sliding a fake login screen over a legitimate banking app and stealing the credentials.

Fake banking apps, however, are more straightforward – they try to convince you that they are the real deal. “Once installed and launched, they lead with a login form, just like a real banking app would. And, as you probably already guessed, the credentials submitted into the form are harvested,” Štefanko notes.

How to stay safe?

To lower the chances of falling prey to the threat, there are a number of rules you should follow:

First, you should always install apps from official stores, but before you do, check the rating, the reviews, and the number of installs. After you install an app, pay attention to the permissions it requests. If you are downloading a banking or finance app, check if it is the official application of your bank, either by contacting it or looking through its official website. Just as importantly, keep your device updated and use a reliable mobile security solution. Another great way to double down on your security is by enabling two-factor authentication (2FA).

Further reading

Navigating the murky waters of Android banking malware
How to protect yourself as the threat of scam apps grows
Scam iOS apps promise fitness, steal money instead

12 Jun 2020 – 12:37PM

Gamaredon group grows its game

Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro

ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents.

Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products.

The Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mostly against Ukrainian institutions, as evidenced in several reports from CERT-UA and from other official Ukrainian bodies over time.

In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes. The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.

Gamaredon has leveraged many different programming languages in the past few months, ranging from C# to VBScript, batch files and C/C++. The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further.

Unlike other APT groups, Gamaredon seems to make no effort to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and as fast as possible within their targets’ networks while trying to exfiltrate data. Could we be missing something?


Figure 1 illustrates a typical compromise chain in a Gamaredon campaign.

Figure 1. Typical Gamaredon compromise chain

While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems.

Outlook VBA module

The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns.

This bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then removes security around VBA macro execution in Outlook by changing registry values. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.

Next, it relaunches Outlook with a special option, /altvba <OTM filename>, which loads the Gamaredon VBA project. The malicious code is executed once the Application.Startup event is received. The group has used this module in three different ways, sending malicious email to:

Everyone in the victim’s address book
Everyone within the same organization
A predefined list of targets

While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it.
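The sequence described above (Outlook killed from a script, its macro security registry setting changed, Outlook relaunched with /altvba) leaves a recognisable trail in endpoint telemetry. The following detection logic is an added example written for this page, not code from ESET or from the Gamaredon toolset. It runs over constructed sample events in a simplified key=value line format (an assumption, not a real EDR export); the registry path in the sample is likewise an assumption modelled on Outlook's macro security setting rather than a value taken from the report.

```python
"""Detect the Outlook VBA-module deployment chain in constructed telemetry.

Added example, not the page's or ESET's code.  Event format and the sample
registry path are assumptions; the /altvba switch is the one named in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real EDR output).  One event per line:
# type=process|registry, then image/cmdline or target/value, then parent.
SAMPLE_EVENTS = [
    'type=process;image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE;'
    'cmdline="OUTLOOK.EXE";parent=explorer.exe',
    'type=process;image=C:\\Windows\\System32\\taskkill.exe;'
    'cmdline=taskkill /F /IM outlook.exe;parent=wscript.exe',
    # Assumed path: shaped like Outlook's macro security setting, value lowered to 1.
    'type=registry;target=HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level;'
    'value=1;parent=wscript.exe',
    'type=process;image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE;'
    'cmdline="OUTLOOK.EXE" /altvba C:\\Users\\user\\AppData\\Roaming\\project.otm;parent=wscript.exe',
    'type=registry;target=HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences\\Foo;'
    'value=0;parent=outlook.exe',
]

# Interpreters a dropper script would typically run under (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
ALTVBA_RE = re.compile(r"/altvba\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str      # which stage of the chain matched
    detail: str    # the command line, registry path or OTM path involved
    parent: str    # parent process name (lower-cased)


def parse_event(line: str) -> dict:
    """Split a 'key=value;key=value' line into a dict; first '=' separates key from value."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect(lines) -> list:
    """Return one Finding per event that matches a stage of the Outlook-abuse chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("parent", "").lower()
        if ev.get("type") == "registry":
            target = ev.get("target", "")
            # Any write under Outlook's security settings key from a script host.
            if "\\outlook\\security\\" in target.lower():
                findings.append(Finding("outlook_macro_security_modified", target, parent))
        elif ev.get("type") == "process":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            if image.endswith("outlook.exe"):
                m = ALTVBA_RE.search(cmd)
                if m:  # Outlook started with an alternate VBA project file
                    findings.append(Finding("outlook_altvba_launch", m.group(1), parent))
            elif "taskkill" in image and "outlook" in cmd.lower() and parent in SCRIPT_HOSTS:
                findings.append(Finding("outlook_killed_by_script", cmd, parent))
    return findings


def chain_stages(findings) -> list:
    """Distinct stages observed; all three together make a high-confidence alert."""
    return sorted({f.rule for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:34} parent={f.parent:12} {f.detail}")
    print("stages:", chain_stages(detect(SAMPLE_EVENTS)))
```

Each stage on its own is noisy (administrators do kill Outlook, and the security key is written by legitimate configuration), so the value is in correlating the three within a short window on one host; the /altvba launch from a script host is the strongest single signal.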

Figure 2. Outlook VBA script creating the malicious email

Based on the “send to all in contact list” behavior of this malicious VBA code, we believe that this module might have led some organizations to think they were targeted by Gamaredon when they were merely collateral damage. For example, recent samples uploaded to VirusTotal coming from regions that are not traditionally targeted by Gamaredon, such as Japan, could be explained by the actions of this module.

As seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We’ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon’s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component.

Figure 3. Email generated by the Outlook VBA module with a Word document attachment that contains a remote template

The email contains both English and Russian text. However, as illustrated in Figure 3, there is a problem with the Russian encoding. This was fixed in a later version of this module — another example of the Gamaredon group’s fast development pace and apparent lack of attention to detail.

Office macro injection module – CodeBuilder

We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. This is a very efficient way of moving laterally within an organization’s network, as documents are routinely shared amongst colleagues. Because the injected macros run whenever the documents are opened, the technique also provides persistence: some of these documents are likely to be opened repeatedly over time.

These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript.
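Tampered documents of the kind described above can be triaged without opening them, because both indicators live in the OOXML package itself: an embedded VBA project appears as a vbaProject.bin part, and an attached remote template appears as an attachedTemplate relationship with TargetMode="External". The scanner below is an added example written for this page, not ESET's or Gamaredon's code; it builds minimal OOXML-shaped zip files in memory as constructed test input (they are not valid Word files), and the relationship type and namespace URIs are the standard OOXML ones.

```python
"""Triage scanner for injected macros and remote templates in OOXML documents.

Added example (not from the page).  Sample documents are constructed in memory.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML URIs: package relationship namespace and the attached-template type.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_ooxml(data: bytes) -> dict:
    """Inspect one document (as bytes) and report macro / external-template indicators."""
    result = {"not_ooxml": False, "vba_project": False, "external_templates": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["not_ooxml"] = True  # legacy .doc/.xls or not a document at all
        return result
    with zf:
        names = zf.namelist()
        # word/vbaProject.bin or xl/vbaProject.bin means a VBA project is embedded.
        result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                # An attached template that is External is loaded from a URL/UNC on open.
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    result["external_templates"].append(rel.get("Target", ""))
    return result


def is_suspicious(result: dict) -> bool:
    """A document that should not contain macros but now does, or pulls a template
    from outside the package, warrants a closer look."""
    return result["vba_project"] or bool(result["external_templates"])


def build_sample(template_target=None, with_vba=False) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing; not a real Word document."""
    buf = io.BytesIO()
    rels = ""
    if template_target:
        rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>')
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels",
                    f'<Relationships xmlns="{PKG_NS}">{rels}</Relationships>')
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed example: a document whose settings now point at an external template.
    sample = build_sample(template_target="http://example.invalid/template.dotm")
    print(scan_ooxml(sample), is_suspicious(scan_ooxml(sample)))
```

Run over a file share, the same function lets defenders find which shared documents were modified by the injector; comparing the result against a known-clean copy (or the file's modification time against the compromise window) separates injected macros from documents that legitimately carried VBA.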


This module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files. Notably, there were two text files, one for Word and one for Excel, containing the VBA source code of the malicious macro to be inserted into the targeted documents, and the .NET assembly responsible for finding and compromising existing documents. As illustrated in Figure 4, the assembly name is CodeBuilder.

Figure 4. CodeBuilder functions in a version that is not obfuscated

This .NET module first reduces Office macro security settings