Cybercriminal Groups Diversify Tactics, Combining Infostealers and Ransomware
Introduction
Two well-established cybercriminal groups known for distributing infostealer malware, RedLine and Vidar, are now expanding their capabilities by using code-signing certificates to spread ransomware. These threat actors have started incorporating ransomware payloads into their phishing campaigns, using Extended Validation (EV) code-signing certificates to bypass email security measures. According to researchers from TrendMicro, this development suggests that these cybercriminals are streamlining their operations and making their techniques multipurpose.
A New Double-Attack Vector
The investigation conducted by TrendMicro discovered a case where a victim initially received infostealer malware signed with EV code-signing certificates. Subsequently, the same victim received ransomware payloads through the same delivery route. This represents the first time a single threat actor was observed with multiple EV code-signed samples, indicating a significant shift in tactics.
The EV code-signing certificates used by these cybercriminals provide an added layer of verification compared to regular code-signing certificates. They are issued only to organizations verified to have a legal and physical existence in their respective country. Private key generation for these certificates requires a hardware token, making it more difficult to steal private keys and certificates.
The Abuse of Code-Signing Certificates
Cyber attackers have previously exploited code-signing certificates by using stolen certificates to pass off their malware as legitimate software, bypassing security protections. This abuse has prompted authorities to address the gaps in the technology. The Certificate Authority/Browser Forum (CABF), an industry group focused on public key infrastructure (PKI), made hardware key generation mandatory even for regular code-signing certificates to enhance private key protection.
However, TrendMicro's recent investigation revealed that the code signature on the infostealer malware was not invalidated, because the revocation date was set to the date on which TrendMicro reported the abuse rather than to the sample's signing date. Samples signed before the revocation date therefore continued to carry valid signatures. TrendMicro advised the certificate authority (CA) to revoke the certificate using its issuance date as the revocation date, which invalidates every signature ever made with that certificate.
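To make the revocation-date point concrete, here is an added Python model (not code from TrendMicro or the report) of how a timestamp-aware verifier treats signed samples under the two possible revocation dates; all dates, sample names and the policy helper are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed, illustrative dates (not taken from the TrendMicro report).
CERT_ISSUED = utc(2023, 5, 1)      # certificate notBefore
ABUSE_REPORTED = utc(2023, 8, 10)  # day the CA learned of the abuse


@dataclass(frozen=True)
class SignedSample:
    name: str
    timestamp: Optional[datetime]  # trusted (RFC 3161) countersignature time, or None


# Constructed samples: two signed before the report, one after, one with no timestamp.
SAMPLES = [
    SignedSample("stealer_july.exe", utc(2023, 7, 15)),
    SignedSample("ransom_loader_aug.exe", utc(2023, 8, 9)),
    SignedSample("late_build.exe", utc(2023, 8, 20)),
    SignedSample("no_timestamp.exe", None),
]


def signature_trusted(sample: SignedSample, revocation_date: datetime) -> bool:
    """Return True if a verifier would still accept the signature after revocation.

    Under the usual timestamped-signature policy (e.g. Authenticode), a signature
    survives revocation if its trusted timestamp falls before the revocation date;
    without a timestamp, revocation invalidates it outright.
    """
    if sample.timestamp is None:
        return False
    if sample.timestamp < CERT_ISSUED:
        return False  # timestamp predates the certificate: cannot be genuine
    return sample.timestamp < revocation_date


def surviving_signatures(samples, revocation_date: datetime) -> list:
    """Names of samples whose signatures a verifier would still trust."""
    return [s.name for s in samples if signature_trusted(s, revocation_date)]


if __name__ == "__main__":
    print("revoked as of report date:  ", surviving_signatures(SAMPLES, ABUSE_REPORTED))
    print("revoked as of issuance date:", surviving_signatures(SAMPLES, CERT_ISSUED))
```

Backdating the revocation to the issuance date is what empties the surviving list; revoking as of the report date leaves every earlier timestamped sample trusted.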
The Double-Attack Campaign
The campaign investigated by TrendMicro began with socially engineered spear-phishing emails that urged the victim to take immediate action. These emails commonly covered topics related to health and hotel accommodations. In July, the victim started receiving infostealer payloads from a series of campaigns. On August 9, the victim received a ransomware payload after opening a fake complaint email impersonating TripAdvisor; the attachment was disguised as a benign .pdf file using a double file extension. Opening it executed a chain of processes that ultimately deployed the ransomware.
The ransomware used in this campaign, detected as Ransom.Win64.CYCLOPS, did not have EV certificates. However, the researchers noted that the payloads originated from the same threat actor and were delivered through the same methods. The cybercriminals leveraged LNK files containing commands to execute malicious files, bypassing detection mechanisms. They also managed to transfer malicious files through the Google Drive file storage service, evading built-in security protocols.
Thwarting Ransomware Attacks
TrendMicro advises individuals and organizations who have been targeted by infostealer campaigns to be cautious of potential ransomware attacks in the future. The researchers suggest that threat actors are becoming more efficient in maximizing their techniques for different purposes and cybercrimes.
To prevent ransomware attacks, configuring and updating attack surface protections that remove malicious items before they reach users is crucial. Early detection and mitigation can prevent threat actors from gathering enough information to leverage in a ransomware attack. Additionally, users should avoid downloading files, programs, and software from unverified sources and websites.
Conclusion
The combination of infostealers and ransomware in a single attack campaign represents a significant evolution in cybercriminal tactics. The abuse of code-signing certificates underscores the need for stronger protective measures and more robust revocation procedures. As cybercriminals continue to adapt and diversify their techniques, individuals and organizations must remain vigilant in implementing security measures and regularly updating their defenses to mitigate the risk of becoming victims of these sophisticated attacks.