TRENDING
INTELLIGENTCIO

Highlights of the report include:

Upping the ante on evasion tactics

Many modern malware tools already incorporate features for evading antivirus or other threat detection measures, but cyberadversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection. For example, a spam campaign demonstrates how adversaries are using and tweaking these techniques against defenders.

The campaign involves the use of a phishing email with an attachment that turned out to be a weaponised Excel document with a malicious macro. The macro has attributes designed to disable security tools, execute commands arbitrarily, cause memory problems and ensure that it only runs on Japanese systems. One property that it looks for in particular, an xlDate variable, seems to be undocumented.

Another example involves a variant of the Dridex banking trojan which changes the names and hashes of files each time the victim logs in, making it difficult to spot the malware on infected host systems.

The growing use of anti-analysis and broader evasion tactics is a reminder of the need for multi-layered defences and behaviour-based threat detection.

“The ever-widening breadth and sophistication of cyber-adversaries’ attack methods is an important reminder of how they are attempting to leverage speed and connectivity to their advantage.”
Phil Quade, Chief Information Security Officer, Fortinet

Under the radar attacks aim for the long-haul

The Zegost infostealer malware is the cornerstone of a spear phishing campaign and contains intriguing techniques. Like other infostealers, the main objective of Zegost is to gather information about the victim’s device and exfiltrate it. Yet, when compared to other infostealers, Zegost is uniquely configured to stay under the radar. For example, Zegost includes functionality designed to clear event logs. This type of cleanup is not seen in typical malware. Another interesting development in Zegost’s evasion capabilities is a command that kept the infostealer ‘in stasis’ until after February 14, 2019, after which it began its infection routine.

The threat actors behind Zegost utilise an arsenal of exploits to ensure they establish and maintain a connection to targeted victims, making it far more of a long-term threat compared to its contemporaries.

Ransomware continues to trend to more targeted attacks
The attacks on multiple cities, local governments and education systems serve as a reminder that ransomware is not going away, but instead continues to pose a serious threat for many organisations going forward.

Ransomware attacks continue to move away from mass-volume, opportunistic attacks to more targeted attacks on organisations which are perceived as having either the ability or the incentive to pay ransoms. In some instances, cybercriminals have conducted considerable reconnaissance before deploying their ransomware on carefully selected systems to maximise opportunity. For example, RobbinHood ransomware is designed to attack an organisation’s network infrastructure and is capable of disabling Windows services that prevent data encryption and of disconnecting from shared drives.

Another newer ransomware, called Sodinokibi, could become another threat for organisations. Functionally, it is not very different from the majority of ransomware tools in the wild. It is troublesome because of its attack vector, which exploits a newer vulnerability that allows arbitrary code execution and does not need any user interaction, unlike other ransomware delivered by phishing email.

Regardless of the vector, ransomware continues to pose a serious threat for organisations going forward, serving as a reminder of the importance of prioritising patching and information security awareness education. In addition, Remote Desktop Protocol (RDP) vulnerabilities, such as BlueKeep, are a warning that remote access services can be opportunities for cybercriminals and can also be used as an attack vector to spread ransomware.
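The Zegost log-clearing behaviour described under “Under the radar attacks” above is exactly the kind of signal the report's call for behaviour-based detection points at: Windows records the clearing of the Security log as event ID 1102 and the clearing of other logs as event ID 104 in the System log. The Python below is an added example, not code from the report or the article; it runs over constructed JSON Lines event records (hosts, users and timestamps are made up) and flags log clearing, escalating when one account wipes more than one log on a host within a few minutes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records as a SIEM might forward them
# (JSON Lines). Hosts, users and timestamps are made up for this example.
SAMPLE_EVENTS = """\
{"host":"ws-17","channel":"Security","event_id":4624,"user":"alice","ts":"2019-02-15T08:01:02Z"}
{"host":"ws-17","channel":"Security","event_id":1102,"user":"alice","ts":"2019-02-15T08:03:10Z"}
{"host":"ws-17","channel":"System","event_id":104,"user":"alice","ts":"2019-02-15T08:03:11Z"}
{"host":"ws-17","channel":"Application","event_id":104,"user":"alice","ts":"2019-02-15T08:03:12Z"}
{"host":"dc-01","channel":"Security","event_id":1102,"user":"backup_svc","ts":"2019-02-15T02:00:00Z"}
"""

# Windows writes event ID 1102 to the Security log when it is cleared and
# event ID 104 to the System log when another log is cleared. The pair
# (channel, event_id) is the key: a 104 in any other channel is not a clear.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

def parse_events(text):
    """Parse JSON Lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def find_log_clearing(events, window=timedelta(minutes=5)):
    """Alert on each (host, user) that cleared a log; escalate to 'high'
    when the same account wiped more than one log within `window`."""
    clears = defaultdict(list)
    for ev in events:
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
            clears[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in clears.items():
        evs.sort(key=lambda e: e["ts"])
        channels = sorted({e["channel"] for e in evs})
        burst = len(channels) > 1 and evs[-1]["ts"] - evs[0]["ts"] <= window
        alerts.append({"host": host, "user": user, "channels": channels,
                       "severity": "high" if burst else "medium"})
    return sorted(alerts, key=lambda a: (a["host"], a["user"]))

if __name__ == "__main__":
    for alert in find_log_clearing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In a real deployment the medium alerts still deserve review, since a single cleared Security log is rarely routine; the escalation only ranks the burst pattern above them.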
New opportunities in the digital attack surface

Between the home printer and critical infrastructure is a growing line of control systems for residential and small business use.

www.intelligentcio.com