Paul Scott
on August 27, 2020

Extortionware becomes the new norm

Another week, another usually weekly threat report. Check out what’s in store today:

Google Drive used in threat campaign
Ransomware with a side of extortion, please
Busted: Egor Igorevich Kriuchkov
APT spotlight: DarkHotel

Google Drive vulnerability could help malware

On August 22, 2020, details were released regarding an unpatched vulnerability associated with Google Drive that could help bad actors spread malware.

The vulnerability lives in the “manage versions” feature in Google Drive, which allows users to upload and manage different versions of a file.

A. Nikoci, a security researcher, discovered users can upload a new version of a file with any file extension for any legitimate file stored on Google Drive.

Researchers also observed that the Google Chrome browser appears to completely trust any file downloaded from Google Drive, even if the file has been flagged as “malicious” by an anti-malware solution.

Threat actors could leverage this bug to carry out spear-phishing campaigns that contain links to malicious files hosted on Google Drive – an issue that could be especially dangerous for Google Chrome users. This could be a path for APTs to land ransomware infections at an organization.

There are no reports of this technique being used by threat actors, but it is unclear when Google will address the issue.

New ransomware leak sites

We predicted a trend in 2020 of ransomware groups moving increasingly towards extortion. Four new ransomware strains have recently popped up with support for exfiltration and leaking.

One reason we expect to see the surge continue with new ransomware strains leaking data is that the Maze ransomware cartel is enabling groups through their Ransomware-as-a-Service (RaaS) offerings.

That’s the case with SunCrypt ransomware, according to Bleeping Computer.

When SunCrypt is executed, it connects to 91.218.114.31, which is used by Maze RaaS.

For months, Maze has been hosting a data leak site and launching attacks from known public IP addresses. Yet in all this time, their services remain intact and haven’t been taken down by law enforcement.

This shared IP address means one of two things: either Maze is sharing their infrastructure, or they’re white-labeling their ransomware technology to other groups.

This sharing of resources would also explain why SunCrypt operators claim Maze is earning revenue from each infection.

Another big addition to the ransomware leak world is Ryuk. Ryuk’s new evolution into Conti has added extortion and leaking to its bag of tricks.

Other additions include:

Darkside – Recently arrived on the scene, making large ransom demands and going after large targets
Avaddon – Added in early August and has only published two victims to date.
Light – Light ransomware makes it difficult to find their leaks because they use a new onion site for each leak.

Now that ransomware leaks have become the popular thing on the street, we expect to see even more ransomware strains adopting the technique. Infact, a ransomware leak plot was recently interrupted by the FBI.

Busted

The U.S. Department of Justice announced on August 25, 2020, that Egor Igorevich Kriuchkov, a Russian citizen, was arrested in Los Angeles for plotting to infect a Nevada-based business with malware, extract company data, and then threaten to make the data public unless the company paid a ransom.

According to the statement published by the Department of Justice, Kriuchkov and his unnamed co-conspirators had promised to pay an employee of the company $1 million to infect the company’s network with ransomware.

Kriuchkov met with the employee numerous times between July 15, 2020, and August 22, 2020; after being contacted by the FBI, Kriuchkov then attempted to flee the country before being arrested.

APT spotlight: DarkHotel

On August 25, 2020, details of a March 2020 campaign by “DarkHotel,” also known as APT-C-06 and Dubnium, was targeting government agencies and institutions in China and the Korean Peninsula with VPN software exploits for espionage and data theft.

360 Advanced Threat Research Institute observed that the victims are mainly localized in northern China and the eastern coastal areas and include government agencies, news media, large state-owned enterprises, foreign trade enterprises, and other industries.

According to the researchers’ findings, the APT group’s techniques and tactics are divided into two methods: watering hole attacks and software vulnerability attacks.

In one identified instance, an employee of a targeted institution visited a South Korean adult-site, where they downloaded a trojan’d QuickTime install. After installation, the malicious loader was saved in the %appdata% directory and executed to load the final module and compromise the victim’s machine.

In 2018, the threat actors were observed targeting an unspecified company’s security software master control server and distributing a backdoor disguised as a vulnerability patch “KB3928472.exe.”

From there, the backdoor was executed, and the threat actors were able to compromise the systems.

In 2017, the threat actors used a certain OA software vulnerability to attack vulnerable systems. The APT group issued execution commands through the OA master control server and sent commands on the computer to execute a malicious JavaScript code to install the backdoor on the victim’s machine.

In early 2020, DarkHotel was observed using a fake upgrade for a VPN software to target an undisclosed organization.

The group took the VPN server through the vulnerability in advance and then replaced the VPN client upgrade component of the server with a backdoor program. They then changed the server upgrade configuration file to compromise the targeted system. During the attacks, the APT group also used a series of new backdoor frameworks.

One of these new backdoor frameworks was named “Thinmon” by the 360 Advanced Threat Research Institute due to the file name of the attack component of the backdoor frame.

The researchers identified that DarkHotel started using the backdoor framework in 2017 to implement a series of attacks against the targeted organizations. To prevent the risk of the attacks, it’s recommended that organizations should be more cautious on the websites they’re visiting, and patch the related vulnerabilities across the systems and software they use. Additionally, it’s recommended to use security solutions to prevent the risk of the attacks.

URLs:

http://134.119.220.118/update64/pack3.dat

http://apple-onlineservice.com/recommend/ascfree.php

http://185.198.56.191/sfverify.php

http://134.119.220.118/update64/pack2.dat

http://134.119.220.118/360safe.css

http://account163-mail.com/recommend/ascfree.php

http://onlineservice.bounceme.net/recommend/ascfree.php

http://134.119.220.118/update64/pack1.dat

IPs:

206.221.187.130

185.4.227.2