Cyberthreat update from Acronis CPOCs: Week of May 24, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as the emergence of new online threats and the latest statistics on cybercrime. Here’s a look at some of the most recent breaking news and analyses:

Over 70 banks targeted by Bizarro banking Trojan

After first appearing in Brazil, the Bizarro banking Trojan has now spread across South America and into several European countries — including Spain, Portugal and France. This cyberthreat has now targeted more than 70 banks across the world.

Bizarro is spread using a malicious MSI installer attached to a phishing email, currently with a tax notification message as the social engineering lure. This malware has the ability to take screenshots, monitor the system clipboard, log keystrokes, and download additional payloads from trusted cloud storage servers like Azure and AWS.

In order to increase the chances of capturing user credentials, Bizarro disables autocomplete in the browser, forcing victims to enter usernames and passwords manually — so it can then log and steal this information. When 2FA is enabled on a website, Bizarro uses fake popups to capture these codes. And if a cryptocurrency wallet address is detected on the user’s clipboard, Bizarro will replace it with an address owned by the malware’s operators in the hopes that victims will unwittingly transfer funds.

With threats like Bizarro out there, a comprehensive solution is needed to keep your systems safe. Acronis Cyber Protect blocks malware by using cloud file reputation as well as behavioral detection to stop malware before your data or your money are stolen.

Like a phoenix from the ashes, Zeppelin ransomware returns

After a several-month hiatus, Zeppelin ransomware is back — this time with updates available for the ransomware-as-a-service platform. On April 27, these new versions showed up on underground forums, with a price of $2,300 for the core build.

Zeppelin is a variant of Buran ransomware, and has often been used to go after large tech and healthcare targets in the United States. and Europe. The ransomware was designed to be highly configurable, making it an easy choice as a go-to tool for cybercriminals.

Zeppelin users are independent customers who buy the ransomware to use in their own attacks, not relying on a specific attack vector determined by the developers. This means that it could spread through a variety of tactics, including phishing, taking advantage of VPN or RDP vulnerabilities, or other methods.

No matter how the attack starts, Acronis Cyber Protect puts a stop to ransomware like Zeppelin with its included Active Protection functionality, protecting your data before it can be stolen or encrypted.

Too many phish in the sea

The latest annual Active Cyber Defence report from the UK's National Cyber Security Centre (NCSC) outlines their efforts in removing phishing and other scams from the internet.

This report shows that in the last year alone, the NCSC has taken down more than 1.4 million URLs that were associated with over 700,000 online scams. These scams included fake online shops, fake celebrity endorsements, and phishing campaigns that aimed to impersonate the U.K. government.

Despite such valiant efforts, the sheer volume of phishing is already overwhelming — and lures are becoming more effective. Acronis Cyber Protect has built-in URL filtering capabilities that protect you from the malicious websites used by phishing campaigns and other scams.

Fake ransomware is actually a RAT

Microsoft Security Intelligence has released information regarding a remote access Trojan (RAT) named StrRAT, which masquerades as ransomware.

RATs, which enable remote attackers to download additional payloads to infected systems, continue to be widely used in a variety of attacks alongside ransomware. Recently, Bloomberg BNA clients worth up to $18 billion were targeted with RATs delivered through phishing campaigns.

While StrRAT does steal sensitive browser data and can allow threat actors to take control of your systems, its ransomware encryption module actually only changes file names and extensions, making it appear that they’ve been encrypted for ransom.

StrRAT is still a dangerous threat, and is likely to keep spreading through smart phishing lures. Acronis Cyber Protect detects and stops RATs of all types — including StrRAT.

An Apple a day can’t keep malware away

The latest version of XCSSET malware has been abusing a zero-day vulnerability in macOS 11 Big Sur to bypass built-in privacy protections. macOS accounts for over 16% of the operating system market share, with the majority of Macs running this version.

In addition to capturing screenshots of victims’ systems, XCSSET steals cookies from the Safari browser to access online accounts. It also installs a development version of Safari, which allows the attackers to monitor activity or modify any website the victim visits.

XCSSET continues a trend of including compatibility with Apple's new M1 processors, and with development ongoing, it’s definitely a piece of Mac malware worth keeping an eye on. Acronis Cyber Protect includes anti-malware protection for macOS devices, halting threats like XCSSET before your credentials or other sensitive data are stolen.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.