Cyberthreat update from Acronis CPOCs: Week of April 26, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as a surge in remote access Trojan attacks and new techniques for malware delivery. Here’s a look at some of the most recent breaking news and analyses:

REvil gang threatens release of stolen Apple blueprints

Taiwan-based Quanta Computer, a leading device manufacturer and one of Apple's partners, is the latest victim in the REvil gang's ransomware spree.

Quanta is the second-largest original device manufacturer (ODM) behind Compal, which was also a ransomware victim earlier this year. The company manufactures several Apple products, including the Apple Watch, MacBook Air, and MacBook Pro. Quanta also has deals with Dell, Hewlett-Packard (HP), Alienware, Lenovo, Cisco, and Microsoft.

REvil has demanded a ransom of $50 million if paid before April 27, with the amount set to jump to $100 million after that date. Quanta has thus far refused to pay. REvil has already released some of Apple's designs as proof of their successful strike, and they’re threatening to leak all of the designs for Apple's devices — as well as personal employee and customer data — if their demands are ignored entirely.

Whether your systems are targeted by a brand-new ransomware variant, or an established cyberthreat like REvil, Acronis’ cyber protection solutions secure your data with an advanced anti-malware engine that detects and blocks the malicious processes that malware relies on.

RATs aimed at Bloomberg clients

A new threat actor, dubbed "Fajan," is emerging in an email-based phishing campaign that’s actively targeting clients of Bloomberg Industry Group (formerly known as Bloomberg BNA). These clients include industry leaders — such as 7-Eleven, Arent Fox, and First Solar — with annual revenues ranging anywhere from $300 million to $18 billion.

Samples obtained show that Fajan is using a classic phishing tactic — attaching an “invoice” that requires users to enable active content in order to view it, only to execute a malicious payload once this is done.

The Fajan campaign is using a variety of remote access Trojans (RATs), including NetWire, Revenge RAT, NanoCore, and XpertRAT. The variation in attacks in this campaign suggests that Fajan is still experimenting, hoping to determine which approach will best avoid detection on a larger scale.

A strong email security and protection product is the first step to stopping remote access attacks. The advanced behavioral analytic engine in Acronis Cyber Protect identifies and blocks RATs as well as the other forms of malware that they may drop onto compromised systems — keeping your data and systems safe from harm.

A picture is worth 1,000 RATs

Hiding malicious code within image files isn’t new, but it is one of the sneakier methods used by malicious actors. The North Korean APT group Lazarus is now using this technique to hide a remote access trojan (RAT) in bitmap images, which use the .bmp file extension.

The Lazarus Group is sending out phishing emails whose attachments slip past security controls by embedding a malicious HTA file, zlib-compressed, inside a PNG image. At run time the image is converted to BMP format, which decompresses the data and exposes the HTA payload.

The initial payload is a loader that decodes and decrypts the second-stage payload into memory, which can then receive and execute commands, steal data, and communicate with a command-and-control (C&C) server.
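The following scanner is an added example for defenders (not Acronis' code and not the malware's): it parses the BMP headers, then looks in the pixel area for script markup that never belongs in image data, for bytes appended beyond the declared file size, and for a valid zlib stream (the compressed form the text describes) whose inflated content carries HTA markers. The sample bitmaps, the marker list, and the placeholder HTA text are constructed here for the demonstration.

```python
"""Flag bitmap files whose pixel area carries script-like payloads.

Added example, not code from Acronis or from the campaign described.
All sample files below are constructed in memory; the HTA text is an
inert placeholder containing only the markup markers we scan for.
"""
import re
import struct
import zlib

# Strings expected in an HTA dropper but never in pixel data (constructed list)
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"createobject", b"wscript.shell")

# A zlib stream starts with CMF=0x78 and one of four valid FLG bytes
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def build_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap an arbitrary byte string in minimal 24-bit BMP headers (test data only)."""
    header_len = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", header_len + len(pixels), 0, 0, header_len)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def find_markers(blob: bytes, where: str) -> list:
    """Case-insensitive search for script markers inside a byte region."""
    lowered = blob.lower()
    return [f"script marker {m.decode()} in {where}" for m in SCRIPT_MARKERS if m in lowered]


def scan_bmp(data: bytes) -> dict:
    """Parse the BMP headers and report non-image content found in the pixel area."""
    if len(data) < 54 or data[:2] != b"BM":
        return {"valid_bmp": False, "suspicious": False, "findings": ["not a BMP file"]}
    _, declared_size, _, _, pixel_offset = struct.unpack("<2sIHHI", data[:14])
    pixels = data[pixel_offset:]
    findings = []
    # Real size larger than the header claims: something was appended after the image
    if len(data) > declared_size:
        findings.append(f"{len(data) - declared_size} bytes appended beyond declared file size")
    # Plaintext script where pixels should be
    findings += find_markers(pixels, "pixel area")
    # Compressed payload where pixels should be: inflate and inspect the result
    for match in ZLIB_HEADER.finditer(pixels):
        inflater = zlib.decompressobj()
        try:
            inflated = inflater.decompress(pixels[match.start():])
        except zlib.error:
            continue  # random pixel bytes that merely look like a zlib header
        if inflater.eof and inflated:
            findings.append(f"valid zlib stream at pixel offset {match.start()} "
                            f"inflating to {len(inflated)} bytes")
            findings += find_markers(inflated, "inflated stream")
            break
    return {"valid_bmp": True, "suspicious": bool(findings), "findings": findings}


# Constructed samples: a clean white 4x4 image, the same headers around a
# zlib-compressed placeholder HTA, and around the placeholder HTA in plaintext.
HTA_TEXT = (b'<html><head><HTA:APPLICATION ID="demo"/></head>'
            b'<body><script>var note = "placeholder";</script></body></html>')
CLEAN_BMP = build_bmp(b"\xff" * 48, 4, 4)
COMPRESSED_BMP = build_bmp(zlib.compress(HTA_TEXT) + b"\x00" * 16, 4, 4)
PLAINTEXT_BMP = build_bmp(HTA_TEXT + b"\x00" * 10, 4, 4)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_BMP), ("compressed", COMPRESSED_BMP),
                         ("plaintext", PLAINTEXT_BMP)):
        print(name, scan_bmp(sample))
```

The zlib header check alone is not a verdict: two bytes matching a zlib header occur by chance in ordinary pixel data, which is why the scanner only reports a stream that inflates to completion and then inspects what came out. The text says the payload lived in a PNG first; the same `find_markers` pass can be run over the inflated IDAT data of a PNG if you extend the parser to that format.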

The advanced heuristic engines in Acronis Cyber Protect Cloud detect and block both Trojans and the malware payloads they attempt to retrieve, keeping your data secure from remote access and manipulation.

Malware continues to spread via Google Alerts

Google Alerts, a content change and notification service from Google, is being exploited by cybercriminals to spread malware and scams.

SEO poisoning attacks are making a comeback due to their high success rate, and attackers are intrigued by any new avenues for delivering malware. GootLoader's latest SEO poisoning campaign drew rapid attention from Microsoft and is possibly linked to Acer's recent $50 million ransom demand.

These threat actors are using a technique called 'cloaking' to serve different content to automated web crawlers than to real visitors. When used in phishing attacks, as is common, cloaking sends crawlers to safe pages but redirects visitors to pages with malicious content or downloads. But in this campaign, it’s the crawlers that are redirected to nefarious, keyword-stuffed pages that trigger a Google Alert. Users who click these alerts may be presented with malware or other threats.
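Cloaking is detectable from the outside by fetching the same URL as a crawler and as a browser and comparing what comes back. The script below is an added example (not Acronis' or Google's code) of that check: it injects the fetch function so the run here uses a constructed in-memory "site" instead of the network, strips markup to compare visible text, and flags a low similarity or a redirect that appears in only one of the two views. The user-agent strings, threshold and sample pages are this example's own choices.

```python
"""Compare the crawler view and the browser view of a URL to spot cloaking.

Added example, not code from Acronis or Google. `fetch(url, user_agent)` is
injected so the demonstration runs offline against a constructed site; in
practice you would pass a function that performs the HTTP request.
"""
import re
from difflib import SequenceMatcher

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")

# Markup that sends a visitor elsewhere without their clicking anything
REDIRECT_PATTERNS = (
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    re.compile(r"(window|document|top)\.location(\.href)?\s*=", re.I),
)


def visible_text(html: str) -> str:
    """Drop scripts, styles and tags; normalise whitespace and case."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(text.split()).lower()


def has_redirect(html: str) -> bool:
    return any(p.search(html) for p in REDIRECT_PATTERNS)


def compare_views(fetch, url: str, threshold: float = 0.5) -> dict:
    """Fetch `url` under both user agents and report how far the two views diverge."""
    crawler_html = fetch(url, CRAWLER_UA)
    browser_html = fetch(url, BROWSER_UA)
    similarity = SequenceMatcher(None, visible_text(crawler_html),
                                 visible_text(browser_html)).ratio()
    redirects = {"crawler": has_redirect(crawler_html), "browser": has_redirect(browser_html)}
    return {
        "url": url,
        "similarity": round(similarity, 2),
        "redirect": redirects,
        "cloaking_suspected": similarity < threshold or redirects["crawler"] != redirects["browser"],
    }


# Constructed stand-ins for two servers (no network access involved)
def cloaked_site(url: str, user_agent: str) -> str:
    """Keyword-stuffed bait for crawlers; a plain page for everyone else."""
    if "googlebot" in user_agent.lower():
        bait = " ".join(["free contract template download"] * 30)
        return f"<html><body><h1>agreement template download</h1><p>{bait}</p></body></html>"
    return ("<html><head><title>Garden Club</title></head>"
            "<body><p>Monthly meeting notes and plant care tips.</p></body></html>")


def honest_site(url: str, user_agent: str) -> str:
    """Same content regardless of who asks."""
    return "<html><body><h1>Garden Club</h1><p>Monthly meeting notes.</p></body></html>"


if __name__ == "__main__":
    print(compare_views(cloaked_site, "https://example.invalid/page"))
    print(compare_views(honest_site, "https://example.invalid/page"))
```

Two caveats when running this against real destinations taken from a suspicious alert: sites legitimately serve different markup to crawlers and to mobile or desktop browsers, so compare visible text rather than raw HTML and tune the threshold per site; and cloaking keyed on the requester's IP address or geography will not show up from a single vantage point, whatever user agent you send.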

Cyberthreats continue to evolve as threat actors find success with new and unexpected techniques. Acronis Cyber Protect has multiple built-in tools to keep you safe, including URL filtering to block malicious pages and an AI-driven behavioral protection engine that stops malware from executing.

New Ryuk techniques include Windows privilege escalation, password theft

The most common infection vector for the notorious Ryuk ransomware has been remote desktop protocol (RDP) servers with weak passwords, but spear phishing emails with malicious PowerShell scripts have been observed as well.

Recently, some new techniques have been spotted in the wild. Perhaps most notable is the exploitation of Windows privilege-escalation vulnerabilities such as CVE-2018-8453, before using PsExec or shared folders to spread Ryuk inside the network. Microsoft has released patches for these vulnerabilities, but many systems remain unpatched and unprotected.

Other novel methods that Ryuk is using to gain heightened privileges within target networks include stealing passwords from the KeePass password manager and dropping a portable version of Notepad++ that includes its own unmonitored PowerShell instance.
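Two of the Ryuk behaviours named above leave distinctive traces in Windows event logs: password guessing against RDP shows up as bursts of failed remote-interactive logons (Security event 4625, logon type 10) from one source, and PsExec lateral movement installs a service (System event 7045) whose default name is PSEXESVC and whose binary is dropped directly into the Windows directory via the ADMIN$ share. The detection logic below is an added example written for this page (not Acronis' detection engine); the event records are constructed, with field names modelled on those two event schemas, and the thresholds are starting points to tune.

```python
"""Detect RDP password guessing and PsExec-style service installs in event records.

Added example, not Acronis' code. EVENTS is a constructed sample standing in
for parsed Security (4624/4625) and System (7045) event log records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2021, 4, 26, 2, 0, 1)


def _at(seconds: int) -> str:
    return (_BASE + timedelta(seconds=seconds)).isoformat()


# Constructed sample: 12 failed RDP logons in under two minutes from one address,
# then a successful RDP logon from the same address, one stray failure from
# another address, a local (type 2) failure, a PsExec service install and a
# benign service install.
EVENTS = (
    [{"time": _at(10 * i), "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7",
      "user": "administrator", "host": "RDP-GW01"} for i in range(12)]
    + [
        {"time": _at(180), "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7",
         "user": "backupsvc", "host": "RDP-GW01"},
        {"time": _at(30), "id": 4625, "logon_type": 10, "src_ip": "198.51.100.9",
         "user": "alice", "host": "RDP-GW01"},
        {"time": _at(60), "id": 4625, "logon_type": 2, "src_ip": "-",
         "user": "bob", "host": "WS17"},
        {"time": _at(900), "id": 7045, "service_name": "PSEXESVC",
         "image_path": r"%SystemRoot%\PSEXESVC.exe", "host": "FS01"},
        {"time": _at(950), "id": 7045, "service_name": "BackupAgentSvc",
         "image_path": r"C:\Program Files\BackupAgent\agent.exe", "host": "FS01"},
    ]
)


def rdp_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """One alert per source address that fails `threshold` RDP logons inside `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:        # 10 = RemoteInteractive (RDP)
            continue
        t = datetime.fromisoformat(e["time"])
        (failures if e["id"] == 4625 else successes)[e["src_ip"]].append(t)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = [t for t in times if times[start] <= t <= times[start] + window]
                alerts.append({
                    "src_ip": ip,
                    "failures": len(burst),
                    "burst_start": burst[0].isoformat(),
                    "burst_end": burst[-1].isoformat(),
                    # A success after the burst is the case that needs immediate action
                    "success_after_burst": any(s > burst[-1] for s in successes.get(ip, [])),
                })
                break
    return alerts


def remote_service_installs(events):
    """Flag 7045 service installs that look like PsExec (name, binary, or drop location)."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        name, path = e.get("service_name", ""), e.get("image_path", "")
        parent, _, binary = path.rpartition("\\")
        reasons = []
        if name.upper() == "PSEXESVC":
            reasons.append("service name is PsExec's default PSEXESVC")
        if binary.lower() == "psexesvc.exe":
            reasons.append("service binary is PSEXESVC.exe")
        if parent.lower() in ("%systemroot%", "c:\\windows"):   # ADMIN$ maps here
            reasons.append("binary placed directly in the Windows directory")
        if reasons:
            hits.append({"host": e.get("host"), "service_name": name,
                         "image_path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for a in rdp_password_guessing(EVENTS):
        print("RDP guessing:", a)
    for h in remote_service_installs(EVENTS):
        print("Service install:", h)
```

The Windows-directory check is deliberately broad: a renamed PsExec clone still has to land its service binary where ADMIN$ points, so it catches more than the default name does, at the cost of some tuning against installers in your environment that legitimately write there. Password theft from KeePass and the portable Notepad++ trick named in the text do not produce such clean log signatures; those are better caught by monitoring process lineage and by allow-listing which PowerShell hosts may run.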

No matter the delivery method, Acronis Cyber Protect effectively blocks Ryuk and other ransomware threats. Furthermore, the built-in patch management capabilities ensure that business-critical applications are kept up-to-date with all relevant vulnerability fixes.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.