Cyberthreat update from Acronis CPOCs: Week of September 14, 2020

Cyberthreat update from Acronis CPOCs: Week of September 14, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as malware masquerading as legitimate software, and newly emerging malicious websites. Here’s a look at some of the most recent breaking news and analyses:

Apple accidentally notarizes Shlayer malware

Shlayer, one of the most notorious malware variants targeting macOS devices, is back. This time around, Shlayer was found posing as an Adobe Flash Player update, and this fake “update” was accidentally approved by Apple’s notary review — allowing the malware to bypass Gatekeeper and enable installation on victim’s computers.

The long-standing myth that “Macs don’t get viruses” has been challenged significantly in recent years, as malware targeting macOS users has increased rapidly. This is the first known instance of malware actually being notarized by Apple. The company has since reversed the error — but for victims, the damage was already done.

With Acronis Active Protection, the advanced antiransomware technology in Acronis Cyber Protect, Shlayer and other ransomware variants are stopped before they can do any harm to end-user systems.

Fake Malwarebytes installer drops cryptominer

The rise of cryptocurrency has brought with it a relatively new type of malicious software: cryptojackers. These malware variants steal processing power from impacted systems to mine cryptocurrencies — a profitable exercise, given that victims are paying for the cost of the system as well as the increased electricity bills that result from active mining.

Cybersecurity researchers recently discovered an installer for the security tool Malwarebytes that had been bundled with cryptojacker malware and spread on third-party websites. Once installed, the malware starts draining processing power, slowing the victim’s system and even potentially damaging physical components.

So far, infections have largely occurred in eastern Europe, but this activity could easily spread anywhere. Acronis Cyber Protect has threat diagnostic heuristics that are specifically designed to protect and block cryptojackers before they can cripple your systems.

Conti (Ryuk) sets up new data leak website

Conti, a new Ransomware as a Service (RaaS) and the successor of the notorious Ryuk variant, has released a data leak website as part of its extortion strategy to force victims into paying ransoms.

While Conti has been active for several months, it wasn’t until recently that the cybercriminals involved released a data leak site, where they threaten to publish victims’ stolen data if the demanded ransom is not paid. “Conti.News” currently lists 26 victims, including large and well-known companies.

The advanced behavioral analytics in Acronis Cyber Protect monitor users’ machines and prevent ransomware — including new, never-before-seen variants — from compromising endpoints before encryption can even begin.

Word documents weaponized by Emotet

The cybercriminals behind Emotet — the most active email threat currently in the wild — have begun using the new “Red Dawn” template to deliver malware through weaponized Word documents. This move adds a convincing layer of legitimacy when compared to the iOS templates that this group has previously been known to use.

The name “Red Dawn” refers to the accent colors used in these malicious Word docs. Victims are prompted to “Enable editing” or “Enable content” in order to view the information they’ve supposedly been sent, but clicking these prompts activates macros that install malware.

Acronis Cyber Protect’s antimalware capabilities effectively block trojans, ransomware, and other cyberthreats from running on your systems, safeguarding your data against social engineering attacks like this one.

450 cybersquatting domains registered every day

Phishing campaigns often use a technique called cybersquatting, in which attackers register one or more variants of a well-known web address to confuse victims and instill a false sense of security.

With the constant rise of phishing attacks, lookalike domain names pose a considerable problem. On average, about 450 squatting domains are registered each day — that’s over 13,000 per month. These domains are used in malicious emails and websites, and even in links injected into legitimate websites.

URL filtering capabilities, like those present in Acronis Cyber Protect, can block access to known malicious domains and prevent would-be victims from actually being able to reach the fake site that they’ve opened a link to.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.