Hackers have restarted a campaign to spread ransomware in a bid to extort millions of pounds from victims.
According to research by security researchers from FireEye, between May and September 2019 cyber-criminals have used leveraged compromised web infrastructure to establish an initial foothold in victim environments.
In a blog post, they said that the activity they monitored was consistent with a fake browser update campaign first identified in April 2018 called FakeUpdates.
In the latest campaign, hackers used victim systems to deploy malware such as Dridex or NetSupport, and multiple post-exploitation frameworks. Hackers have also updated techniques in places such as "internal reconnaissance, credential harvesting, privilege escalation, lateral movement, and ransomware deployment in enterprise networks."
"The threat actors’ ultimate goal in some cases was to ransom systems in mass with BitPaymer or DoppelPaymer ransomware," said researchers.
Compromised sites would display a fake browser update window saying that an old version of the web browser was in use and the victim should download an "update" to keep it running "smoothly and securely".
The malicious script would then collect information about the computer and send that back to the hacker’s C2 server. The server would then run another script to install malware on the victim machine. The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware.
"The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor," said researchers.
As well as this, scripts would also use freeware Nircmd.exe tool to take two screenshots of the current desktop. These are then also uploaded to the C2 server.
Researchers said that Dridex would install the BitPaymer or DoppelPaymer ransomware on a victim's system. Dridex backdoors would also be used to execute the publicly-available PowerShell Empire and/or Koadic post-exploitation frameworks.
They also identified the FakeUpdates to Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool.
"While it could be coincidental, it is worth noting that the use of PoshC2 was first observed in early September 2019 following the announcement that Empire would no longer be maintained and could represent a shift in attacker TTPs. These additional tools were often executed between 30 minutes and two hours after initial Dridex download," said researchers.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that as attackers find more creative ways to trick users into installing malware through techniques such as fake browser updates, it becomes increasingly important for users to be aware of these attacks and to only update software through official and approved channels.
"Users should never click on banners on any sites which promise to speed up their PC, or conduct a free scan. Rather, they should seek advice from their IT department if they have any needs," he said.
David Emm, principle security researcher at Kaspersky Lab, told SC Media UK that users should "carefully look at the address bar before entering any sensitive information such as your login and password".
"If something is wrong with the URL (it’s misspelled, doesn’t look like the original or uses some special symbols instead of letters), don’t enter anything on such sites. Always navigate to a site by entering the URL yourself, or choosing from your list of bookmarks or favourites – rather than clicking on a link," he added.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout