###### PRESENTS # Cybercrime tactics and techniques Q2 2020 ----- ## Table of contents #### Attack on home base...........................4 Distributed malware............................5 ###### Avemaria.................................................................................6 NetwiredRC.............................................................................8 Lokibot.................................................................................. 10 Azorult....................................................................................12 Danabot..................................................................................14 #### Other efforts...................................... 16 ###### Card skimmers.......................................................................16 State sponsored attacks........................................................18 #### Protecting home base........................ 19 Conclusion.........................................20 ----- ## Attack on home base ###### The coronavirus pandemic has left the world looking very different at the end of the quarter than it did at the beginning. For starters, millions of workers are out of the office and working from their homes. This change in scenery, combined with safe social distancing efforts that help prevent the spread of COVID-19, has created a crisis for many, but an opportunity for some. Employees are accessing company resources through VPNs, utilizing cloud based services, and spending countless hours chatting on communication tools, all while connecting through personal networks and machines. In response, cybercriminals have been deploying campaigns to trick users into installing malware that steals login information for these sites, as well as provide remote control of the endpoint to the attacker. This special, COVID-19 themed CTNT report for January 2020 to March 2020 looks at the most prominently spread malware families taking advantage of this crisis, as well as other cybercriminal efforts we observed. We will give you a look into what the campaigns that spread these threats look like and the capabilities of the malware, along with information about card skimmers and APT attacks, wrapping up with some tips on staying safe. ----- ## Distributed malware ###### Threats like Emotet and Trickbot are still a big concern for businesses all over the world, however, the threats we are going to cover in this section are specifically using COVID-19 themed campaigns to spread. In fact, many of the families we have seen being installed by these campaigns have had very little success prior to the last few months. These changes represent a shift by cybercriminals to focus on a new target, your home base. ----- ## AveMaria ### Malware profile ###### AveMaria is a Remote Access Trojan used for taking over the systems of its victims and providing the attackers with remote control capability. It was first observed being spread through malicious phishing campaigns in 2018 and its presence on infected endpoints has been on the rise ever since. ###### Detection name: Backdoor.AveMaria.* Trojan.AveMaria Spyware.AveMaria First seen: December 2018 Category: Remote access trojan ----- ##### Capabilities: AVEMARIA ###### • Remote desktop access 350 300 250 ###### • Remote webcam control 200 ###### • Password stealer 150 • Downloader 100 50 0 ###### • Keylogger • Remote shell • Privilege escalation Figure 1. AveMaria detections, February 2019 - March 2020 ##### Recent activity: AVEMARIA ###### The AveMaria Remote Access Trojan 1200 1000 ###### is available for cybercriminals to **109.6%** ###### purchase on the dark web for about 800 600 ###### $23 for a monthly “subscription.” 77.3% 400 ###### Over the last three months, we have 200 0 ###### seen an increase in detections of this Jan-20 Feb-20 _Figure 2. Avemaria percentage change January - March 2020_ ###### threat, with a 109.6 percent increase between February and March. ##### Spread via: ###### AveMaria has been observed recently being spread through malicious phishing emails claiming to contain information about effective face masks as well as through other COVID-19 themed campaigns. Figure 3. COVID-19 themed phishing campaign spreading AveMaria ----- ## NetWiredRC ### Malware profile ###### The backdoor NetWiredRC has been associated with numerous types of attacks and threat groups, including the state sponsored group APT33— Iranian-sponsored hackers with a focus on energy industries, since its discovery in 2014. This malware is incredibly capable and dangerous, armed with the ability to manipulate, spy on, and steal data and applications from the user. ###### Detection name: Backdoor.NetWiredRC.* First seen: November 2014 Category: Backdoor access ----- ##### Capabilities: ###### • Downloader • Keylogger • Information stealing • System manipulation • Provide remote access ##### Recent activity: ###### We have observed a roughly 40 percent increase in NetWiredRC detections since the beginning of the year. During the summer of 2019, NetWiredRC was involved with a phishing campaign targeting the hotel industry in North America. ##### Spread via: ###### This malware has been observed primarily through malicious phishing campaigns, using numerous themes and ploys to get users to install the malware. A recent campaign claimed to be providing COVID-19 information from UNICEF, the children’s aid organization. ----- ## LokiBot ### Malware profile ###### LokiBot is a well-known botnet which has been active since 2015. Its primary method of spreading has been through malicious emails or as a secondary payload for other downloader malware families. It is also known to use stenography to hide malicious code inside images. ###### Detection name: Backdoor.Lokibot.* Spyware.Lokibot.* Trojan.Lokibot.* First seen: 2015 Category: Botnet, Information seeker ----- ##### Capabilities: ###### • Keylogger • Password stealer ##### Recent activity: ###### In addition to impersonating banks and shipping companies, LokiBot has been seen by multiple security research groups as a possible payload for many of the COVID-19 themed phishing campaigns that are active today. During the coronavirus pandemic, we have seen a 61.8 percent rise in LokiBot detections. ##### Spread via: ###### LokiBot is most notably spread through malicious phishing campaigns. Recently, we’ve observed this malware being pushed as an invoice for a medical supply pusher. ----- ## AZORult ### Malware profile ###### AZORult is a dangerous information stealing malware that has been on the scene since 2016. This malware can also act as a downloader for other malware and has previously been installed as a secondary payload to families like Emotet. The primary method of infection for this threat is through malicious phishing campaigns and drive-by exploits. ###### Detection name: Backdoor.AZORult.* Spyware.AZORult.* First seen: July 2016 Category: Information stealer ----- ##### Capabilities: ###### • Password stealer • Cryptocurrency theft • Downloader ##### Recent activity: ###### The AZORult malware remained a steady threat throughout 2019. Then, starting in November, we began to see a larger increase in detections until around February. However, a comparison with March shows a 30.1 percent increase in detections of this threat, month over month, proving that this threat is likely not going away soon. ##### Spread via: ###### AZORult has been observed recently as a possible payload for numerous COVID-19 themed attacks, including one asking the recipient for bulk quantities of ventilators as well as being one of the payloads attached to a fake Johns Hopkins University coronavirus map application. ----- ## DanaBot ### Malware profile ###### DanaBot is a family of banking trojan malware, first discovered being distributed by malicious emails, with a focus in Australia. It has recently been distributed through malicious advertisements using the RIG & Fallout exploit kits. However, DanaBot’s spread has expanded as of late, as infections have been spotted in various countries in Europe as well as North America. ###### Detection name: Backdoor.DanaBot Spyware.DanaBot Trojan.DanaBot First seen: May 2018 Category: Banker trojan, Information stealer ----- ##### Capabilities: ###### • Bank credential theft • Password stealer • Downloader • Browser manipulation • Phishing website redirection ##### Recent activity: ###### DanaBot has been active since September of 2019, with a dip in detections between January and February 2020. This dip resulted in a rise of 166 percent in detections between February and March 2020. ----- ##### Spread via: ###### DanaBot is being spread in numerous ways, from exploit kit malvertising attacks, to malicious email campaigns. The Polish CERT organization recently sent a warning to Polish citizens about a campaign pushing the DanaBot malware through malicious PowerPoint presentations. In addition, DanaBot is one of the possible payloads we may see installed by the fake Johns Hopkins coronavirus map which was first discovered in March. ----- ## Other efforts ###### Phishing emails and scary maps are not the only criminal operation we have seen taking advantage of the current state of the world. In fact, home shoppers are at a greater risk than ever with an increase in credit card skimmers found on webstore checkout pages. In addition, government sponsored actors are trying to blend their attacks in with the flood of coronavirus themed scams. ##### Card skimmers: ###### Panic buying, hoarding, and a drastic change in how we purchase goods—from in-store to delivery and pickup—has resulted in rushed deployments of online order forms, price manipulation, counterfeit goods and, of course, online scams. Cybercriminals focused on stealing financial data from users have increased the compromise of online order forms and installation of card skimming code on these web pages. We have seen a 26 percent increase in this kind of attack from February to March 2020. ----- ###### You can find out more about the rise in card skimmers and about some notable companies whose customers have become victims of this method of attack on the ----- ##### State sponsored attacks: ###### Using COVID-19 as bait to trick users is not solely a trick of the commercial cybercriminal; in fact, numerous state-sponsored groups have used this theme in phishing attacks against relevant targets. From late January on, several cybercriminal and state-sponsored advanced persistent threat (APT) groups have been using coronavirus-based phishing as their infection vector to gain a foothold on victim machines and launch malware attacks. Just like the spread of coronavirus itself, China was first hit by APT groups and as the virus spread worldwide, so did the attacks. Their method of spreading threats with emails varies depending on the group—some use template injections, others use RTF exploits, and the majority use malicious macro scripts, like the modus operandi of non-state-funded attackers. To read more about state-sponsored actors using COVID-19 as bait, check out the Malwarebytes Labs blog and a recent white paper we released: “APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure.” ----- ## Protecting home base ###### The threat landscape of the last few months has been very different from the one we saw at the end of 2019. Attacks in the COVID-19 era are focused on stealing your information and using remote employees as doorways into more valuable networks. This means that we need to make sure to spread valuable security knowledge to protect people while they are working at home base. ##### Gain security through knowledge by: 1. Running security software on any system which is not only connected to your home network but is also used regularly. With this current flood of attacks, the malware families being deployed will change quickly to avoid detection and be difficult to defeat without updated security tools that monitor system applications and behavior. 2. Using a virtual private network or VPN. This will not keep you protected from malware; however, it will help to keep your online activities from your browser or connection revealing [personal information or tracing your behavior. This creates an additional measure of layered](https://www.malwarebytes.com/vpn/) **[protection when you shop online.](https://www.malwarebytes.com/vpn/)** 3. Using trusted sources for information, shopping, or applications. The spread of misinformation allows many of the attacks mentioned in this report to flourish. So, relying on certain trusted vendors, websites, and news sources is the best approach. 4. Avoiding repeated entries of credit card numbers into applications. Use something like PayPal, Apple Pay, Samsung Pay, or Google Pay, which can offer greater security of your financial information and reduce the chance that your card information will be spread online. 5. Changing online service passwords on a separate, trusted computer, then thoroughly cleaning the suspected system with an anti-malware application if there are identified active infections or suspected system or data compromise. ----- ## Conclusion ###### Themed phishing campaigns usually don’t last too long. In fact, once enough information about their existence has been distributed, the attacks will become less effective and we’ll see a return to regular attacks, like those pretending to be from a bank or shipping company. What is likely going to last is the capability of organizations to have their employees working remotely to cut down on overhead or as an alternative to working in an office. This reality also means that attackers who attempt to infiltrate organizations via their remote workers will continue to develop their tactics and techniques long into the future. [blog.malwarebytes.com](http://blog.malwarebytes.com) [corporate-sales@malwarebytes.com](mailto:corporate-sales%40malwarebytes.com?subject=2020%20COVID19%20Report%20Contact) 1.800.520.2796 Malwarebytes is a cybersecurity company that millions worldwide trust. Malwarebytes proactively protects people and businesses against malicious threats, including ransomware, that traditional antivirus solutions miss. The company’s flagship product uses signature-less technologies to detect and [stop a cyberattack before damage occurs. Learn more at www.malwarebytes.com.](http://www.malwarebytes.com/business) -----