Issue 17: The New Phishing Kit With Real-time Victim Interaction, Excel Macro Malware Hits Ukraine And More
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top Stories 07 June 2024:
Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers
Snowflake, a cloud computing and analytics company, has reported that a limited number of its customers have been targeted in a recent campaign. According to a joint statement from Snowflake, CrowdStrike, and Mandiant (a subsidiary of Google), there is no evidence to suggest that this activity resulted from a vulnerability, misconfiguration, or breach of Snowflake's platform, nor from compromised credentials of current or former personnel.
The attack appears to be directed at users with single-factor authentication, with threat actors using credentials acquired via information-stealing malware. Charles Carmakal, CTO of Mandiant, highlighted on LinkedIn that these actors are compromising Snowflake customer tenants by logging into databases configured with single-factor authentication.
Snowflake is advising organisations to enable multi-factor authentication (MFA) and restrict network traffic to trusted locations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert recommending that organisations follow Snowflake's guidance to detect and prevent unauthorised access. Similarly, the Australian Cyber Security Centre (ACSC) warned of successful compromises of several companies using Snowflake environments.
Indicators of compromise include connections from clients identifying as "rapeflake" and "DBeaver_DBeaverUltimate." This advisory follows reports of increased malicious activity targeting Snowflake customer accounts.
Previously, cybersecurity firm Hudson Rock suggested that breaches at Ticketmaster and Santander Bank were due to stolen Snowflake employee credentials, a claim later retracted after legal intervention from Snowflake. ShinyHunters, who claimed responsibility for these breaches, dismissed Hudson Rock's explanation as disinformation.
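As an added illustration (not part of the original roundup or Snowflake's own guidance), the following Python triage routine applies the advisory's three points to login telemetry: the client identifiers named as indicators, single-factor logins, and connections from outside a trusted network. The rows mimic columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and SESSIONS views; the sample rows, the 203.0.113.0/24 trusted range and the "DUO_PUSH" factor value are constructed for the example.

```python
"""Triage of Snowflake login telemetry for the credential-theft pattern above.
Rows mimic SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY joined with the SESSIONS view
(CLIENT_APPLICATION_ID). All sample data below is constructed."""
import ipaddress

# Client identifiers named in the advisory as indicators of compromise.
SUSPICIOUS_CLIENTS = {"rapeflake", "DBeaver_DBeaverUltimate"}

# Assumption: the egress ranges a Snowflake network policy would allow.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage_logins(rows):
    """Return (user, reason) findings for successful logins matching the
    campaign's tradecraft: IoC client string, single-factor auth, or an
    untrusted source IP. Failed attempts are skipped as noise for this check."""
    findings = []
    for r in rows:
        if not r["IS_SUCCESS"]:
            continue
        user = r["USER_NAME"]
        client = r.get("CLIENT_APPLICATION_ID") or ""
        if any(client.lower().startswith(s.lower()) for s in SUSPICIOUS_CLIENTS):
            findings.append((user, f"ioc_client:{client}"))
        if r.get("SECOND_AUTHENTICATION_FACTOR") is None:
            findings.append((user, "single_factor_login"))
        if not is_trusted_ip(r["CLIENT_IP"]):
            findings.append((user, f"untrusted_ip:{r['CLIENT_IP']}"))
    return findings


SAMPLE_ROWS = [  # constructed, not real telemetry
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "203.0.113.10", "IS_SUCCESS": True,
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "CLIENT_APPLICATION_ID": "Snowsight"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": True,
     "SECOND_AUTHENTICATION_FACTOR": None, "CLIENT_APPLICATION_ID": "rapeflake"},
    {"USER_NAME": "ANALYST2", "CLIENT_IP": "198.51.100.8", "IS_SUCCESS": False,
     "SECOND_AUTHENTICATION_FACTOR": None,
     "CLIENT_APPLICATION_ID": "DBeaver_DBeaverUltimate 23.1"},
]

if __name__ == "__main__":
    for user, reason in triage_logins(SAMPLE_ROWS):
        print(user, reason)
```

A service account that logs in without a second factor from an untrusted range with an IoC client string, as in the second row, is the combination the advisory describes and should be reviewed first.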
Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine
A cyber attack targeting endpoints geolocated in Ukraine has been identified, aiming to deploy Cobalt Strike and seize control of compromised hosts. Fortinet FortiGuard Labs detailed that the attack begins with a Microsoft Excel file containing an embedded VBA macro to initiate the infection.
Cara Lin, a security researcher, reported that the attack employs a multi-stage malware strategy to deliver the Cobalt Strike payload and establish communication with a command-and-control (C2) server. The attackers use various evasion techniques to ensure the successful delivery of the payload.
Cobalt Strike, a legitimate adversary simulation toolkit developed by Fortra for red teaming operations, has been frequently exploited by threat actors using cracked versions. The attack commences with an Excel document that prompts the victim to "Enable Content" to activate macros, displaying content in Ukrainian related to military funding. Despite Microsoft blocking macros by default in Office since July 2022, enabling macros triggers the deployment of a DLL-based downloader via the regsvr32 utility.
The downloader is obfuscated and monitors for processes related to Avast Antivirus and Process Hacker, terminating itself if detected. If no such processes are identified, it reaches out to a remote server to fetch the next-stage encoded payload, proceeding only if the device is located in Ukraine. The decoded payload, a DLL, launches another DLL file, an injector essential for deploying the final malware.
The attack culminates in the deployment of a Cobalt Strike Beacon, establishing contact with a C2 server (simonandschuster[.]shop). The attacker uses location-based checks to mask suspicious activity and evade scrutiny. Encoded strings in the VBA conceal crucial import strings, aiding the deployment of DLL files for persistence and decryption of subsequent payloads. Additionally, self-deletion and DLL injector techniques are employed to evade sandboxing and anti-debugging mechanisms.
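As an added detection example (not from the original article or from FortiGuard Labs), the following Python routine flags the first visible stage of the chain above: an Office process launching regsvr32.exe against a DLL in a user-writable location. The pipe-delimited, Sysmon-style key=value log format and all sample lines are constructed for the example.

```python
"""Detection logic for the Excel-to-regsvr32 stage described above: Office
spawning regsvr32.exe to register a DLL from a user-writable path.
Log lines are constructed 'ts|Key=Value|...' records (format is an assumption)."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Paths a DLL downloader would typically drop into; System32/Program Files excluded.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    ts, *fields = line.strip().split("|")
    ev = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_office_regsvr32(ev: dict) -> bool:
    """True when an Office parent runs regsvr32 on a DLL outside system dirs."""
    if basename(ev.get("ParentImage", "")) not in OFFICE_PARENTS:
        return False
    if basename(ev.get("Image", "")) != "regsvr32.exe":
        return False
    return bool(USER_WRITABLE.search(ev.get("CommandLine", "")))


def detect(lines):
    return [ev["CommandLine"] for ev in map(parse_event, lines) if is_office_regsvr32(ev)]


SAMPLE_LOG = [  # constructed sample telemetry
    r"2024-06-05T09:01:10Z|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\update.dll",
    r"2024-06-05T09:02:00Z|ParentImage=C:\Windows\System32\msiexec.exe"
    r"|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
    r"2024-06-05T09:03:30Z|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image=C:\Windows\System32\splwow64.exe|CommandLine=splwow64.exe 12288",
]

if __name__ == "__main__":
    for cmd in detect(SAMPLE_LOG):
        print("ALERT office->regsvr32:", cmd)
```

The installer-driven registration in the second line and the print-spooler helper in the third are the kind of benign Office and regsvr32 activity the parent and path checks are there to leave alone.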
New V3B Phishing Kit Targets Customers of 54 European Banks
Cybercriminals are marketing a new phishing kit called 'V3B' on Telegram, currently targeting customers of 54 major financial institutions across Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy. The kit is priced between $130 and $450 per month, depending on the features purchased, and includes advanced obfuscation, localisation options, support for OTP/TAN/2FA, live chat with victims, and various evasion mechanisms.
Resecurity researchers discovered V3B and noted that its Telegram channel already has over 1,250 members, indicating that this phishing-as-a-service (PhaaS) platform is rapidly gaining popularity in the cybercrime community. V3B uses heavily obfuscated JavaScript and a custom content management system (CMS) to evade detection by anti-phishing tools and search engine bots, and to protect from researchers. It features professionally translated pages in multiple languages such as Finnish, French, Italian, Polish, and German, enabling threat actors to conduct multi-country campaigns.
Designed for both mobile and desktop platforms, the V3B kit can intercept banking account credentials, credit card details, and other sensitive information. The admin panel, known as uPanel, allows fraudsters to interact with victims in real time through a chat system, facilitating the extraction of one-time passwords (OTPs) via custom notifications. The kit also includes a QR code login jacking feature to exploit the familiarity and trust associated with QR codes used by legitimate services.
Notably, V3B supports advanced authentication methods such as PhotoTAN and Smart ID, which are used by German and Swiss banks, indicating a shift towards bypassing more secure authentication technologies. This adaptation suggests that fraud prevention teams will face increased challenges in combating account takeovers for both private and corporate customers.
Phishing kits like V3B are crucial enablers of cybercrime, allowing low-skilled threat actors to launch highly damaging attacks. Recently, a significant PhaaS operation, LabHost, was dismantled by law enforcement, resulting in 37 arrests, including the original developer. LabHost had targeted mainly U.S. and Canadian banks, launching attacks through 40,000 domains with 10,000 users worldwide.
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!