The cyber threat landscape continues to evolve as researchers from Trend Micro report that the perpetrators behind the RedLine and Vidar information stealers are shifting their tactics to include ransomware attacks. This alarming trend has been facilitated through phishing campaigns that distribute malware utilizing Extended Validation (EV) code signing certificates, which lend legitimacy to their malicious payloads.
In an analysis circulated this week, Trend Micro noted that a victim of these attacks first encountered an info-stealer variant equipped with EV code signing certificates, followed shortly by a ransomware threat delivered through the same phishing methodology. This evolution in tactics indicates a potential consolidation of operations by threat actors, who seem to be making their techniques adaptable for multiple malicious purposes.
The transition from information theft to ransomware is particularly concerning, as evidenced by a case involving a bogus TripAdvisor complaint email that served as the vector for ransomware deployment. While the initial malware was accompanied by EV certificates to circumvent security defenses, the files associated with the ransomware attack did not carry such protections. This suggests a strategic division of labor among the attackers, wherein one group specializes in creating the tools for payload delivery while another focuses on executing the ransomware component of the attack.
In a separate vein, IBM X-Force recently uncovered new phishing campaigns utilizing an enhanced malware loader known as DBatLoader. This loader, which has been operational since late June, has been crucial in distributing various malicious strains including FormBook and Remcos RAT. The versatility of DBatLoader includes capabilities for User Account Control (UAC) bypass, persistence, and process injection, all of which enhance the attacker’s ability to collect sensitive information and maintain control over compromised systems.
Attacks by DBatLoader have primarily targeted English-speaking individuals, although there have been incidents involving Spanish and Turkish speakers. Many of these malicious emails have successfully bypassed email authentication measures like SPF, DKIM, and DMARC, demonstrating the sophisticated control threat actors have over their email delivery systems. OneDrive has been frequently employed to host and disseminate additional payloads, with some campaigns relying on compromised domains or transfer services.
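The point above is that SPF, DKIM and DMARC results say only that the mail came from the domain it claims; when the sender domain is itself attacker-controlled, all three can legitimately pass. The following is an added example, not code from Trend Micro, IBM X-Force, Malwarebytes or the article's author, showing how a mail gateway check might parse an Authentication-Results header and still flag a fully authenticated message whose sender domain the organization has never seen. The message, the domain names and the "known sender" set are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Set

# Constructed sample: the header block a receiving gateway would see after it
# evaluated SPF, DKIM and DMARC. All three pass because the attacker controls
# the sending domain (example data, not taken from any of the cited reports).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is authorized) smtp.mailfrom=invoice-portal-example.test;
 dkim=pass header.d=invoice-portal-example.test;
 dmarc=pass header.from=invoice-portal-example.test
From: "Billing" <billing@invoice-portal-example.test>
To: user@example.net
Subject: Your invoice is attached

See attachment.
"""


def parse_authentication_results(value: str) -> Dict[str, Dict[str, str]]:
    """Parse an RFC 8601 Authentication-Results value into
    {method: {"result": ..., <property>: <value>, ...}}.
    The leading authserv-id (text before the first ';') and any
    parenthesized comments are dropped."""
    results: Dict[str, Dict[str, str]] = {}
    cleaned = re.sub(r"\([^)]*\)", "", value)        # strip "(comments)"
    cleaned = re.sub(r"\s+", " ", cleaned).strip()    # unfold header lines
    parts = [p.strip() for p in cleaned.split(";") if p.strip()]
    for part in parts[1:]:                            # parts[0] is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:                        # e.g. header.d=example.test
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def assess_message(raw: str, known_sender_domains: Set[str]) -> Dict[str, object]:
    """Combine the authentication verdict with a simple sender-familiarity
    check. 'known_sender_domains' stands in for whatever the organization
    uses as its first-seen / reputation data (an assumption of this example)."""
    msg = message_from_string(raw)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    auth_passed = all(
        auth.get(method, {}).get("result") == "pass"
        for method in ("spf", "dkim", "dmarc")
    )
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    if not auth_passed:
        verdict = "authentication failed or missing"
    elif from_domain not in known_sender_domains:
        # This is the case the article describes: SPF/DKIM/DMARC all pass,
        # yet the domain is new to the organization and deserves scrutiny.
        verdict = "authenticated, but sender domain not previously seen"
    else:
        verdict = "authenticated, known sender"

    return {
        "auth_passed": auth_passed,
        "from_domain": from_domain,
        "flag": verdict != "authenticated, known sender",
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed allowlist of domains the organization has corresponded with.
    known = {"example.net", "partner.example"}
    print(assess_message(SAMPLE_MESSAGE, known))
```

The lesson encoded in `assess_message` is that an authentication "pass" is a necessary but not sufficient condition for trust: the gateway still needs a second signal, such as sender history, domain age or attachment analysis, before treating the message as benign.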
Amid this evolving threat landscape, a new malvertising scheme has emerged that aims to exploit users searching for Cisco’s Webex video conferencing software. As reported by Malwarebytes, unsuspecting users could be redirected to illegitimate sites hosting BATLOADER malware. This method leverages tracking template URLs, enabling threat actors to filter potential victims and determine which users are most likely to engage with their malicious offerings.
The tactics and techniques observed in these attacks map onto the MITRE ATT&CK framework: initial access is achieved through phishing and malvertising, while persistence is often established via loaders like DBatLoader. Privilege escalation (such as UAC bypass) and credential access are inherent in the nature of the payloads being deployed, which are designed to gather sensitive information for further exploitation.
As threats like these become increasingly common and sophisticated, it is imperative for organizations to remain vigilant and proactive in their cybersecurity posture. The intertwining of information stealing and ransomware tactics represents a significant risk that demands acute awareness and robust defenses from business owners, who must prioritize the safeguarding of their digital assets.