20th November 2021, Kathmandu
Secure Email Getaway, also known as SEG, measures aren’t always adequate to keep phishing emails from infecting employees with ransomware, especially if the cybercriminals are leveraging genuine cloud services to host malicious URLs.
Researchers are warning of a phishing email that launched a Halloween-themed MICROP ransomware attack, which they discovered made its way into a target’s mailbox despite being protected by an SEG.
The original email claimed to require assistance with a “DWG following Supplies List,” which is allegedly connected to a Google Drive URL.
The URL is a link to an infection that downloaded a.MHT file. “Web browsers often use.MHT file extensions as a webpage archive,” Cofense researchers noted.”
After opening the file, the target is given a blurred-out and stamped form; however, the threat actor is exploiting the.MHT file to communicate with the malware payload,” the researcher continues.
The payload is delivered in the form of a downloaded.RAR file, which contains an.EXE file. According to the investigation, “the executable is a DotNETLoader that leverages VBS scripts to drop and run the MIRCOP ransomware in memory.”
The campaign isn’t particularly clever, but it was able to pass through SEGs thanks to the utilization of Google Drive.
“Its first attraction is business-oriented,” the researchers stated, noting that it uses a service – such as Google Drive – that organizations use to distribute files.” “This organization is unconcerned about being subtle, as evidenced by the quick rollout of the MHT payload to final encryption.
“Because this ransomware is so easy to spread, it’s extremely concerning that this email made its way into the inbox of a SEG-enabled environment.”
Cofense discovered the potential new danger after the recipient of this Halloween MICROP reported the email as suspicious.
A Gory Theme, Unusual Use of Skype
“The MIRCOP ransomware, also known as the Crypt888 ransomware, encrypts users’ files and holds them captive,” according to a Cofense expert.
“The threat actor offers to supply the decryption mechanism once the money requirement is met.
The threat actor leaves a set of instructions on the wallpaper for this attack.”
In addition, the user is unable to run any apps other than a few web browsers that provide them access to their email account, which is used to contact the attacker,” Cofense researchers noted in a recent publication.
“The email address is then used to set up the payment required to acquire access to the decrypting tool that the threat actor promises would unlock the files and applications,” the threat actor writes. “Since most organized ransomware gangs have specialized sites or mobile messaging apps,” they explained, “Skype as a medium for bargaining is uncommon.”
Watch Locally Stored Passwords
Another intriguing component of this campaign is a malicious program called “PI2.exe,” discovered by the Cofense team.
It collects passwords from popular online browsers such as Internet Explorer, Google Chrome, Firefox, and Opera, offering threat actors lateral network access and a point of entry for future attacks.
“Looking up the SHA256 hash of this executable on Virus Total, it can be linked to dozens of malicious executables dating back to June of this year,” according to researchers. According to Miclain Keffeler, an application security consultant with nVisium, this “tool” indicates that the shift to working outside the office exposes businesses to more of these types of attacks, which is why local password management as well as reining in cloud permissions is becoming increasingly important, as he explained to Threatpost.
“Crypt888 attempts horizontal privilege escalation by collecting passwords that users may have saved locally — passwords that will inevitably be exploited in various ways that will cause devastation on a corporation,” Keffeler warned.
According to the research, “as the cloud increases, these cached passwords become a major attack vector since they often allow vast quantities of access – with little to no security controls.”