“Devil with a Silver Tongue” and Attacks on Public Faces

Microsoft recently announced that it has been quietly developing countermeasures against malicious actors who target specific individuals. Among the latest attacks of this type, those by Candiru, the group responsible for distributing the DevilsTongue malware, stand out.

Over the past year, Candiru has operated under a variety of names, one of the latest being “Sourgum”. Its attacks have affected more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy officials, and even political dissidents. Microsoft’s latest Patch Tuesday release included fixes for a number of vulnerabilities that Candiru exploited; however, there is no guarantee that this closed every possible attack vector.

What sets Candiru apart is that the group uses undocumented exploits and goes after specific victims, so patching alone will not stop it. Countering such activity requires behavioral detection of suspicious activity.

Zip it up, zip it up again!

Researchers have discovered a new phishing campaign distributing the BazarBackdoor malware. To evade antivirus scanners, the attackers archive the malware several times and then pass the result off as an image.

While this distribution and masking technique is not new at all, it bypasses a number of defenses and regularly slips through some vendors’ email gateways. The attack covered in today’s digest used a World Environment Day mailing as its lure, which deceived many users who wanted to see what picture had been sent to them in honor of the date the UN declared a day for the protection of nature.
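The evasion described above relies on a mail gateway stopping at the first archive layer and trusting the file name. An added example (not code from the original digest or from any vendor) of the check a gateway should do instead: recursively open nested zips, sniff the magic bytes of each leaf, and flag members whose extension claims an image while the content is something else, along with deep nesting, encrypted members and oversized members it refuses to inflate. The magic-byte table, the thresholds and the sample attachment are all constructed for this example.

```python
import io
import os
import zipfile

# Magic bytes for the few types this example cares about (constructed table, not exhaustive).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe",           # Windows executable / DLL
    b"PK\x03\x04": "zip",
}
IMAGE_KINDS = {"jpeg", "png", "gif"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

MAX_DEPTH = 8                   # stop descending into absurdly deep nesting (assumed limit)
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate huge members: zip-bomb guard (assumed limit)


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def walk(data, path, depth=0):
    """Yield (path, depth, kind) for every non-archive leaf, descending into nested zips."""
    kind = sniff(data)
    if kind != "zip" or depth >= MAX_DEPTH:
        yield path, depth, kind
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:              # encrypted member: cannot inspect content
                yield member, depth + 1, "encrypted"
            elif info.file_size > MAX_MEMBER:     # declared size too large to inflate safely
                yield member, depth + 1, "oversized"
            else:
                yield from walk(zf.read(info), member, depth + 1)


def scan_attachment(data, filename):
    """Return a list of (member path, reason) findings for one email attachment."""
    findings = []
    for path, depth, kind in walk(data, filename):
        ext = os.path.splitext(path)[1].lower()
        if kind in ("encrypted", "oversized"):
            findings.append((path, f"{kind} member, content not inspected"))
        elif ext in IMAGE_EXTS and kind not in IMAGE_KINDS:
            findings.append((path, f"extension says image, content is {kind}"))
        if depth >= 2:
            findings.append((path, f"nested {depth} archives deep"))
    return findings


def _zip(members):
    """Build an in-memory zip from a {name: bytes} mapping (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a PE stub named like a photo, zipped twice, mimicking the lure above.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ATTACHMENT = _zip({"photos.zip": _zip({"environment_day.jpg": FAKE_PE})})
# Constructed benign sample: a real JPEG header inside a single archive layer.
BENIGN_ATTACHMENT = _zip({"cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16})


if __name__ == "__main__":
    for path, reason in scan_attachment(SAMPLE_ATTACHMENT, "world_environment_day.zip"):
        print(f"FLAG {path}: {reason}")
    print("benign findings:", scan_attachment(BENIGN_ATTACHMENT, "cat.zip"))
```

The point of sniffing rather than trusting the name is that the "image" only needs to fool a human, and a gateway that never looks past the outer archive never sees the mismatch. Encrypted and oversized members are reported as uninspected rather than silently passed, since both are common ways to keep a scanner from seeing the payload.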

By the way, according to our data, such attacks account for about 80% of security incidents, and 94% of malware is delivered to victims’ computers via email.

Cryptojacking Trojan Attacks Linux Systems

Another malicious campaign, launched from Romania, targets Linux systems, whose users often consider themselves safe from most threats. Once on a machine, the Trojan installs the XMRig Monero miner. To get there, the attackers first gain access to the system by brute-forcing credentials with a purpose-built tool called “Diicot brute”, written in Golang.

This group of cybercriminals has previously installed IRC bots and various variants of the Demonbot DDoS botnet. Its tactics allow reliable communication between the attacker’s and the victim’s machines over a Discord channel, so there is no need for a central C&C server that vigilant security teams could simply take down.

In the case of these Romanian attacks, there is nothing to take down, and users can only rely on security systems that detect the intrusion into the computer and the malicious activity that follows.
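Since the initial access in the Linux campaign above is plain credential brute-forcing, the intrusion is visible in the host’s own authentication log long before any miner runs. An added example (not code from the original digest or from the researchers who reported the campaign) of that detection logic: a sliding-window count of failed SSH passwords per source address, and, more importantly, an alert when a source that was already flagged for brute-forcing subsequently gets an accepted login. The log lines are constructed in OpenSSH syslog format with documentation-range addresses; the threshold, window and assumed year are arbitrary choices for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog lines: "Failed password for [invalid user] NAME from IP port N ssh2" and the
# matching "Accepted password ..." line. Public-key logins are out of scope for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

THRESHOLD = 5                 # failures from one source before it is flagged (assumed)
WINDOW = timedelta(minutes=2) # sliding window for counting those failures (assumed)
ASSUMED_YEAR = 2021           # syslog timestamps carry no year; fixed here for the sample


def parse(line):
    """Return (timestamp, result, user, ip) for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["result"], m["user"], m["ip"]


def detect(lines):
    """Return a list of (alert type, source ip, detail) tuples in log order."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures inside WINDOW
    flagged = set()                 # ips already reported for brute-forcing
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                minutes = WINDOW.seconds // 60
                alerts.append(("brute_force", ip, f"{len(q)} failures within {minutes} min"))
        elif ip in flagged:
            # A success after a flagged run of failures is the signal that matters most:
            # the guessing most likely worked, and whatever follows (a miner, a bot) is post-compromise.
            alerts.append(("brute_force_success", ip, f"accepted login as {user} after flagged failures"))
    return alerts


# Constructed sample log: one source hammering sshd and then getting in, two benign events.
SAMPLE_LOG = [
    "Jul 20 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jul 20 10:15:05 web01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2",
    "Jul 20 10:15:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Jul 20 10:15:12 web01 sshd[2207]: Failed password for bob from 198.51.100.2 port 40000 ssh2",
    "Jul 20 10:15:13 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Jul 20 10:15:17 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51242 ssh2",
    "Jul 20 10:15:21 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51244 ssh2",
    "Jul 20 10:15:40 web01 sshd[2215]: Accepted password for alice from 192.0.2.10 port 50100 ssh2",
    "Jul 20 10:16:02 web01 sshd[2217]: Accepted password for root from 203.0.113.7 port 51300 ssh2",
]


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print(f"{kind:20} {ip:15} {detail}")
```

Keying on the success-after-failures event rather than on failure volume alone keeps the noise of ordinary internet scanning out of the alert queue while still catching the case this campaign depends on: a weak password that eventually falls.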

The ‘new normal’ never became the norm in terms of phishing

The COVID-19 pandemic created an ideal breeding ground for phishers targeting hundreds of thousands of people working from home. Most of them rely on remote access systems, and a recent survey found the situation in this area alarming.

74% of companies have fallen victim to phishing attacks, and 40% in the last month alone. At the same time, 80% of organizations noted a significant increase in the number of phishing attempts aimed at their employees.

The root of the problem has long been known: many had to switch quickly to new digital solutions without reliable infrastructure, established regulations, or practices in place. About 70% of respondents reported that they had not been able to conduct enough information security training, and 52% lack the IT staff to support a distributed team. Under these conditions, it is not surprising that almost half (47%) of phishing attacks were successful. And often, deceiving just one employee gives attackers access to the entire corporate network.

Windows Trojan takes over Mac territory

A new variant of FormBook, the world’s third most popular malware, has been spotted on macOS for the first time. The Mac version turned out to be a port of XLoader, the newest member of the FormBook family, and is already available on underground forums for just $49 a month.

XLoader has already been used in attacks in 96 countries, although its focus is on the United States (53% of victims are from that country). The Trojan can steal credentials from browsers, take screenshots, log keystrokes, and download and install any additional payloads.

I must say that more and more malware now targets Mac systems, since about 20.2 million new Apple systems were sold in 2020 alone. Even the manufacturer’s move away from Intel processors does not stop malware developers from increasingly trying to attack macOS, and these attempts are often successful. It seems Apple users still need to treat security software as the same must-have that owners of Windows computers do.