In recent developments, threat actors responsible for the RedLine and Vidar information stealers have exhibited a notable shift towards ransomware operations.
This transition has been primarily facilitated through phishing campaigns, deploying initial payloads that are cryptographically signed with Extended Validation (EV) code signing certificates. This strategic adaptation signifies a convergence of tactics, allowing these threat actors to optimize their nefarious activities.
Cybersecurity experts at Trend Micro have observed this evolution, highlighting the threat actors’ inclination towards multipurpose techniques. A notable incident, investigated by the team, involved an anonymous victim who initially encountered a piece of information-stealing malware equipped with EV code signing certificates. Subsequently, the same delivery method was employed to introduce ransomware into the victim’s environment.
It’s worth noting that prior to this shift, QakBot infections had utilized samples signed with valid code signing certificates to bypass security measures.
These attacks typically commence with phishing emails, leveraging well-established baiting tactics to deceive victims into executing malicious attachments. These attachments, often disguised as innocuous PDF or JPG files, are, in fact, executables that trigger the compromise process upon execution.
In one such campaign, while the victim initially received information-stealing malware in July, a ransomware payload was delivered in early August via an email attachment purporting to be a TripAdvisor complaint (“TripAdvisor-Complaint.pdf.htm”).
This sequence of events culminated in the deployment of ransomware. Notably, the files responsible for delivering the ransomware payload did not possess EV certificates, although they originated from the same threat actor and followed the same delivery method. This suggests a division of labor within the malicious group, with one party specializing in payload provision and the other in operational execution.
Simultaneously, IBM X-Force has identified new phishing campaigns disseminating an enhanced version of the malware loader, DBatLoader. This loader, which previously served as a conduit for distributing FormBook and Remcos RAT earlier this year, now exhibits enhanced capabilities, including User Account Control (UAC) bypass, persistence, and process injection.
These improvements indicate active maintenance aimed at deploying malicious programs capable of collecting sensitive information and enabling remote control of compromised systems.
These recent attacks, detected since late June, are designed to distribute various forms of commodity malware, including Agent Tesla and Warzone RAT. While English-speaking users have been the primary targets, emails in Spanish and Turkish have also been observed.
In several instances, threat actors have demonstrated control over email infrastructure, allowing malicious emails to pass SPF, DKIM, and DMARC email authentication methods. Additionally, a majority of campaigns have utilized OneDrive for staging and retrieving additional payloads, with some utilizing transfer[.]sh or newly compromised domains.
In a related development, Malwarebytes has unveiled a malvertising campaign targeting users seeking Cisco’s Webex video conferencing software on search engines like Google. This campaign redirects users to a counterfeit website that propagates the BATLOADER malware.
BATLOADER establishes contact with a remote server to download a second-stage encrypted payload, known as DanaBot. Notably, threat actors employ a novel technique involving tracking template URLs for filtering and redirection, enabling them to identify potential victims of interest.
These events underscore the evolving tactics and persistent threat posed by cybercriminals. Organizations and individuals must remain vigilant, enhance their cybersecurity measures, and stay informed about emerging threats to effectively counter these evolving challenges.
