by James Aguilan

Hackers taking advantage of the spread of COVID-19

Hackers have been running several attack campaigns across various countries, taking advantage of the spread of the Coronavirus disease (COVID-19) to distribute trojans such as Emotet, AZORult and NanoCore to steal user credentials.

Email security experts Libraesva discovered and intercepted an email masquerading as being from the director of Milan, sent to universities and claiming to provide preventative steps against the further spread of Covid-19. Brunel University London reports that the hackers’ motivation became clear when a malicious link asked for user login credentials. In one instance, an attacker designed an email to stoke curiosity by stating: “If you want to receive further information for a cure, you must click on the link below.”

One sophisticated attack method that researchers reported on involved an MS Word document purporting to come from the World Health Organization (WHO) with an embedded URL that led to a fake MS Office website. Other attackers prompt users to download an application to keep them updated on the situation; the application simply displays a map of how COVID-19 is spreading. While the user is on the page, the attackers attempt to generate a malicious binary file and install it on the user's computer. Currently, this practice is only affecting Windows systems.

Here are some preventative measures:

  • Avoid clicking on promotional links and baits in emails;
  • Google for general information, instead of clicking links from a suspicious/unknown sender;
  • Don’t proceed with any login procedure if unsure about the authenticity of a website.
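The lures described above share two tells: the visible link text does not match where the link actually goes, and the wording presses the reader to click. The following is an added example (not code from the original article or from any of the vendors it cites) of a small defender-side triage check that parses the HTML body of an email, lists its links, and flags both patterns. The sample email, the lure-phrase list and the crude domain comparison are assumptions made for the illustration.

```python
"""Triage check for credential-phishing lures in an HTML email body.

Added example, not part of the original article. Flags anchors whose visible
text names one domain while the href points at another, and anchors whose
visible text is a curiosity/urgency lure. The phrase list and the two-label
domain comparison are simplifying assumptions for the illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lure wording; a real filter would use a maintained list.
LURE_PHRASES = (
    "click on the link below",
    "further information for a cure",
    "verify your account",
)

# Constructed sample email body, modelled on the lure quoted in the article.
SAMPLE_EMAIL = """
<p>If you want to receive further information for a cure, you must click on the link below.</p>
<p><a href="https://login.office-update.example/auth">office.com</a></p>
<p><a href="https://www.who.int/">WHO guidance</a></p>
<p><a href="https://signin.example.net/">Click here to receive further information for a cure</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html):
    """Return a list of suspicious links with the reasons they were flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = urlparse(href).hostname or ""
        # Visible text that looks like a bare domain or URL but resolves elsewhere.
        looks_like_domain = "." in text and not any(ch.isspace() for ch in text)
        if looks_like_domain:
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registrable(shown_host) != registrable(href_host):
                reasons.append("displayed domain differs from link target")
        if any(phrase in text.lower() for phrase in LURE_PHRASES):
            reasons.append("lure wording in link text")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the check reports the `office.com` anchor as pointing at a different domain and the "further information for a cure" anchor for its lure wording, while the genuine WHO link passes. The same mismatch test is what the advice above asks a reader to do by hand before logging in anywhere.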

New PXJ ransomware found by X-Force IRIS

Security researchers at IBM's X-Force Incident Response and Intelligence Services reported a new PXJ malware strain containing ransomware functions. Two samples were uploaded to VirusTotal by a community user; however, the initial infection vector is unknown. PXJ starts by attempting to prevent the recovery of deleted files. It then empties the recycle bin using the “SHEmptyRecycleBinW” function.

In the next step, it runs a series of commands to prevent backups of the data it is about to encrypt. After encryption, the ransomware drops the ransom note into a file (called “LOOK.txt”), requesting that victims pay the ransom in exchange for the decryption key.

The security researchers stated that the attacker’s email addresses all appeared to be the same across the two samples. However, a new network communication was found in one of the samples.
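The behaviour chain described above (empty the recycle bin, inhibit backups, drop LOOK.txt notes) is more useful to a defender as a correlation than as three isolated indicators. The following is an added example, not code from the original article or from IBM X-Force, of a toy correlation over constructed endpoint telemetry. The event format, the `api_call` event type and the backup-inhibition command fragments are assumptions: the article does not name the commands PXJ runs, so the list here is illustrative only.

```python
"""Correlate ransomware-style staging across per-process endpoint events.

Added example, not part of the original article or X-Force's research. The
telemetry format is an assumption; the backup-inhibition command fragments
are illustrative, not indicators taken from the PXJ analysis."""
from collections import defaultdict

RANSOM_NOTE = "look.txt"                      # note name reported for PXJ
RECYCLE_BIN_API = "shemptyrecyclebinw"        # API reported for PXJ
# Assumed illustrative list; the article does not name PXJ's commands.
BACKUP_INHIBIT = ("vssadmin delete shadows", "wbadmin delete catalog")

# Constructed telemetry: one suspicious process (pid 4321) and one benign (pid 777).
EVENTS = [
    {"pid": 4321, "type": "api_call", "detail": "SHEmptyRecycleBinW"},
    {"pid": 4321, "type": "process_create",
     "detail": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4321, "type": "file_create", "detail": r"C:\Users\alice\Documents\LOOK.txt"},
    {"pid": 4321, "type": "file_create", "detail": r"C:\Users\alice\Pictures\LOOK.txt"},
    {"pid": 777, "type": "file_create", "detail": r"C:\Users\alice\Desktop\notes.txt"},
    {"pid": 777, "type": "process_create", "detail": "notepad.exe notes.txt"},
]


def correlate(events):
    """Group stage hits by process id and rate processes that show two or more stages."""
    stages = defaultdict(set)   # pid -> set of stage names observed
    notes = defaultdict(int)    # pid -> number of ransom notes written
    for ev in events:
        pid, detail = ev["pid"], ev["detail"].lower()
        if ev["type"] == "api_call" and detail == RECYCLE_BIN_API:
            stages[pid].add("recycle_bin_emptied")
        elif ev["type"] == "process_create" and any(c in detail for c in BACKUP_INHIBIT):
            stages[pid].add("backup_inhibited")
        elif ev["type"] == "file_create" and detail.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            notes[pid] += 1
            stages[pid].add("ransom_note_dropped")
    alerts = []
    for pid, seen in stages.items():
        alerts.append({
            "pid": pid,
            "stages": sorted(seen),
            "notes": notes[pid],
            # A single stage is noisy on its own; the chain is the signal.
            "severity": "high" if len(seen) >= 2 else "low",
        })
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the process that exhibits the chain is rated high; a single LOOK.txt write or a lone backup command stays low so that administrative maintenance does not page anyone. Real telemetry would key on parent/child process lineage rather than a bare pid, which is an obvious extension.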

Microsoft takes down Necurs botnet affecting 9 million devices

Recently, Microsoft announced a takedown of the infamous Necurs botnet. The botnet had affected around 9.1 million computer systems so far. The Necurs botnet is one of the largest spam botnets; it has been active since 2012 and is operated by the cybercrime gang tracked as TA505. It was involved in massive campaigns spreading malware such as the Locky ransomware, the Dridex banking Trojan, and the Scarab ransomware.

The takedown operation reportedly saw the participation of partners from across 35 countries. The botnet was observed sending 3.8 million spam messages to over 40 million targets during a 58-day-long investigation. As per Microsoft, “This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP).”

Two new vulnerabilities tracked as TRR-bypassing Rowhammer and Load Value Injection are affecting chip manufacturers

Security researchers have discovered two new vulnerabilities tracked as TRR-bypassing Rowhammer and Load Value Injection. These new vulnerabilities are a matter of concern for chip manufacturers.

Target Row Refresh (TRR)-bypassing Rowhammer is a new vulnerability discovered by VUSec Lab. The flaw is tracked as CVE-2020-10255 and bypasses the in-DRAM mitigations collectively known as ‘Target Row Refresh’ (TRR). The researchers' tool was tested on 43 DIMMs (Dual In-line Memory Modules), and they found that 13 DIMMs from the three major DRAM vendors (Samsung, Hynix and Micron) are vulnerable to the new variations of Rowhammer. LVI-LFB (Load Value Injection in the Line Fill Buffers) is a new vulnerability that affects many processors made by Intel. The vulnerability is tracked as CVE-2020-0551 and is described as a reverse Meltdown-type attack.

Researchers note that there are some limitations that make it difficult to carry out the attack. However, due to the criticality of the issue, Intel has issued new mitigation guidance and tools for LVI to reduce the overall attack surface.

Edited and compiled by cyber security specialist James Aguilan.
