NEW: Fake pirated software sites serve up malware droppers as a service 🏴☠️
During our recent investigation into an ongoing Raccoon Stealer campaign, we found the malware was being distributed by a network of websites acting as a “dropper as a service,”... 1/00
... serving up a variety of other malware packages, often bundling several unrelated malware families in a single dropper. These included an assortment of click-fraud bots, other information stealers, and even ransomware. 2/00
While the Raccoon Stealer campaign we tracked on these sites took place between January and April 2021, we continue to see malware and other malicious content distributed through the same network of sites. 3/00
Multiple front-end websites targeting individuals seeking “cracked” versions of popular consumer and enterprise software packages link into a network of domains used to redirect the victim to the payload designed for their platform. 4/00
We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products. 5/00
As we researched the Raccoon Stealer campaign, we discovered multiple other cases where some of these sites had been tied to other malware campaigns. 6/00
We found a variety of information stealers, click-fraud bots, and other malware delivered through the sites, including Conti and STOP ransomware.
So we began to investigate the networks behind the sites themselves... 7/00
Most of the bait pages we found are hosted on WordPress blog platforms.
Some clicks on bait pages are directed to a download site that hosts a packaged archive containing malware. Others steer to browser plugins or applications that fall in a potentially unwanted grey area. 8/00
Visitors who arrive on these sites are prompted to allow notifications. If they allow this, the websites repeatedly issue false malware alerts. 9/00
The downloads contained a variety of potentially unwanted applications and malware. We downloaded installers for STOP ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners (in addition to Raccoon Stealer). 10/00
In a bit of irony, much of this malware was delivered by downloads purporting to be installers for antivirus products, including 15 we examined that claimed to be licensing-bypassed versions of the Sophos-owned HitmanPro. 11/00
Almost all of these malware droppers are easily detectable, and all of them were detected, by signature or by behavior, by Sophos products. But because the packages are delivered inside encrypted archives, they are not detected until they are unpacked. 12/00
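The point in the tweet above is that a content scanner cannot see inside an encrypted archive, so the first place a defender can act is the archive's own metadata, which is never encrypted. The following added example (not Sophos's code) builds a constructed ZIP in memory with the "encrypted" general-purpose flag bit set on one entry, then reads the central directory the way a mail or web gateway filter could, holding an encrypted archive that carries executable content instead of waving it through. The extension list, the verdict names and the sample archive contents are assumptions for the demonstration.

```python
"""Flag archives whose contents can't be scanned until unpacked.

Added example (not Sophos's code): builds a constructed ZIP in memory with the
'encrypted' general-purpose flag bit set on some entries, then inspects the
central directory the way a gateway filter could, so that an encrypted archive
carrying executable content is held rather than handed to a scanner that can't
look inside it.
"""
import io
import struct
import zipfile
import zlib

# Extensions treated as executable content inside an archive (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".dll", ".bat", ".cmd", ".js", ".vbs", ".ps1")


def build_zip(entries):
    """Build a minimal STORED zip from (name, data, encrypted) triples.

    Only the flag bit is set for 'encrypted' entries; the payload bytes are not
    really encrypted. Constructed sample data for the demonstration only.
    """
    body, central = bytearray(), bytearray()
    for name, data, encrypted in entries:
        flags = 0x0001 if encrypted else 0x0000   # bit 0 = entry is encrypted
        crc = zlib.crc32(data) & 0xFFFFFFFF
        nb = name.encode("ascii")
        offset = len(body)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(nb), 0) + nb + data
        # central directory header (46 bytes) followed by the name
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                               crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, offset) + nb
    cd_offset = len(body)
    body += central
    # end of central directory record
    body += struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                        len(central), cd_offset, 0)
    return bytes(body)


def inspect_archive(data):
    """Return one finding per entry, read from the central directory only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x0001),
                "executable": info.filename.lower().endswith(EXECUTABLE_EXT),
                "size": info.file_size,
            })
    return findings


def verdict(findings):
    """Gateway decision: content scanners cannot see inside encrypted entries."""
    encrypted = [f for f in findings if f["encrypted"]]
    if not encrypted:
        return "scan"          # plain archive: hand to the normal content scanner
    if any(f["executable"] for f in encrypted):
        return "quarantine"    # encrypted executable: the dropper pattern described above
    return "hold"              # encrypted, no executable name: hold for review


# Constructed samples resembling a "crack" download and a harmless archive.
CRACK_ZIP = build_zip([
    ("readme.txt", b"Run setup to activate", False),
    ("Setup.exe", b"MZ" + b"\x00" * 64, True),
])
CLEAN_ZIP = build_zip([("notes.txt", b"hello", False)])

if __name__ == "__main__":
    for label, blob in (("crack", CRACK_ZIP), ("clean", CLEAN_ZIP)):
        print(label, verdict(inspect_archive(blob)), inspect_archive(blob))
```

The entry names and sizes are readable even when the data is encrypted, which is exactly why a policy keyed on "encrypted archive plus executable name" can fire at the gateway before any unpacking happens; the password-protected RAR and 7z formats expose the same information unless the archive was built with header encryption, which is a separate check.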
Indicators of compromise relating to this research have been posted to the SophosLabs Github.
SophosLabs would like to thank Anand Ajjan and Andrew Brandt for their contributions to this report.
NEW: Conti affiliates use ProxyShell Exchange exploit in ransomware attacks ⚠️
In one of the ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute...
1/14
ProxyShell represents an evolution of the ProxyLogon attack method. In recent months, the exploit has become a mainstay of ransomware attacker playbooks, including those deploying the new LockFile ransomware first seen in July. 2/14
As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours. 3/14
BlackMatter ransomware emerges from the shadow of DarkSide
1/12
In late July, a new RaaS appeared on the scene.
Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. 2/12
We decided to take a closer look at the malware and the claims being made by the new adversary to see what’s really going on... 3/12
Relentless REvil, revealed: RaaS as variable as the criminals who use it
No two criminal groups deploy the REvil ransomware-as-a-service (RaaS), also known as Sodinokibi, in exactly the same way...
(a thread) 1/11
As attacks involving RaaS malware, including REvil, increasingly have generated attention, we wanted to pull together a common body of our knowledge about the ransomware itself, and the variety we observe in attack methods employed by the criminals who lease the software. 2/11
We've also reviewed reports from Sophos Rapid Response about attacks involving Sodinokibi/REvil where the MTR team was hired to provide incident response and cleanup. From these detailed analyses, we were able to develop a picture of a common malware being deployed. 3/11
NEW on Patch Tuesday: Six in-the-wild exploits patched in Microsoft’s June security fix release
Security fixes address five critical vulnerabilities, including scripting and Defender bugs—and one actively exploited flaw in MSHTML...
(a thread) 1/7
The June security update drop has a mere 49 new vulnerability fixes, plus five synchronized fixes delivered by Adobe.
Only five of Microsoft’s bug fixes are rated as critical. But that doesn’t lessen the importance of applying patches as soon as possible. 2/7
All five critical patches are for bugs that are potentially exploitable for remote code execution (RCE). And one of them, a vulnerability in the Windows MSHTML “platform”, is already being exploited in the wild. 3/7
NEW: AMSI bypasses remain tricks of the malware trade
Malware developers continue to try to sabotage or evade Microsoft’s Antimalware Scan Interface (AMSI) in “fileless” and living-off-the-land attacks...
(a thread) 1/13
As Windows 10 and the latest generation of Windows Server platforms have risen to prominence, malware developers and malicious actors have increasingly aimed to evade detection by taking out those platforms’ anti-malware traffic cop: Microsoft’s Antimalware Scan Interface. 2/13
AMSI, introduced in 2015, provides a way for software to talk to security products, requesting scans of files, memory, or streams for malicious payloads in a vendor-agnostic way. 3/13
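Because AMSI hands script content to the security product before it runs, the bypasses the thread describes typically try to disable the interface from inside PowerShell, and the strings needed to do that are themselves good detection material. The following added example (not Sophos's code) runs a tampering check over constructed PowerShell ScriptBlockLogging (Event ID 4104) records; the indicator list and the sample script blocks are assumptions for the demonstration, drawn from publicly documented techniques (the reflection trick that flips the internal amsiInitFailed flag, and resolving AmsiScanBuffer for in-memory patching). The lesson it adds to the text is the normalisation step: attackers split the tell-tale strings with '+' and backticks, so matching has to undo that first.

```python
"""Spot AMSI-tampering strings in PowerShell script block logs.

Added example (not Sophos's code): the indicator list and the sample events are
assumptions for the demonstration, chosen from publicly documented bypass
techniques (the 'amsiInitFailed' reflection trick and AmsiScanBuffer patching).
The point is the normalisation step: attackers split the strings with '+' and
backticks so that naive substring matching misses them.
"""
import re

# Substrings that legitimate scripts almost never contain (assumed list).
INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext", "amsi.dll")

_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")   # 'Amsi'+'Utils'  ->  'AmsiUtils'


def normalize(script):
    """Undo the cheapest string-splitting tricks before matching."""
    script = script.replace("`", "")             # "Am`si`Utils" -> "AmsiUtils"
    script = _CONCAT.sub("", script)             # join adjacent string literals
    return script.lower()


def detect_amsi_tampering(script):
    """Return the sorted list of indicators present in one script block."""
    text = normalize(script)
    return sorted(i for i in INDICATORS if i in text)


def scan_events(events):
    """Run the check over Event ID 4104 records; keep only the hits."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("event_id") != 4104:
            continue
        found = detect_amsi_tampering(ev["script_block"])
        if found:
            hits.append({"index": idx, "indicators": found})
    return hits


# Constructed sample records in the shape of PowerShell ScriptBlockLogging events.
SAMPLE_EVENTS = [
    {"event_id": 4104, "script_block": "Get-Process | Where-Object CPU -gt 100"},
    {"event_id": 4104, "script_block":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"event_id": 4104, "script_block":
        "[Ref].Assembly.GetType('System.Management.Automation.'+'Am'+'si'+'Utils')"
        ".GetField(\"amsiInit`Failed\",'NonPublic,Static').SetValue($null,$true)"},
    {"event_id": 4104, "script_block":
        "$p=[Runtime.InteropServices.Marshal]::GetProcAddress($h,'Amsi'+'ScanBuffer')"},
    {"event_id": 4103, "script_block": "AmsiUtils mentioned in a non-4104 record"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

This catches only the cheapest obfuscation; char-array joins, -f format strings and Base64-encoded commands need their own normalisation, which is why the more reliable signal for a blinded AMSI is often the absence of expected scan events after a 4104 block like these, rather than the block's text alone.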
A bare-bones ransomware offloads most of its functionality to a cache of PowerShell scripts...
(a thread) 1/13
Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red.
The malware was delivered as the final executable payload in a hand-controlled attack in which every other early-stage component was a PowerShell script. 2/13
While the name and tooling were unique to this attacker, the ransom note left behind resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections.
There were no other obvious similarities between the Epsilon Red ransomware and REvil. 3/13