New Emotet Campaign after 5 Months of Inactivity
After several months of inactivity, Emotet is back with a massive sending of reply-chain and payment emails, among others, that include malicious Word documents attachments aimed at users all over the world. Researcher Joseph Roosen stated that the Emotet botnet would be spewing forth massive amounts of spam, including malicious documents with updated URLs, commonly of compromised WordPress sites. Once the victim is infected, the malware would deploy further modules that steal the victim’s mail, spread to other computers, or use the infected computer to send spam.
Ransomware Incident against Blackbaud
Blackbaud, a software and cloud storage provider, has reported having suffered an unidentified ransomware incident. According to the company, last May actors performed an attack on its internal network with the aim of deploying ransomware. As a result, the security team managed to prevent the encryption of files belonging to Blackbaud by expelling the malicious actors from the network. However, prior to their locking cybercriminals out, these managed to steal the information of a small subset of customers, which have already been notified. Consequently, the attackers have already threatened to make the stolen information public unless a ransom is paid. The company has guaranteed that it will meet these demands and will pay for the deletion of the data. This incident adds to the current trend of double extortion that characterizes this type of attack, where not only is the information encrypted, but it is also stolen and a ransom is demanded, both to decrypt it and not to make the files public.
Exploit for RCE Vulnerability in SharePoint
Security researcher Steven Seeley has published details of how the critical vulnerability CVE-2020-1147 can be exploited in SharePoint to achieve remote code execution as a low-privileged user. In this case, Seeley has demonstrated how, by making use of DataSet objects, code execution can be achieved by using the “LosFormatter.Deserialize” method. To do so, a base64 payload must be generated. Once this has been done, this payload could be plugged into a specific DataSet and thus achieve remote code execution against the target SharePoint server. This method could be used against several applications built with .NET, so even if the user does not have a SharePoint Server installed, it could still be impacted by this bug.
Phishing Campaigns on Cloud Services
Check Point’s research team has published their research warning about the use of cloud services such as Google Cloud or Microsoft Azure for phishing campaigns. In January 2020, researchers detected a PDF document on Google Drive that included a link to a phishing page hosted on Google’s servers. In this incident, the threat actors spoofed a SharePoint login page requesting user or corporate credentials in order to exfiltrate the information. During all these stages, users do not suspect any malicious activity since the phishing page is hosted on Google Cloud Storage and the HTTPS encryption protocol is displayed. One way to identify these scams was to view the source code of the phishing page, because it could be identified that most of the resources were loaded from a website belonging to the malicious actors. However, more recent attacks reveal that threat actors have started using Google Cloud Functions, a service that allows the running of code in the cloud, thus obfuscating attackers’ malicious domains.
Emotet Botnet Is Spreading QakBot Malware
Cryptolaemus has reported that recently Emotet has started spreading QakBot malware. This campaign would use e-mails as attack vector for the spread of this malware obfuscated in malicious documents. It should be noted that in recent days the MalwareBytes team has warned of a new Emotet campaign after five months of inactivity, which has traditionally been linked to the distribution of another malicious tool named Trickbot. However, this new finding could show that there is a new trend regarding the distribution of Qakbot, as Cryptolaemus claims to have observed the absence of TrickBot in the most recent Emotet attacks. The researcher also indicated that there is a history of change in the distribution of malware, although this does not occur frequently. One such change was already observed last year, so it is considered likely that TrickBot will be used again in the future and resume its traditional attack methodology.