Latest Cyber-Attack Threats – September 2019

Spotted in the Wild

September 2019 has been a month full of surprises. With the return of Emotet, fEstasAzulCorrupta spotted again, more creative phishing campaigns and even more ransomware attacks, it has not been uneventful in the slightest. Here are some of the identifiers to look out for.

Emotet

First launched as a banking trojan back in 2014, Emotet has ‘evolved’ into an email spamming malware delivery system. It’s designed to evade detection by some anti-malware products and spreads between connected computers with its worm-like capabilities, dropping malware wherever it goes. The US Department of Homeland Security has concluded that it’s among the most costly and destructive malware, affecting government and private sectors, organisations and individuals, at a cost of upwards of US$1 million per incident.


The above image was taken from the alert posted by the US Department of Homeland Security.

This is Emotet’s typical path of attack. The full alert details are available on the CISA website.


fEstasAzulCorrupta

This is a computer virus made specifically to corrupt MS Office files. It’s generally packed into compromised software found on file-sharing networks (e.g. torrents) or attached to freeware. Once executed, it injects files into Windows, like a trojan, and embeds itself into the registry so that it loads during the Windows start-up process. fEstasAzulCorrupta will then proceed to add code into any and all MS Word, Excel and PowerPoint files stored on the infected computer, rendering them unreadable and corrupted, and renames the files to include its name. For example, ‘my document.docx’ will become ‘my document(fEstasAzulCorrupta).docx’ and no, renaming it back will not fix the file.


This virus strain is not new: sighting reports go back to 2013, and its behaviour is that of an early-day ransomware package. Most, if not all, modern anti-malware software will detect and remove the malicious files. There are some cases where files have been corrupted and the malware removed afterwards. Luckily, this is not ransomware and the corruption is limited to a few lines of code in the documents. Tools are available to repair/recover files corrupted by this virus.
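Because the virus leaves a consistent fingerprint in file names (the ‘(fEstasAzulCorrupta)’ tag before the extension), an inventory of affected documents can be built without touching the files themselves. The following Python script is an added example, not code from the original post or from any recovery tool it mentions; it only reports tagged Office files and their pre-infection names so they can be handed to a repair tool, and it deliberately does not rename anything, since the post notes that renaming does not repair the file. The set of extensions checked and the sample file names in `demo()` are assumptions constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Office extensions the post says the virus targets (Word, Excel, PowerPoint).
# Assumption: both legacy and OOXML extensions are in scope.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Marker appended to the file stem: 'my document.docx' -> 'my document(fEstasAzulCorrupta).docx'
TAGGED_RE = re.compile(r"^(?P<stem>.*)\(fEstasAzulCorrupta\)(?P<ext>\.[^.]+)$", re.IGNORECASE)


def original_name(filename):
    """Return the pre-infection file name for a tagged Office file, or None if not tagged."""
    m = TAGGED_RE.match(filename)
    if not m or m.group("ext").lower() not in OFFICE_EXTENSIONS:
        return None
    return m.group("stem") + m.group("ext")


def find_tagged_files(root):
    """Walk root and return sorted (path, original_name) pairs for every tagged Office file.

    Report only: the files are left untouched for a dedicated repair tool.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig:
                hits.append((os.path.join(dirpath, name), orig))
    return sorted(hits)


def demo():
    """Scan a constructed sample tree (empty placeholder files) and return the original names found."""
    sample_names = [
        "my document(fEstasAzulCorrupta).docx",
        "budget(fEstasAzulCorrupta).xlsx",
        "clean.docx",                           # untouched file, must not be reported
        "notes(fEstasAzulCorrupta).txt",        # tagged but not an Office file, not reported
        "sub/slides(fEstasAzulCorrupta).pptx",  # tagged file in a subdirectory
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample_names:
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        return [orig for _path, orig in find_tagged_files(tmp)]


if __name__ == "__main__":
    for orig in demo():
        print("tagged file found, original name:", orig)
```

Run it against a real share by calling `find_tagged_files("/path/to/documents")`; the returned list is the input for whichever repair tool is used, and the `.txt` case in `demo()` shows why the extension filter matters: the tag alone is not proof that the file is one of the corrupted Office documents.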


Local Phishing attack

Lastly, we have a credential phishing campaign looking to steal MWEB user credentials. It specifically targets MWEB subscribers and requests verification to ‘enhance account security’, with the threat of being unable to enjoy full account access and of limited service.

Ignoring one or two mistakes in the email body, all looks in order. The giveaway signs here are the sender’s email address, the email signature (mweb.co.za Administrator) and the advertising at the bottom. The ‘Register for Mweb.co,za’ link is also fake – it’s not really a link, just blue underlined words. All the working links in this email navigate away from MWEB’s website.

The ‘Click Here’ link navigates to a blank login page which lacks any MWEB branding, as seen in Figure 1 below.

Figure 1 ‘Click Here’ fake login page


When compared to the real MWEB login page in Figure 2, the difference is clear. This page has all the MWEB branding including the correct URL, a forgotten password link and a working chat/help window.

Figure 2 MWEB user login page

Anyone who completes the login request shown in Figure 1 is giving their credentials to an unknown, probably malicious, party.
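The giveaway the post relies on most, that every working link leaves MWEB’s website, can be checked mechanically before anyone clicks. The Python below is an added example, not code from the original post or from MWEB; it parses the anchors out of a constructed HTML email body, extracts each link’s host, and flags any host that is not mweb.co.za or a subdomain of it. The sample email text, the hostnames in it and the choice of mweb.co.za as the expected domain are assumptions made for the example. The suffix check is strict on purpose: a lookalike host that merely starts with the brand name does not pass.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand the email claims to come from; change per campaign.
EXPECTED_DOMAIN = "mweb.co.za"

# Constructed sample modelled on the indicators described in the post.
SAMPLE_EMAIL = """
<p>Dear MWEB subscriber, please verify your account to keep full access.</p>
<p><a href="http://account-verify.example.net/login">Click Here</a> to verify now.</p>
<p><a href="https://www.mweb.co.za/help">Help centre</a></p>
<p><a href="http://mweb.co.za.evil.example/">mweb.co.za</a></p>
<p><u style="color:blue">Register for Mweb.co,za</u></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domain):
    """True only if host is exactly domain or a subdomain of it (label-boundary check)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_links(html_body, expected_domain=EXPECTED_DOMAIN):
    """Return one record per http(s) link: visible text, href, host, and whether it is off-domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        host = parsed.hostname or ""
        report.append({
            "text": text,
            "href": href,
            "host": host,
            "off_domain": not host_matches(host, expected_domain),
        })
    return report


def off_domain_hrefs(html_body, expected_domain=EXPECTED_DOMAIN):
    """Convenience wrapper: just the hrefs that leave the expected domain."""
    return [r["href"] for r in audit_links(html_body, expected_domain) if r["off_domain"]]


if __name__ == "__main__":
    for r in audit_links(SAMPLE_EMAIL):
        flag = "OFF-DOMAIN" if r["off_domain"] else "ok"
        print(f"{flag:10} {r['text']!r} -> {r['host']}")
```

The underlined ‘Register for Mweb.co,za’ text in the sample is not an anchor at all, so it never appears in the report; that matches the post’s observation that it is just blue underlined words, and it is a reminder that visual cues and actual hyperlinks have to be checked separately.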

Phishing attacks are successful because many people don’t assess the legitimacy of the requests in these schemes. What happens after the credentials are stolen is sure to be bad. Depending on their intentions, the thief may rack up exorbitant bills, transfer funds, spam all friends, family and associates, access other associated accounts or commit identity theft.


These threats and schemes are all currently circulating the internet. Be vigilant, cautious and mindful of attachments, links and the websites visited. Sometimes it’s good to be a little paranoid.