In the realm of cybersecurity, it is essential to remain alert to the evolving tactics of cybercriminals. Recently, the entities responsible for the RedLine and Vidar information stealers have adopted a new strategy: merging phishing campaigns with Extended Validation (EV) certificates to dispense ransomware payloads. This shift in tactics not only allows for a smoother operation but also enhances the success rate of their campaigns. Notably, these operations have exhibited a well-organized division of labor between the payload providers and operators. This article delves deep into the technical details of this emerging threat, emphasizing the techniques these criminals employ and their potential impacts.

Technical Analysis of the Recent Phishing Campaigns

Phishing Emails with Convincing Lures

Initially, these cybercriminals launch their attack through phishing emails. They craft these messages meticulously, focusing on current concerns such as health or hotel accommodations to grab the user’s attention quickly. This strategy instills a sense of urgency in the recipient, urging them to open attachments that seemingly contain relevant information. Unfortunately, these attachments, appearing as harmless PDF or JPG files, harbor malicious executable files. The criminals count on the likelihood that many users have file extensions hidden, concealing the true nature of these dangerous files.
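The hidden-extension lure described above can be screened for at the mail gateway or in attachment logs. The following is an added example, not code from the article or from any vendor named in it; it checks attachment file names for an executable extension hidden behind a document or image extension, tolerating the whitespace padding and mixed case attackers use to push the real extension out of view (the sample attachment names are constructed):

```python
# Extensions Windows will execute directly or hand to a script host.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
# Document and image extensions typically used as the visible "lure" part.
LURE_EXTS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}

# Constructed sample of attachment names as they might appear in gateway logs.
SAMPLE_ATTACHMENTS = [
    "Hotel_Booking.pdf.exe",          # classic double extension
    "Covid_Test_Results.JPG .scr",    # padding and mixed case
    "invoice.pdf",                    # benign document
    "setup.exe",                      # executable, but not disguised
    "README",                         # no extension at all
]


def classify_attachment(name):
    """Return a verdict for one attachment name.

    executable: the final extension is one Windows will run.
    disguised:  it is executable AND a document/image extension precedes it,
                i.e. the name reads as a harmless file once extensions are hidden.
    """
    parts = [p.strip() for p in name.lower().strip().split(".")]
    if len(parts) < 2:
        return {"name": name, "executable": False, "disguised": False}
    real_ext = parts[-1]
    inner_exts = parts[1:-1]
    executable = real_ext in EXECUTABLE_EXTS
    disguised = executable and any(e in LURE_EXTS for e in inner_exts)
    return {"name": name, "executable": executable, "disguised": disguised}


def flag_attachments(names):
    """Return the attachment names that use the hidden-extension disguise."""
    return [n for n in names if classify_attachment(n)["disguised"]]


if __name__ == "__main__":
    for n in flag_attachments(SAMPLE_ATTACHMENTS):
        print("disguised executable attachment:", n)
```

Plain executables such as `setup.exe` are reported as executable but not disguised, so a gateway policy can treat the two cases differently.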

Utilization of Extended Validation (EV) Certificates

To further the deception, the initial payloads of these phishing emails are signed with Extended Validation (EV) certificates. This step grants the attachments an aura of trustworthiness, which helps them bypass the security barriers that usually scrutinize unsigned or self-signed files. Subsequently, the cybercriminals proceed to distribute ransomware through the same method. Even though this ransomware does not bear the EV certificates, it maintains a link to the initial info-stealer campaign, thus creating a seamless operation that is harder to detect and counteract.

Inspiration from Historical Tactics

These tactics are not entirely new; they have historical antecedents. The use of valid code signing certificates has been a characteristic of QakBot infections, helping them evade security protocols successfully. This success has seemingly inspired the cybercriminals behind this recent wave of phishing campaigns.

Employment of DBatLoader with Enhanced Capabilities

IBM X-Force has pinpointed the use of DBatLoader in these campaigns, a malware loader known for its enhanced capabilities, including User Account Control (UAC) bypass, persistence, and process injection. These functions enable it to distribute a wide range of malicious programs effectively. The recent wave of attacks, which started around late June, delivers malware such as Agent Tesla and Warzone RAT, targeting not only English speakers but also Spanish- and Turkish-speaking audiences.

Control Over Email Infrastructure

The cybercriminals showcase a notable degree of control over email infrastructure, enabling them to circumvent SPF, DKIM, and DMARC email authentication methods proficiently. This control enhances the likelihood of their malicious emails reaching the inboxes of unsuspecting users. Additionally, platforms like OneDrive have become common staging grounds for these criminals to store and retrieve additional payloads, with some even exploiting transfer[.]sh or compromised domains for their operations.

The Menace of Malvertising Campaigns

In parallel, another threat looms in the form of malvertising campaigns, specifically targeting users searching for Cisco’s Webex on search engines. Unwitting victims are redirected to counterfeit websites that distribute BATLOADER malware. This malware, in turn, initiates the download of DanaBot, a recognized information stealer and keylogger, further endangering the security of users’ data.

Conclusion

The emergence of this combined approach of phishing campaigns and EV certificates usage by cybercriminals to deliver ransomware payloads marks a significant escalation in cyber threats. It is evident that these criminals are continually honing their skills, adopting sophisticated tactics to enhance their success rates. Keeping abreast of these developments is crucial in formulating effective defensive strategies. It is incumbent upon individuals and organizations to remain vigilant, adopting stringent security measures to safeguard against these evolving threats.
