Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads | Cybersecurity


Sep 15, 2023. THN. Ransomware / Cyber Threat.

The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation (EV) code signing certificates.

“This suggests that the threat actors are streamlining operations by making their techniques multipurpose,” Trend Micro researchers said in a new analysis published this week.

In the incident investigated by the cybersecurity company, an unnamed victim is said to have first received a piece of info stealer malware with EV code signing certificates, followed by ransomware using the same delivery technique.

In the past, QakBot infections have leveraged samples signed with valid code signing certificates to bypass security protections.

The attacks start with phishing emails that use well-worn lures to trick victims into opening malicious attachments. The attachments masquerade as PDF documents or JPG images but are actually executables that kick off the compromise as soon as they are run.

While the campaign delivered stealer malware to the victim in July, the ransomware payload arrived in early August: an email carrying a bogus TripAdvisor complaint as an attachment (“TripAdvisor-Complaint.pdf.htm”) triggered a sequence of steps that culminated in the deployment of ransomware.
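The two tricks described above, an executable dressed up as a PDF or JPG and a double extension such as “.pdf.htm”, are both cheap to catch at the mail gateway or in a sandbox pre-filter by comparing what the filename claims with what the bytes actually are. The following is an added example written for this page; it is not code from Trend Micro, the article, or any of the malware families named here. The magic-byte tables, the extension lists and the sample attachments are all constructed for illustration; a real deployment would use a full file-type library and would still hand the file to signature verification and sandboxing, since an EV-signed executable is still an executable.

```python
"""Flag mail attachments whose claimed type does not match their content.

Added example, not from the original article. Covers two lures:
  1. a file with a document/image extension that actually starts with an
     executable header (the "PDF or JPG that is really an .exe" case)
  2. a double extension where a document extension is followed by an
     executable or script extension (e.g. TripAdvisor-Complaint.pdf.htm)
"""

# Assumption: these are the only document/image formats we care about.
MAGIC = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EXECUTABLE_MAGIC = {
    "pe": b"MZ",        # Windows EXE/DLL/SCR, signed or not
    "elf": b"\x7fELF",  # Linux executable
}
DOCUMENT_EXTS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "htm", "html", "hta",
                   "js", "vbs", "lnk", "bat", "cmd"}


def detect_content(data: bytes) -> str:
    """Return a coarse content label from the first bytes of the attachment."""
    for label, magic in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head:
        return "html"
    return "unknown"


def analyze_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    exts = filename.lower().split(".")[1:]   # everything after the base name
    final = exts[-1] if exts else ""

    # Check 1: document-looking extension immediately followed by an
    # executable/script extension, e.g. "complaint.pdf.htm".
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append(f"double extension: .{exts[-2]}.{final}")

    # Check 2: the bytes say something different from the extension.
    content = detect_content(data)
    if content in EXECUTABLE_MAGIC and final in DOCUMENT_EXTS:
        findings.append(f"executable content ({content}) with .{final} extension")
    elif content == "html" and final in DOCUMENT_EXTS:
        findings.append(f"html content with .{final} extension")
    elif content in MAGIC and final in MAGIC and MAGIC[content] != MAGIC[final]:
        findings.append(f"content is {content} but extension is .{final}")
    return findings


# Constructed sample attachments (filename, first bytes); not real samples.
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),                 # PE with .pdf name
    ("TripAdvisor-Complaint.pdf.htm", b"<html><body><script>"),     # double extension
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),                  # genuine JPEG
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),                  # genuine PDF
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", analyze_attachment(name, head) or "clean")
```

Both checks are deliberately independent: the double-extension rule fires on the name alone, so it still catches an HTML smuggling attachment whose bytes look like ordinary HTML, while the magic-byte rule catches a renamed executable even when the name has a single, innocent extension.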

“At this point, it is worth noting that unlike the samples of the info stealer we investigated, the files used to drop the ransomware payload did not have EV certificates,” the researchers said.

“However, the two originate from the same threat actor and are spread using the same delivery method. We can therefore assume a division of labor between the payload provider and the operators.”

The development comes as IBM X-Force discovered new phishing campaigns spreading an improved version of a malware loader named DBatLoader, which was used as a conduit to distribute FormBook and Remcos RAT earlier this year…
