Home Technology Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads | Cybersecurity

Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads | Cybersecurity

Technology

cyber.jpg

Sep 15, 2023. THNRansomware / Cyber Threat.

The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation (EV) code signing certificates.

“This suggests that the threat actors are streamlining operations by making their techniques multipurpose,” Trend Micro researchers said in a new analysis published this week.

In the incident investigated by the cybersecurity company, an unnamed victim is said to have first received a piece of info stealer malware with EV code signing certificates, followed by ransomware using the same delivery technique.

In the past, QakBot infections have leveraged samples signed with valid code signing certificates to bypass security protections.

The attacks start with phishing emails that employ well-worn lures to trick victims into running malicious attachments that masquerade as PDF or JPG images but are actually executables that jump-start the compromise upon running.

While the campaign targeting the victim delivered stealer malware in July, a ransomware payload made its way in early August after receiving an email message containing a bogus TripAdvisor complaint email attachment (“TripAdvisor-Complaint.pdf.htm”), triggering a sequence of steps that culminated in the deployment of ransomware.

“At this point, it is worth noting that unlike the samples of the info stealer we investigated, the files used to drop the ransomware payload did not have EV certificates,” the researchers said.

“However, the two originate from the same threat actor and are spread using the same delivery method. We can therefore assume a division of labor between the payload provider and the operators.”

The development comes as IBM X-Force discovered new phishing campaigns spreading an improved version of a malware loader named DBatLoader, which was used as a conduit to distribute FormBook and Remcos RAR earlier this year…

read more thehackernews.com

FTC: We use income earning affiliate links. More on Sposored links.
Terms of use and third-party services. More here.

“Opportunity is missed by most people because it is dressed in overalls and looks like work.” —Thomas Edison
“Tell me, and I forget. Teach me, and I remember. Involve me, and I learn.” —Benjamin Franklin

Related Posts

us-government-space-drugs-factory-earth.jpg
Technology

US Government Won’t Let Space Drugs Factory Come Back to Earth | Technology

008kvz9mxmbAmtwgBglKKjn-3.fit_lim.size_1200x630.v1695156972.jpg
Technology

Hands On: Fuji’s Instax Pal Earns Points for Cuteness | Tech

asset_upload_file24045_282350.jpg
Technology

DoppelPaymer ransomware group suspects identified | Malware

b953fd6697023a57145ce9b66e0ee824.jpg
Technology

Star Trek’s very Short Treks Episodes Are Missing the Mark | Technology

winrar.jpg
Technology

Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT | Cybersecurity

Technology

Suppressing negative thoughts may be good for mental health after all, study suggests | AI