Criminal Actors Exploit SVB Collapse for Financial Gain
Criminal actors are taking advantage of the Silicon Valley Bank (SVB) collapse, likely to steal information and money (1). Security researchers have observed a large spike in typosquatted domains likely impersonating SVB (2). Several of the observed domains are part of a cryptocurrency scam that claims to offer free United States Dollar Coins (USDC) as part of an "SVB USDC payback program". The scam instructs the victim to scan a QR code using any cryptocurrency wallet; if scanned, the code results in the compromise of the user's wallet (1).
Criminal actors consistently use current major events to target victims for financial gain. The SVB collapse is not the first time threat actors have exploited a major event. During the COVID-19 pandemic, several actors used COVID-19 email phishing lures to encourage targets to open the attachment (3). Actors have also taken advantage of sporting events such as the FIFA 2022 World Cup, where security researchers observed domains mimicking legitimate webpages, fake mobile apps, and fraudulent social media pages (4).
Emotet Distribution Returns After Three-Month Hiatus
The Emotet botnet resumed email distribution on March 7th 2023, replying to existing email chains with an attached ZIP file. The attached ZIP file is not password protected, uses themes related to finances and invoices, and contains a Microsoft Office document with macros. The macro downloads an Emotet DLL file and executes it on the system (5).
Emotet's use of macros is likely to be less effective than in earlier campaigns. Microsoft's July 2022 update, which blocks macros in files downloaded from the internet, including email attachments, makes user execution of the macros more difficult (6). The operators of this campaign may switch to a different method to deliver the Emotet payload, such as Microsoft OneNote documents or LNK files.
BatLoader Likely Being Distributed by Google Search Ads
The downloader BatLoader has been observed abusing the Google Search Ads feature to deliver Vidar Stealer and Ursnif. Several websites registered in February 2023 impersonated multiple software products and brands, including ChatGPT, Zoom, Spotify, Tableau, and Adobe. The sites were used as download pages to deliver BatLoader and likely abused Google Search Ads to gain exposure to victims (7).
BatLoader is not the only malware family to have abused the Google Search Ads feature recently. Since December 2022, IcedID has been observed abusing Google pay-per-click ads for distribution (8). Microsoft's lockdown of macros has pushed actors towards different distribution methods to deliver malware (6). With the strong demand for stolen credentials and session tokens, actors are likely to continue abusing the Google Search Ads feature in the short term.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
Please refer to our support page for guidance on how to access the feeds.
Appendix
1. https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/
2. https://isc.sans.edu/diary/Incoming+Silicon+Valley+Bank+Related+Scams/29630/
3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a
4. https://www.reliaquest.com/blog/cyber-threats-to-the-fifa-world-cup-qatar-2022/
5. https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
6. https://learn.microsoft.com/en-gb/DeployOffice/security/internet-macros-blocked#block-macros-from-running-in-office-files-from-the-internet
7. https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif
8. https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html