Summary of Findings
- Anomalies associated with a ransomware attack on a Belgian hospital hub suggest a smokescreen.
- Mobile phone users in the UK are being targeted by phishing campaigns that impersonate banks and telecom companies.
- The Avaddon ransomware group has expanded its TTPs with DDoS attacks aimed at forcing victims to negotiate.
- Security researchers studying vulnerabilities are lured into malicious interactions by accessing false social media posts.
- The CrimsonIAS backdoor may possibly be a tool in the portfolio of Chinese espionage actor Mustang Panda.
- UK authorities arrest a man for allegedly operating SMSBandits, an online service that generated high-volume phishing campaigns via mobile text messages.
- A supply chain attack compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs.
Belgian hospital hub hit with ransomware
On 17 January 2021, the hospital center of Wallonie Picarde, CHwapi, suffered a cyber attack that encrypted 80 out of 300 servers, causing major disruptions to IT services. Instead of relying on malware, the attackers used Windows BitLocker to encrypt 100TB of data. According to forensic investigators, the attackers did not leave a ransom note with contact and payment information.
On the 21 January, BleepingComputer reported that the alleged actors contacted them and asserted that they did leave a ransom note on the servers and CHwapi IT management lied about the absence of such note.
No data belonging to CHwapi has been dumped on ransomware leak sites, which is unusual since most ransomware operators try to maximize monetization by leveraging double extortion tactics.
EclecticIQ observes various anomalies in this incident:
- No ransomware malware employed.
- No ransom note left for the victim to contact the threat actors and pay the ransom.
- No double extortion tactics used.
- Conflicting reports from CHwapi IT management and the alleged threat actors.
Due to the presence of these anomalies, EclecticIQ analysts are currently assessing the ransomware as a smokescreen hypothesis. This is a scenario where ransomware or data encryption is used as a distraction from other nefarious activities related to the actual goal of the operation.
Financial phishing links target UK mobile users
EclecticIQ analysts identified an ongoing phishing campaign targeting UK-based mobile numbers. Our analysis revealed that:
- Phishing pages impersonating UK commercial banks and HM Revenue and Customs (HMRC) are being distributed over socially engineered SMS messages to UK phone numbers.
- Phishing pages impersonating UK telecommunication companies and UK commercial banks are hosted on related infrastructure.
The overlap in infrastructure shows a phishing campaign targeting multiple UK finance and mobile companies. Phishing pages hosted on Namecheap infrastructure or with the same JARM fingerprint have been identified for these UK banks: Lloyds, HSBC, Santander, NatWest, Bank of Scotland, and TSB. This is also true for phishing pages targeting the UK telecommunications providers O2, Vodafone, and EE.
It is probable that the threat actors will target Dutch and Irish phone numbers due to recently discovered domains. The newly registered phishing domains show a regional change in the threat actors’ targeting, with delivery over SMS likely.
Avaddon ransomware gang pressures victims with DDoS attacks
The Avaddon ransomware group has added DDoS attacks to their tactics, techniques, and procedures (TTPs). The group announced on their data leak site that "their [victim] site is currently under DDoS Attack, we will attack it until they contact us." Victim details were not released in the article discussing the new activity.
The use of DDoS attacks to pressure victims of ransomware to pay the ransom is not a new technique. In 2020, Radware published a detailed report on a global ransomware and DDoS campaign targeting finance and other industries.
Social engineering campaign targets security researchers
Threat actors with possible links to North Korea target security researchers using fake vulnerability research to lure them into interacting with malicious infrastructure. The attack vectors involve significant social engineering, supported by fake LinkedIn, Twitter, Telegram, Discord, and Keybase accounts. Phishing emails and fake blogs are also used.
Victims are known to be targeted in two ways:
- Through a malicious blog that initiates an unknown malware download. Sandbox analysis of interactions with the blog site shows a Microsoft Word document is downloaded onto the victim’s machine to begin the infection, possibly without user interaction.
- By sending the victim a malicious Visual Studio Project file after building rapport. The file contains malicious code to exploit an unknown vulnerability and a DLL file with custom malware that initiates connections to the C2 domains controlled by the threat actor.
CrimsonIAS backdoor may be linked to China-based APT Group TA416
Security researchers have assessed with low confidence that CrimsonIAS malware is associated with Chinese-based TA416 (aka Mustang Panda). PlugX (also tied to TA416) and CrimsonIAS share similarities in how the binary is packaged and launched.
According to the researchers, the reasoning behind their low confidence is the fact that some of the techniques shared between the CrimsonIAS backdoor and the PlugX malware is trivial to implement/copy.
CrimsonIAS launches netsh.exe to open a port on the local machine and starts a listener, a program that awaits a connection from an outside operator. The listener enables the attacker to send instructions that enable running of command-line tools, exfiltration of files, and uploading of files to the infected machine. The earliest compile time of CrimsonIAS dates to 2017.
SMSBandits, tied to OTP Agency for phishing services, is shut down
Authorities in the United Kingdom have shut down operations of the SMSBandits mobile spam service. SMS Bandits is a SMS-based spam and phishing service. Known lures have included COVID-19 pandemic relief efforts, PayPal scams, and spoofing of telecommunications providers and tax revenue agencies.
The SMS Bandits phishing service was tied to another crime-friendly service called “OTP Agency,” a for-hire bulk SMS provider that caters to phishing. The administrator stated on multiple forums that OTP worked directly with SMSBandits.
Android emulator company is compromised in supply chain attack
Hong Kong-based BigNox, a software development company that created the NoxPlayer Android simulator, was the target of a supply chain compromise affecting potentially millions of customers. An unknown threat actor compromised BigNox´s infrastructure to host malicious software. Three malicious updates were used to disseminate different final payloads, including Gh0st RAT, PoisonIvy and an unknown malware variant.
ESET researchers added an update to their report after BigNox contacted them. The company stated that it has taken steps to mitigate the threat:
- Using only HTTPS to deliver software updates to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
- Implementing file integrity verification using MD5 hashing and file signature checks
- Adopting additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information
BigNox also stated that it has pushed the latest files to the update server for NoxPlayer and that, upon start-up, NoxPlayer will now run a check of the application files previously installed on users’ machines.