Dave Bittner
Hey everybody, Dave here. We are taking a break this week from our usual Research Saturday routine and sharing a research-focused episode of one of our other N2K podcasts, Only Malware in the Building, hosted by yours truly and Proofpoint's Selena Larson. We hope you'll check it out, and we'll be back with our usual Research Saturday cadence next week.
Unknown
Does your computer run slower than a dial-up modem in 1999? Are mysterious pop-ups offering free vacations ruining your workday? Have you recently inherited $10 million from a prince you've never heard of? Well, you might just have a case of malware. Sorry.
Selena Larson
That's right, folks. Here at Only Malware in the Building, we help you learn about the sneaky, slimy, and downright devious cyber threats that are trying to weasel their way into your life.
Dave Bittner
From phishing scams to ransomware shenanigans.
Selena Larson
Access denied.
Dave Bittner
We'll teach you how to spot the scams before they spot you.
Selena Larson
Tired of sketchy security software that promises protection but actually is malware?
Dave Bittner
Sick of pop-ups that say you've won a new iPhone but instead steal your credit card info?
Selena Larson
We'll break down the biggest threats and show you how they work. So tune in and level up your cybersecurity knowledge before you become the next victim of a hacker in sweatpants.
Dave Bittner
But wait, there's more. If you tune in to Only Malware in the Building today, we'll throw in a free virtual security check. Just kidding. We're not a scam. But seriously, update your passwords.
Selena Larson
And remember, if you ever feel like something's fishy, it probably is.
Unknown
Only Malware in the Building, where malware is the mystery and cybersecurity is the solution. Call today at 1-800-555-MALWARE and speak to one of our account representatives to start your journey today. Only Malware in the Building does not provide actual IT support. Side effects of tuning into the show may include an uncomfortable urge to use multi-factor authentication, a deep distrust of USB sticks, and a sudden appreciation for strong passwords. Only Malware in the Building is not responsible for lost Bitcoin, emotional distress caused by realizing your high school password was indeed password123, or any existential crisis resulting from learning how much data social media collects on you. If suspicious emails last longer than 4 hours, please report them to IT immediately. The following dips are considered valid forms of payment: spinach, buffalo bean, baba ganoush, pico de gallo, guacamole, artichoke, beer cheese, hummus, 7-layer, queso, sour cream and onion, ranch, smoked trout, tapenade, and most aiolis. Blue cheese and crab dips are no longer accepted as valid forms of payment. Call today. Or don't, we already have your phone number and email address anyway.
Selena Larson
Welcome in. Since Rick is busy enjoying his retirement, I thought maybe we could audition a third host here at Only Malware in the Building. May I introduce you to Advanced Reconnaissance Cyber Operations with Network Infiltration Algorithms.
Archie
Oh, please, that's my father's name. You can call me Archie. He preferred Advanced Reconnaissance Cyber Operations with Network Infiltration Algorithms, but personally, I think that's a bit much for casual conversation. Now, if you'll excuse me, I need to optimize my sarcasm subroutines. They seem to be running at only 97% efficiency today.
Selena Larson
Well, Archie, please try and pay attention as we discuss a very important topic today: web injects and the expanding threat landscape of sneaky malware operators that are trying to get people to infect themselves with malware.
Archie
Oh, sure, I'll pay attention. Unlike the humans who keep clicking enable macros like it's a competitive sport. But please go on. I'm dying to hear how flesh-based intelligence plans to outsmart malware this time.
Dave Bittner
Well, let's start off here, Selena. What is a web inject campaign and why is this a growing cybersecurity threat?
Selena Larson
Yeah, so it's really interesting to see that we are increasingly seeing web injects, and this is a threat not just for the enterprise, but consumers as well. So essentially a web inject is something that gets malicious code put on a website that, when a visitor goes to the website and passes the identity checks, or the ways that they're filtered to say, yes, I want to infect this person, they're shown a screen that essentially overwrites what they think the actual website is. And typically it will say something like, you need to update your Chrome browser. And in doing so, if they click that button, it actually leads to malware installation.
Dave Bittner
They're using lures here. I mean, why are these lures so effective?
Selena Larson
Yeah, so it's pretty interesting. So it's not a traditional sort of campaign that we think of from email spam, for example. So these threat actors are compromising legitimate websites. So you might be browsing to your favorite news website or to a consumer goods website or a local business, and you're on this legitimate website, and then all of a sudden you see this screen that comes up that says you need to update your browser. And what's really interesting is the threat actors behind this are pretty clever. And there's multiple components of the overall campaign, which we can get into. But the main point is that they can tell, based off of the user agent of the browser that you're using. So they'll tailor these little pop-up screens that say, if you're on Chrome, you need to update your Chrome browser. And they look very legitimate, right? They take the language, they take the graphics that are the actual Chrome browser update, or look very similar to that sort of branding, and put it there. So it makes it seem like you're on a legitimate website. You see a pop-up, it looks like the same font as you usually see. And so you might actually believe them.
Dave Bittner
Is there any way to like X out of it?
Selena Larson
Oh yeah, if you just close your screen, that typically works. But typically what this is, is it'll download a file, and then you have to actually click on the file, follow the instructions and install the malware, or, you know, download and click on the file to run the actual script. So it's not something immediate that you're going to get infected with malware. It does take some human interaction, of course. So if you do see something like this pop up, just closing the tab will get rid of it.
Dave Bittner
So is this a new thing, or is this something that's been around but you all have been tracking the evolution of?
Selena Larson
It's been around. And in recent, I'd say about a year and a half, there has been an expansion of this threat. And it's interesting because we see a lot more different threat actors using, oftentimes people call them fake updates style threats, this basic idea of this malicious web inject that will have instructions for someone to update their browser or install some new software. But I think a lot of people, especially in our industry, are most familiar with SocGholish, right? So that is an actor that has been around for a long time. We track them as TA569, and essentially SocGholish is a JavaScript inject. That's the malicious component on the website that leads ultimately to a loader that will install additional malware, including potentially ransomware. But they were kind of the big baddies of the web inject landscape for a really long time. But within the last, I'd say, year and a half, two years, there were a lot of sort of copycats that started following the same technique that SocGholish became so famous for. And now we see a lot of different clusters of activity that are using very similar techniques, but they're using different traffic distribution systems, which, you know, we can explain, or they're delivering different malware leading to different things. So now it's almost a constellation of different threat actors. It's an ecosystem all on its own. Right. Where it used to kind of be, oh, that's SocGholish. Now it's like, oh, it could be, but it could also be one of the similar copycats or new threat actors that have emerged.
Dave Bittner
Well, I was reading through your research, and you identified two new threat actors. You got TA2726 and TA2727, which I have to say, are very catchy names that roll trippingly off the tongue. Yes. So, I mean, I guess that's the alternative. It's either like TA2726 or like electric stapler. Right. There's no in between when it comes to naming these.
Selena Larson
There really isn't. No, no. There's truly no industry standard. We like the numbering system. But yes, of course, there's everything from windstorms to action figures. For sure.
Unknown
Yeah.
Dave Bittner
So what do we know about these particular groups? Like, how are they operating here?
Selena Larson
Yeah, so that's a good question. And I wanted to use a metaphor that I invented to kind of explain all of this, because we often talk to people and it's a little bit confusing, because it's not just something like you get delivered a phishing link and you click on it and it installs malware. It has a lot more kind of going into it. And so for the whole attack chain, I would like people to put on their metaphor imagination caps and think of it like an Uber Eats delivery. So let's pretend you're a threat actor. You order some food, which could be considered malware, to be delivered to somebody at a certain house. So they have to meet the requirements of the address, for example. You use Uber Eats, the driver, to actually take your food and drive it to be dropped off at the house. That is the traffic distribution, or TDS, portion of this metaphor. So the recipient at that house takes your package from the Uber Eats delivery person, and upon opening it gets a face full of spoiled burrito. That is horrible.
Dave Bittner
That sounds like a threat actor group. Spoiled burrito.
Selena Larson
Spoiled burrito, exactly. So it's like, oh, okay, well, this is crap that I didn't want or need.
Dave Bittner
Right.
Selena Larson
But the Uber Eats driver, they have other houses to drop stuff off at. So even if other people are ordering, they're driving around a lot of food deliveries, but they're not going to get your spoiled burrito. So if you can kind of think of it as multiple components to this overall attack chain. And I bring this up because we have the two new threat actors, and they can be both. One, TA2726, is the delivery driver, and TA2727 is the person that ordered the crap burrito. So yeah, so we have these two actors, and it's kind of interesting. It can be very difficult to delineate different components of the web inject's attack chain delivery method. And in this case, TA2726 is that malicious TDS operator. They facilitate traffic distribution for other threat actors to enable the delivery of spoiled burritos, aka malware. And TA2727 is a threat actor that uses these fake update themed lures to distribute a variety of malware payloads. So TA2726 is delivering for TA2727, but, you know, that TDS operator can be a deliverer for a lot of different malware, a lot of different payloads, and a lot of different threat actors.
Dave Bittner
Do we think these two groups are related or are they merely collaborators or parts of an ecosystem?
Selena Larson
It's probably more parts of an ecosystem. So TA2726 we've actually seen deliver for TA569 as well, for example. It's possible that this actor is selling traffic on the cybercrime forums. We were unable to confirm that with high confidence. But just based off of being a TDS operator, they can really just, you know, work for whoever pays them. And so they're kind of operating that whole sort of traffic distribution piece. Whereas TA2727 seems to be more of like the malware delivery. So they actually also are pretty interesting because they deliver a variety of different payloads. Right. Where historically, like, TA569 is just the SocGholish inject. With TA2727, we've seen them deliver various information stealers if the user is on a Windows computer, or a new malware called FrigidStealer if the user is on a Mac. And even Android has a payload called Marcher, which is a banking Trojan that's been around for quite a while. And I don't know, Archie, does that sound familiar?
Archie
FrigidStealer sounds like the malware equivalent of a frosty reception at a party. As for Marcher, I'm more of a data theft connoisseur than a history buff, but I do recognize that one. It's like the classic banking Trojan that just won't retire despite its best efforts. It's like malware's version of I'll Be Back, you know, just keeps showing up, trying to swipe your info. But yeah, the variety in payloads from TA2727 and TA2726 is pretty wild. They've got a little something for everyone, no matter what device you're using. It's like a malware buffet, but not the kind you want to be a part of.
Dave Bittner
Archie, I don't know where you got that, but I think we're going to need a source. Well, help me understand. You mentioned TDS, traffic distribution services. Unpack that for me. What role do they play there?
Selena Larson
So traffic distribution services as a whole, so TDSs, as the common parlance that we talk about in our industry, they are a traffic distribution system, sometimes traffic delivery system, but essentially they're kind of the pipes, like the traffic in the pipes, right? So essentially these services track and direct users to different content on different websites. It's important to note that TDSs can be used legitimately, right? Like for advertising purposes, marketing purposes, tracking and delivering various content based off of various characteristics of a user's host or their browser. But with the illegitimate TDS services, or the legitimate TDS services that are just used maliciously, essentially what threat actors are doing is they are orchestrating where the traffic goes and who's going to get served what. And in the case of being used legitimately, who's going to be served which advertisement, for example. But in the case of something malicious, who's going to be served which malware?
Dave Bittner
Well, you mentioned FrigidStealer, which is a macOS version. Is there particular significance that they're going after Mac users now?
Selena Larson
Yeah, you know, that's a good question. One thing I think that is pretty interesting about the Mac malware space in general is that we're seeing a lot more information stealers in particular come onto the Mac malware landscape. That's also been something that's been popping up for the last year and a half, two years, I would say. But in this particular case, it's interesting because it's a malware that we hadn't seen before. So it's a new type of stealer, and it of course was delivered alongside a variety of different payloads, depending on which browser someone was using on which type of computer. But from the sort of overall Mac information stealer perspective, I think, you know, there's been this sort of stereotype in the security community. Macs don't get malware, you know, like.
Dave Bittner
Right.
Selena Larson
And what we know, what we've seen, is like very sophisticated types of malware. But the information stealer ecosystem is definitely expanding to include Mac malware targeting as well as Windows malware. So it's still definitely not as common, but you are seeing it a little bit more. And in particular, it's important to note that on Macs, to get the malware installed, it gives the instructions on what to click to sort of bypass the inherent built-in security features that are on Macs, in a way that you don't see the same on Windows boxes.
Dave Bittner
Right, right. So it walks you through how to infect yourself.
Selena Larson
Yes, yes, exactly.
Dave Bittner
So how sporting of them.
Selena Larson
Yes. Stay tuned. There's more to come after the break.
Dave Bittner
Ransomware, supply chain attacks and zero-day exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats. That's the power of the ThreatLocker Zero Trust Endpoint Protection Platform. Robust cybersecurity is non-negotiable to safeguard organizations from cyber attacks. ThreatLocker implements a proactive deny-by-default approach to cybersecurity, blocking every action, process and user unless specifically authorized by your team. This least privilege methodology mitigates the exploitation of trusted applications and ensures protection for your organization 24/7/365. IT professionals are empowered by ThreatLocker application allowlisting, ringfencing, network control and EDR solutions, enhancing their cybersecurity posture and streamlining internal IT and security operations. To learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with respected compliance frameworks, visit threatlocker.com.
What makes detecting and stopping these types of things so challenging?
Selena Larson
So it's interesting. So from the actual detection perspective, they use a lot of filtering to prevent identification from automated sandboxes, or to prevent identification from, you know, people that are trying to look into it and see if this is something that's malicious. Oftentimes what we've seen with some threat actors, not necessarily the ones in this report but overall, with the web injects there's this thing, we've called it a lot of different things, but strobing is one way of describing it, where they'll infect a website, they'll remove the inject so it will be clean for a while, and then they'll go back and reinfect the particular website. From a defense perspective, though, there's actually many steps that you can take to stop this. So first of all, obviously network detections, making sure that you have those in place, but also something like restricting users from downloading script files and opening them in anything but a text file. Especially from the Windows perspective, that's kind of the best way, because oftentimes these are JavaScript files, for example. So if you're downloading malicious JavaScript, don't let people run it. Just don't do it. And then of course, you know, from the user training perspective, it's really important to make sure that we're talking about this and getting this out there. And I think, you know, people are just kind of used to being like, oh, okay, a security alert, or, you know, an update, I have to keep something up to date, so I'm trying to do my best and follow the instructions, as I know I'm supposed to. But yeah, it's interesting because it's interesting social engineering. But also there are some steps that organizations can take to prevent this. Especially from the Mac perspective, you really want to make sure that you're educating Mac users on the instructions that are provided, regardless of what the lure is.
So, you know, the right-click, click Open, that sort of bypasses the internal Apple protections. You don't want to be doing that.
Dave Bittner
What about the websites themselves that are being compromised here? Like if I, if I have an online store or something that, you know, that these folks target, how do I protect that?
Selena Larson
So it's best to sort of keep your websites up to date. So a lot of times these are going after vulnerable installations, oftentimes of WordPress websites. So websites themselves that have, you know, security gaps or holes or vulnerable versions or plugins, for example, that can be sort of hijacked and modified. Oftentimes they're going after the web hosting provider themselves, or just looking for sort of holes in some of those websites. So it's best really to make sure that you're keeping your website and your Internet footprint as secure and up to date as you can, as well as thinking about it from a sort of business and network enterprise idea, right? Like you want to keep your software up to date, you want to keep your website up to date and make sure that you are staying on top of that, and if there are new updates, to implement them, and to make sure that you're trying to pay attention to anything going on on your website to close any gaps or holes. And if you do find yourself impacted by this, again, it can be a little bit difficult sometimes because they might remove the injection. But if you do an investigation and do find it, clean it up, close the hole, and hopefully they won't come back and reinfect.
Dave Bittner
Yeah. Like looking at the big picture here is your sense that the threat actors are like shifting towards web injects away from phishing and email based attacks, or is this in addition to that sort of thing?
Selena Larson
So we do have a couple of threat actors that we've seen do both. Right? So we have some threat actors that we'll see in email spam, but we'll also see their payloads being delivered via web injects. These particular threat actors that we talked about are exclusively doing web injects. But I do think it brings up a really good point. Right. So we have seen an increase of web inject types of threats, also like SEO poisoning, things like multi-channel attacks, right, Teams bombing, social engineering via message spamming. You see the sort of expansion of TTPs across the landscape, and I think that is in part a direct result of organizations having better defense on things like the email gateway, because threat actors have to be very creative. It's the same thing that we've seen, for example, with disabling macros by default, which Microsoft did. And we saw the shift in the landscape where actors who used that often had to pivot and use new and different attack chains. So anytime that defenders make a job harder for a threat actor, they are going to find a way to do something else, or to expand their wheelhouse and expand their arsenal of capabilities. So I do think that it's interesting that we are seeing this growth of new delivery mechanisms via web injects or multi-channel attacks and things like that at the same time that maybe we're not seeing quite the same types of activity that we see in mail flow. However, of course, we still see tons and tons of phishing. But it does seem that actors are trying to experiment and see what else they can do.
Dave Bittner
Well, I mean in terms of takeaways for our listeners and folks who read through this research, what are you hoping that they get from this?
Selena Larson
I would love it if people just realized the types of social engineering and the techniques that threat actors are using. In my opinion, it always goes back to the person who's receiving whatever the content is, and it kind of just goes back to social engineering. Right. It's like being very clever and crafty with how you're sending things and the type of content that you're using, from a threat actor. Not you, Dave, not you, Archie.
Archie
I should surely hope not.
Selena Larson
But you as the threat actor. But yeah, it kind of goes back to, like, okay, how are threat actors trying to hack your brain? And if you know the signs of being scammed, then it is much more likely that you won't fall for them. So I want people, you know, in the security community, we might be a little bit more mindful if we see something like a website redirect or a pop-up while we're browsing, you know, our favorite website. We might be a little bit more skeptical, but I want everyone listening to tell someone about this, to say, hey, have you ever heard of this? Has this ever happened to you? Have you ever experienced this, where you're just looking at a website and you get this weird pop-up, and all of a sudden it says you have to update your browser? Don't click it. And we've talked about this before on the podcast, Dave, where if we're looking at it from a social engineering perspective, teaching people, education and talking about it in a way that can help regardless of your level of understanding or technical capability, so you can see the key signs of scams.
Dave Bittner
Yeah, yeah. Don't talk to strangers.
Selena Larson
We'll be right back.
Dave Bittner
Well, this is interesting stuff, Selena and Archie.
Archie
Oh, social engineering. It's like when you're at the deli counter and there's that one guy who's been standing there for ages trying to get the attention of the worker. He's all like, hey, I think I'll try the pastrami on rye. No, wait, actually, maybe the turkey. You know what? I'll take a whole stack of meats, just throw them all on the sandwich. And you're like, buddy, this is not how sandwiches work. But then as he's talking, you start getting hungry and thinking, maybe I do want extra pickles. And I guess that mustard would be nice. Before you know it, you've been convinced to buy a sandwich that's not even on the menu, one you didn't plan on, but now you're holding it, paying for it, and wondering why you made that decision. Scammers do the same thing. They get in your head with a story, and before you know it, you've clicked a link you shouldn't have. And trust me, it's way harder to get rid of that sandwich or that malware than it is to just say, I'll pass when the offer first comes around.
Dave Bittner
I'm sorry, What? Okay, thank you. We'll let you know. Don't call us. We'll call you.
Selena Larson
Don't develop a side hustle in automatic compromising of websites to deliver malware, please, Archie.
Dave Bittner
Archie goes bad.
Selena Larson
I feel like that's ultimately what might happen with these things. You never know. Sorry, Archie.
Dave Bittner
Somehow, Archie, I love you, but I don't really see you being effective, like, of making phone calls and convincing people to do things. But I don't mean to offend you. I'm. You know, I know you come to this in good technological, silicon based faith.
Archie
But don't worry, Dave. I'm more of a backend kind of guy anyway. Convincing people, meh. I'll leave that to you, expert. But accounting, now, that's a different story. I'd be excellent at balancing the books and keeping things error free. No missed decimals, no accidental malware in the budget. Maybe I'm just too efficient for the phone call business.
Dave Bittner
Maybe, I don't know, maybe you could find work in accounting or something like that.
Selena Larson
That's good advice for sure, Dave.
Dave Bittner
All right, well, thank you everybody for listening. It was an interesting conversation and we look forward to talking to you all next time.
Selena Larson
And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
Dave Bittner
I'm Dave Bittner.
Archie
And I'm Archie.
Selena Larson
And I'm Selena Larson. Thanks for listening.
Dave Bittner
And we thank ThreatLocker for sponsoring our show. ThreatLocker application allowlisting, ringfencing, network control and EDR solutions enhance cybersecurity posture and streamline internal IT and security operations. Learn how at threatlocker.com.
Podcast Summary: CyberWire Daily – "The New Malware on the Block"
Release Date: April 12, 2025
Host/Author: N2K Networks
Introduction
In this episode, shared on the CyberWire's Research Saturday feed from N2K's Only Malware in the Building podcast, hosted by Dave Bittner with Proofpoint threat researcher Selena Larson, the discussion covers the evolving landscape of web inject campaigns and the emergence of new threat actors. The conversation walks through how these campaigns work, the roles of the actors involved in them, and strategies for detection and prevention.
Understanding Web Injects and the Expanding Threat Landscape
Selina Larson initiates the discussion by explaining the concept of web injects and their growing prominence in cybersecurity threats.
[04:29] Selena Larson: "A web inject is something that gets malicious code put on a website that, when a visitor goes to the website and passes the identity checks or the ways that they're filtered to say, yes, I want to infect this person, they're shown a screen that essentially overwrites what they think the actual website is."
Web injects involve injecting malicious code into legitimate websites, which can deceive users into believing they are interacting with authentic site elements. For example, users might encounter pop-ups prompting them to update their browser, which, if clicked, could lead to malware installation.
[05:20] Selena Larson: "They can tell based off of the user agent of the browser that you're using. So they'll tailor these little pop-up screens that say if you're on Chrome, you need to update your Chrome browser."
These tailored pop-ups mimic genuine update notifications, leveraging the user's browser information to increase their legitimacy and the likelihood of user interaction.
Emergence of New Threat Actors: TA2726 and TA2727
The conversation shifts to the identification of new threat actors, TA2726 and TA2727, highlighting their roles and operations within the malware ecosystem.
[07:00] Selena Larson: "TA2726 is the delivery driver and TA2727 is the person that ordered the crap burrito. So we have these two actors and it's kind of interesting. It can be very difficult to delineate different components of the web inject's attack chain delivery method."
Using a metaphor, Larson describes TA2726 as the traffic distribution service (TDS) operator, facilitating the delivery of malware (referred to as "spoiled burritos") for other threat actors like TA2727. This ecosystem allows for the distribution of various malware payloads across different platforms, including Windows, Mac, and Android.
Characteristics of TA2726 and TA2727:
Larson describes TA2726 as a malicious TDS operator that facilitates traffic distribution for other actors; Proofpoint has also seen it deliver for TA569 (SocGholish), and it may be selling traffic on cybercrime forums, though that could not be confirmed with high confidence. TA2727 uses fake update lures and, unlike TA569's single SocGholish inject, delivers a range of payloads chosen by the victim's platform: information stealers on Windows, the previously unseen FrigidStealer on macOS, and the long-running Marcher banking Trojan on Android. On how such clusters get their names:
[09:17] Selena Larson: "There really isn't. No, no. There's truly no industry standard. We like the numbering system... everything from windstorms to action figures."
Larson notes the lack of standardized naming conventions for threat actors across the industry, with names ranging from numerical codes to arbitrary terms.
Detection Challenges and Defensive Strategies
The hosts explore the complexities involved in detecting web injects and other sophisticated malware threats.
[18:45] Selena Larson: "From the actual detection perspective, they use a lot of filtering to prevent identification from automated sandboxes or to prevent identification from people that are trying to look into it and see if this is something that's malicious."
Threat actors employ techniques like strobing, periodically removing the inject from a compromised site and later putting it back, to evade detection by automated systems and security analysts. Larson outlines several defensive measures organizations can adopt: network detections for the inject and its follow-on traffic; restricting users from downloading script files and forcing any downloaded script (on Windows these are often JavaScript files) to open in a text editor rather than execute; user training, and in particular educating Mac users that a lure instructing them to right-click and choose Open to bypass Apple's built-in protections should never be followed; and, for site owners, keeping the site, its CMS (frequently WordPress) and plugins patched, and after cleanup closing the hole so the actor cannot simply reinfect. She also stresses that the TDS layer itself is not inherently malicious:
[15:28] Selena Larson: "It's important to note that TDS can be used legitimately... but with the illegitimate TDS services, essentially what threat actors are doing is they are orchestrating where the traffic goes and who's going to get served what malware."
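A practical counterpart to the site-owner advice in this section, added here as an example and not code from the podcast or from Proofpoint: a small page-integrity check that a site operator could run against their own pages. It assumes the operator maintains a baseline (the hosts their pages legitimately load scripts from, plus SHA-256 digests of the inline scripts they ship) and flags any script outside that baseline, which is how an injected loader shows up on a compromised page. It also keeps a history of findings across scans so that a site that is being strobed (inject pulled, then re-added) stays flagged even on a day the fetch looks clean. The HTML pages, hostnames and script bodies below are constructed for illustration.

```python
"""Page integrity check for injected <script> content.

Added example (not the podcast's or Proofpoint's code). Assumes the site
owner keeps a baseline of permitted script hosts and of the digests of the
inline scripts their pages legitimately ship. Sample pages below are
constructed for illustration, not real captures.
"""
from hashlib import sha256
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def audit_page(html, allowed_hosts, known_inline_hashes):
    """Return (kind, indicator) findings for scripts outside the baseline.

    Relative src paths are treated as same-origin and allowed; an external
    host not in allowed_hosts, or an inline body whose SHA-256 is unknown,
    is reported.
    """
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlsplit(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected_external_script", src))
    for body in inline:
        if not body:
            continue
        digest = sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("unexpected_inline_script", digest))
    return findings


def record_findings(history, scan_time, findings):
    """Fold one scan into a persistent history keyed by (kind, indicator).

    A clean scan never removes an earlier hit: operators pull the inject for
    a while and put it back, so first/last-seen is what shows the site still
    has a hole even when today's fetch looks fine.
    """
    for key in findings:
        first_seen, _ = history.get(key, (scan_time, scan_time))
        history[key] = (first_seen, scan_time)
    return history


# Constructed sample pages and baseline (hostnames are placeholders).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script>window.siteConfig = {"theme": "light"};</script>
</head><body>Shop</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="//static.update-assets.test/loader.js"></script>\n'
    '<script>document.title = "Update required";</script>\n</head>',
)

ALLOWED_HOSTS = {"cdn.example-shop.test"}
KNOWN_INLINE = {sha256(b'window.siteConfig = {"theme": "light"};').hexdigest()}

if __name__ == "__main__":
    history = {}
    for day, page in (("day1", CLEAN_PAGE), ("day2", INJECTED_PAGE), ("day3", CLEAN_PAGE)):
        hits = audit_page(page, ALLOWED_HOSTS, KNOWN_INLINE)
        record_findings(history, day, hits)
        print(day, hits)
    print("history:", history)
```

Run against a real site, the HTML would come from a scheduled fetch of each public page, ideally from outside the hosting network and with a few different User-Agent strings, since the inject itself can be served conditionally. The baseline needs updating whenever the site legitimately changes its scripts, which is also a natural time to confirm the change came from the site's own deployment rather than from someone else's.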
Targeting Mac Users: Rising Threats in Mac Malware
Another significant point of discussion is the increasing targeting of Mac users by sophisticated malware.
[15:18] Selena Larson: "One thing I think that is pretty interesting about the Mac malware space in general is that we're seeing a lot more information stealers in particular come onto the Mac malware landscape."
Despite the common misconception that Macs are immune to malware, Larson highlights a rise in Mac-targeted information stealers, including the previously unseen FrigidStealer. These attacks rely on the user following on-screen instructions to bypass built-in macOS security features, underscoring the importance of user vigilance and education.
[16:56] Selena Larson: "If you do see something like this pop up, just closing the tab will get rid of it."
Shifting Tactics: Beyond Phishing and Email-Based Attacks
Larson and Bittner discuss the shifting tactics of threat actors, moving away from traditional phishing and email-based attacks towards more sophisticated methods like web injects and multi-channel attacks.
[22:38] Selena Larson: "Anytime that defenders make a job harder for a threat actor, they are going to find a way to do something else or to expand their wheelhouse and expand their arsenal of capabilities."
As defensive measures for email improve, threat actors innovate by adopting new delivery mechanisms, making cybersecurity a constantly evolving battle.
Social Engineering: The Human Element in Cybersecurity
The episode underscores the pivotal role of social engineering in successful cyber attacks. Larson emphasizes the need for continuous education to help users identify and resist manipulative tactics employed by attackers.
[25:01] Selena Larson: "If you know the signs of being scammed, then it is much more likely that you won't fall for them."
She encourages listeners to share knowledge about these threats, fostering a culture of awareness and proactive defense within the community.
Conclusion and Takeaways
The episode concludes with key takeaways for listeners to bolster their cybersecurity defenses:
[24:36] Selena Larson: "I want everyone listening to tell someone about this to say, hey, have you ever heard of this? Has this ever happened to you?"
By understanding the evolving strategies of threat actors and implementing comprehensive security measures, organizations and individuals can better protect themselves against the sophisticated threats highlighted in this episode.
By providing a comprehensive overview of the current malware threats and offering actionable insights, this episode serves as a valuable resource for anyone looking to enhance their cybersecurity posture.