Using Trojans to deploy Ransomware Attacks; Not uncommon

June 20, 2020 by admin
Kroll’s Cyber Risk team identified a growing trend in Qakbot (also known as Qbot) cases that target locally stored emails to carry out a sophisticated phishing technique known as email thread hijacking. The Kroll study points to growing use of the Qakbot Trojan both to launch email thread hijacking campaigns and to deploy ransomware attacks.

From Qakbot Trojan to ransomware attacks during the COVID-19 pandemic

This increase, combined with intelligence gathered by Kroll and analysts from the National Cyber-Forensics and Training Alliance (NCFTA), indicates that cybercriminals are out to steal financial data from industries such as media, education, and academia. The healthcare sector has also been targeted because of the COVID-19 pandemic.

The operators of the ProLock ransomware gang use the Trojan as a “point of entry”. The report suggests that victims are easy targets because of the sophisticated phishing structures the criminals have established.

How does the Qakbot Trojan work?

“Qakbot is a banking Trojan that has been active for over a decade”, says Kroll, and “relies on the use of keyloggers, authentication cookie grabbers, brute force attacks, and Windows account credential theft, among others.”

This new tactic of exfiltrating emails opens Qakbot victims up to multiple issues:

First, if the exfiltrated emails contain sensitive customer or patient data, there could be costly notice obligations to disclose the leaked data.

Second, similar to how Emotet acts as a dropper for Ryuk ransomware, recent news indicates that Qakbot is being used as a point of entry by the operators of ProLock ransomware, meaning that users falling for these sophisticated phishing lures risk encrypting their entire networks.

Email thread hijacking occurs when cybercriminals respond to or forward legacy email threads with new phishing lures. Even though the threads may originate from a compromised user account or an actor-controlled system, by leveraging existing email threads and adding a malicious link or attachment, these messages help threat actors evade phishing detection software such as antivirus or spam filters. In addition, because these threads appear to come from a trusted sender, others are more likely to click on the message, thereby exponentially spreading the infection.

In this flood of recent incidents, Kroll observed the attackers scraping and exfiltrating locally stored emails to an actor-controlled system, where the actor can continue to hijack email threads.
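
A defender-side heuristic for the thread-hijacking pattern described above, as an added example that is not from Kroll's report or the original article: it flags a reply that revives a long-dormant thread, comes from an address that never took part in it, or adds a link or attachment. The 30-day threshold, the signal names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

DORMANT_DAYS = 30  # assumed cut-off for a "legacy" thread; tune per organisation
URL_RE = re.compile(r"https?://[^\s>\"']+", re.I)

def plain_text(msg):
    """Decoded text/plain parts of a message, attachments excluded."""
    parts = (p for p in msg.walk()
             if p.get_content_type() == "text/plain" and not p.get_filename())
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def unquoted(body):
    """Lines the sender wrote, i.e. not '>'-quoted thread history."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))

def hijack_signals(raw, history):
    """history: Message-ID -> raw earlier message held in the mailbox. Returns signal names."""
    msg = message_from_string(raw)
    parent_raw = history.get((msg.get("In-Reply-To") or "").strip())
    if parent_raw is None:
        return []  # not a reply to a thread we hold
    parent = message_from_string(parent_raw)
    signals = []
    age = parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(parent["Date"])
    if age.days >= DORMANT_DAYS:
        signals.append("dormant_thread_revived")
    fields = [v for h in ("From", "To", "Cc") for v in parent.get_all(h, [])]
    participants = {addr.lower() for _, addr in getaddresses(fields)}
    if parseaddr(msg["From"])[1].lower() not in participants:
        signals.append("sender_address_not_in_thread")
    new_urls = set(URL_RE.findall(unquoted(plain_text(msg)))) - set(URL_RE.findall(plain_text(parent)))
    if new_urls or any(p.get_filename() for p in msg.walk()):
        signals.append("new_link_or_attachment")
    return signals

# Constructed sample messages (not taken from any real incident).
PARENT = ("Message-ID: <inv-0412@example.com>\nDate: Tue, 14 Jan 2020 09:12:00 +0000\n"
          "From: Alice Smith <alice@example.com>\nTo: bob@example.org\n\n"
          "Hi Bob, the January invoice is attached as discussed.\n")
REVIVED = ("In-Reply-To: <inv-0412@example.com>\nDate: Mon, 08 Jun 2020 14:03:00 +0000\n"
           "From: Alice Smith <alice.smith@example.net>\nTo: bob@example.org\n\n"
           "Please review the updated document: http://files.example.net/doc.zip\n"
           "> Hi Bob, the January invoice is attached as discussed.\n")
HISTORY = {"<inv-0412@example.com>": PARENT}

if __name__ == "__main__":
    print(hijack_signals(REVIVED, HISTORY))
```

A reply sent from the genuine but compromised account raises only the dormancy and new-lure signals, so the sender check alone is not sufficient.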

COVID-19 effect on Cybercrime

Laurie Iacono, a vice president on Kroll’s Cyber Risk team, said that the use of Trojans in ransomware attacks is not rare, giving the examples of Ryuk attacks that are preceded by the installation of the Emotet Trojan and DoppelPaymer attacks preceded by Trickbot injections.

She also warns that, with more people working from home due to the COVID-19 crisis, they see “an uptick in attacks exploiting vulnerabilities in remote work applications such as the Citrix exploit.”

These applications, along with insecure home PCs and devices, give attackers more opportunities for phishing and other scams, especially given the lack of cybersecurity services and protection in these situations.

To sum up: using Trojans for ransomware attacks is common. One of the most popular methods for performing these scams is email phishing. There have been attacks on big companies even with cybersecurity services. Working from home due to COVID-19 creates great attack opportunities for criminal gangs because of the lack of security firewalls and services.

ProLock: a rebranded version of PwndLocker ransomware, discovered by PeterM. This ransomware encrypts files with the RSA-2048 algorithm, modifies their filenames, and creates a ransom note.
Emotet: a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, macro-enabled document files, or a malicious link.
Ryuk: a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid.
Trickbot: a modular banking Trojan that targets sensitive information and acts as a dropper for other malware.
