IT Security Information

On 2020-07-17 the Hornetsecurity Security Lab detected the return of Emotet malspam. The reemerging Emotet malspam was already blocked by existing detection rules. The current Emotet malspam wave again uses malicious macro documents spread either via attachments or via malicious download links. As usual, the VBA macros in the document download the Emotet loader that the Hornetsecurity Security Lab has previously analyzed.

On 2020-07-07 Mozilla temporarily disabled their Firefox Send service due to abuse by malware. Hornetsecurity’s Security Lab explains how malware was abusing the Firefox Send service. To this end, a malspam campaign distributing a variant of the Ursnif malware is analyzed. The campaign used the Firefox Send service to host its malicious downloader and send victims these malicious Firefox Send links. Such abuse prompted Mozilla to disabled the Firefox Send service, because the service is currently lacking a feature to report abuse. Meaning even if researchers found these malicious links they could not be reported to Mozilla for takedown. However, our analysis further reveals that malware already abuses other services, hence, disabling Firefox Send – even though it was the right decision – has no impact on malware campaigns.

In this article Hornetsecurity’s Security Lab outlines one of the current infection chains by the operators behind the Clop ransomware. The outlined infection chain starts from an email with a malicious HTML attachment. This attachment redirects the victim to an XLS document containing the Get2 loader. This loader then installs a remote access trojan (RAT) on the system, which is used to prepare the victims network for the deployment of the Clop ransomware. The goal of the attack is to encrypt as many systems in the victims organization as possible in order to extort the highest possible ransom. To this end, the attackers also threaten to publish stolen data if the ransom is not paid.

On 2020-06-03 it was reported that a new ransomware calling itself Avaddon was seeking partners for their affiliate program, i.e., someone installing the ransomware on victim systems. Just two days later on 2020-06-05 malspam distributing the Avaddon ransomware has been observed…

Our journey through the history of cryptography is coming to an end, but we still have a few last stations ahead of us. First we dealt with symmetric encryption and the encryption methods of Data Encryption Standard (DES) and Advanced Encryption Standard (AES), and in the last blog we introduced asymmetric encryption. In our final piece of the Cryptography triology, we will dive deeper into asymmetric encryption. Attack techniques such as man-in-the-middle attacks and brute force attacks will be examined. Finally, we will present a wide view into the future – keyword: quantum cryptography…

Hornetsecurity’s Security Lab presents insights into a long running information stealer campaign targeting German HR contacts with fake CV files.