The NJCCIC recommends network administrators proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com and monitor network traffic for anomalies that indicate cryptocurrency mining. We also recommend end users install a reputable browser extension designed to block these scripts and report signs of cryptocurrency miners, such as a degradation of system performance after visiting a website or installing a browser extension.
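One way to act on the monitoring half of that recommendation is to run resolver or proxy logs against a blocklist of the two miner domains. The script below is an added example written for this column, not code from the NJCCIC advisory; the log line format ("timestamp client query-name") and the sample lines are constructed for illustration, so the parser will need adjusting to whatever your resolver actually writes. It matches on domain label boundaries, so a subdomain of coin-hive.com is flagged while an unrelated name that merely contains the string "coinhive" is not.

```python
"""Flag DNS/proxy log lines that reference known browser-miner domains.

Added example, not part of the NJCCIC advisory. The log format and the
sample lines below are constructed for illustration; adapt the regex to
your resolver's or proxy's real output.
"""
from __future__ import annotations

import re
from typing import Iterable

# Domains named in the advisory. The square brackets in the text are
# defanging notation; the blocklist holds the real registrable names.
MINER_DOMAINS = frozenset({"coinhive.com", "coin-hive.com"})

# Constructed sample lines in an assumed "<timestamp> <client_ip> <qname>"
# resolver log format (not any real product's format).
SAMPLE_DNS_LOG = """\
2018-06-15T09:12:01Z 10.0.4.17 www.example.org
2018-06-15T09:12:03Z 10.0.4.17 coinhive.com
2018-06-15T09:12:04Z 10.0.4.22 authedmine.coin-hive.com
2018-06-15T09:12:05Z 10.0.4.22 notcoinhive.com
2018-06-15T09:12:06Z 10.0.4.31 COIN-HIVE.COM.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalise(name: str) -> str:
    """Lower-case the name and strip the trailing dot many resolvers log."""
    return name.lower().rstrip(".")


def is_blocked(qname: str, blocklist: frozenset[str] = MINER_DOMAINS) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one.

    A plain substring test would wrongly match 'notcoinhive.com';
    matching on label boundaries avoids that false positive.
    """
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in blocklist)


def find_miner_queries(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, query) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        if is_blocked(m["qname"]):
            hits.append((m["ts"], m["client"], normalise(m["qname"])))
    return hits


def clients_to_investigate(lines: Iterable[str]) -> set[str]:
    """Distinct internal hosts that resolved a miner domain."""
    return {client for _, client, _ in find_miner_queries(lines)}


if __name__ == "__main__":
    log_lines = SAMPLE_DNS_LOG.splitlines()
    for ts, client, q in find_miner_queries(log_lines):
        print(f"{ts} {client} -> {q}")
    print("hosts to check:", sorted(clients_to_investigate(log_lines)))
```

Run against the constructed log it reports three hits from three internal hosts and ignores the look-alike name. Feeding it a real resolver export only requires changing `LINE_RE`; the blocklist can be extended with any further miner domains your own threat intelligence names.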
FBI Arrests Email Fraudsters
The FBI announced the arrest of 74 individuals from several nations, including 42 from the United States, for conducting email fraud. The threat actors used tactics ranging from social engineering to computer intrusion to convince victims to wire funds to accounts controlled by the perpetrators (see my previous article, linked below). These methods are used to target businesses and defraud them of thousands, or even millions, of dollars. The recent arrests reflect the increased effort in recent years by US law enforcement to publicly hold threat actors accountable for online crimes against US citizens, organizations, and government entities.
Patchwork Cyber-Espionage Group Expands Targets
Patchwork, also referred to as Dropping Elephant, is a cyber-espionage group that targets diplomatic and government agencies, private businesses, and, most recently, US think tanks. As the name suggests, the group is known for rehashing tools and malware in its campaigns to obtain sensitive and confidential data. Patchwork employs social engineering tactics and backdoors, and exploits known vulnerabilities in Dynamic Data Exchange (DDE) and Windows Script Component (SCT) files. The group recently expanded its spear-phishing campaigns to track which recipients opened emails, and incorporated topics related to the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS). Currently, Patchwork is leveraging the open-source malware Quasar RAT, which provides remote desktop access, webcam viewing, keylogging, file management, and the ability to download, upload, and execute files remotely. Patchwork has been observed distributing Quasar RAT in spear-phishing emails containing hyperlinked text that leads to a malicious Rich Text Format (RTF) document; when opened, the document downloads and executes the malware on the targeted system. Organizations should educate users about spear-phishing and other social engineering tactics, deploy proactive defenses such as email gateways, firewalls, and endpoint protection, apply the Principle of Least Privilege to all user accounts, and always keep hardware and software updated.
Microsoft Excel IQY Attachment Malspam Campaign
Antivirus vendor Barkly published a report on a new malspam (malware spam) campaign spread via the Necurs botnet that targets users by taking advantage of Microsoft Excel’s .iqy (web query) file type. When one of these files is opened, Excel connects to the website listed within the file and pulls data from that website into a spreadsheet. That data executes a PowerShell script, which then installs the FlawedAmmyy remote access trojan, providing attackers with remote access to administrative functions on the infected device. The attack has evaded antivirus detection because the file content itself is not explicitly malicious. If Excel is configured to block external content, which is often the default, users will be prompted with a “Microsoft Excel Security Notice” when an .iqy file is opened; users are advised to select “Disable” to prevent the malicious script from executing. Emails sent in this campaign use subject lines referencing unpaid invoices, scanned document attachments, or purchase orders, and may come from an email address that appears to be internal to your organization. Prevent Excel from starting other applications or creating external connections, adjust firewall settings and email filters to block .iqy files, or, if this file type is necessary for your operations, change the default program for opening .iqy files from Excel to Notepad, where the script will not run.
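Because an .iqy file is plain text that names the URL Excel will fetch, a mail gateway or triage analyst can inspect the attachment itself rather than relying on antivirus signatures. The inspector below is an added example written for this column, not code from Barkly's report: it parses the web-query structure (query type, version, URL, optional key=value options) and quarantines any file whose data source is not an allowlisted internal host. The allowlist host and both sample files are constructed, and the domain in the suspect sample is a placeholder rather than an indicator from the report.

```python
"""Inspect Microsoft Excel Web Query (.iqy) attachments before delivery.

Added example, not part of Barkly's report. An .iqy file is plain text:
line 1 is the query type (WEB), line 2 a version number, line 3 the URL
Excel will fetch, followed by optional key=value options. The allowlist
and the sample files below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed: hosts your organisation legitimately pulls web queries from.
ALLOWED_HOSTS = frozenset({"reports.intranet.example"})


@dataclass
class IqyReport:
    query_type: str
    url: str
    options: dict[str, str] = field(default_factory=dict)
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_iqy(data: bytes) -> IqyReport:
    """Parse the text structure of an .iqy file (tolerates a BOM and CRLF)."""
    text = data.decode("utf-8-sig", errors="replace").replace("\r\n", "\n")
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]
    if len(lines) < 3:
        raise ValueError("too short to be a web query file")
    query_type, _version, url = lines[0], lines[1], lines[2]
    options: dict[str, str] = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return IqyReport(query_type=query_type, url=url, options=options)


def assess(report: IqyReport, allowed_hosts: frozenset[str] = ALLOWED_HOSTS) -> IqyReport:
    """Attach findings: unexpected query type, odd URL scheme, or a non-allowlisted host."""
    if report.query_type.upper() != "WEB":
        report.findings.append(f"unexpected query type {report.query_type!r}")
    parsed = urlparse(report.url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        report.findings.append(f"non-web URL scheme {parsed.scheme!r}")
    elif host not in allowed_hosts:
        report.findings.append(f"external data source {host!r}")
    return report


def inspect_iqy(data: bytes) -> IqyReport:
    """Parse and assess one attachment; caller quarantines if .suspicious is True."""
    return assess(parse_iqy(data))


# Constructed samples. The domain in SUSPECT_IQY is a placeholder
# (.invalid TLD), not an indicator taken from the report.
BENIGN_IQY = b"WEB\r\n1\r\nhttps://reports.intranet.example/sales.csv\r\n\r\nSelection=EntirePage\r\n"
SUSPECT_IQY = b"\xef\xbb\xbfWEB\r\n1\r\nhttp://attacker-placeholder.invalid/2.dat\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_IQY), ("suspect", SUSPECT_IQY)):
        r = inspect_iqy(blob)
        print(name, "->", "QUARANTINE" if r.suspicious else "allow", r.findings)
```

The allowlist approach mirrors the article's advice: if .iqy files are genuinely needed, only the handful of internal data sources your finance or reporting teams use should ever appear on line 3, and anything else is worth holding back from the mailbox. If the file type is not needed at all, blocking the extension outright is simpler than inspecting content.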
Internet Safety Month
Just a quick reminder about my previous TLS article which includes important tips for Internet Safety Month. Please take a look at it here:
As always, thank you to The Lakewood Scoop for allowing me the privilege to post Cybersecurity news and tips. And thanks for everyone’s kind feedback.
Wishing all of you and your families a safe and secure summer.