Is Your Computer Making Millions For Others? – by Ron Benvenisti

The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) continues to detect attempts to mine cryptocurrency using New Jersey government systems.

In a recent email campaign, messages with subject lines such as “911 Dispatch Tips & Tricks 19” and “RE: Desperate request for materials (time sensitive)” were sent to numerous state employee accounts. These emails contain an embedded URL that, if clicked, redirects users to websites infected with Coinhive. Coinhive is a piece of JavaScript code placed within websites, malware, applications, or browser extensions that is designed to use a system’s CPU to mine cryptocurrency. Threat actors have increasingly leveraged Coinhive and similar scripts to generate a profit by mining cryptocurrency. Many antivirus software vendors and security appliances have begun flagging network activity associated with Coinhive and may proactively block access to websites that contain the script. However, as mining tactics continue to evolve, it is likely that other instances of cryptocurrency-mining activity may go undetected. In response to the rise in cryptocurrency-mining malware, the NJCCIC recently launched a Threat Profile page dedicated solely to malware variants that have a cryptocurrency-mining component.

The NJCCIC recommends network administrators proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com and monitor network activity for anomalies that indicate cryptocurrency-mining activity. We also recommend end users install a reputable browser extension designed to block these scripts and report signs of cryptocurrency miners, such as a degradation of system performance after visiting a website or installing a browser extension. 

FBI Arrests Email Fraudsters 

The FBI announced the arrest of 74 individuals from several nations, including 42 from the United States, for conducting email fraud. The threat actors used tactics from social engineering to computer intrusion to convince victims into wiring funds to accounts controlled by the perpetrators. (See my previous article, link is below). These methods are used to target businesses and defraud them of thousands, or even millions, of dollars. The recent arrests reflect the increased effort in recent years by US law enforcement to publicly hold threat actors accountable for online crimes against US citizens, organizations, and government entities. 

Patchwork Cyber-Espionage Group Expands Targets 

Patchwork, also referred to as Dropping Elephant, is a cyber-espionage group that targets diplomatic and government agencies, private businesses, and, most recently, US think tank organizations. As the name suggests, the group is known for rehashing tools and malware in its campaigns to obtain sensitive and confidential data. Patchwork employs social engineering tactics, backdoors, and exploits known vulnerabilities in Dynamic Data Exchange (DDE) and Windows Script Component (SCT).  The group recently expanded their spear-phishing campaigns to track which recipients opened emails and incorporated topics related to the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS). Currently, Patchwork is leveraging the open-source malware Quasar RAT  to enable functionalities such as remote desktop access, webcam viewing, keylogging, file management, and the ability to download, upload, and execute files remotely. Patchwork has been observed distributing Quasar RAT in spear-phishing emails that contain hyperlinked text leading to a malicious Rich Text Format (RTF) document that, when opened, downloads and executes the malware on the targeted system. Organizations should educate their users on spear-phishing and other social engineering tactics, deploy proactive defenses such as email gateways, firewalls, and endpoint protection, employ the Principle of Least Privilege on all user accounts, and always keep hardware and software updated. 

Microsoft Excel IQY Attachment Malspam Campaign 

Antivirus platform Barkly published a report on a new malspam (malware spam) campaign spread via the Necurs botnet and targeting users by taking advantage of Microsoft Excel’s .iqy file type. When these files are opened, a connection is made to a website listed within the file and then pulls data from that website into an Excel spreadsheet. This data executes a PowerShell script that then installs the FlawedAmmyy  remote access trojan, providing attackers with remote access to administrative functions on the infected device. This attack has evaded antivirus detection as its file content is not explicitly malicious. If Excel is configured to block external content, which is often the default, users will be prompted with a “Microsoft Excel Security Notice” when an .iqy file type is opened. Users are advised to select “disable” to prevent the malicious script from executing. Emails sent with this campaign include subject lines referencing unpaid invoices, scanned document attachments, or purchase orders and may come from an email address seemingly internal to your organization. Set Excel from starting other applications or creating external connections, adjust firewall settings and email filters to block .iqy files, or , if this file type is necessary for your operations, set the default option to open with Notepad where the malicious script will not run, instead of Excel which is the default setting. 

Internet Safety Month 

Just a quick reminder about my previous TLS article which includes important tips for Internet Safety Month. Please take a look at it here:

https://thelakewoodscoop.com/2018/06/hackers-target-real-estate-agents-lawyers-title-agencies-and-buyers-by-ron-benvenisti.html 

As always, thank you to The Lakewood Scoop for allowing me the privilege to post Cybersecurity news and tips.  And thanks for everyone’s kind feedback.

Wishing all of you and your families a safe and secure summer.

Ron

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 20,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.