The employees’ computers were then used as a stepping stone into their companies’ corporate networks, as part of what looks like a series of coordinated drive-by attacks.
Symantec confirmed that “dozens of U.S. newspaper websites owned by the same parent company have been compromised by SocGholish injected code.”
“Many of WastedLocker’s target companies may have been compromised when an employee browsed the news on one of its websites,” says Symantec.
Experts with the Threat Intelligence team at Symantec who found these attacks say the organization that operates the compromised news sites was alerted and has since deleted the malicious code.
UPDATE on our #WastedLocker investigation. Dozens of US newspaper websites owned by the same parent company were compromised by attackers in order to infect potential targets. Symantec has notified the company and it has now removed the malicious code. https://t.co/28E9iNr0o3
— Threat Intelligence (@threatintel) July 1, 2020
In a report published on June 26, Symantec said it had blocked the Evil Corp gang from deploying WastedLocker ransomware payloads in attacks against 31 large private companies, 30 of them US businesses, including “11 listed firms, eight of which are Fortune 500.”
“At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher,” researchers at Symantec explained.
“The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.”
Evil Corp concentrated its attacks on manufacturing companies (five of the 31 targets), with information technology (four organizations) and telecommunications (three) rounding out the three most targeted industries.
“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec added.
As Symantec researchers explained, the Evil Corp attacks started with the SocGholish framework, which infected targets that visited more than 150 hacked websites (dozens of them US newspaper websites, as today’s update states).
SocGholish does this by displaying fake software update alerts; the bogus updates deliver the malware payloads to the targets’ devices.
Once an employee’s computer was infected, the attackers used the Cobalt Strike threat emulation framework and other living-off-the-land tools to “steal passwords, escalate privileges, and push around the network,” with the end goal of encrypting computers with the WastedLocker ransomware.
Before deploying the ransomware, they also disabled Windows Defender across the victims’ entire networks using PowerShell scripts and legitimate tools.
Once the WastedLocker payload is successfully deployed using the Windows Sysinternals PsExec tool, it encrypts the victim’s data and deletes the Windows Volume Shadow Copies, wiping backups and file snapshots to make recovery impossible.
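A defender-side check for the chain described above, added here as an example and not taken from Symantec’s report: it runs simple command-line rules over constructed process-creation events for the three stages the article names (Defender disabled via PowerShell, shadow copies deleted, deployment via PsExec) and escalates hosts where more than one stage is seen. The specific command lines, host names and the `detect`/`escalate` helpers are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events; not telemetry from the Symantec report.
# The article says Evil Corp disabled Windows Defender with PowerShell, deployed
# WastedLocker with PsExec and deleted Volume Shadow Copies. The exact command lines
# below are assumptions chosen to illustrate detection, not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "user": "jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs02", "user": "svc_admin",
     "cmdline": "PsExec.exe \\\\fs03 -s -d C:\\Windows\\Temp\\payload.exe"},
    {"host": "ws05", "user": "asmith",
     "cmdline": "powershell.exe Get-Process"},  # benign, must not match
]

# Each rule maps one stage of the described chain to a command-line pattern.
RULES = {
    "defender_tamper": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\\S+", re.I),
}


def detect(events):
    """Return (host, rule_name) pairs for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name))
    return hits


def escalate(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were seen; defence tampering
    followed by backup destruction is the pre-encryption pattern the article describes."""
    stages = defaultdict(set)
    for host, name in detect(events):
        stages[host].add(name)
    return {host for host, seen in stages.items() if len(seen) >= min_stages}


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
    print("escalate:", sorted(escalate(SAMPLE_EVENTS)))
```

In a real deployment the same rules would be fed from Sysmon or EDR process-creation telemetry rather than the constructed list, and a single matching stage should already page an analyst, since any of these precedes encryption by minutes.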
The cybercrime group Evil Corp (aka the Dridex gang) has been active since at least 2007 and later distributed the Dridex malware toolkit, which was used to spread other threat actors’ malware payloads.
The group also took part in distributing the Locky ransomware and, until 2019, its own ransomware strain known as BitPaymer.
Since then, Evil Corp has refreshed its tactics and is once again in the ransomware “business,” deploying its new WastedLocker ransomware in targeted attacks against companies and demanding millions of dollars in ransom.