
The Evil Corp gang compromised dozens of U.S. newspaper websites owned by the same parent company and injected the malicious SocGholish JavaScript-based framework, which displays fake software update alerts, to infect the employees of over 30 major U.S. private companies.

The employees’ computers were then used as a stepping stone into the corporate networks of their businesses, as part of what looks like a series of coordinated drive-by attacks.

Symantec confirmed that “dozens of U.S. newspaper websites owned by the same parent company have been compromised by SocGholish injected code.”

“Many of WastedLocker’s target companies may have been compromised when an employee browsed the news on one of its websites,” says Symantec.

Experts with the Threat Intelligence team at Symantec who found these attacks say the organization that operates the compromised news sites was alerted and the malicious code has since been removed.

In a report published on June 26, Symantec had previously reported that it blocked the Evil Corp gang from deploying WastedLocker ransomware payloads in attacks against 31 large private companies, 30 of them US businesses, among them “11 listed firms, eight of which are Fortune 500.”

“At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher,” researchers at Symantec explained.

“The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.”

Evil Corp concentrated its attacks on the manufacturing sector (five of the 31 targets), with information technology (four organizations) and telecommunications (three entities) rounding out the top three most targeted industries.

“Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains,” Symantec added.

[Figure: WastedLocker targets by industry sector (Symantec)]

As Symantec researchers explained, Evil Corp’s attacks started with the SocGholish framework, used to infect targets that visited more than 150 hacked websites (dozens of them US newspaper websites, as noted in today’s update).

This is done by displaying fake software update alerts that deliver malware payloads, disguised as program updates, to the targets’ devices.

The hackers used the Cobalt Strike threat emulation framework and other living-off-the-land tools to “steal passwords, escalate privileges, and push around the network,” with the end goal of encrypting computers using the WastedLocker ransomware once a company’s employee got infected.

They also disabled Windows Defender across the victims’ entire networks using PowerShell scripts and legitimate tools prior to deploying the ransomware.

If the WastedLocker payloads are deployed successfully using the Windows Sysinternals PsExec tool, the ransomware encrypts the victims’ data and deletes Windows Volume Shadow Copies to wipe backups and file snapshots, with the aim of making recovery impossible.
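As an added defender-side illustration (not Symantec’s detection logic and not code from the original article), the following Python correlates the three staging behaviours described above, PsExec-launched processes, Defender tampering via PowerShell, and shadow copy deletion, over constructed Sysmon-like process events; the field names, hostnames and command lines are assumptions:

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape (field names are
# an assumption): benign admin activity on two hosts and one host showing the
# staging sequence the article describes.
SAMPLE_EVENTS = [
    {"host": "ws-backup-01", "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws-finance-07", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-finance-07", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all"},
    {"host": "ws-hr-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Each rule: (name, event field to inspect, pattern). Rule names are ours.
RULES = [
    ("defender_tamper", "cmdline",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", re.I)),
    ("shadow_copy_delete", "cmdline",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("psexec_child", "parent", re.compile(r"\\psexesvc\.exe$", re.I)),
]

def match_event(event):
    """Return the names of all rules that fire on a single event."""
    return [name for name, field, pattern in RULES
            if pattern.search(event.get(field, ""))]

def detect(events):
    """Map host -> set of distinct rule names that fired on that host."""
    hits = defaultdict(set)
    for event in events:
        for name in match_event(event):
            hits[event["host"]].add(name)
    return dict(hits)

def hosts_to_escalate(events, min_rules=2):
    """Hosts where at least `min_rules` distinct stages fired. A lone
    shadow-copy or Defender event is routine backup/admin noise; remote
    execution plus Defender tampering plus backup deletion on one host
    is the pre-ransomware staging pattern worth an incident ticket."""
    return sorted(h for h, names in detect(events).items() if len(names) >= min_rules)
```

Raising `min_rules` trades sensitivity for fewer false positives; the benign backup and `Get-MpPreference` events above never fire because they neither delete snapshots nor change Defender settings.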

[Figure: Example fake software update alert]

The cybercrime group Evil Corp (aka the Dridex gang) has been active since at least 2007 and later distributed the Dridex malware toolkit, which was also used to spread the malware payloads of other threat actors.

They also took part in distributing the Locky ransomware and, until 2019, operated their own ransomware strain known as BitPaymer.

Since then, Evil Corp has refreshed its tactics and is back in the ransomware “business,” deploying its new WastedLocker ransomware in targeted attacks against businesses and demanding millions of dollars in ransoms.

Category: News | July 2, 2020