Threat Intel Digest

April 2020

COVID-19 and Phishing

Every holiday and major event brings its own wave of phishing emails. COVID-19 is not just another event but a global pandemic: the World Health Organization has officially declared it one.

COVID-19 has set off a domino effect across the global economy, global politics, and almost every aspect of daily life. On the digital security side, bad actors are exploiting it with phishing campaigns aimed at users who are already under strain. The attackers send emails that appear to come from HR with travel and health guidance, from vendors selling masks and hand sanitizer, or about other COVID-19 topics. Some carry a malicious attachment that opens a back door on the user’s computer, or a malicious Microsoft Word document that downloads and installs malware on the unsuspecting user’s machine. Most of the phishing emails seen in the wild also contain a suspicious link that leads users to further threats.


Ryuk Ransomware and Networking

The main goal of ransomware is to encrypt the files on a computer system. Once a machine is infected, the ransomware traverses the file system and encrypts files. Most ransomware encrypts only a specific list of file types, skipping the files the operating system needs to keep running.

Ryuk ransomware encrypts specific file types so that the infected machine keeps working. It uses techniques common in other malware, such as code injection and termination of processes that might interfere with its execution. It also deletes shadow copies so the operating system cannot restore some of the files. To maximize the infection, Ryuk looks for other machines connected to the network. Unusually for ransomware, it uses the Wake-on-LAN feature of networked devices to power on connected machines that are not active. Once Ryuk infects one machine on a network, the rest of the computers on that network are exposed to its attack.
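The Wake-on-LAN behaviour described above is visible on the wire: a magic packet is six 0xFF bytes followed by the target MAC address repeated sixteen times, optionally followed by a SecureOn password. The following detector is an added example, not code from this digest or from any Ryuk analysis; it parses captured UDP payloads for that format and flags a single source that tries to wake many hosts, which is the fan-out pattern a ransomware spreading across a segment would produce. The sample datagrams are constructed, and the input shape (source IP plus raw payload) is an assumption of the example.

```python
"""Detect Wake-on-LAN magic packets in captured UDP payloads and flag a single
source that wakes many hosts. Added example, not from the digest.

Assumptions (not from the digest): payloads have already been extracted from
UDP datagrams (WoL commonly uses ports 0, 7 or 9, but the packet is recognised
by content, not port); the sample data below is constructed."""

from collections import defaultdict

SYNC_STREAM = b"\xff" * 6


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic
    packet, else None. Format: 6 x 0xFF, then the target MAC repeated 16 times,
    optionally followed by a 4- or 6-byte SecureOn password."""
    if len(payload) - 102 not in (0, 4, 6):
        return None
    if payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_fanout(datagrams, threshold=3):
    """datagrams: iterable of (src_ip, payload). Returns {src_ip: sorted target MACs}
    for every source that sent magic packets to at least `threshold` distinct MACs."""
    targets = defaultdict(set)
    for src, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac:
            targets[src].add(mac)
    return {src: sorted(macs) for src, macs in targets.items() if len(macs) >= threshold}


# Constructed sample traffic (hypothetical addresses).
def _magic(mac_hex, password=b""):
    return SYNC_STREAM + bytes.fromhex(mac_hex) * 16 + password


SAMPLE = [
    ("10.0.0.5", _magic("0a1b2c3d4e01")),
    ("10.0.0.5", _magic("0a1b2c3d4e02")),
    ("10.0.0.5", _magic("0a1b2c3d4e03", b"\x00" * 6)),  # with SecureOn password
    ("10.0.0.5", _magic("0a1b2c3d4e01")),                # repeat target, counted once
    ("10.0.0.9", _magic("0a1b2c3d4e01")),                # one host: ordinary admin use
    ("10.0.0.9", SYNC_STREAM + bytes(range(96))),        # right length, not a magic packet
    ("10.0.0.9", b"hello"),                              # unrelated UDP payload
]

if __name__ == "__main__":
    for src, macs in find_wol_fanout(SAMPLE).items():
        print(f"{src} woke {len(macs)} hosts: {', '.join(macs)}")
```

A single magic packet is normal administrative traffic; the signal worth alerting on is one workstation waking several hosts in a short window, so the threshold and a time window are the knobs to tune against a baseline of the site's own WoL use.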


It is Just a Trick

Macro viruses are text-based malware: an executable script, commonly embedded in Microsoft Word documents, that usually runs whenever the document is opened.

Trickbot starts as a macro virus embedded in a Word document. If macro execution is disabled in Word, the malware asks the user to enable editing of the content. Since Trickbot is text-based, its first anti-analysis trick is heavily obfuscated JavaScript code. The malware then downloads different payloads that carry out various malicious activities on the infected machine. Trickbot is also a modular trojan, so it can perform different tricks at any given time, and because of that modularity each malicious module can be updated separately. Its modularity, combined with how easily a macro can be embedded in a document, keeps it persistent in the wild.
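Because the delivery step above depends on a macro project inside a Word attachment, a mail gateway or triage script can flag such documents before a user ever sees the "enable editing" prompt. The following is an added example, not code from this digest or from any Trickbot analysis. It assumes the modern Office formats (OOXML zip containers, with the macro project stored as a vbaProject.bin part) and treats legacy OLE2 binaries (.doc, .xls) as needing a dedicated parser such as the open-source oletools package; the sample attachments are constructed in memory.

```python
"""Flag email attachments that carry a VBA macro project. Added example, not
code from the digest.

Assumptions (not from the digest): modern Office files are OOXML zip containers
and a macro project lives in a part named vbaProject.bin (under word/, xl/ or
ppt/). Legacy .doc/.xls files are OLE2 compound files and are only flagged here
for manual review with an OLE-aware tool. Sample attachments are constructed."""

import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container holds a VBA project part (case-insensitive name)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return bool(names & MACRO_PARTS)


def assess_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment by content, not extension: 'macro', 'legacy-binary',
    'clean' (OOXML without a macro project) or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"  # .doc/.xls: needs an OLE parser before it can be trusted
    if has_vba_project(data):
        return "macro"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"
    return "not-office"


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns the names needing review."""
    return sorted(name for name, data in attachments
                  if assess_attachment(name, data) in ("macro", "legacy-binary"))


# Constructed samples: minimal OOXML-like containers built in memory.
def _ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [
    ("guidance.docx", _ooxml({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"})),
    ("invoice.docm", _ooxml({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00placeholder VBA project\x00"})),
    ("order.doc", OLE2_MAGIC + b"\x00" * 64),   # constructed OLE2 header only
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name}: {assess_attachment(name, data)}")
    print("review:", triage(SAMPLE_ATTACHMENTS))
```

The check deliberately ignores the file extension: a renamed .docm still carries its vbaProject.bin part, and an OLE2 header identifies a legacy binary regardless of what the sender called it.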