CISO Monthly Roundup: Attacks on jobseekers, AveMaria infostealer evolves, ArkeiStealer hits traders, Album Stealer invades Facebook, and Zscaler AI initiatives

Feb 01, 2023
CISO Monthly Roundup, January 2023

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the last month, ThreatLabz observed a campaign targeting jobseekers, tracked the evolution of AveMaria, investigated an ArkeiStealer trading scam, analyzed a new infostealer (Album Stealer), delved into benefits of Zscaler AI, and made predictions for 2023.

Attackers target jobseekers by impersonating companies 

Over the past several years ThreatLabz has observed several generic job scams featuring work-from-home themes and offering amazing hourly pay. More sophisticated threat campaigns target companies and their executives by leveraging recruitment themes and utilizing weaponized resumes or job description documents to compromise company assets.

In this most recent campaign, threat actors are targeting jobseekers while the tech industry continues to experience significant layoffs. Attackers are posing as recruiters from a hiring company and using the LinkedIn InMail feature (and emails) to lure jobseekers into providing sensitive information. 


Figure 1: A fake job description using lower experience requirements to attract more applicants.

To increase believability, threat actors are presenting themselves as recruiters from specific companies in the US and Canada. They are also registering malicious domains using real company names with top-level domains (TLDs) such as .online, .work, .live, etc. Attackers are scraping real job postings from sites like SmartRecruiters and LinkedIn to create convincing listings to deceive jobseekers. In some cases, threat actors will set up meetings with jobseekers over Skype to lend credibility to the scam and gather additional information. People sending applications, filling out forms on malicious sites, or communicating directly with attackers risk having their information stolen for future malicious use.

ThreatLabz recommends jobseekers contact companies directly about employment postings or limit their searches to known and trusted job sites. Avoid communicating with suspicious email addresses or responding to text messages without verifying they are associated with legitimate companies. When dealing with an unknown company, search their name along with the term “fraud” or “scam” to see if they have a suspicious history. Being asked for money to cover various fees is a strong indicator of a job application scam. Do not send any money or provide financial information to people asking for funds as part of their job application process.

More information on avoiding this scam

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection.

AveMaria's dynamic distribution strategy

AveMaria is a remote access trojan (RAT) armed with remote camera operation and privilege escalation capabilities. It has been growing in popularity since its appearance in 2018. AveMaria attacks generally begin with a phishing email that tricks users into performing actions that drop a payload onto their workstation. Once installed, the malware decrypts its command-and-control (C2) connection and establishes contact over a non-HTTP protocol. During the past seven months AveMaria’s architecture and the tactics, techniques, and procedures (TTPs) used in its deployment have gone through significant changes. 

Figure 2: One of seven separate AveMaria attack chains observed between July 2022 and January 2023. This attack begins with a phishing email containing a fake purchase order.

The most recently observed variant of AveMaria uses a custom downloader that performs typecasting during the decryption process to unpack an obfuscated payload. Given the short intervals between AveMaria’s upgrades, it is safe to assume the malware is under active development. Adversaries are innovating new AveMaria TTPs as old ones are discovered on a monthly basis, or faster, in an attempt to keep their activities hidden. Current Zscaler customers are protected from AveMaria by our multilayered cloud security platform. The Zscaler Sandbox also detects and analyzes files associated with AveMaria attacks.

Read extensive technical analysis of seven AveMaria attacks

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox, Data Loss Prevention.

Threat actors target stock traders

ThreatLabz discovered attackers distributing ArkeiStealer through Windows Installer binaries hidden inside a fake TradingView application. The malicious application also includes a backdoor version of SmokeLoader, which allows threat actors to download additional malware onto infected devices. This campaign is similar to the MiniBridge RAT attacks ThreatLabz observed in May 2021.

Figure 3: The SmokeLoader/ArkeiStealer attack chain.

During this investigation ThreatLabz initially detected C2 beaconing events directed to an IP address with a low domain and ASN reputation. Further examination revealed a recently registered domain masquerading as the official TradingView website. The real TradingView website offers apps that run on Windows, macOS, and Linux. The fake site only provides a Windows version of the app, which is infected with SmokeLoader. When run, the malicious trading app downloads ArkeiStealer onto the victim’s machine.

Read the full details of the ArkeiStealer campaign

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox, Data Loss Prevention.

Album Stealer targets Facebook adult-only content seekers

ThreatLabz has identified a new information stealer called Album, hosted on fake Facebook pages. Album Stealer presents itself as a photo collection of adult images available for download. Users attempting to download the file receive a zip archive hosted on OneDrive or a secondary site. When executed, Album Stealer uses a side-loading technique that abuses legitimate, signed applications to load malicious DLLs. This technique allows the malware to evade multiple methods of threat detection.


Figure 4: Album Stealer attack chain

The Album.exe file is a TresoritPdfViewer executable signed by “Tresorit kft”. It loads a malicious dependency named PdfiumControl.dll. Album Stealer collects cookies and stored browser credentials from the victim’s machine. It also steals information from Facebook Ads Manager, Facebook Business accounts, and Facebook Graph API pages. The malware uses the ConcurrentDictionary class to obfuscate important strings and data. Data stolen from a target machine is exfiltrated to a C2 server.
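The side-loading pattern described above (a legitimately signed host binary loading a replaced dependency from the same directory) can be hunted for in endpoint image-load telemetry. The following is an added example written for this roundup, not ThreatLabz or Zscaler code; the event records, their field names, and the sample paths are constructed for illustration and do not follow any real EDR schema.

```python
"""Heuristic detection of DLL side-loading by a signed executable.

Flags image-load events where a signed executable loads a DLL from its own
directory that is unsigned (or signed by a different publisher), with an extra
flag when the pair runs from a user-writable location such as Downloads.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Locations from which a vendor-signed binary would not normally load its
# dependencies; these are the usual staging areas for dropped zip archives.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\", "\\users\\public\\")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str
    process_signer: Optional[str]  # Authenticode publisher of the host executable, None if unsigned
    dll_path: str
    dll_signer: Optional[str]      # Authenticode publisher of the loaded DLL, None if unsigned


def _parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def side_loading_reasons(event: ImageLoad) -> List[str]:
    """Return the reasons an event looks like side-loading; an empty list means no finding."""
    reasons: List[str] = []
    if event.process_signer is None:
        return reasons  # unsigned hosts are a different, noisier problem; this heuristic targets trusted binaries
    proc_dir, dll_dir = _parent_dir(event.process_path), _parent_dir(event.dll_path)
    if proc_dir != dll_dir:
        return reasons  # side-loading depends on the DLL sitting next to the host executable
    if event.dll_signer is None:
        reasons.append("unsigned DLL loaded by signed executable")
    elif event.dll_signer != event.process_signer:
        reasons.append(f"DLL signer '{event.dll_signer}' differs from executable signer '{event.process_signer}'")
    if reasons and any(hint in proc_dir for hint in USER_WRITABLE_HINTS):
        reasons.append("signed executable running from user-writable directory")
    return reasons


def flag_side_loading(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    return [(e, r) for e in events if (r := side_loading_reasons(e))]


# Constructed sample events; the first mirrors the Album Stealer chain, the others are benign loads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\Album\Album.exe", "Tresorit kft",
              r"C:\Users\alice\Downloads\Album\PdfiumControl.dll", None),
    ImageLoad(r"C:\Program Files\Tresorit\TresoritPdfViewer.exe", "Tresorit kft",
              r"C:\Program Files\Tresorit\PdfiumControl.dll", "Tresorit kft"),
    ImageLoad(r"C:\Program Files\Tresorit\TresoritPdfViewer.exe", "Tresorit kft",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]
```

Legitimate third-party components signed by a different publisher will also match the signer-mismatch rule, so treat the output as a hunting lead to be paired with install-location and prevalence data rather than a blocking signature.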

Read ThreatLabz technical analysis of Album Stealer

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention.

Zscaler AI/ML initiatives

One of the important charters for my team is to continuously enhance AI/ML adoption across the Zscaler platform and operations. Over the past several years, we have leveraged multiple AI/ML models to enhance our threat detection capabilities (phishing, malware, C&C, etc.) across the platform. They continue to deliver great results. In addition to threat detection, we also embarked on a journey to help customers make smart policy decisions (e.g. Sandbox AI/ML quarantine) that are assisted by AI/ML. One of the key initiatives in this area involves working with customers to optimize their zero-trust security policies. A number of early access customers (including one of the world's largest electric vehicle companies) have successfully reduced the attack surface exposure of their critical applications with ZPA Intelligent Policy.

Figure 5: Zscaler AI-driven intelligent policy offers quantifiable benefits to customers

Our ML team has also integrated Large Language Models such as ChatGPT, along with fine-tuning techniques, into our AIOps project. These initiatives are helping us improve the reliability and availability of our Zero Trust Exchange services, as well as significantly improve our NOC/OPS response times.

13 Predictions for Cybercrime in 2023

Deepen Desai, Zscaler CISO, and the ThreatLabz team assembled a list of 13 predictions about cybercrime in 2023. These predictions are based on information drawn from reverse engineering, behavior analytics, data science, and decades of threat hunting experience. The ThreatLabz team works 24/7 to identify and prevent threats uncovered by analyzing over 300 trillion daily signals from the Zscaler Zero Trust Exchange. 

Insights revealed in the article include:

  • Leaked source code will lead to forks: Leaked code can lead to updated and forked versions of malware, complicating threat detection efforts. Malware developers will increase obfuscation efforts and continue to use control flow flattening and virtual machine-based packers to bypass static signature detection in 2023.
  • Endpoint protection will not be enough: Attackers will continue to focus on bypassing AV and other endpoint security controls. Expect to see adversaries focus on core business service technologies, e.g. VMware ESX. Ransomware groups will likely continue to encrypt data troves before exfiltration to bypass firewalls and other legacy technology.
  • Wipers will be used in political conflicts: Nation-states are deploying wipers disguised as ransomware against other governments. By disguising the wipers as ransomware, the aggressors hope to achieve plausible deniability by claiming the attacks came from groups motivated by profit, not politics. Many of the wipers ThreatLabz encountered were easily identifiable as state-backed attacks. This trend is likely to continue in 2023.

Read the original article for the full list of 13 cybercrime predictions.


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

