Emerging Threats

ThreatLabz Research July 2021

Aug 10, 2021

Ransomware rebranding, enterprise IoT report, Joker in Google Play, and Netwire RAT

The world is slowly starting to move back from mandatory remote work, and as part of that process it’s important for security experts at organizations to assess the measures and modifications made during the pandemic to accommodate change.

The ThreatLabZ team has been reviewing billions of transactions gathered via the Zero Trust Exchange and finding new and interesting data about the attack strategies employed by cybercriminals. This month the team watched the DoppelPaymer ransomware operation rebrand itself to avoid detection, released a report on enterprise IoT vulnerabilities, investigated how Joker keeps propagating in Google Play, and tracked a new variant of Netwire RAT targeting government organizations.

Ransomware rebranding - a new trend?

Over the last few months, the ThreatLabZ team (and the entire cybersecurity community) has seen multiple cybercriminal groups go suddenly quiet, only to pop up again under a new name. We're seeing this trend extend to ransomware threat actors, with numerous examples emerging in the past few months, including WastedLocker (changing to Hades), DoppelPaymer (changing to Grief), DarkSide (changing to BlackMatter), and more.

Why are ransomware operators adopting this tactic? A few key reasons include:

  • Avoiding governmental scrutiny and crackdowns, including sanctions, by distancing themselves from known criminal activity.
  • Attempting to confuse security researchers and law enforcement.
  • Changing the infrastructure of their ransomware operations (server locations, mode of payment, etc.).

As a clear example of this tactic, the ThreatLabZ team observed a decrease in DoppelPaymer ransomware activity in May 2021—but only so that the threat group behind DoppelPaymer could rebrand the ransomware under the name Grief (aka Pay OR Grief). 

An early Grief ransomware sample was compiled on May 17, 2021. This sample contains the Grief ransomware code and ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal. This suggests that the malware author may have still been in the process of developing the Grief ransom portal. Ransomware threat groups often rebrand the name of the malware as a diversion.

The Grief ransom portal differs from the DoppelPaymer portal in that the ransom demand is for Monero (XMR) instead of Bitcoin (BTC). This switch in cryptocurrencies may be in response to the FBI recovering part of the Colonial Pipeline ransom payment. The Grief ransom portal, however, kept the same live chat code that allows victims to resume a previous conversation or to start a new conversation.

Figure 1. Grief ransomware (left) and DoppelPaymer (right) victim ransom portals

In our blog, we compare the similarities between DoppelPaymer and Grief ransomware.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

IoT in the Enterprise Report: Empty Office Edition

In a new blog post, the ThreatLabZ team outlines the latest research report on IoT. 

Using data collected between December 14 and December 31, 2020, when most non-essential business offices were shut down, we completed two studies: an IoT device fingerprinting study that identified IoT devices and traffic and an IoT malware study based on data from the Zscaler cloud. The result—an eye-opening deep dive into both sanctioned and unsanctioned IoT devices and IoT malware attacks, showing tremendous growth in both.

Key findings in the reports:

  • IoT malware on corporate networks has increased by 700 percent year-over-year, despite much of the global workforce working from home
  • Entertainment and home automation devices posed the most risk due to their variety, low percentage of encrypted communication, and connections to suspicious destinations
  • 76 percent of IoT communications occur on unencrypted plain text channels
  • Gafgyt and Mirai—malware families popularly used in botnets—accounted for 97 percent of the IoT malware payloads blocked by the Zscaler cloud
  • Technology, manufacturing, retail and wholesale, and healthcare industries accounted for 98 percent of IoT attack victims
  • Most attacks originated in China, the United States, and India
  • Most targets for IoT attacks were in Ireland, the United States, and China

When offices and manufacturing facilities emptied in response to the pandemic, employees went home, but IoT devices remained behind and "on," pinging the internet, refreshing data, and performing their functions. Of more concern, threat actors quickly identified these devices as attack opportunities, resulting in a staggering 833 IoT malware payloads blocked every hour by the Zscaler cloud.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Joker Joking in Google Play: Joker malware targets Google Play store with new tactics

"Joker" is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, Joker continues to appear in Android applications on the Google Play store. Joker malware has evaded Google's detection by employing changes in its code, execution methods, or payload-retrieving techniques.

This prompted the ThreatLabZ team to evaluate how Joker continues to successfully get around the Google Play vetting process. We recently saw 11 different samples regularly uploaded to Google Play, totaling 30 thousand installs.

Joker malware authors have targeted some categories of apps more than others. Based on the 50+ payloads we have seen in the last quarter, the following five categories were the most heavily targeted:

Figure 2: Targeted Joker categories

The infected software included PDF reader and messaging apps. 

Joker is known for changing its tactics to bypass the Google Play store vetting process. This time, ThreatLabZ saw Joker using URL shortener services to retrieve the first level of payload. Unlike the previous campaign, where the payloads were retrieved from the Alibaba Cloud, in this campaign Joker-infected apps downloaded the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im, or 27url.cn to hide the known cloud service URLs serving stage payloads.
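A defender-side check for the behaviour described above, written as an added example (not Zscaler's or ThreatLabZ's code): it scans constructed per-app HTTP request logs for first-stage fetches that go to the shortener services named in this campaign. The log format, package names and URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# URL shortener services named in the Joker campaign described above.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "rebrand.ly", "zws.im", "27url.cn"}


def is_shortener_host(host, shorteners=SHORTENER_HOSTS):
    """True if host is a shortener domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in shorteners)


def flag_shortener_fetches(log_lines):
    """Return (package, url) pairs for app HTTP fetches that went to a shortener.

    Assumed (constructed) log format, one request per line:
        <timestamp> <android-package> <method> <url>
    Malformed lines are skipped.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, package, _, url = parts
        host = urlsplit(url).hostname or ""
        if is_shortener_host(host):
            hits.append((package, url))
    return hits


# Constructed sample traffic; package names and URLs are illustrative placeholders.
SAMPLE_LOG = [
    "2021-07-02T10:00:01Z com.example.pdfreader GET https://tinyurl.com/abc123",
    "2021-07-02T10:00:02Z com.example.pdfreader GET https://cdn.example.net/fonts.css",
    "2021-07-02T10:00:05Z com.example.messenger POST https://api.example.org/v1/sync",
    "2021-07-02T10:00:09Z com.example.messenger GET http://27url.cn/xyz",
    # Look-alike host that merely starts with a shortener name: must not match.
    "2021-07-02T10:00:12Z com.example.notes GET https://bit.ly.example.com/page",
]

if __name__ == "__main__":
    for package, url in flag_shortener_fetches(SAMPLE_LOG):
        print(f"review {package}: stage-1 fetch via shortener {url}")
```

A shortener hit on its own is not proof of Joker; it is a triage signal that the app's fetch chain should be followed to the final payload host in a sandbox.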

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Targeted Attack on Government Organizations Delivers Netwire RAT

The Zscaler ThreatLabz team observed an interesting spear phishing campaign in July 2021 targeting a wide range of Pakistani organizations. The attack delivered NetwiredRC as the final payload. The combination of spear phishing and an information-stealing RAT payload indicates a sophisticated cybercrime operation targeting multiple government organizations in Pakistan along with other industry verticals.

Figure 3: NetwireRC RAT attack chain

This attack:

  1. Uses email information stolen from an actual Pakistan government website (Ministry of Information Technology and Telecommunication).
  2. Downloads its payload from the compromised website of the National College of Nepal, located in Kathmandu.
  3. Delivers NetwireRAT, a well-known malware for stealing sensitive information, as the final payload.
  4. Sends the stolen information in obfuscated form to the command and control server 66[.]42.43.177:443, routing it through the system proxy obtained with the WinHttpGetIEProxyConfigForCurrentUser() API.

In our post, we deconstruct the RAT-malware campaign attack chain, from initial email to payload deployment to data exfiltration to command-and-control (CnC) server. 
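Because the RAT routes its exfiltration through the system proxy (step 4 above), the corporate proxy log is where those sessions surface. The following added example (not Zscaler's code) refangs the indicator as written in this post and tallies outbound bytes per client to that endpoint over constructed proxy log lines; the log format and client addresses are assumptions.

```python
# Indicator exactly as given in the write-up above, in defanged form.
DEFANGED_C2 = "66[.]42.43.177:443"


def refang(ioc):
    """Undo common defanging ('[.]' -> '.', 'hxxp' -> 'http') so an indicator can be matched."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_host_port(endpoint):
    """Split 'host:port' into (host, int port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_c2_sessions(proxy_log_lines, defanged_ioc):
    """Return {client_ip: total_bytes_sent} for sessions to the given C2 endpoint.

    Assumed (constructed) proxy log format, one CONNECT per line:
        <timestamp> <client-ip> <dest-host>:<dest-port> <bytes-sent>
    Only exact host AND port matches count; the same host on another port is ignored.
    """
    c2 = parse_host_port(refang(defanged_ioc))
    totals = {}
    for line in proxy_log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        _, client, dest, sent = fields
        if parse_host_port(dest) == c2:
            totals[client] = totals.get(client, 0) + int(sent)
    return totals


# Constructed sample lines; client addresses are private-range placeholders.
SAMPLE_PROXY_LOG = [
    "2021-07-14T08:12:03Z 10.20.30.41 66.42.43.177:443 15320",
    "2021-07-14T08:12:04Z 10.20.30.41 update.example.com:443 2210",
    "2021-07-14T08:13:10Z 10.20.30.57 66.42.43.177:8443 900",
    "2021-07-14T08:15:44Z 10.20.30.41 66.42.43.177:443 48770",
]

if __name__ == "__main__":
    for client, sent in find_c2_sessions(SAMPLE_PROXY_LOG, DEFANGED_C2).items():
        print(f"{client} sent {sent} bytes to Netwire C2 {refang(DEFANGED_C2)}")
```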

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 100 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
