ThreatLabZ September 2021 Report: Fake Olympics streaming, new CloudFall campaign, and heightened skimmer activity signal busy fall cybersecurity season
Sep 21, 2021
In the past month and a half, we identified and documented malware campaigns targeting the Tokyo 2020 Olympic Games, a novel multi-stage attack chain attributed to the new "CloudFall" threat group, and an alarming rise in FakeClicky skimmer activity.
Cybercriminals target would-be streamers with Tokyo Olympics-themed malware campaigns
Whenever a popular global sporting event like the World Cup or the Olympics is held, we see hackers targeting victims with themed campaigns. The malicious software deployed can range from ransomware to coin miners.
The recent Tokyo 2020 Olympic Games were no exception: Threat adversaries created fake websites to scam and steal from users. This year, we saw fake sites aimed at deploying three common malware variants: credit-card payment credential stealers; the irrelevant browser extension YourStreamSearch, which is a known browser hijacker; and OlympicDestroyer, a malware app that deploys credential-stealing data-exfiltration code onto a victimized device.
In the credit-card payment credential stealer example, hackers employed newly-registered domains (NRDs) to create fake streaming sites, as in Figure 1 below.
Figure 1. Fake streaming site tied to the Tokyo 2020 Olympic Games.
Even though it promises free access to streaming Olympics content, this particular fake site solicits user payment details as part of “registration.” Hackers then resell the credit card details on the dark web, or steal from associated accounts.
To protect against these attacks, we recommend these guidelines:
- Verify the source of emails with “too good to be true” deals. Be wary of any suspicious attachments.
- Avoid unofficial mobile application stores.
- Verify the authenticity of the URL or website address before clicking on a link.
- Stay away from emailed invoices - this is often a social engineering technique used by cybercriminals.
- Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking
- Always ensure that your operating system and web browser have the latest security patches installed.
- Backup your documents and media files - this is extremely important with ransomware infections.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection.
New “CloudFall” hacking group targets scientists and researchers
ThreatLabZ has identified a new threat actor we’re calling “CloudFall” based on the network architecture the group uses. The cybercriminal group has developed a multi-stage attack chain that exploits CloudFlare web servers via compromised Microsoft Word files. We have also determined -- based on the social-engineering lures in the group’s campaign content -- that the gang is targeting Eastern European and Central Asian scientists and researchers who were invited to several international military conferences.
The group uses new tactics, techniques, and procedures (TTPs) that we haven’t seen before, particularly with regard to the complex logic of its multi-stage attack chain, some steps of which run in parallel tracks. In its exploits, CloudFall is able to abuse Microsoft Office Word features to evade detection, even from automated analysis systems.
ThreatLabZ has documented two variants of the CloudFall group’s complex multi-stage attack chain, as illustrated in Figures 2 and 3 below.
Figure 2. Attack chain of first variant.
Figure 3. Attack chain of the second variant
In both cases, the CloudFall group hides its first-stage malware to be deployed in a Microsoft Word document. In the first variant, subsequent malware execution displays dummy content while malicious binary code runs in the background. In the second variant, the malware unpacks XML code that reinstalls the persistence template, resulting in the malicious binary code executing.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, Advanced Cloud Sandbox.
FakeClicky skimmer activity spikes
ThreatLabZ has seen a recent spike in skimming activity, in particular the use of the FakeClicky skimmer loader, which we’ve tracked for the past two years.
FakeClicky leverages newly registered domains, uses a fake Google Analytics script as a loader, and injects malicious skimmer code on the checkout page. The loader script is injected in all the pages on the compromised e-commerce website, but the skimmer is only loaded on the ‘Checkout’ page. The loader script uses the tag “<!-- Google Tag Manager -->,” making it appear to be a real GTag script, as shown below in Figure 4.
Figure 4. Skimmer loader injected inline in the compromised website.
Most of the websites with FakeClicky skimmer code have newly-registered domains, most of which resolve to one of two different IP addresses, 195.54.160[.]61 and 195.54.160[.]161. We analyzed the fake sites to deconstruct the FakeClicky skimmer flow which involves loading, stealing payment details, base64 encoding the information and exfiltration.
Unfortunately, skimmers like FakeClicky are becoming more commonly-deployed. The Zscaler ThreatLabZ team will continue to monitor skimmer activities to ensure coverage for Zscaler customers.
ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.
The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
What to read next: