Malware activity for various families continues to ebb and flow; with a popular malware called LookBack recently discovered in a slew of campaigns, and Emotet and other malware variants that were quiet over the summer set to make a dangerous comeback.
Researchers believe that nation-state actors are behind several spearphishing campaigns targeting U.S. utility companies with a newly-identified malware called LookBack, which has the capabilities to view system data and reboot machines.
Meanwhile, other malware strains like Emotet and Retefe were quiet over the past few months, but researchers at Proofpoint believe that the developers behind these malware families are only in “vacation mode” and are set to return. Indeed, just this week researchers pointed to new Emotet activity in malspam campaigns aimed at English-, Polish-, German- and Italian-speaking recipients.
Threatpost talks to Sherrod DeGrippo with Proofpoint about the top malware trends of 2019 so far.
Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost and I’m here at Black Hat 2019 in Las Vegas with Sherrod DeGrippo with Proofpoint. Sherrod, how is your Black Hat going?
Sherrod DeGrippo: Well, I just got here, but I can feel a lot of excitement. People are ready to get crazy with security, which is always nice.
LO: It looks to be a couple of exciting days coming up, so really pumped about that. So Sherrod, can you just tell us a little bit about your role at Proofpoint and kind of what your expertise is in cybersecurity?
SD: Sure. So I lead our threat research and detection teams. Essentially, to boil it down, our team pulls down viruses and different kinds of threats, analyzes them, potentially reverse engineers them and then writes detections, as well as provides intelligence out to our customers on all the threats that we see.
LO: Great. Well, you guys had some really interesting research that came out right before this conference, actually. And it was about how you uncovered a spearphishing campaign that had been targeting utilities firms, and it was peddling a new malware called LookBack. So can you tell us a little bit about that?
SD: Sure. So that campaign happened from July 25 to July 30. And that was targeting utilities that had something to do either with water or electric power generation of some kind. They were all utilities in the United States. It’s a very sophisticated campaign. So you could tell that they had really chosen who their targets were going to be in that particular organization, and it bears a lot of resemblance to potential nation-state activity. It was a really interesting campaign too because this was a style of malware that we hadn’t seen in the past. But it was leveraging something that we see all the time, which is malicious documents; those are really, really common, sending those and trying to get them in the inbox and trying to get the user to click on them.
LO: Yeah. So what were the emails purporting? Why were they so specific? Who are they trying to pretend to be?
SD: So something that I actually really find interesting about this campaign is that the lure pretended to come from an accrediting body for licensure for engineers. So the NCEES, it was spoofing their branding, their URL, trying to get people to click on the idea that they had failed their licensing exam for their engineering license.
LO: What happened once a victim was to click on the malicious Word document?
SD: So it would install the LookBack malware, which is a piece of malware that we hadn’t seen before, even though it had a lot of similarities to some activity that had been seen in the past. We couldn’t correlate exactly who the actor was. So it just definitely has that hallmark of being very sophisticated because of the way that it behaves; essentially it installs a backdoor capability within it. And it allows the attacker to have remote access to those particular machines that they’ve targeted.
LO: Was there any sort of particular capabilities that the malware had?
SD: So it was a pretty extensible backdoor, what we’ve been seeing in landscape lately is that everything is becoming a lot more modular and flexible. So a piece of malware that used to do one specialized thing, now we’re seeing them become these really extensible modules where the threat actor can put lots of different pieces into them. And this one had a lot of those characteristics as well, it could give that remote access and allow the attacker to kind of do whatever they wanted to do next.
LO: Yeah, I feel like that’s really scary, especially given kind of the utilities threat landscape that we’re seeing right now. Can you talk a little bit more about that?
SD: Sure. So we have a lot of data around municipalities, utilities, kind of these organizations that aren’t really commercial. And we see them getting attacked very frequently; a lot of them have a targeting against a person. So a lot of times, they’ll have a threat actor that’s gone and done intelligence research on who they’re targeting. And they’ll create something really specific for that particular target. And in threat research and in security, we have to always think like an attacker. So on my team, we’re always kind of trying to figure out who these people are, what they do, what their role is, where they were, who they report to. And we do the same for all of our verticals. But utilities, of course, is very unique, because it affects everyone. They have customers and users that, you know, are just about everyone in the United States.
LO: Now switching gears a little bit, looking at Black Hat and even beyond to trends of 2019. Is there anything that is sticking out to you about different malware variants in general, anything we should be looking out for?
SD: Yeah, so I think that’s a good question. So our team is always really interested and excited about what’s going to happen next. We’ve seen a lot of things disappear this summer; Emotet, for example, dropped off May 31. That was the last time we saw a campaign from them. They had been hammering the landscape, both in volume and incredible efficacy. They were really creative. They went back and forth between attachments and URLs; they were using lots of different factors. We haven’t seen a campaign from them since May 31. A lot of people believe that they’re gone for good; Proofpoint typically has an attitude that nobody ever, like, leaves forever; we think everyone will come back. I think they will be back in the fall. So I don’t like to make big predictions like that kind of stuff. But yeah, I would not be surprised at all if September comes and we start seeing more campaigns from Emotet. Something else that we’ve been noticing that hasn’t been around is that we haven’t seen Retefe, which is a banking Trojan that typically hits those specialized banks in Switzerland, Liechtenstein and Luxembourg, and that area. We haven’t seen that one since July 4. And that’s another one that I really think is potentially in vacation mode. And once that threat actor comes back from vacation, they’ll most likely start sending those campaigns again.
LO: Yeah, so what’s usually the cause behind these, you know, as you put it, like vacation mode kind of breaks for certain Trojans and malware campaigns?
SD: A lot of times it truly is that the threat actors are on vacation. Eastern Europe is where a lot of our threat actors are based, and they have a culture that really dictates a lot of vacation time. We also see that they make a lot of money. And so if you have a lot of money and a flexible schedule, a summer vacation for a couple of months is a nice thing to have on the docket. Occasionally, we do see them motivated by arrests, right. Retefe, for example, potentially could be motivated by an arrest; we saw some law enforcement activity from the Swiss law enforcement agencies around that. But most of the time, it’s really just motivated by a genuine wanting to take a break and wanting to kind of enjoy some of the success that they’ve had getting things into people’s machines.
LO: Yeah, I’m curious to what you’re seeing in different kind of geo locations. You know, when it comes to different threats and malware attacks and campaigns, are there any specific trends that you’re seeing for the U.S. versus other areas?
SD: Sure. So something specific around Australia is really timely right now. It’s their tax season. So just like in the US, where we have tax season around April 15, this is the tax season for Australia. We did a lot of research, and we found a ton of phishing leveraging the Australian tax revenue service branding. And those are, of course, going to Australian users. Yeah, we also have TA505, which does a lot of banking Trojans, sending really specialized campaigns to the Middle East. So the UAE and Saudi Arabia, those are typically government and sort of those non-government agencies getting hit with that kind of banking Trojan activity, as well as financials in the Middle East. Big banks in the Middle East, Saudi Arabia, UAE, again, getting that targeting from the financial actors.
LO: Yeah, it’s interesting, you mentioned about kind of timeliness because I know, at least in the U.S., we have different phishing campaigns around, like, Black Friday or certain other events; there might be, like, the World Cup or things like that. So I’m sure that’s a big factor that plays into it as well.
SD: Seasonality is a really big thing. You know, there’s ones that we think would be huge, like Christmas, but they’re really not. It’s more of those kind of event type things where they can play on the emotions of people being upset or panicking, like the tax revenue service, or we see a lot of them from the UK, which is Her Majesty’s royal customs and tax service as well. We see a ton of branding like that just because it plays on people’s emotions. And it’s a great form of social engineering to say someone’s taxes are due.
LO: Right. Well, I know. Yeah, that would definitely play on my emotions. Sherrod, thank you so much for coming to chat with us at Black Hat this year.
SD: Thanks a lot. It was great to meet you too. Thanks.