News Wrap: GandCrab Operators Resurface, Utilities Firms Hit By LookBack Malware


The malware landscape continues to evolve with the re-emergence of the GandCrab operators and a continued spearphishing attack spreading the LookBack RAT.

On this week’s news wrap podcast, Threatpost editors Tara Seals and Lindsey O’Donnell break down the top news, including:

For the full podcast listen below or download here.

Below find a transcript of this week’s Threatpost news wrap.

Lindsey O’Donnell: Welcome back to the Threatpost news wrap podcast for the week ended September 27. You’ve got Lindsey O’Donnell-Welch and Tara Seals here with Threatpost to talk about the biggest news stories of this week. Hi, Tara.

Tara Seals: Hi, Lindsey. How are you?

LO: I’m good, good. So Tara, you’re actually going to Virus Bulletin next week. Is it in London?

TS: Yeah, it’s next Wednesday through Friday, first week in October in London. And yeah, I’m excited that there should be some really good research presented and I will be there on the ground, trying to live tweet and definitely writing up anything interesting.

LO: Is there anything in particular you’re looking forward to, any sessions, any keynotes that are going to really make a splash there?

TS: Yeah, so I sent out some feelers to find out what people were going to be talking about. And there is going to be a bit of discussion on new APT stuff. But there should also be some interesting sessions on the pen testing front. I know, like avionics, for example, is something that we’ve been following on a semi-regular basis with Threatpost, and there should be some developments there. And, basically it’s just a who’s who of the security research community. So I’m just excited to talk to people informally as well, and get the pulse for where things are and what emerging trends are and things like that.

LO: Well for listeners, be sure to keep up with Threatpost and all of Tara’s coverage of Virus Bulletin next week. So looking at this week, it’s been a pretty busy week news-wise. I know we’ve written some big data privacy stories, there was some malware news and even patches. I was surprised to see a few vendors issuing some unscheduled fixes this week as well.

TS: Yeah, absolutely. No rest for the weary, that’s for sure, on the security front.

LO: Yeah, for sure. Well, just to start out, I was surprised to see GandCrab make the headlines again this week, especially given that I thought that they were going into retirement, and I know you kind of covered what that was. Can you talk a little bit about the story there?

TS: Yeah, definitely. So you know, this came as somewhat of a surprise to me, although the security researchers that I talked to didn’t seem completely shocked, given how much money they had made from the ransomware. But I don’t know if you remember, but back in June, the GandCrab operators basically said that they were shuttering their operations, that they were going into retirement. They made $2 billion off of selling their malware as ransomware-as-a-service as well as using it on their own. And they were done and they were going to go cruise around and do whatever cybercriminals do when they make good. And then this week, it turns out that the operators have resurfaced with the REvil malware, which is sort of an emerging ransomware strain.

So until just recently researchers actually thought REvil was unrelated to GandCrab, but the technical analysis shows that they are indeed related.

LO: So that is interesting. Now REvil ransomware, that was the one that was behind the big coordinated ransomware attack of those Texas government city halls and also various dentist offices around the country, right?

TS: Yeah, so the people that have been perpetrating attacks using REvil have basically been taking a supply chain approach to things, so they’ll infiltrate one supplier to all 400 dentists’ offices that were affected in that particular attack, for example. It’s been in the headlines for kind of high profile cases like that, but come to find out it’s also starting to emerge on the dark web as a viable ransomware-as-a-service option for lower level cybercriminals as well.

LO: So how did they figure out that the developers behind GandCrab and that threat actor was behind REvil as well? Were there kind of similarities in code? Or was there just similarities within the campaigns? Did they find anything that was similar there?

TS: Yeah. So basically, there are breadcrumbs or fingerprints inside code that can be linked to, you know, certain authors, essentially. And so that’s what they found, was that there was a custom encoding, decoding logic in both malwares that basically you wouldn’t be able to replicate, like you wouldn’t just stumble upon it if you were a malware author. You wouldn’t just happen to replicate the same thing again; it’s too complex and too unique. And it’s not something that would happen by chance. So there are two explanations for that: either the source code was stolen or leaked somehow, or it’s the same authors. And so according to the researchers I spoke to at Secureworks, they basically said that they’re pretty sure that it’s just the GandCrab operators resurfacing.

LO: I know that after GandCrab retired, quote unquote, researchers were kind of looking around the cybercrime market looking for what the next ransomware as a service model would be. So, you know, does this show that that might be REvil, or do you think that researchers have any kind of indication about what this means for the cyber criminal market?

TS: Yeah, I mean, definitely, REvil is poised to become the next big thing. Sort of a darling, I think, particularly with the success with the dentists’ offices and Texas municipalities. So, you know, it should end up being a formidable threat if the track record of the GandCrab operators is anything to go by. So we’ll see.

LO: Yeah, for sure. I mean, I remember back when the GandCrab crew announced that they were retiring, I was kind of a little dubious feeling like I was kind of like, is this going to be the end of them? Are they going to go sit on a beach in Florida or something?

TS: Yeah. Exactly.

LO: It is interesting looking at how different malware strains are ebbing and flowing. And I know we discussed on last week’s news wrap the Emotet trojan returning after taking a break there for four months. And so it sounds like there’s a lot of that this month in terms of both GandCrab and Emotet. And then speaking of malware that keeps reemerging, the LookBack malware, which was spotted over the summer, is also back and has been spotted in a campaign as well. And so it just kind of goes to show that malware continues to reemerge.

TS: Yeah, definitely. And you wrote a story about LookBack, I believe, right?

LO: Yeah, yeah. So basically this week, researchers with Proofpoint came out with a new report that they had found a spearphishing campaign targeting, I think it was now up to 17 U.S. utility companies with the LookBack malware variants. And so LookBack was first discovered, I believe, over the summer, I think it was first spotted like earlier in July or something. It basically is a RAT and essentially what it tries to do is view system data, reboot machines and all kinds of other malicious purposes. And so in the previous campaigns, that first sent phishing emails between July 19 and 25, I believe, they were targeting utility companies and basically pretending to be a compliance organization within the utility sector and were saying, “click on this link, you have failed this examination for compliance.” And so this most recent campaign appears to be something similar in that they are now obviously targeting more U.S. companies in the utility sector, but they’re now pretending to be a similar type of compliance agency asking about training and certification programs. And they attached a malicious Word document. And so once the companies clicked on that, it would download this LookBack malware. So I think it just goes to show that utility companies are kind of a big target. And this is just a new threat that we really need to look out for.

TS: Yeah, definitely. I think obviously, everybody will hear that utility headline and be taken aback by that. But that is just one of those things. I mean, obviously our critical infrastructure is increasingly vulnerable. And I know we’ve covered this before at Threatpost multiple times, but the confluence of IT and the operational technology together, that’s creating a new threat surface, so we’ll likely see more campaigns like that. So Lindsey, speaking of targets, I was shocked to read the story that you wrote about – maybe I shouldn’t be shocked, maybe I should be more cynical – about the U.S. veterans being targeted by the watering hole site.

LO: Yeah, that was definitely an icky story that we had to report on. So basically, researchers found a fake website that purports to be a website that helps U.S. military veterans search for jobs. And it actually was hosting malware. So the website was spoofing a legitimate website that was offered by the U.S. Chamber of Commerce. And it’s for U.S. military vets. And it aims to help them find jobs. But this fake website instead prompted them to download an app for guests visiting the website, and from there, it would download malware that deployed spyware and other tools onto victim systems. So I mean, yeah, you hate to see this. It’s one thing to just go after the broad audience, but like to go after veterans looking for jobs is kind of next level sketchy.

TS: Yeah, no, I mean, that’s just really reprehensible. And, you know, obviously we hear stories all the time about how cybercriminals target the elderly population or the disabled population or what have you. Obviously, these demographics that might not be as savvy as others, but you know, I just really feel like it’s kind of a new low. I mean, our military, really?

LO: Yeah. And not just that, they were like looking for jobs, like trying to, just getting back into society. And so I know that the researchers who discovered this website, who are with Cisco’s Talos security team, were also nervous because given the support that a lot of Americans have for the veteran population, the website has kind of a high chance of gaining traction, because users will try to share the link, trying to kind of help and support veterans. So yeah.

TS: That’s a really good point, the viral aspect of it, right? I mean, so it’s very savvy on the criminals’ part, and sad, and it also requires a lot of us that do share such things via social networking to be more on high alert, and I think that just goes back, again, to user awareness.

LO: Right, going back to your point about just targeting more highly susceptible, vulnerable people like the elderly, or like I remember you wrote an article a few months back, I think it was like someone getting caught up in like a romance scam – and things like that.

TS: Yeah, really targeting vulnerable types of people is just a terrible thing. And, I just feel like karma has to come around somehow.

LO: So the group behind this, they were actually able to link it to a threat group that has been previously identified, and Symantec called them Tortoiseshell. So the researchers were able to attribute it to Tortoiseshell, I guess because the backdoor in this most recent campaign was also used in previous Tortoiseshell campaigns. And it’s actually interesting because previously, this threat group had a completely different kind of technique and targeting level. So I believe it was earlier, September 19, so like not even a week or two ago, they basically were launching supply chain attacks against an IT provider in Saudi Arabia. So very, very different types of attacks, different targeting there.

TS: Now, that’s interesting that they’re sort of equal opportunity, just wherever they can see a way through to making some money. I guess that’s the economy there.

LO: Right, for sure. But well, I think that’s some of the bigger news stories we had this week. Tara, thanks so much for coming on to talk about the biggest news and you know, have a great weekend.

TS: Thank you so much for having me. And you have a great weekend too.

LO: Great and catch us next week at the Threatpost news wrap.