Hackers Compromised Russian Bank And Used SWIFT for Withdrawal

On 15 December 2017, a Russian bank lost somewhere between $100,000 and $1 million US dollars after hackers sent SWIFT wire transfers abroad to Europe, Asia, and America. The bank was compromised (medium confidence) by a hacker group who sent malicious attachments to a number of different banks a few weeks prior. SWIFT was not compromised, but was used as a tool to siphon money from the compromised bank. The bank is going through ownership reorganization. Prior to this incident, it was receiving financial regulator warnings regarding its cyber security posture.

Wapack Labs has cataloged and reported on attacks targeting banks and SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Gibon Ransomware Analysis

TLP AMBER ANNOUNCEMENT:

Wapack Labs analysts recently observed a handful of Gibon malware samples in the wild and are providing this report in the event the malware becomes more widespread. Gibon is a new ransomware family named due to its USER-AGENT and name in the specimen’s ASCII strings. The malware was originally marketed on May 11 and 12 to several hacker forums for $500. Advertised functionality includes recursive encryption of all files that are on the computer, a README.txt file with instructions to the victim, and encryption/decryption keys which are sent to the admin panel and used for decryption. It is delivered via spam emails with a link to download a Microsoft Word document.

Wapack Labs has cataloged and reported on ransomware variants in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: Nov 12, 2017

Wapack Labs identified connections from the following 256 unique IP addresses checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these email accounts in a monitor or block status in intrusion prevention systems.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Nov 7-12, 2017

Between Nov 7-12, 2017 Wapack Labs identified the following 366 unique email accounts to be compromised with keyloggers, and used to log into multiple types of organizations, including not only email access, but also financial, social media and others. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members. 

B.I.T.S Loader Attracting Cybercriminals

TLP AMBER ANNOUNCEMENT:

The Background Intelligent Transfer Service (BITS) is a legitimate Microsoft program used for creating and monitoring jobs over the network. Since it is a Windows legacy program it isn’t widely detected by AV solutions, making it attractive to cybercriminals for malware delivery and persistence. Recent emails targeting the Financial sector utilize BITS functionality by embedding it in heavily obfuscated Word documents, and with the use of LNK files. Monitoring BITS jobs in work environments is important to identify unwanted or unauthorized downloads and uploads. In the past, BITS was used to deliver banking trojans like DarkComet and GlobeImposter ransomware, and it is assessed with high confidence that it will continue to be utilized for both malware delivery and persistence, particularly against Windows based systems that would otherwise be considered highly locked down or security hardened. This report focuses on these two recent implementations of BITS, and looks at other ways BITS is leveraged in the wild.

Wapack Labs has cataloged and reported on malware targeting the financial sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (FKA ELK), for potential ransomware or extortion. While only two data points exist, this could suggest the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open source alternative to commercial aggregation and analysis tools like Splunk. With over 500,000 new downloads per month and 100M to date, Elastic is one of the largest distributions of analysis and visualization tools for high end analytics. Elastic is a plentiful target.

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

DDoS Attacks and Typo-Squatting of Popular Tor Markets

Wapack Labs observed several popular Tor underground markets suffering concurrent DDoS and typo squatting attacks. On 16 October 2017, only two of the big five illegal drug markets were active, Silk Road 3 and Valhalla. The most popular forums, TradeRoute (AlphaBay replacement), Tochka, and Dream Market were all offline. Wapack Labs believes with medium confidence that hackers are likely typo squatting these forums by phishing those domains. The newer forums, Wall Street Market and RsClub Market, were also offline and being typo squatted.

While the typo squatting and DDoSing of popular onions is historically common, simultaneous occurrence of both these activities is of analytical interest. It is unclear at this reporting who is conducting these attacks, but Wapack Labs believes with medium confidence these actions may be in response to recent international law enforcement takedowns of several similar major dark web markets. Wapack Labs will continue to monitor the Tor network for current and new fraud markets, as these forums directly affect financial fraud.

WWW.WAPACKLABS.COM

New Emotet Tactics Employing Embedded URL Links

Emotet is a credential stealing trojan with the ability to drop payloads and move laterally through networks. Emotet spreads by E-mail to addresses gained from the address books of previous victims. In October of 2017, Wapack Labs observed a new Emotet campaign targeting multiple industries. This recent campaign is characterized by changes in Tactics, Techniques, and Procedures (TTPs). These changes include the use of embedded URLs (or links) instead of attachments, and newly adopted obfuscation techniques. Emotet’s ability to spread to compromised email contacts aids in the increase of infections. E-mails propagated in this manner likely have a higher infection rate as they originate from a known contact. This report looks at the new TTPs observed including changes in delivery, obfuscation, and the Visual Basic embedded macros.

WWW.WAPACKLABS.COM