External Threat Management
May 05, 2021
Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with.
Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. Over its history, TrickBot has largely been propagated through phishing and MalSpam attacks, tactics that remain prominent in TrickBot operations today.
April 22, 2021
Though the Russian espionage campaign that compromised the SolarWinds supply chain is progressing, public-facing research into the campaign seems to have stopped. The last significant public-facing research into the SolarWinds campaign from the private industry came in March of 2021, more than a month before this publication. Since then, our collective understanding of the campaign has atrophied due primarily to the adversary's steps to thwart forensic analysis. These impediments to analysis impacted both the tactical and strategic responses to the campaign.
This gap in the analysis happened mainly because piecing together what has happened so far is exceptionally challenging. The threat actor, identified by the U.S. Government as APT29 but tracked in the private industry as UNC2452 (Nobelium, StellarParticle, Dark Halo), went to great lengths to avoid creating the type of patterns that make tracking them simple. For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them.
RiskIQ’s Team Atlas detected an additional 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware. These servers represent a 56% increase in the size of the adversary's known command-and-control footprint and will likely lead to newly identified targets after further analysis.
April 21, 2021
For several years, researchers have tracked a phishing kit authored by an actor known as Shadow Z118. Unlike many traditional phishing kits designed only to steal credentials, a handful of the observed Shadow Z118 kits also steal victim identities and payment details, and even verify the legitimacy of entered credit information under the false pretext of verifying a user for "security purposes."
Shadow Z118 kits have been active since at least 2017, and Johannes B. Ullrich at SANS has analyzed it here. The kit's occasional focus on stealing a user's identity and credit information, known as 'Fullz,' sets it apart and has earned it a strong reputation as an effective solution for criminals.
Since the kit initially appeared, there have been multiple iterations, with many actors copying the original version to create unique variants. RiskIQ's threat research team analyzed several of these variants. In most cases, the phishing pages are constructed well and have multiple steps to trick users into a false sense of security.
April 14, 2021
For many of us, what draws us into cybersecurity is that original promise of the internet—bringing people together. That idea of creating connections across the world and making sure those connections are safe is something worth defending every single day.
Recently, that promise has come into jeopardy like never before. There have been over a dozen 0days in the past few months alone. We're just months removed from SolarWinds, an unprecedented attack in the level of privilege and access to networks. Since then, we've dealt with the Microsoft Exchange vulnerability, an incident even more significant in scale and effect, initially affecting more than 400,000 servers worldwide.
The sheer size of these attacks goes beyond our original concepts of security. In reality, these new global-scale attacks aren't a security problem; they're a big data problem that requires a new type of security intelligence.
April 07, 2021
Fake banking apps laced with malware continue to be an effective tool for threat actors. For the Yanbian Gang, a criminal group centered in Yanbian, China, that targets organizations across Asia, it's a craft they've been improving on for over a decade.
The Yanbian Gang has targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's more recent activity in this vector to analyze their malware of choice and the large-scale hosting infrastructure they use to distribute and control it.
March 24, 2021
For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and map the relationships between its infrastructure to show customers how they, and attackers targeting them, fit within it. To continue to strengthen our Internet Intelligence Graph, RiskIQ's research team has begun analyzing popular malware families' known campaigns to fingerprint trends in threat infrastructure.
We analyzed infrastructure that likely belongs to Agent Tesla remote access trojans (RATs) to determine commonalities and identify trends that will help us detect them.
RiskIQ Named a Strong Performer in The Forrester Wave™: External Threat Intelligence Services, Q1 2021
March 23, 2021
The digital, cloud-centric transformation that was already enveloping the enterprise was set into overdrive by changes driven by the COVID-19 pandemic, and there's no going back.
Unfortunately, this breakneck speed in digital transformation creates significant hidden risks—global-scale vulnerabilities enable massive APT attacks like the ones against Microsoft and SolarWinds servers, and threat infrastructure hides in plain sight across the internet, meshing with the benign to remain well-hidden. Meanwhile, a surge in digital threats is fueled by global events and the advent of easy access to malicious systems, kits, and infrastructure that even novice threat actors can use to execute effective cyberattacks.
For security teams, the best defense against this new threat landscape is next-gen security intelligence that evolves as fast as the threat actors do; intelligence fortified with real-world observations of the enterprise attack surface coupled with deep insight into global threat infrastructure.
The Forrester Wave™: External Threat Intelligence Services, Q1 2021, evaluated 12 top security intelligence vendors to educate security and risk professionals about which is right for them. Participants were judged on 26 criteria to determine rank. With RiskIQ mapping the relationships between internet infrastructure, both good and bad, for more than a decade, RiskIQ's Illuminate Platform received the highest possible scores in six criteria, including Brand Threat Intelligence, Market Approach, and Information Quality.
March 12, 2021
Frankly, it's a tough time to be in cybersecurity. Perhaps the toughest ever. There have been over a dozen zero-days in the past three months alone, with countless organizations across the world affected.
We're barely four months removed from SolarWinds—a watershed attack some thought would set the standard for the impact a vulnerability could have—and already dealing with a new attack that dwarfs it in scale. While it started with espionage actors Hafnium, ESET Research shows that at least 10 APT groups have exploited Microsoft Exchange vulnerabilities. Now more are jumping in, and some organizations are seeing ransomware actors leveraging the vulnerability as well.
With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem.
RiskIQ has continuously collected internet data for more than a decade to solve such a problem. We built our technology to help security teams handle global attacks, and we're experts at discovering attack surfaces from organizational to global in scale. Now, we're working overtime to put this vulnerability’s scope into context and help the world understand if they are exposed and enable them to respond rapidly.
March 10, 2021
When cryptocurrency value rises, we can expect a parallel rise in crypto-related crime, including phishing, fake brokers, and scams impersonating exchanges and other legitimate services. As expected, the recent surge in the global cryptocurrency market has made it a hot target for cybercrime.
While the blockchain technology that protects cryptocurrency investments is robust, widespread fraud on social media and across the web circumvents those protections, targeting the general public directly to fool and ultimately rob them. As a result, keeping the pulse of the crypto-threat landscape requires an always-on, internet-wide view. At RiskIQ, we've been tracking crypto-threats to understand their prevalence and how they're evolving.
Below, we've outlined the most prevalent crypto-threats that we see, including infrastructure analysis via our Internet Intelligence Graph to drill down into the mechanics of each threat and show how they work and why they're effective.