RAT Targets US Taxpayers – Experts Insight

Expert(s) | Informationsecuritybuzz.com »

Cybereason published a report, Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware, on an ongoing phishing campaign that attempts to take over victims' computers with malware in order to steal sensitive personal and financial information.

EXPERTS COMMENTS
| March 19, 2021

Saryu Nayyar, CEO, Gurucul

A complete security stack can help, but well trained users are less likely to become victims.

Malicious actors know that users are the weak link in the security chain. They know that a timely and relevant hook can be all it takes to get a victim to reveal their credentials or download a malicious application. For much of the last year, they used COVID-19 as the hook. Now that it’s tax season in the US, they’re shifting to tax-related hooks.

The technical methods attackers have adopted to bypass anti-virus and anti-malware applications are evolving, but it still comes back to the human element, which means user education remains the first line of defense against malicious actors. A complete security stack can help, but well trained users are less likely to become victims.

 

| March 19, 2021

Lewis Jones, Threat Intelligence Analyst, Talion

The attackers are delivering the phishing email with the Remcos and NetWire remote access trojans.

Threat actors are clearly seizing the opportunity to target taxpayers who will be rushing to complete tax returns, making them more susceptible to slipping up and falling for the phishing attack. In this case, the attackers are seeking out sensitive data which can be used in an impersonation scam or sold as part of a credential sale. The attackers are delivering the phishing email with the Remcos and NetWire remote access trojans, which could grant them full access and control over the victims’ machines.

The attackers have attempted to stay hidden by using various techniques such as steganography and exploiting DLL sideloading against legitimate software to avoid detection. The use of both Remcos and NetWire remote access trojans is common, mainly due to their effectiveness and low cost, with a subscription to the services starting from only $10.

Phishing continues to be the go-to choice for threat actors looking to infiltrate a network, with a significant increase in attacks over the past 12 months. Many threat actors are carrying out reconnaissance prior to attacks in an attempt to make the phishing attacks appear legitimate using a topic to provoke a response. The use of social engineering to lure in victims is an increasing tactic by threat actors which stresses the importance of not oversharing sensitive information online.

Users should stay vigilant to phishing attacks and follow these simple steps:

– Think before you click
– Keep software & anti-virus up to date
– Never give out personal information
– Verify a site’s security
– Do not open or download an attachment you are not expecting without caution.

 

| March 19, 2021

Hank Schless, Senior Manager, Security Solutions, Lookout

NetWire’s Android RAT bears many similarities to PWNDROID4, Android malware created by Winnti in 2015.

This attack is the perfect example of how attackers leverage deadline-driven events like Tax Day to pressure individuals into taking action. Since the target only has to open the malicious Word document to execute the hidden macro and download the OpenVPN client, an attacker could use basic social engineering such as posing as a member of the Accounting department or IRS to successfully carry out the attack.

Since tax forms have so much sensitive personal information on them, attackers can create high-pressure situations that get people to be less cautious. While this variant is PC-focused, NetWire also has a strong Android malware component that Lookout researchers have been tracking and protecting mobile users against since 2017.

Researchers posit that NetWire was likely first created by the Chinese hacking group Winnti Group and sold through the front company World Wired Labs. Both the desktop and mobile versions of NetWire have been sold and used by hacking groups around the globe. NetWire’s Android RAT bears many similarities to PWNDROID4, Android malware created by Winnti in 2015.

Lookout researchers have observed active NetWire Android campaigns being conducted by Chinese and Middle Eastern APTs, as well as cybercriminals. Lookout researchers discovered that the malware family was present on devices across the United States, Middle East, and Europe. Attacks like this could be adjusted to target mobile users, especially if the malware family has a known Android or iOS component.

We frequently see malicious campaigns that target both mobile and PC users because it expands the likelihood of success on the part of the attacker. A campaign like this one that leverages a malicious attachment to kick off the attack chain could easily be delivered through email, SMS, or third-party messaging platforms.

There are plenty of VPN apps that could be automatically downloaded to the mobile device and open a connection to malicious command and control (C2) servers in the exact same way this campaign is doing for PCs.

This incident highlights the importance of securing both the endpoints accessing your cloud infrastructure as well as their connection to your cloud resources. As malware campaigns become more complex, an endpoint-to-cloud security approach will ensure a strong security posture. Cloud based security with a Zero Trust Network Architecture (ZTNA) will ensure only healthy mobile devices and laptops safely access corporate infrastructure.

 

| March 19, 2021

Javvad Malik, Security Awareness Advocate, KnowBe4

In 2017, the NotPetya attack was spread as a result of Ukrainian accounting software being infected.

As tax season approaches, criminals know that it is a ripe opportunity to take advantage of organisations of all sizes looking to submit their tax filings.

This is not a new avenue, but it is increasing in popularity. In 2017, the NotPetya attack was spread as a result of Ukrainian accounting software being infected.

It’s a good reminder that organisations need to invest in effective security measures to prevent these attacks from being successful. These include the likes of endpoint protection, monitoring controls, good credential management including multi-factor authentication, as well as providing adequate security awareness and training to staff. This is particularly important for staff who are responsible for accounts or have any financial responsibilities, who need to be vigilant against malware and social engineering attacks.

 

| March 19, 2021

Jorge Orchilles, CTO, SCYTHE

Organizations need to operate in “assumed breach mode”, where they know they will eventually be compromised.

We have invested heavily in preventing malware from running in our environments and that is clearly not working as advertised. Organizations need to operate in “assumed breach mode”, where they know they will eventually be compromised. How they detect and respond to the inevitable is what is differentiating victims. We need to work together to improve people, process, and technology.

All users must remain cautious and vigilant to all types of scams, from emails to text messages and phone calls. Scammers will use any current event to take advantage of the most vulnerable to make a quick profit. It is unfortunate but that is the online world we live in today.

 

| March 19, 2021

Brad Keller, JD, CTPRP, CTPRA, Chief Strategy Officer, Shared Assessments

Most individuals are unaware of phishing methods and are not able to identify them.

Phishing continues to be a major threat because it remains a very successful method for obtaining credentials and other information directly from a user’s system. Having run the anti-phishing programs at two major US financial institutions I understand how difficult it is to create meaningful employee awareness and training to identify phishing emails. Taking those awareness programs to customers is an even more daunting task.

While most major companies have initiated robust anti-phishing programs, smaller companies do not have the resources to develop and maintain these initiatives making them ideal targets for phishing campaigns. Most individuals are unaware of phishing methods and are not able to identify them, unless they work for a company that provides robust anti-phishing training.
