Phishing campaigns via Google Ads target password managers to steal vault credentials

SISA Weekly Threat Watch - 06 February 2023

Threat actors are constantly improving their evasion tactics by introducing new modules to enable their spread, distributing malware via phishing campaigns, and compromising networks with open-source tools. This past week saw hackers exploiting Windows domains, Google Ads and PoS transaction networks to infect systems and access sensitive information.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New SwiftSlicer wiper is now being used to target Windows domains

A new data-wiping malware named SwiftSlicer has been discovered in a recent cyberattack against a target in Ukraine and is attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU). According to security researchers, Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to execute scripts and commands on every device in a Windows network.

SwiftSlicer was installed to delete shadow copies and to overwrite critical files in the Windows system directory, particularly drivers and the Active Directory (AD) database. SwiftSlicer overwrites data in 4096-byte blocks filled with randomly generated bytes, after which the malware reboots the system. It is recommended to adopt the principle of least privilege for AD security and to clean up inactive user accounts, as these accounts pose a serious security risk to the AD environment.

2. Bitwarden password vault targeted in Google Ads phishing

Bitwarden and other password managers are being targeted in phishing campaigns via Google Ads, with the goal of stealing users’ password vault credentials. The phishing campaign used the domain ‘appbitwarden[.]com’ in the ad, redirecting users to ‘bitwardenlogin[.]com’ when clicked. The page at ‘bitwardenlogin[.]com’ was a perfect replica of the official Bitwarden Web Vault login page.

The phishing page collects the credentials and then redirects users to the genuine Bitwarden login page after submission. To avoid becoming a victim of such phishing campaigns, it is advised to stay cautious when clicking on Google Ads, even if they appear legitimate, and always to verify the authenticity of the website before entering any information. Additionally, use a reliable ad-blocker to prevent malicious ads from appearing on the device.
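The two domains named above share one property that a defender can check mechanically: each contains the brand name, but the registrable domain (the part that decides who owns the site) is not the brand's. The following is an added example, not code from the advisory or from Bitwarden: it classifies a URL or bare host as official, lookalike or unrelated by comparing its registrable domain against an allow-list and by looking for the brand keyword or a one-character typosquat in the host. The allow-list (‘bitwarden.com’) is an assumption for illustration; the advisory does not list Bitwarden's real domains.

```python
"""Flag ad or landing-page hosts that impersonate a password manager's domain.

Added example (not from the advisory). The brand -> official-domain table is an
assumption for illustration; the advisory does not list Bitwarden's real domains.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow-list: brand keyword -> registrable domains the brand actually uses.
OFFICIAL_DOMAINS = {
    "bitwarden": {"bitwarden.com"},
}


@dataclass(frozen=True)
class Verdict:
    host: str
    registrable: str
    brand: Optional[str]
    verdict: str  # "official" | "lookalike" | "unrelated"
    reason: str


def refang(text: str) -> str:
    """Undo analyst-style defanging ('appbitwarden[.]com', 'hxxps://') so the URL parses."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Lower-cased host name of a URL or bare host, without port or trailing dot."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # bare hosts have no scheme; urlsplit needs one
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough here; production code should use a
    public-suffix list (e.g. the tldextract package) so 'example.co.uk' is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Verdict:
    """Decide whether a host is the brand's own domain, a lookalike, or unrelated."""
    host = host_of(url)
    reg = registrable_domain(host)
    flat = host.replace(".", "").replace("-", "")  # 'bit-warden.com' -> 'bitwardencom'
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            return Verdict(host, reg, brand, "official", "registrable domain is on the allow-list")
        if brand in flat:
            # Brand name present, but the part that decides ownership is not official:
            # covers 'appbitwarden.com', 'bitwardenlogin.com' and 'bitwarden.com.evil.example'.
            return Verdict(host, reg, brand, "lookalike",
                           f"host contains '{brand}' but registrable domain '{reg}' is not official")
        second_level = reg.split(".")[0]
        if edit_distance(second_level, brand) <= 1:
            return Verdict(host, reg, brand, "lookalike",
                           f"'{second_level}' is within one edit of '{brand}'")
    return Verdict(host, reg, None, "unrelated", "no monitored brand in host")


if __name__ == "__main__":
    # The two domains named in the advisory, plus an official host and a typosquat (constructed).
    for sample in ("appbitwarden[.]com", "https://bitwardenlogin.com/",
                   "https://vault.bitwarden.com/#/login", "bitwaden.com"):
        v = classify(sample)
        print(f"{v.host:32} {v.verdict:9} {v.reason}")
```

The check accepts defanged indicators as analysts write them, so it can be run directly over the domains in an advisory; the one design choice worth noting is that ownership is judged on the registrable domain, never on whether the brand string appears somewhere in the host, which is exactly the distinction a convincing ad or subdomain hides.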

3. Mimic ransomware exploits the ‘Everything’ Windows search tool to target and encrypt files

A new type of ransomware, named Mimic, utilizes the APIs of the Windows file search tool ‘Everything’ to locate and encrypt targeted files. It begins with an executable delivered via email which, when executed, extracts four files including the main payload, additional files, and tools to disable Windows Defender on the targeted system. The utility ‘Everything’ is a popular filename search engine for Windows developed by Void Tools. It is known for its speed and low system resource usage, as well as its support for real-time updates.

Mimic ransomware encrypts files and adds the “.QUIETPLACE” extension to them. It also drops a ransom note which demands payment in Bitcoin to recover the encrypted data. It is recommended to keep all software and operating systems up to date to reduce the risk of vulnerabilities being exploited. Regularly back up important data to an offline location to ensure its restoration in case of a ransomware attack.

4. Gootkit malware continues to evolve with new components and obfuscations

Gootkit, also known as Gootloader, is delivered through compromised websites that victims are lured to when searching for business-related documents such as contracts and agreements, a technique known as search engine optimization (SEO) poisoning. A new variant of this malware was identified in November last year, using a new infection chain tracked as GOOTLOADER.POWERSHELL.

A malicious ZIP file containing a .JS file is downloaded onto the device whenever a user accesses a website that has been infected by UNC2565. When launched, this JavaScript file obfuscates its data by inflating a file with a .LOG extension with large amounts of junk code. Later, this file is renamed and given a .JS extension. It then creates a PowerShell process that collects device information and delivers it to the C2 server. When the C2 has received all the data, it responds with a payload that further infects the target device with other payloads, such as FONELAUNCH and an in-memory dropper that commonly distributes Cobalt Strike Beacon.
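The infection chain just described (a .JS from a downloaded ZIP that goes on to start a PowerShell process) and the shadow-copy deletion attributed to SwiftSlicer in item 1 both leave traces in process-creation telemetry. The following is an added example, not code from the advisory or from any vendor: three detection rules run over constructed Sysmon-style process-creation records, plus a per-host roll-up that surfaces machines where more than one stage fired. The field names follow Sysmon Event ID 1; the host names, user names and command lines are constructed; the shadow-copy command patterns and the assumption that a double-clicked .js runs under wscript.exe or cscript.exe are mine, since the advisory does not say how SwiftSlicer deletes shadow copies.

```python
"""Detection rules over process-creation telemetry for the behaviours described above.

Added example (not from the advisory). Field names follow Sysmon Event ID 1; the hosts,
users and command lines below are constructed. The shadow-copy command patterns and the
assumption that a double-clicked .js runs under wscript.exe/cscript.exe are mine.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # default hosts for .js files on Windows
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A .js being run from a location where an extracted mail/download archive lands.
JS_FROM_USER_PATH = re.compile(r"\\(temp|downloads|appdata)\\.*\.js\b", re.IGNORECASE)

# Volume Shadow Copy deletion: the advisory says SwiftSlicer deletes shadow copies but not
# how; these are the command-line forms most commonly seen in telemetry (assumption).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Base name of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Rule:
    name: str
    description: str
    match: Callable[[Event], bool]


RULES: List[Rule] = [
    Rule("js_from_user_writable_path",
         "script host running a .js from Temp/Downloads/AppData (the extracted ZIP attachment)",
         lambda e: image_name(e["Image"]) in SCRIPT_HOSTS
         and bool(JS_FROM_USER_PATH.search(e["CommandLine"]))),
    Rule("script_host_spawns_powershell",
         "wscript/cscript launching PowerShell, the hand-off in the GOOTLOADER.POWERSHELL chain",
         lambda e: image_name(e["ParentImage"]) in SCRIPT_HOSTS
         and image_name(e["Image"]) in POWERSHELL),
    Rule("shadow_copy_deletion",
         "command line deleting Volume Shadow Copies, a wiper/ransomware precursor",
         lambda e: bool(SHADOW_DELETE.search(e["CommandLine"]))),
]


def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) hit, in input order."""
    alerts = []
    for e in events:
        for rule in RULES:
            if rule.match(e):
                alerts.append({"rule": rule.name, "host": e["Computer"],
                               "user": e["User"], "image": image_name(e["Image"])})
    return alerts


def hosts_with_chain(alerts: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` distinct rules fired: the .js -> PowerShell
    sequence shows up as two different hits on the same machine."""
    by_host: Dict[str, set] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # user opens the .js extracted from a downloaded ZIP
        "Computer": "WS01", "User": "CORP\\alice",
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Agreement.zip\Agreement.js"',
    },
    {   # that script starts PowerShell to collect device information
        "Computer": "WS01", "User": "CORP\\alice",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <elided>",
    },
    {   # shadow copies removed ahead of a wipe
        "Computer": "DC01", "User": "CORP\\svc-deploy",
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
    },
    {   # benign: an admin opens PowerShell from the desktop; must not alert
        "Computer": "WS02", "User": "CORP\\bob",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-Service",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
    print("hosts with a multi-stage hit:", hosts_with_chain(evaluate(SAMPLE_EVENTS)))
```

The rules are deliberately narrow (parent/child image pairs and a handful of command-line forms) so that a console user opening PowerShell does not fire them; the roll-up in hosts_with_chain is what turns two individually noisy hits into the sequence the advisory describes.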

5. Prilex modification now targeting contactless credit card transactions

Prilex, the Brazilian threat actor behind the point-of-sale (PoS) malware of the same name, is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware, the most advanced PoS threat seen so far. Its new updates allow it to block contactless payment transactions in order to steal from NFC cards. The main purpose of the newly discovered functionality is to disable the contactless payment feature and so force the user to insert the card into the PIN pad reader.

This effectively permits the threat actors to capture the data coming from the transaction by using various techniques, such as manipulating cryptograms, forcing protocol downgrades, and performing a GHOST attack. This can be accomplished even on cards protected with the so-called unhackable CHIP and PIN technology. PoS software developers are advised to implement self-protection techniques in their modules to prevent malicious code from tampering with the transactions managed by those modules. Additionally, all EMV validations must be implemented to protect against counterfeit fraud through authentication of the unique data that resides on chip cards, smartphones, and other devices.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
