Last week in security news, researchers detailed the multiple layers of obfuscation, fileless tactics and polymorphism techniques employed by the Dexphot malware campaign. Researchers also uncovered a new family of ransomware that attempts to disable several security solutions on infected Windows PCs. A Netflix account freeze scam rounded out the holiday weekend.

Top Story of the Week: The Dexphot Campaign’s Complex Attack Chain

The Microsoft Defender APT Research Team first learned of the Dexphot campaign back in October 2018. It found that the attack employed a complex attack chain for which it wrote five files to disk. Many of those files used various obfuscation techniques including encryption and living-off-the-land (LOL) tactics to help the campaign evade detection.

Dexphot’s sophistication didn’t end there, however. The campaign also used polymorphism across its malware binaries and regularly scheduled malware updates to further lead security tools astray.

Source: iStock

Also in Security News

  • DePriMon Uses Port Monitors Installation Technique to Avoid Detection: ESET analyzed DePriMon and found that the threat downloaded its third-stage DLL as a port monitor. Researchers observed that the malicious downloader likely used this installation technique, which is described in the MITRE ATT&CK framework, as a means to evade detection.
  • New Fullz House Actor Engages in Phishing Attacks, Card Skimming: RiskIQ observed that a threat actor named Fullz House began conducting card skimming in addition to maintaining its phishing activity. For these new attacks, Fullz House developed its own card skimmer and used man-in-the-middle (MitM) attacks in e-commerce transactions.
  • Malwarebytes, Native Windows Security Tools Targeted by Clop Ransomware: In its analysis of Clop, Bleeping Computer found that the ransomware targeted several security solutions so that it could successfully encrypt a victim’s data. For instance, it configured the Registry values to disable Windows Defender on infected machines.
  • Phishing Scam Uses Threat of Fake Account Freeze to Steal Netflix Credentials: The editor-in-chief at Naked Security received a phishing message that informed them of an overdue Netflix invoice. The email used this premise as a lure to trick recipients into clicking on a button that redirected them to a Netflix phishing website.
  • Security Threat Aimed at Apache Soir Reclassified to “High Severity Status”: According to Tenable, researchers reclassified a security threat affecting Apache Soir, a Linux enterprise search tool, to “high severity status” following the release of exploit code. That code, in turn, put affected hardware at risk of remote code execution attacks.
  • Legitimate Email Accounts Leveraged by TICK to Deliver New Malware: In its analysis of TICK’s new campaign, Trend Micro observed the digital espionage group using new malware that elevated privileges and employed evasion tactics. TICK delivered these new malware threats using legitimate email accounts and credentials.
  • YouTube Descriptions Used by Stantinko Botnet to Hide Cryptominers: Researchers at ESET examined Stantinko and found that the botnet embedded the IP addresses for its command-and-control (C&C) servers within multiple YouTube video descriptions. This technique helped the botnet conceal the communication channels used for its cryptomining attacks.

Security Tip of the Week: How to Defend Against Fileless Attacks

Security professionals can help their organizations defend against fileless attacks by disabling PowerShell and other legitimate services that aren’t necessary to the business. Doing so will prevent malicious actors from abusing those services to prey upon the company. Security teams should also consider using endpoint protection solutions to defend their assets against more sophisticated attacks, such as those that use fileless techniques to distribute ransomware.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read