Security Week 22: Malicious Video Streaming

A recent study of the BazaLoader malware campaign demonstrates an example of a sophisticated attack targeting regular users. The work, prepared by ProofPoint specialists, describes the first stage of infecting a computer, a logical continuation of which is the blocking of data by one of the most widespread ransomware (Ryuk and Conti are mentioned).



The scheme works like this: the user is sent a letter stating that the trial subscription to the video streaming service is about to expire. Wanting to avoid unnecessary spending, the victim calls the phone number indicated in the message. At the other end of the line, the potential victim is given a link to the site, possibly in an attempt to avoid early detection of the infrastructure. On the page with information on unsubscribing, the user downloads an Excel file with a macro, the activation of which and downloads the malware.



We cannot fail to note the creative approach of cybercriminals: the fake streaming site BravoMovies is very similar to the real one, even posters of non-existent films were made for it.







Previous research on the same campaign offers an explanation of why attackers chose the sophisticated method of making a phone call. When you open an infected file, Microsoft Excel displays all the necessary warnings:





In the transcript of a conversation with a “call center operator” (this time a fake book subscription service), given in the study, the victim is asked to call the confirmation code allegedly contained in this file. In this way, campaign operators increase the chances of infecting the computer by convincing the user to disable macro blocking in Excel and creating a hectic atmosphere. The resulting backdoor provides full access to the computer and is later used to install an ransomware or other malware.



What else happened



The first hardware vulnerability was discovered in the Apple M1 processor, known as M1racles ( project site , news and discussion on Habré). The bad news is that M1racles really breaks the application isolation principle and allows two programs to covertly communicate with each other. The good news: the discoverer of the vulnerability did not find any way to do any damage or steal secrets. The only possible scenario is tracking user activity in different applications for advertising campaigns. But for this, many other simpler methods are available.



Kaspersky Lab specialists investigatethe JSWorm family of ransomware Trojans. The article describes the features of different variants of malicious code starting in 2019. Despite the name, the first versions of JSWorm were written in C ++, then the trojan was rewritten from scratch in Go. The article shows the evolution of malware, switching the attention of attackers from ordinary users to organizations. In addition, vulnerabilities in encryption mechanisms are mentioned, in some cases allowing data to be decrypted without ransom.



Seen attacks on Software Control Web Panel (formerly known as CentOS Web Panel), exploiting a number of serious vulnerabilities detectedLast year. Successfully hacking the virtual server control panel unlocks the victim's hardware resources, which are likely to be leased out on the black market.



Microsoft officials are reporting a Nobelium phishing campaign purportedly linked to an attack on vendor SolarWinds last year.



Fixed a critical bug in VMware vCenter Server software. The vulnerability can lead to arbitrary code execution and is a major threat if the cloud infrastructure management software is available from the network.



All Articles