Emerging Malware Threats in the COVID-19 Era
Malware researcher Ankit Anubhav discusses the challenges and evolving tactics in combatting malware threats during the COVID-19 era. Insights include remote work vulnerabilities, social engineering tactics, and recent malware techniques to stay vigilant against. The discussion covers specific attack campaigns in Thailand, the Lemon Duck Miner, Agent Tesla geolocation campaigns, and evading detection strategies employed by cybercriminals.
Presentation Transcript
MALWARE THREATS IN THE COVID 19 ERA - Ankit Anubhav, Malware Researcher (Agoda)
COVID 19 Challenges and discussion points
- Remote work: BYOD can bypass security policies and lead to more distractions.
- Increased usage of social media and other outlets not protected by the email gateway.
- COVID 19 lures can be effective tools for social engineering.
- Campaigns keep evolving to bypass detection mechanisms.
- Attacks discussed related to COVID 19.
- Thailand-specific attack campaigns.
- Recent malware techniques to stay under the radar.
About me
- Incident response and malware research at Agoda.
- A decade of malware research and detection authoring at FireEye and McAfee.
- Passionate about finding IoT vulnerabilities and botnet research.
- https://www.ankitanubhav.info for security research / blogs / podcast.
- Twitter: @ankit_anubhav for security microblogging.
Line or Mine?
Lineinstaller -> cmd -> tar.exe -> xmr-stack-xr.exe -> xmr-asia1.nanopool.org:14444
Agent Tesla: Geolocation specific campaign
- Multiple families migrated from attachments to live links to avoid antivirus detection.
- Tesla live links hosted on AWS and onedrive.live to avoid reputation detection.
- Gzip archives to avoid hash detection.
- Context awareness (bank to victim mapping) and better translation than Google Translate.
- Credentials and keylogs sent by email via SMTP.
Evading detection
- Dridex: space obfuscation in password-protected malware to block automated unzipping.
- Direct API calls from the macro instead of an intermediate like PowerShell to avoid endpoint detection.
- TA551 Qbot breaking the parent-process chain: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, changing WinWord -> Explorer -> HTA to WinWord -> Explorer -> Explorer -> HTA.
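The extra explorer.exe hop only defeats a rule that inspects the direct parent. As an added illustration that is not part of the talk, the script below walks the full ancestry of constructed process-creation events (the event shape and sample values are assumptions) and flags a script host that has an Office process anywhere up its tree, noting whether an explorer.exe COM-surrogate hop (/factory,{CLSID} -Embedding) sits in between:

```python
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid image cmdline")  # image: lower-case file name
# Constructed sample process-creation events (not from the talk): the
# "WinWord -> Explorer -> Explorer -> HTA" chain plus one benign mshta.exe.
SAMPLE_EVENTS = [
    Proc(1000, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2000, 1000, "winword.exe", r"WINWORD.EXE /n invoice.doc"),
    Proc(2100, 2000, "explorer.exe",
         r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    Proc(2200, 2100, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2300, 2200, "mshta.exe", r"mshta.exe C:\Users\u\AppData\Local\Temp\x.hta"),
    Proc(3000, 1000, "mshta.exe", r"mshta.exe C:\Program Files\App\help.hta"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def ancestors(pid, by_pid):
    """Return [process, parent, grandparent, ...] up to the root, cycle-safe."""
    chain, seen = [], set()
    p = by_pid.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = by_pid.get(p.ppid)
    return chain

def direct_parent_is_office(pid, events):
    """The parent-only rule that the extra explorer.exe hop defeats."""
    by_pid = {p.pid: p for p in events}
    parent = by_pid.get(by_pid[pid].ppid)
    return parent is not None and parent.image in OFFICE

def find_office_script_chains(events):
    """Flag script hosts with an Office ancestor anywhere up the process tree."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        if p.image not in SCRIPT_HOSTS:
            continue
        chain = ancestors(p.pid, by_pid)
        office = [a for a in chain if a.image in OFFICE]
        if not office:
            continue
        # an explorer.exe hop started as a COM surrogate (/factory,{CLSID} -Embedding)
        surrogate = any("/factory," in a.cmdline and "-Embedding" in a.cmdline for a in chain)
        hits.append({"pid": p.pid, "office": office[0].image,
                     "depth": chain.index(office[0]), "com_surrogate": surrogate})
    return hits
```

On the sample, the parent-only rule returns False for the mshta.exe under the doubled Explorer hop, while the ancestry walk reports it at depth 3 with the COM-surrogate marker set.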
Evading detection (Zloader/HawkEye)
- UAC bypass via environment variable tampering.
Conclusion
- Commodity malware still needs a human point of interaction: stolen email threads and old chains are used by Emotet / Qbot / IcedID.
- End users should be less click-friendly, avoid enabling macros, and use 2FA as much as possible, as campaigns are often just interested in plaintext credentials.
- While security products still help, it will always be a game of cat and mouse.
- Ransomware going down due to several takedowns by law enforcement; miners will increase. Trickbot moving to greenminer after years of data theft and ransomware.
- In corporate environments, track CPU usage to spot miners.
- Educate non-tech people to exercise caution on links and file attachments.
- Encourage Linux endpoints.