Phishing Campaigns Distribute Ransomware Using EV Code Signing Certificates

One sentence summary – Threat actors are using phishing campaigns with EV code signing certificates to distribute ransomware, while IBM X-Force has identified new phishing campaigns spreading an improved version of the malware loader DBatLoader, and Caesars Entertainment fell victim to a cyberattack resulting in the theft of its loyalty program database, leading the company to pay a $15 million ransom to prevent the online leak of customer data.

At a glance

  • Threat actors are using phishing campaigns with EV code signing certificates to distribute ransomware.
  • The same actors behind RedLine and Vidar information stealers are orchestrating these campaigns.
  • Phishing emails deceive victims into running malicious attachments disguised as PDF or JPG images.
  • Victims receive info stealer malware signed with EV code signing certificates, followed by ransomware.
  • IBM X-Force has identified new phishing campaigns spreading DBatLoader malware with Agent Tesla and Warzone RAT.

The details

Threat actors are now employing phishing campaigns to distribute ransomware, using Extended Validation (EV) code signing certificates to bypass security measures.

These campaigns are being orchestrated by the same actors behind the RedLine and Vidar information stealers.

The initial payloads of these attacks are signed with EV code signing certificates, a technique similar to previous QakBot infections.

The attacks commence with phishing emails that deceive victims into running malicious attachments disguised as PDF or JPG images.

Once the victim is deceived, they receive info stealer malware signed with EV code signing certificates.

This is followed by ransomware from the same threat actor, using the same technique.

IBM X-Force Identifies New Phishing Campaigns

IBM X-Force has identified new phishing campaigns spreading an improved version of the malware loader DBatLoader.

This improved version includes Agent Tesla and Warzone RAT.

The threat actors control the email infrastructure used in these campaigns, allowing them to bypass email authentication methods.

They also use OneDrive for staging and retrieving additional payloads.

Malvertising Campaign Targets Cisco’s Webex Users

A malvertising campaign has also been identified, targeting users searching for Cisco’s Webex video conferencing software.

This campaign redirects users to a fake website spreading BATLOADER malware.

BATLOADER then downloads a second-stage encrypted payload known as DanaBot.

Tracking template URLs are used to determine which visitors are potential victims of interest.

Caesars Entertainment Falls Victim to Cyberattack

In a separate incident, Caesars Entertainment, the largest U.S. casino chain, fell victim to a cyberattack.

This attack resulted in the theft of its loyalty program database.

The stolen data includes driver’s license numbers and social security numbers.

However, there is no evidence to suggest the compromise of member passwords/PINs, bank account information, or payment card data.

In response to the attack, Caesars decided to pay a $15 million ransom to prevent the online leak of customer data.

This payment was made in response to an initial $30 million demand.

However, the deletion of the stolen data cannot be guaranteed.

Caesars is now actively monitoring the web for evidence of further sharing, publishing, or misuse of the stolen data.

The attack has not impacted Caesars’ customer-facing operations, including online/mobile gaming apps and physical properties.

Scattered Spider Suspected in Caesars Attack

A group known as Scattered Spider, a financially motivated threat group, is suspected of conducting the attack.

Scattered Spider employs social engineering, multi-factor authentication fatigue, and SMS credential phishing attacks to steal user credentials.
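The MFA fatigue technique attributed to Scattered Spider above leaves a recognisable trace in identity-provider logs: a burst of denied push prompts for one account, sometimes followed by an approval. The following detector is an added example, not code from the original article; the log line format, field names and sample entries are constructed for illustration and would need to be mapped onto your own IdP's sign-in events.

```python
"""Flag MFA push-fatigue bursts in sign-in logs (added example, not from the
article; the log line format and sample entries below are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\w+)$"
)

# Constructed sample: alice is hammered with pushes at 2 a.m. and finally
# approves one; bob denies a single push, which is ordinary noise.
SAMPLE_LOG = """\
2023-09-11T02:00:05Z user=alice event=mfa_push result=denied
2023-09-11T02:00:40Z user=alice event=mfa_push result=denied
2023-09-11T02:01:10Z user=alice event=mfa_push result=denied
2023-09-11T02:01:55Z user=alice event=mfa_push result=denied
2023-09-11T02:03:20Z user=alice event=mfa_push result=approved
2023-09-11T09:15:00Z user=bob event=mfa_push result=denied
"""

def parse(line):
    """Return (timestamp, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"]

def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map each user with >= threshold push denials inside `window` to
    (denials_in_burst, approved_after_burst); a trailing approval is the
    signature of a fatigue attack that succeeded."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ts, user, result = rec
            events[user].append((ts, result))
    findings = {}
    for user, evs in sorted(events.items()):
        evs.sort()
        denied = [t for t, r in evs if r == "denied"]
        for i, start in enumerate(denied):
            burst = [t for t in denied[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved_after = any(r == "approved" and t >= burst[-1]
                                     for t, r in evs)
                findings[user] = (len(burst), approved_after)
                break
    return findings
```

Running `detect_mfa_fatigue(SAMPLE_LOG)` on the constructed sample flags only alice, with four denials in the window and an approval afterwards; tune `threshold` and `window` to your own baseline of accidental denials.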

New Ransomware Family Introduced by LockBit Affiliate

In another incident, a LockBit affiliate has introduced a new ransomware family called 3AM.

This new ransomware was introduced after LockBit’s execution was blocked.

The 3AM ransomware attempts to disable security and backup processes, delete volume shadow copies, and encrypt files using the “.threeamtime” extension.

The malware is written in Rust and deployed as a 64-bit executable.

It scans drives for specific files, encrypts them, and leaves ransom notes.

The attackers performed reconnaissance, deployed Cobalt Strike components, and exfiltrated victim files.

This brief provides a comprehensive overview of the available facts and information about these incidents, prioritizing accuracy and completeness while maintaining a neutral perspective.

Article X-ray

This section links each of the article’s facts back to its original source.

If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.

thehackernews.com

  • Threat actors behind RedLine and Vidar information stealers are now using phishing campaigns to distribute ransomware.
  • The initial payloads are signed with Extended Validation (EV) code signing certificates.
  • QakBot infections have previously used valid code signing certificates to bypass security protections.
  • The attacks begin with phishing emails that trick victims into running malicious attachments disguised as PDF or JPG images.
  • The victim received info stealer malware with EV code signing certificates, followed by ransomware using the same technique.
  • The ransomware payload did not have EV certificates, but it originated from the same threat actor and was spread using the same delivery method.
  • IBM X-Force discovered new phishing campaigns spreading an improved version of a malware loader named DBatLoader.
  • DBatLoader has new capabilities for UAC bypass, persistence, and process injection.
  • The attacks since late June also deliver commodity malware such as Agent Tesla and Warzone RAT.
  • The threat actors have control over the email infrastructure to bypass email authentication methods.
  • OneDrive is used to stage and retrieve additional payloads, with some campaigns using transfer[.]sh or new/compromised domains.
  • A malvertising campaign is targeting users searching for Cisco’s Webex video conferencing software.
  • The campaign redirects users to a fake website that spreads the BATLOADER malware.
  • BATLOADER downloads a second-stage encrypted payload known as DanaBot.
  • The threat actor uses tracking template URLs to determine potential victims of interest.
  • Visitors who don’t meet the criteria are directed to the legitimate Webex site.
  • The ads used in the campaign appear legitimate and are likely to be clicked on by users.
  • The threat actors are interested in corporate victims for credentials and potential ransomware deployment.

bleepingcomputer.com

  • Caesars Entertainment, the largest U.S. casino chain, paid a ransom to prevent the online leak of customer data stolen in a recent cyberattack.
  • The attackers stole Caesars’ loyalty program database, which contains driver’s license numbers and social security numbers of customers.
  • Caesars is still investigating the extent of any additional personal or sensitive information that may have been acquired by the unauthorized actor.
  • There is no evidence to suggest that member passwords/PINs, bank account information, or payment card information were acquired.
  • Caesars paid approximately $15 million in response to the attackers’ initial demand of $30 million.
  • The company cannot guarantee that the stolen data has been deleted by the unauthorized actor.
  • Caesars is monitoring the web for any evidence of further sharing, publishing, or misuse of the stolen data.
  • The attack has not affected Caesars’ customer-facing operations, including online/mobile gaming apps and physical properties.
  • The attack has not impacted customers who are not enrolled in Caesars’ loyalty program.
  • The incident has been reported to law enforcement.
  • Caesars did not attribute the attack to a specific cybercrime gang, but a report suggests it was conducted by a group known as Scattered Spider.
  • Scattered Spider is a financially motivated threat group that has been active since at least May 2022.
  • The group uses social engineering, multi-factor authentication fatigue, and SMS credential phishing attacks to steal user credentials and breach targets’ networks.
  • Caesars will notify all affected individuals in the coming weeks.

securityweek.com

  • A LockBit affiliate has deployed a new ransomware family called 3AM after LockBit’s execution was blocked.
  • The 3AM ransomware attempts to stop security and backup processes and delete volume shadow copies.
  • In the observed attack, the threat actor dumped policy settings, deployed Cobalt Strike components, and attempted to escalate privileges.
  • The attackers performed reconnaissance, added a new user for persistence, and exfiltrated the victim’s files.
  • When LockBit was blocked, the attackers switched to the 3AM ransomware and successfully executed it on a single machine.
  • The 3AM ransomware appends the ‘.threeamtime’ extension to encrypted files and drops a ransom note.
  • The malware is written in Rust and deployed as a 64-bit executable.
  • It scans drives for specific files, encrypts them, and deletes the originals, leaving a ransom note in each scanned folder.
  • Other ransomware affiliates have also been observed deploying multiple ransomware families in the same attack.
  • Symantec warns that the use of 3AM as a fallback suggests it may be of interest to attackers and could reappear in the future.