Posted on July 12, 2022 at 6:26 PM
A recent report has revealed that threat actors are now planting malware on targeted systems using fake Google and Microsoft updates. Security researchers from Trend Micro discovered that one such ransomware family, “HavanaCrypt”, was being used by these threat actors.
In this case, the ransomware was found in the wild disguised as a Google Software Update application. The malware’s C2 server is hosted on a Microsoft web hosting IP address, which the researchers note is an unusual hosting medium for ransomware.
The researchers also stated that HavanaCrypt uses several techniques to verify whether it is running in a virtual environment. The malware uses the .NET function “QueueUserWorkItem” to speed up its encryption, and it reuses code from KeePass, an open-source password manager, during encryption.
According to Trend Micro, the malware may gain more capabilities, because it appears to still be under development. One sign that it is a work in progress is that it does not yet drop a ransom note on infected systems.
More Threat Actors Use Fake Versions Of Windows Updates To Fool Users
HavanaCrypt is one of the rapidly increasing ransomware tools that have been distributed in the form of fake updates for Google Chrome, Microsoft Exchange, and Windows 10.
Earlier in May, security researchers identified ransomware named “Magniber” which disguises itself as Windows 10 updates.
The operators tried to trick users into downloading the malware by presenting it as a Microsoft Edge update. Earlier this year, Malwarebytes researchers discovered hackers operating the Magnitude Exploit Kit.
At the time of the discovery, the Malwarebytes researchers stated that fake Flash updates had usually been linked to web-based malware campaigns until Adobe discontinued the technology due to security issues.
Since then, threat actors have resorted to using fake versions of regularly updated software products to launch their attacks. They try to deceive users into downloading the malware, with many of the hackers targeting browsers.
Creating fake software updates is very easy for threat actors. They generally use these updates as a way of distributing all manner of malware, including Trojans, info stealers, and ransomware. According to a researcher and analyst with Intel 471, such methods usually deceive non-technical users, but incident responders or SOC analysts are less likely to be fooled.
Security Experts Advise On Multi-Layered Defenses
Attacks on organizations and individuals are increasing steadily. As a result, security experts have consistently advised users to adopt multi-layered security to protect their devices and defend against ransomware attacks.
These layers include strong identity and access control, encryption, network segmentation to limit lateral movement, user and identity behavior monitoring, and strong endpoint control and response capabilities. The researchers have also advised using multi-factor authentication to make it harder for a threat actor to gain full access to systems.
Since most attacks target end users, it is also important for organizations to invest in educating users about social engineering scams and phishing risks. The researchers advised that more awareness training and education will go a long way toward reducing these attacks on end users.
Most of the attacks are designed to get the end-users to follow links to credential harvesting sites or download malware.
The Malware Attacks Systems In Four Approaches
The researchers pointed out that HavanaCrypt is a .NET malware that uses an open-source tool known as Obfuscar to obfuscate its code. Once deployed, the malware first checks whether a “GoogleUpdate” registry entry is absent.
After registering its presence, the malware goes through four stages to determine whether the compromised system is a virtualized environment. First, it looks on the affected system for services such as VMmouse and VMware services that virtual machines commonly use. Next, it checks for files used by virtualization applications, and then looks for specific names used in virtual environments. The fourth stage compares the infected system’s MAC address against unique identifier prefixes commonly assigned to virtual machine network adapters.
If any of these checks indicate that the compromised system is a virtual environment, the malware terminates itself. If it is not in a virtual environment, it proceeds to probe further and gain more ground within the system.
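As an added illustration (not code from Trend Micro’s report or from the malware itself), the following Python script performs the same kind of MAC-prefix lookup the fourth stage relies on, but from the defender’s side: an analyst can run it over a detonation sandbox’s adapter list to see whether the VM’s network hardware would give the sandbox away. The OUI table is built from publicly registered hypervisor vendor prefixes, and the MAC list is constructed sample input.

```python
import re
from typing import Dict, Iterable, Optional

# Publicly registered OUI prefixes (first three octets) assigned to hypervisor
# vendors. These are well-known assignments, not values taken from the article.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and bare aabbccddeeff forms.
_MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9a-f]{2})"] * 6) + r"$")


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC as lowercase 'aa:bb:cc:dd:ee:ff', or None if malformed."""
    m = _MAC_RE.match(mac.strip().lower())
    return ":".join(m.groups()) if m else None


def hypervisor_for_mac(mac: str) -> Optional[str]:
    """Map a MAC address to a hypervisor vendor via its OUI prefix, else None."""
    norm = normalize_mac(mac)
    return HYPERVISOR_OUIS.get(norm[:8]) if norm else None


def audit_sandbox_macs(macs: Iterable[str]) -> Dict[str, str]:
    """Return {normalized_mac: vendor} for each adapter whose OUI reveals a VM."""
    findings = {}
    for mac in macs:
        vendor = hypervisor_for_mac(mac)
        if vendor:
            findings[normalize_mac(mac)] = vendor
    return findings


# Constructed sample: adapters as a sandbox VM might report them (e.g. from
# `getmac` on Windows or `ip link` on Linux); the last entry is deliberately bad.
SAMPLE_MACS = ["00-50-56-9A-12-34", "08:00:27:ab:cd:ef", "3c:22:fb:10:20:30", "not-a-mac"]

if __name__ == "__main__":
    for mac, vendor in audit_sandbox_macs(SAMPLE_MACS).items():
        print(f"{mac} -> {vendor}: this adapter would reveal the VM to the malware's fourth check")
```

Adapters flagged here should be given a non-hypervisor OUI in the sandbox configuration; the other three stages (services, files, names) need their own artifact review.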