It was just a matter of time before the COVID-19 stimulus checks were used as the basis for a scam attempt. Seems like time is already up.
On top of a new email-based scam focused around “$4,000 COVID-19 stimulus checks,” this week’s stories include a new advisory from CISA about a TrickBot, an 18-year-old sentenced to prison for a Bitcoin hacking attempt, and much more.
If only there was an awesome blog post you could read every week that walks through five of the biggest stories in the industry in a condensed format … Oh wait, there is, and you’ve found it.
Let’s get to the news.
According to Threatpost, The American Rescue Act is the latest “zeitgeisty lure” being circulated on the Internet. Cyber criminals wasted no time latching onto the act as a lure for email-related cyber scams.
Researchers at Cofense, a cybersecurity firm, say that a campaign began circulating in March that capitalized on Americans’ interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS — using both the agency’s official logo and a spoofed sender domain of IRS[.]gov — and claim to offer an application for financial assistance. In reality, the email offers its victims the Dridex banking trojan.
The email says, “It is possible to get aid from the federal government of your choice” and then offers “quotes” for a pie-in-the-sky litany of great (completely fabricated) things, like a $4,000 check, “skipping the line” for a vaccination, or even free food.
There’s a button on the email that says “Get apply form.” If clicked, users are taken to a Dropbox account with an Excel document. If users fill out the document in full and “enable content” they trigger macros that set off the infection chain indirectly, according to Cofense.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning security teams to guard against the TrickBot Trojan, according to DARK Reading.
New cybercrime schemes that employ TrickBot malware are popping up again in North America, according to CISA. “A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the agencies note in an advisory on the malware.
TrickBot is an advanced Trojan first identified in 2016. Originally designed as a banking Trojan to steal financial data, it is now highly modular, multistage malware. Attackers often use TrickBot in order to drop other malware, such as Ryuk and Conti ransomware, or to serve as an Emotet downloader.
Last year, US Cyber Command — along with a Microsoft-led private industry group — attempted to take TrickBot down. Weeks later, researchers noticed a new version being distributed via spam.
In CISA’s advisory, the agency recommended security teams block suspicious IP addresses and train employees on awareness and phishing tactics to guard against TrickBot.
According to The Hacker News, a Florida teen accused of masterminding the hacks of several high-profile Twitter accounts last summer as a part of a widespread cryptocurrency scam pled guilty to fraud charges in exchange for a three-year prison sentence.
Graham Ivan Clark — the 18-year-old Floridian — will serve an additional three years on probation.
This development comes after the U.S. Department of Justice (DoJ) charged Mason Sheppard (aka Chaewon), Nima Fazeli (aka Rolex), and Clark (who was then a juvenile) with conspiracy to commit wire fraud and money laundering.
More specifically, 30 felony charges were filed against Clark, including one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information, and one count of access to computer or electronic device without authority.
This sentence comes in the wake of July 15, 2020, the day Twitter suffered one of the biggest security breaches in its history after attackers managed to hijack nearly 130 high-profile accounts. These accounts included names like Barack Obama, Kanye West, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, Uber, Apple, and more.
Ransomware gangs are making a killing in today’s modern world — encrypting data at schools, hospitals, and organizations across the globe at an alarming rate. Hundreds of millions of dollars’ worth are being made by these criminals. But according to Cyberscoop, it doesn’t have to be this way.
Both seasoned security experts and former diplomats are in the early stages of urging governments to work together to create a different kind of world — one with fewer examples of hackers taking data hostage or knocking organizations offline to demand ransom or extortion fees … A world where hackers are held responsible for targeting vulnerable organizations.
Government officials have increasingly been working together to tamp down on malicious cyber activity in recent years. One example of this is the European Union sanctions regime focused on hacking, rolled out this past year. However, a massive rise in ransomware attacks has ignited interest in recasting the playing field so it doesn’t advantage the attackers.
Major issues for diplomats around the world to tackle include the idea of eliminating “safe havens” for attackers and shifting the infrastructure and culture of the cybersecurity industry. These issues are easier said than done, but a lot of effort is being put into finding real solutions to an enormous issue.
Our last story from the week details researchers who say China-linked APTs lure victims with bogus Huawei career pages, dubbed “Operation Dianxun.” Threatpost brings us more on this story.
Chinese-language APTs are targeting telecom companies in cyber espionage campaigns aimed at stealing sensitive data and trade secrets tied to 5G technology, according to researchers.
“While the initial vector for the infection is not entirely clear, [we believe] with a medium level of confidence that victims were lured to a domain under control [of] the threat actor, from which they were infected with malware,” according to McAfee researchers in a Tuesday report.
Given the specific tactics used in this campaign, researchers surmised it to be the work of known Chinese-language APTs RedDelta and Mustang Panda. RedDelta was last believed to be behind cyber attacks against the Vatican and other Catholic Church-related institutions last year. In those attacks, adversaries leveraged spear phishing emails laced with malware that ultimately pushed the PlugX remote access tool (RAT) as the final payload.
Meanwhile, Mustang Panda has been linked to cyberespionage attacks on non-governmental organizations (NGOs) with a focus on gathering intelligence on Mongolia by using shared malware like Poison Ivy or PlugX. The group also is known to shift tactics and adopt new tools quickly, researchers have noted.
This time around, the groups seem focused on retrieving sensitive data and aiming to spy on companies related to 5G technology. The campaign is likely related to a number of countries’ decision to ban the use of Chinese equipment from Huawei in the global rollout of the next-generation wireless telecommunications technology.