Blog entry by Les Bell

by Les Bell - Tuesday, March 14, 2023, 4:01 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Emotet Bloats Files to Avoid Detection

Emotet, a botnet operation which originally started as a banking trojan back in 2014, has emerged again after a three-month hiatus, according to analysts at Trend Micro. To date, the Emotet operators have built three different botnets, known as Epochs 1, 2 and 3, but in the last few weeks Epoch 4 has emerged, delivering malmails to victims.

The primary infection technique is the use of macros in malicious Microsoft Office documents. While Microsoft disabled the execution of macros in files which bear the Mark of the Web, the document template employs social engineering techniques to trick the user into enabling macros. The Emotet crew have also taken to binary padding the documents, increasing the file size to well over 500 MBytes in order to avoid being scanned by anti-malware products. This works because the padding comprises only 00 bytes, which compress extremely well, so that the compressed version originally downloaded is very much smaller.
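A defender-side check for this kind of padding, as an added example (not code from Trend Micro or from this blog): it inspects a ZIP before extraction and flags members that inflate enormously and consist almost entirely of 00 bytes. The ZIP container, the thresholds, the function names and the sample file names are assumptions made for the illustration, and the sample is scaled down to 8 MiB of padding.

```python
import io
import os
import zipfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a 500 MB member never sits in memory

def zero_fraction(stream):
    """Return (total_bytes, share of bytes equal to 0x00) for a binary stream."""
    total = zeros = 0
    while chunk := stream.read(CHUNK):
        total += len(chunk)
        zeros += chunk.count(0)
    return total, (zeros / total if total else 0.0)

def padded_members(zip_bytes, min_ratio=50, min_zero_fraction=0.9):
    """List ZIP members that inflate hugely and are almost entirely 00 bytes.

    Both thresholds are assumptions picked for this example.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if ratio < min_ratio:
                continue  # cheap directory check first; normal members stop here
            with zf.open(info) as member:
                size, frac = zero_fraction(member)
            if frac >= min_zero_fraction:
                findings.append((info.filename, size, round(ratio), round(frac, 3)))
    return findings

def build_sample():
    """Constructed archive: the same 64 KiB body, once plain and once zero-padded by 8 MiB."""
    body = os.urandom(64 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("normal.doc", body)
        zf.writestr("padded.doc", body + b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("archive size on the wire:", len(sample), "bytes")
    for name, size, ratio, frac in padded_members(sample):
        print(f"{name}: {size} bytes unpacked, {ratio}x inflation, {frac:.1%} zero bytes")
```

A flagged member is a candidate for routing to a sandbox or for scanning with the zero run stripped, rather than being skipped because it exceeds a scanner's size limit.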

The document macro will download a ZIP file from any of seven C2 servers, then extract the contents to a folder before using regsvr32.exe to load a DLL file in order to infect the victim machine. Once the machine is infected, Emotet will run infostealer and spam relay routines, which it launches by making a copy of the certutil.exe utility, starting it in a suspended state and then replacing its code by process hollowing.
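Two process-creation checks that follow from the chain described above, as an added example rather than detection content from Trend Micro or this blog. It assumes events shaped like Sysmon Event ID 1 records (Image, OriginalFileName, ParentImage); the rule names, the list of Office applications and all sample events are constructed for the illustration.

```python
from pathlib import PureWindowsPath

# Assumption: events are dicts shaped like Sysmon Event ID 1 (process creation).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def name_of(path):
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    image = event.get("Image", "")
    # Rule 1: a macro runs inside the Office process, so regsvr32.exe
    # started by it shows the Office application as its parent.
    if name_of(image) == "regsvr32.exe" and name_of(event.get("ParentImage", "")) in OFFICE_APPS:
        hits.append("office_spawns_regsvr32")
    # Rule 2: the version resource still says CertUtil.exe, but the binary
    # runs from somewhere other than the Windows system directories.
    original = event.get("OriginalFileName", "").lower()
    folder = str(PureWindowsPath(image).parent).lower()
    if original == "certutil.exe" and folder not in SYSTEM_DIRS:
        hits.append("certutil_copy_outside_system_dir")
    return hits

# Constructed events; every path and file name below is made up for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def run(events=SAMPLE_EVENTS):
    """Return (image, matched rules) for every event that matches a rule."""
    return [(e["Image"], triage(e)) for e in events if triage(e)]

if __name__ == "__main__":
    for image, rules in run():
        print(image, "->", ", ".join(rules))
```

Neither rule observes the hollowing itself; they catch the regsvr32.exe launch and the relocated certutil.exe copy that precede it.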

The increasing use of evasion and anti-forensic techniques highlights the importance of security education, training and awareness; alert and suspicious users really are the last line of defence against these kinds of attacks.

Kenefick, Ian, Emotet Returns, Now Adopts Binary Padding for Evasion, blog post, 13 March 2023. Available online at https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html.

Infostealers Spread to Crackers via AI-Generated YouTube Videos

Just about the most vulnerable users on the Internet are those who want to use pirated copies of expensive software by cracking the copy protection and licence-checking features of these programs. The web is rife with malware binaries which claim to crack popular programs, but which really infect the naive victim's machine.

By now, these victims must be getting gun-shy, so often are they infected (although they may not even realize it, in some cases). As a result, simple Google ads and forum posts are decreasingly effective, and the malware operators are looking for new ways to social-engineer their victims into downloading their warez.

Their latest technique, according to CloudSEK researchers, is to use YouTube videos to appeal to the victims; after all, real people must be more trustworthy than featureless and anonymous ads, right? But actually, the videos do not feature real people at all - they are generated by artificial intelligence platforms like Synthesia and D-ID, with facial features designed to appeal to the victims, and pretend to be tutorials on how to download cracked versions of software products like Photoshop, Premiere Pro, AutoCAD and others.

In order to reach as many victims as possible, as quickly as possible, the hackers will use a variety of techniques such as phishing to take over popular YouTube accounts - ideally, with 100,000 subscribers or more. They then upload their fake video(s), adding fake comments to lend credibility to the content, and using region-specific SEO tags to improve the video's search engine rankings. For a popular YouTube channel, it will not take long for the channel owner to discover the hack and regain control, but if the video remains online for even a few hours, they can still infect hundreds of victims. On less active channels, the videos can remain online for months at a time, especially if the channel owner simply never bothers to reclaim their channel.

This entire process is highly automated, making it an efficient operation. Typically, the malware payload will be an infostealer such as Vidar, Redline or Raccoon, and it will plunder the victim's credentials, cryptocurrency wallets and other applications.

M, Pavan Karthick and Deepanjli Paulraj, Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware, blog post, 13 March 2023. Available online at https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware.

Free Economics Glossary

Courtesy of security maven Robert Slade comes a highly useful resource for cybersecurity management professionals: a glossary of economics terms. Given that a common complaint of boards and C-suites is that security wonks just don't understand business, this could be a way of fighting back. Granted, it is restricted to purely economics terms - from 'absolute advantage' to 'zero-sum game' - and doesn't cover wider business jargon, but then, so much of that is mal-adapted from the tech world anyway (exhibit 1: the way business has adopted the term "agile", perverting it along the way).

Uncredited, The A to Z of economics, online glossary, undated. Available online at https://www.economist.com/economics-a-to-z.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
