Tax-related scams surge around tax deadlines worldwide, using social engineering to steal money or personal information. Talos also links ongoing campaigns to GhostSec and Stormous, detailing their double extortion ransomware activity and related attacks across a range of targets and devices.
Key points
- Tax-themed scams use social engineering to trick targets into engaging with fraudulent offers or links.
- GhostSec and Stormous have increased ransomware activity, employing double extortion and launching a new RaaS program called STMX_GhostLocker.
- Attacks have impacted multiple countries, showing cross-regional reach beyond any single industry.
- WordPress sites are targeted via implants that inject admin bypass tools to facilitate access.
- A fake ransomware gang that claimed to have hacked Epic illustrates fraud and the sale of fake ransomware infrastructure.
- IoT devices (white-label security cameras) contain vulnerabilities that allow covert surveillance, aided by the absence of an FCC ID and easy pairing.
- Change Healthcare suffered a major data breach that took healthcare payment systems offline, prompting authorities to seek alternatives for providers.
MITRE Techniques
- [T1566] Phishing – Use of tax-related topics in spam emails and social engineering campaigns to steal money or information. “adversaries all over the globe are going to be leveraging tax-related topics in their spam emails and social engineering campaigns in the coming weeks, trying to steal money, infect devices with malware, or steal critical personal information.”
- [T1190] Exploitation of Public-Facing Application – WordPress admin bypass and hacking tool injected into the WordPress CMS. “injects an admin bypass and hacking tool targeting the WordPress content management system.”
- [T1068] Exploitation for Privilege Escalation – Admin bypass used to gain elevated access on WordPress. “injects an admin bypass…” (context described as bypassing admin controls to operate within WordPress).
- [T1486] Data Encrypted for Impact – Ransomware activities described as “double extortion” with GhostLocker/Stormous. “increased its ransomware activities… conducting ‘double extortion’ ransomware attacks…”
- [T1041] Exfiltration Over C2 Channel – Double extortion implies data exfiltration as part of the attack flow. “double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims…”
Indicators of Compromise
- [File Hash] – a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91, 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
- [MD5] – 7bdbd180c081fa63ca94f9c22c457376, 2915b3f8b703eb744fc54c81f4a9c67f
- [File Name] – c0dwjdi6a.dll, VID001.exe, Wextract, xmrig.exe, ggzokjcqkgcbqiaxoohw.exe
- Additional hashes and file names are listed in the Malware telemetry section of the article.
Read more: https://blog.talosintelligence.com/threat-source-newsletter-march-7-2024/