Blog

PDF File Attachments Used for Distributing QBot Malware

When Microsoft started blocking macros in Internet-delivered Office files, threat actors had to come up with new ways of distributing malware via email. Since then, there has been a rise in the use of OneNote files in phishing attacks. OneNote files allow scripts to be embedded and serve as an ideal replacement for Office files and macros; however, Microsoft has responded with security updates for OneNote to prevent this technique from being used for malware distribution. There has also been an increase in the use of container files to bypass protections, which include compressed files such as .rar and .zip, and .iso files.

Another method of bypassing these protections has been adopted to distribute QBot malware. QBot is used to gain initial access to business networks and is often used to drop malware payloads for other threat actors. QBot used to be delivered via phishing emails using malicious macros in Office file attachments, but that technique is no longer viable due to Microsoft’s updates. Instead, the threat actor is now using a combination of .pdf files and Windows Script Files. The phishing emails have a .pdf attachment, which downloads a .wsf file, which is used to deliver QBot.

The emails used in this campaign are reply chain emails, which makes it appear that the emails have been sent as a reply to a previous conversation. That increases the chances of the email being opened as employees are usually trained to be suspicious of unsolicited emails from unknown senders. If the attachment is opened, the PDF file states that the document is protected, and the user is required to click an ‘open’ link, which will trigger a download of a .zip file that includes a Windows Script file.

If the user double clicks that file, the script will be executed, which will run a PowerShell script that will deliver QBot from a hardcoded URL and execute the malware. QBot will be injected into the Windows Error Manager program and will run silently in the background. QBot will steal sensitive data and can move laterally and compromise other devices on the network. Once data has been stolen, access to QBot-infected devices is sold to ransomware gangs. A single device infected with QBot can easily end with large-scale data theft and a network-wide ransomware attack.

The latest campaign involves PDF file attachments, but the methods used for distributing malware such as QBot often change and will continue to do so. The key to improving security is to adopt a defense-in-depth approach, where there are multiple overlapping layers of security in place. If any one measure fails, others will be in place to continue to provide protection.

An email security solution such as SpamTitan is a good place to start. SpamTitan Email Security adds multiple layers of security to your defenses by performing extensive checks on all inbound and outbound emails. Message headers are checked, as is the reputation of the sender, and machine learning techniques are used to identify messages that deviate from the normal messages a user receives. Multiple scans are conducted on email attachments looking for malware and malicious scripts, including signature-based and behavior-based detection through dual antivirus engines and a Bitdefender-powered sandbox. Links are checked and followed to block phishing and malware downloads.

A web filtering solution is an important security measure for blocking the web-based component of these attacks. All attempts to connect with a URL – including automated attempts and clicks by users – will be assessed in real time and blocked if an attempt is made to connect to a known malicious URL. WebTitan can be configured to block downloads of executable files, such as .wsf files, and controls can be implemented to restrict access to websites to confirmed benign URLs.

Email-based attacks attempt to exploit human weaknesses so it is also important to improve your human defenses through security awareness training. The SafeTitan security awareness training platform can be used to automate workforce training and teach security best practices and eliminate risky behaviors, and make employees aware of the threats they are likely to encounter. The platform also includes a phishing simulator with hundreds of phishing templates to test employees to see how they respond to real-world threats, and automatically assigns further training modules if they fail a phishing simulation. These three solutions can be adopted by businesses to greatly improve their security posture against current and evolving threats. Speak with TitanHQ today to find out more.

Effective Workforce Training to Improve Cybersecurity in Healthcare

On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.

In 2020, healthcare cyberattacks increased by 55% breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately at the federal level to improve resilience to cyberattacks and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.

In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and training them on how to recognize the specific threats they are likely to encounter.

The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.

Administrators can easily develop training courses for individual employees, roles, and departments to ensure it is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors such as failed phishing simulations and security errors, such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.

The platform also has enterprise-level reporting, which provides executives with a 360 view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.

If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, to sign up for a free trial, get in touch with the TitanHQ U.S. team today.

Top Malware Threats and How to Prevent Infections

QBot, Emotet, and Formbook are currently the most prevalent malware threats according to new data from Check Point, all of which are mostly distributed using spam emails. Email is still one of the most common methods of malware distribution, and even Microsoft’s efforts to prevent the malicious use of macros have not changed that.

Last year, Microsoft disabled macros by default in Internet-delivered documents, and while this was a blow to cybercriminals who have relived on macros for their infection process, they simply changed tactics and used other methods for malware delivery. Macros were easy to abuse, as victims just needed to be tricked into enabling macros in documents and ignoring security warnings. Now that macros are disabled, cybercriminals have had to adopt new tactics for distributing malware via email, such as sending malicious links or using alternative attachments, such as OneNote files. The latter have been used to distribute Emotet, which has helped the malware return to the top of Check Point’s most wanted malware list.

OneNote files have proven popular for malware distribution as they allow scripts to be embedded and masked with overlays. The user is instructed to double-click a button in the OneNote file as they are told that the document is protected, when what they are actually doing is double-clicking an executable file embedded under the overlay, thus executing the script and triggering the downloading of a malicious payload. Microsoft has announced that this security issue is being tackled by May, but until then OneNote will continue to be used for malware delivery.

The top three malware variants share some of the same functionality but offer specialized features. QBot, also known as QakBot, was primarily a banking Trojan used to steal banking credentials but is now capable of stealing other credentials due to its keylogging capabilities. It has been in use since 2008 and is one of the oldest malware families currently in use.

Emotet has long been at the top of the most common malware variants and has survived a recent law enforcement takedown. Emotet started life as a banking Trojan but has evolved over the years and is now primarily used as a distributor of other malicious payloads under the malware-as-a-service model. Like QBot, Emotet is also extensively distributed via email, helped by its self-propagating capabilities, which allow it to hijack message threads and send copies of itself to the victims’ contacts.

FormBook has been used since at least 2016 and is an information stealer that is also marketed under the malware-as-a-service model. FormBook primarily harvests credentials from web browsers, but also logs keystrokes, collects screenshots, and can deliver additional files to infected devices. It is one of the most widely distributed malware due to its capabilities, relatively low cost, and strong evasion techniques.

These three malware variants have had a huge impact globally, with QBot infections detected at 10% of organizations worldwide and Emotet and FormBook each affecting 4% of organizations worldwide. Preventing infections requires a defense in-depth approach involving multiple layers of protection, with one of the most important layers provided by a spam filter.

All three of these malware families are extensively spread via spam email, so blocking the initial attack vector is by far the best defense. SpamTitan incorporates several layers of protection against malicious emails, including emails with malicious attachments such as OneNote files and malicious links. SpamTitan performs a multitude of front-line checks including message headers and reputation checks and has dual anti-virus engines for detecting malware and sandboxing for behavioral analysis of attachments. SpamTitan also scans links and uses machine learning algorithms to identify emails that deviate from the genuine emails typically received by businesses.

While a spam filter and endpoint protection solutions such as antivirus software were once sufficient, the speed at which new malware variants are being released and the evasion methods they use mean additional layers of protection are now required. TitanHQ recommends also deploying a web filter to block Internet-based threats. A web filter such as WebTitan augments the spam filter by blocking malware delivery via the Internet and improves protection against non-email-based threats, such as malicious links in text messages and instant messaging platforms.

Threats will occasionally bypass these protections, so it is important to provide security awareness training to the workforce. By educating the workforce on cyber threats, if one is encountered it can be recognized and avoided. Security awareness training allows businesses to train employees on security best practices and eradicate the risky behaviors that are often exploited by cybercriminals. SafeTitan is a comprehensive training platform covering all aspects of security and includes a phishing simulation platform for testing how employees respond to phishing threats and providing targeted training where it is needed.

For more information on these solutions and improving your security posture in the most cost-effective way, give the TitanHQ team a call today.

New Business Email Compromise Tactics Identified

Business email compromise tactics commonly change, so businesses need to ensure that they provide regular security awareness training to their workforce. Businesses that implement an ongoing security awareness training program can ensure that all employees are made aware of the emerging tactics so that when a threat is received, they will be able to identify it as such and report it to their security team.

BEC attacks typically involve spoofing an individual or company to get an individual to make a fraudulent wire transfer to an attacker-controlled account. The FBI has recently reported that tactics are becoming more sophisticated, and telephone numbers are also being spoofed. When the targeted individual calls to verify the authenticity of the emailed request, they speak with the scammer. It is vital to ensure that employees are told to verify the authenticity of any out-of-band requests for payments, changes to account details, requests for gift cards, and other common scam tactics but to ensure that verified contact information is used, and never the contact information supplied in the email.

Another BEC tactic that is becoming increasingly common attempts to obtain goods under false pretenses, instead of tricking people into making wire transfers. This tactic is often adopted by less advanced threat actors, as they do not have to recruit the money mules to accept the payments. According to the FBI, scammers are impersonating the email domains of U.S. companies and are spoofing emails with the real names of company employees, so if checks are performed, they will be passed.

The scammers trick vendors into believing they are conducting legitimate business transactions and fulfilling purchase orders for distribution to new customers. Scams identified by the FBI include the targeting of vendors of agricultural equipment, construction materials, computer hardware, solar energy products, and more. The goods are distributed and by the time the scam is identified, they have been moved on and cannot be traced or recovered. Since these purchase orders are often for bulk goods, thousands or hundreds of thousands of dollars can be lost.

Businesses often provide new customers with credit repayment terms such as net-30 or net-60, where they are not required to pay for the goods for 30 or 60 days. That means by the time the scam is identified the goods have long since been moved and sold. Businesses naturally conduct credit checks before offering those terms, but the attackers are supplying fake credit references and fraudulent W-9 forms to vendors to get the payment terms to allow them to purchase goods without any upfront payment.

The best way to protect against these scams is to ensure that you have an advanced email security solution in place – Such as SpamTitan – to block the initial contact via email. However, it is also important to provide security awareness training to the workforce.

SafeTitan is a modular training platform that allows businesses to develop custom training courses for different individuals, roles, and departments, and to ensure that the training provided is relevant. The platform includes hundreds of training modules and can be tailored to meet the needs of all organizations. The training content is regularly updated to include the latest tactics that are being used, allowing businesses to keep all members of the workforce 100% up to date on the latest threats.

Administrators can trigger training modules for all members of the workforce when new threats are identified. The modules are easy to fit into busy workflows and take no longer than 10 minutes. Through SafeTitan security awareness training, businesses can develop a security culture and greatly reduce susceptibility to phishing and BEC attacks. Data from the SafeTitan phishing simulation platform shows businesses can reduce susceptibility to email scams by up to 80% over time through email attack simulations.

For more information on SafeTitan Security awareness training and phishing simulations contact TitanHQ today.

BEC is Still A Leading Cause of Losses to Cybercrime and Attacks Continue to Increase

Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.

In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.

BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.

One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.

In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.

Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering solution is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.

Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.

TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.

The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.

Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.