Security Awareness Synopsis – FBI Warnings, Ransomware, and a 100th Version Batchin’ Bot

Author: Jennifer Walker

Created: Tuesday, November 24, 2020 - 18:24

Categories: Cybersecurity, General Security and Resilience, Security Preparedness

Multiple FBI Warnings

Over the weekend, the Federal Bureau of Investigation (FBI) issued two separate warnings, one for increasing Ragnar Locker ransomware activity and one for numerous FBI-spoofed domains being registered by unattributed cyber actors. The Ragnar Locker alert includes a FLASH with indicators of compromise and recommended mitigations. The FLASH (MU-000140-MW) can be accessed through the WaterISAC portal, here. The second warning emanates from the FBI’s Internet Crime Complaint Center (IC3) and was issued “to help the public recognize and avoid spoofed FBI-related Internet domains.” The IC3 alert (I-112320-PSA) includes a broad sampling (albeit incomplete) of spoofed domains and should be shared with end-users for better awareness of cyber threat actor tactics. Along with a reminder to verify the spelling of website and email addresses, a review of the spoofed domains provides a valuable glimpse of the types of names actors register to imitate legitimate domains. Visit Bleeping Computer for more on the spoofed FBI domains.

Bleeping Computer’s The Week in Ransomware – November 20, 2020

At the risk of being repetitive, Bleeping Computer’s The Week in Ransomware series is a must-review for the numerous highlights and lowlights of this wretched menace. Many of the cybersecurity community’s best-regarded researchers and analysts contribute to dozens of reports on new variants, new developments, and ongoing ransomware activity each week. The latest observations include enduring Egregor and its print bombs, dozens of new ransomware variants – including one that’s already ramping up for tax season by targeting TurboTax tax returns – and a ransomware infrastructure that could face sanctions for being hosted in Iran.

TrickBot Gets Trickier

It seems TrickBot, the botnet commonly implanted via Emotet phishing emails and known to bring Ryuk/Conti or other ransomware along, celebrated its century release (100th version) with some new covert behavior. While the bot is known for evading detection, the group has recently added new functionality that takes advantage of commonly used built-in system tools to hide in plain sight and live off the land. This new functionality employs an obfuscated batch script launcher that uses the built-in Windows command prompt to launch malicious executables. And that’s not the only new trick it has up its sleeve: the notorious TrickBot group has also implemented LightBot to perform reconnaissance and seek out high-value targets. LightBot phishing emails purport to come from human resources or the legal department about a customer complaint or the termination of the recipient’s employment.
