Thursday, February 20, 2025

Several Malware Organizations Launch Attacks, and Chrome and Microsoft Release Security Updates.

Luna Moth Extortion

by Artie Kaye

Run by a group known as Silent Ransom, Luna Moth is a phishing campaign targeting legal and retail businesses. The emails it sends contain no links and no malicious files, and they look entirely legitimate. An invoice is attached with a callback phone number on it. When the victim calls, they are coerced into allowing a remote connection to their device to clear up “problems”. The programs used for this are industry-standard remote-access tools, which add a layer of credibility to the ploy. Once connected, the attackers drop malware on the device to keep their access. With that access, they exfiltrate data and use it in ransom demands.

Knowing about the attack is a big part of defending against it. If you receive an invoice for something you never signed up for, be cautious. Look up the business before calling any number listed on the invoice. If you do make the call, do not under any circumstances allow the other party remote access to any of your devices. Staying informed, and keeping your employees or coworkers informed, about threats like this diminishes their ability to cause harm.

Third-Party references:

Click the links below to learn more details. (Opens in a new tab/window.)


Emotet Botnet Resurfacing

by Artie Kaye

November marked the return of a major player in the malware world: Emotet. This botnet had infected 6% of organizations worldwide by April 2022. The resurgence brings an updated arsenal of malicious programs, including IcedID. Infection arrives as a password-protected zip file or an Excel file sent via email. Because of changes Microsoft has made to Office security, the Excel file now includes instructions telling the user to copy it to a trusted location on the hard drive and open it from there. Doing so executes hidden commands that infect the system.

Emotet propagates via spam messages sent by the botnet. Do not open attachments from unknown senders. If a file says it has to be moved to a specific folder before it can be opened, do not trust it. The file may not be caught by spam or malware filters, so apply a zero-trust mindset to documents from unknown sources.
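A defender-side triage check for the two lure shapes described above, added here as an illustration and not taken from the article: it flags a zip whose entries are password-protected (the "encrypted" bit in the archive's general-purpose flag) and an Office OOXML workbook that carries a VBA project, the kind of file that only runs its macros once moved to a Trusted Location. The sample attachments it builds are constructed in memory; the function and file names are this example's own.

```python
import io
import zipfile

# Triage of a mail attachment for Emotet-style lures: a zip with
# password-protected entries (general-purpose flag bit 0) or an OOXML
# workbook carrying a VBA project. Constructed example; defender-side only.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .xls/.doc

def triage_attachment(data: bytes) -> dict:
    """Return findings for raw attachment bytes."""
    findings = {"container": "unknown", "encrypted_entries": 0,
                "has_vba": False, "suspicious": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file can hold VBA/XLM macros: route to a full macro scan.
        findings.update(container="ole2", suspicious=True)
        return findings
    if not data.startswith(b"PK\x03\x04"):
        return findings
    findings["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        findings["encrypted_entries"] = sum(1 for e in entries if e.flag_bits & 0x1)
        names = {e.filename for e in entries}
        if names & {"xl/vbaProject.bin", "word/vbaProject.bin"}:
            findings.update(container="ooxml", has_vba=True)
    findings["suspicious"] = findings["encrypted_entries"] > 0 or findings["has_vba"]
    return findings

def _mark_entries_encrypted(data: bytes) -> bytes:
    """Constructed-sample helper: set the 'encrypted' bit on every central directory record."""
    buf = bytearray(data)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        flags = int.from_bytes(buf[pos + 8:pos + 10], "little")
        buf[pos + 8:pos + 10] = (flags | 0x1).to_bytes(2, "little")
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

def build_samples() -> dict:
    """Constructed inputs: a macro-enabled workbook, a plain zip, and that zip flagged as password-protected."""
    xlsm, plain = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)   # placeholder VBA blob
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("invoice.doc", b"constructed sample, not a real document")
    return {"xlsm": xlsm.getvalue(), "plain_zip": plain.getvalue(),
            "pw_zip": _mark_entries_encrypted(plain.getvalue())}
```

The password-protected sample only has its flag bit set so the check can be exercised offline; a real lure would also carry encrypted entry data that filters cannot inspect without the password.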



Ducktail Ransomware Active Again

by Artie Kaye

Targeting users of Facebook advertising accounts, this malware is designed to take over accounts, steal ad revenue, and steal money from the targeted company. Having previously used LinkedIn for distribution, the operators have switched to WhatsApp, messaging individuals to entice them into running an infected file. The malicious payload tries to add users to any Facebook business accounts it finds as administrators. The new attacks add the ability to harvest browser data, such as session cookies.

The attackers' methods and adaptations make this a sophisticated attack vector. Regularly reviewing which users have access to your Facebook accounts is recommended. If you hold a Facebook advertising account, it is also worth reading further into this issue.



Microsoft Patch

by Artie Kaye

Users experiencing issues with Kerberos authentication after the November 8 Windows patch should check for an out-of-band update, which is designed to fix the problem. If you haven’t installed the November 8 patch, you are advised to install the alternate one instead.

The flaw this pertains to is listed as CVE-2022-37966.



Chrome Zero-Day

by Artie Kaye

With its 8th zero-day patch of 2022, Google addresses a heap buffer overflow flaw in Chrome's GPU component. The bug could be used to write to memory the process should not be able to reach or to execute arbitrary code. If you use a Chromium-based browser, please update as soon as you can.

The flaw is listed as CVE-2022-4135.
