As the world of cybersecurity adapts to new forms of protection, so do the threat actors who aim to exploit it. One of the most recent and sophisticated trends in cybercrime involves combining phishing emails with Extended Validation (EV) certificates to distribute ransomware. Here's an in-depth look at this emerging tactic and its broader implications for cybersecurity.
Unpacking the Technique
The cybercriminals behind the RedLine and Vidar info-stealers are now also delivering ransomware. According to Trend Micro researchers, their phishing campaigns sign the initial payloads with Extended Validation (EV) code-signing certificates so that the executables present a valid, trusted signature and appear legitimate.
The sequence starts with phishing emails whose attachments look like ordinary files such as PDFs or JPGs but are in fact executables. When the victim opens one, the infection chain begins. Unlike the unsigned droppers used in typical phishing campaigns, an EV-signed binary passes controls that trust any valid signature and, because EV code-signing certificates establish reputation with Microsoft SmartScreen immediately, it draws far fewer warnings when the user runs it.
A Multi-Step Attack
An unnamed victim first received an info-stealer signed with an EV certificate. Shortly afterwards, the same victim was targeted with ransomware delivered through the same technique. This suggests that the threat actors may operate with a division of labour, with different units focusing on different types of attack while sharing the same delivery method.
Cybersecurity Implications and CSOC Response
In a Cyber Security Operations Center (CSOC), this chain is unlikely to trip alerts on the signature itself: the binary is validly signed, so signature-based trust checks and SmartScreen reputation let it through. The detection opportunities are behavioural: a user launching a freshly delivered executable named like a document or image, the info-stealer's access to browser credential stores and its outbound connections, and later the ransomware's mass file modification. To counter these risks, CSOCs should detonate incoming attachments in a sandbox and judge them on behaviour rather than on the presence of a valid signature, and should enforce SPF, DKIM and DMARC at the mail gateway, quarantining or rejecting messages that fail, so that lookalike senders do not reach users. Note the limit of that second control: SPF, DKIM and DMARC authenticate the sending domain, not the attachment, so a message from an attacker-controlled domain with correct records will pass all three.
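To make the mail-gateway side concrete, the following Python is an added example written for this page, not a product's or the researchers' code. It reads RFC 8601 Authentication-Results headers, applies the DMARC verdict, and routes messages that authenticate but still carry a file to a sandbox queue instead of straight to the inbox. The domains, the messages and the choice to quarantine a DMARC failure whose published policy is not visible in the header are this example's own assumptions.

```python
"""Mail-gateway routing from SPF/DKIM/DMARC results, as a CSOC might run in
front of users targeted by the campaign above.  Verdicts: 'reject',
'quarantine', 'sandbox' (authenticated sender, but carries a file that must be
detonated first) or 'deliver'.

Added example for this article, not a product's code.  The header format is
RFC 8601 Authentication-Results; the messages and domains are constructed.
Quarantining a DMARC failure whose published policy is not visible in the
header is this example's own conservative default.
"""
import re
from email import message_from_string, policy

# Method results such as "spf=pass", "dkim=none;" or "dmarc=fail (p=REJECT ...)".
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)(?:\s*\(([^)]*)\))?", re.I)
DMARC_POLICY_RE = re.compile(r"\bp=(none|quarantine|reject)", re.I)


def parse_auth_results(msg):
    """Map method -> (result, comment) from every Authentication-Results header,
    keeping the first occurrence (the one added by our own MTA sits on top)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result, comment in RESULT_RE.findall(str(header)):
            results.setdefault(method.lower(), (result.lower(), comment))
    return results


def verdict(msg):
    """Route one parsed message."""
    auth = parse_auth_results(msg)
    dmarc_result, dmarc_comment = auth.get("dmarc", ("none", ""))
    if dmarc_result == "fail":
        m = DMARC_POLICY_RE.search(dmarc_comment)
        published = m.group(1).lower() if m else "quarantine"   # assumption: unknown policy -> quarantine
        return "reject" if published == "reject" else "quarantine"
    spf = auth.get("spf", ("none", ""))[0]
    dkim = auth.get("dkim", ("none", ""))[0]
    if dmarc_result != "pass" and spf != "pass" and dkim != "pass":
        return "quarantine"          # nothing vouches for the sender at all
    if any(True for _ in msg.iter_attachments()):
        return "sandbox"             # passing SPF/DKIM/DMARC says nothing about the attachment
    return "deliver"


def parse_raw(raw):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def route(raw):
    """Parse raw RFC 5322 text and return its verdict."""
    return verdict(parse_raw(raw))


def make_message(auth_results, attach=False):
    """Constructed message carrying the given Authentication-Results value and,
    optionally, an 'Invoice.pdf.exe' attachment (the lure shape from the article)."""
    head = (f"Authentication-Results: {auth_results}\n"
            'From: "Accounts" <billing@trusted-vendor.test>\n'
            "To: victim@example.net\nSubject: Invoice attached\nMIME-Version: 1.0\n")
    if not attach:
        return head + "Content-Type: text/plain\n\nPlease see our portal.\n"
    return head + ('Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
                   "Content-Type: text/plain\n\nPlease see the attached invoice.\n--b1\n"
                   'Content-Type: application/octet-stream; name="Invoice.pdf.exe"\n'
                   'Content-Disposition: attachment; filename="Invoice.pdf.exe"\n'
                   "Content-Transfer-Encoding: base64\n\nTVo=\n--b1--\n")


# Constructed Authentication-Results values for the cases a gateway meets.
SPOOFED_REJECT = ("mx.example.net; spf=fail smtp.mailfrom=bulk.attacker.test; dkim=none; "
                  "dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=trusted-vendor.test")
SPOOFED_QUARANTINE = ("mx.example.net; spf=softfail; dkim=none; "
                      "dmarc=fail (p=QUARANTINE) header.from=trusted-vendor.test")
SPOOFED_NOPOLICY = "mx.example.net; spf=fail; dkim=fail; dmarc=fail header.from=trusted-vendor.test"
UNAUTHENTICATED = "mx.example.net; spf=none; dkim=none; dmarc=none"
GENUINE = ("mx.example.net; spf=pass smtp.mailfrom=trusted-vendor.test; "
           "dkim=pass header.d=trusted-vendor.test; dmarc=pass (p=REJECT) header.from=trusted-vendor.test")

if __name__ == "__main__":
    for label, auth, attach in [("spoofed, p=reject", SPOOFED_REJECT, True),
                                ("spoofed, p=quarantine", SPOOFED_QUARANTINE, True),
                                ("spoofed, no policy seen", SPOOFED_NOPOLICY, False),
                                ("no authentication", UNAUTHENTICATED, False),
                                ("genuine + attachment", GENUINE, True),
                                ("genuine, text only", GENUINE, False)]:
        print(f"{label:24s} -> {route(make_message(auth, attach))}")
```

The 'sandbox' tier exists precisely because of the caveat above: an attacker who registers a fresh domain and publishes correct SPF, DKIM and DMARC records gets a clean 'pass' on all three, so an authenticated message with an executable attached still has to be detonated and judged on behaviour before it reaches the user.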
Key Terms Glossary
- Phishing: Deceptive attempts, usually via email, to acquire sensitive information.
- Extended Validation (EV) Certificates: Digital certificates issued only after the CA has performed a more rigorous identity check of the requesting organization. For EV code signing the private key must be kept on a hardware token, and programs signed with one establish reputation with Microsoft SmartScreen immediately, which is exactly what makes these certificates valuable to a malware distributor.
- Payload: The component of the malware that performs the malicious action.
- Ransomware: A type of malware that encrypts files and demands payment for their release.
- CSOC: Cyber Security Operations Center, the team that monitors an organization's systems, detects intrusions and coordinates the response.
Summary
Cybercriminals are adopting increasingly sophisticated techniques to distribute ransomware, as seen with phishing emails whose executable payloads are signed with EV code-signing certificates. These multi-stage attacks, whose payloads carry a trusted signature, pose a significant threat to individual users and corporations alike and undercut controls that equate a valid signature with safety.