German language speaking countries vulnerable to multiple targeted threats
- Multiple high profile ransomware, banking trojans, and info-stealers have been used in targeted campaigns.
- Some of the identified campaigns focus on credential theft from both organizations and individuals.
Germany and other German-speaking regions such as Austria and Switzerland are vulnerable to a large number of threats like phishing attacks, business email compromise (BEC) attacks, malware attacks, and info-stealer trojans.
“While Germany, Austria, and Switzerland are all subject to a large scale of global campaigns, many regionally targeted threats are also worth highlighting, both for their local significance and the global trends,” Proofpoint researchers said in a report.
Malware Threats: Ransomware, Trojans, and info-stealers
- The Osiris banking trojan was discovered and documented by Proofpoint researchers in late July. Osiris, a new version of the old Kronos banking trojan, uses the Tor network for communications with its command and control (C&C) server infrastructure. However, researchers found that the malware has recently begun focusing on German-speaking victims. The malware is now delivered via macro-enabled Microsoft Word email attachments, which when enabled downloads and installs Osiris.
- Another banking trojan that was spotted on a regular instance by researchers is the Retefe banking trojan. According to Proofpoint’s report, researchers have documented weekly and daily Retefe campaigns in Switzerland, as well as campaigns in Scandinavia and Austria. Unlike other banking trojan’s in the wild, Retefe works by redirecting traffic via its proxy from the compromised user’s PC.
- The Emotet banking trojan, which started its infection vector with German-speaking countries, has also grown into a wide-spread global threat. However, it still appears to target German-speaking victims, according to the researchers.
Researchers also listed some of the subject headers used by attackers in malicious emails. Some email contained links to Nymaim executable files, while others were found using password-protected Microsoft Word documents.
- Abrechnung Nummer 470136585 vom 12.09.2018 (Billing number 470136585 from 12.09.2018)
- Bank Payment Limited & Co. KG unbeglichene Rechnung Buchung ID 952828587 [User Name] (Bank Payment Limited & Co. KG unpaid invoice booking ID 952828587 [User Name])
- Fwd: [User Name] - OnlinePayment GmbH & Co. KG automatische Konto-Lastschrift konnte nicht vorgenommen werden (OnlinePayment GmbH & Co. KG automatic account direct debit could not be made)
- [User Name]- Bank Payment Limited & Co. KG automatische Konto-Lastschrift ([User Name] - Bank Payment Limited & Co. KG automatic account direct debit)
- [User Name] Ihr angegebenes Girokonto ist nicht hinreichend gedeckt ([User Name] Your specified current account is not sufficiently covered)
Campaigns distributing the GandCrab ransomware via email attachments were also a common occurrence. For example, an email with the subject header containing the details of a well-known photographer was sent to a victim, along with his photo and zipped executables. When the malicious attachment was opened, it installed GandCrab.
Proofpoint researchers also detected AZORult campaigns targeting German-speaking victims. Recent reports also suggest that AZORult is spread via the open source Gazorp malware builder, available for free on the dark web.
Business Email Compromise (BEC) and Phishing
Although phishing is known as one of the oldest attack methods, it has remained active in German-speaking regions. Attackers are highly focused on credential theft, using specially-crafted email messages and landing pages of various domains such as Amazon, Microsoft, and PayPal. These kind of attacks help cybercriminals obtain credentials from organizations and individuals, and use them to launch future attacks.
To defend against raising threats in these regions and worldwide, a combination of layered security defenses, strong threat intelligence, and rigorous end-user training are all imperative, the researchers added.