When most people think of malware, they think of binaries that are downloaded to a drive and executed. However, that is only part of the malware world. The other side does not actually download the malicious binary directly to the drive and often injects it directly into memory though the use of scripts. The name fileless is a bit of a misnomer as there are always files to be found in different stages of the attack, it is more to the point that much of the malicious work is doe through injection of code into legitimate processes without the need to write much of it to disk.

Ransomware is a huge shadow over many businesses and individuals’ heads. It has loomed as a significant threat since the first stains hit the internet inside malicious zip files masquerading as “Xerox” documents. Since that time ransomware and the groups behind it have evolved significantly. At the top of the food chain are groups like Hive and Conti who have not only evolved their own tools but utilize strategic approaches to their organizations complete with acquisitions and, in some cases, attempted legitimate business fronts to further their activities.

April must be the month for new malware tools to be released, or at least announced as we have already heard about new forms of attack/infection from the group behind Emotet and now we hear that Conti has replaced BazarLoader with new malware tracked as Bumblebee. The newly disclosed malware is also under active development with multiple new features showing up this month.

Yesterday we told you that the gang behind Emotet was looking to used Excel add-ins as a possible new technique to compromise systems as part of their spamming campaigns. The detected techniques were labeled as potentially being part of research and development efforts on the part of the group TA542 due to changes Microsoft is making in Office (and ones many admins already push). The R&D efforts do not stop there though as multiple security research teams are now saying they have identified another new technique associated with Emotet.

TA542 the wonderful people that brought you Emotet appears to be in the middle of a development and testing cycle on new delivery methods. According to researchers at ProofPoint the creators or the Emotet Botnet are potentially looking to find a new delivery method in response to the, long overdue, default disabling of VBA based Macros by Microsoft in their office products. Although ProofPoint seems to think this is development testing, the activity could also be part of a more targeted campaign.

CISA has issued another warning that SCADA/ICS systems are being targeted for attack. This time they are in the sights of Nation-State groups and with customized tools. The tools are part of follow-on activities after the initial beachhead has been established. These days gaining initial access to a network, even for infrastructure, does not seem to be a difficult task for nation-state groups.

Some needs to let Gordan Freeman know that the Xen aliens are attacking Lambda, time to grab a crowbar and go to work. Ok, so there are no invaders from a border dimension coming and the Lambda in question is really Amazon’s Lambda Serverless function in AWS while the threat is a bit of crypto mining malware that appears to have been specifically written for Lambda in Google’s Go.

It looks like there has been another round of malware identified on the Google Play sore and, you guessed it, the majority is focused on banks and other financial institutions. The combination of apps found totals around 515,000 downloads. 500,000 of these downloads are being attributed to a new trojan dubbed Octo and appears to be distributed via fake apps uploaded to the Google Play store.

For some reason, malware, attacker tools, and even the threat groups themselves tend to be viewed and talked about as static objects (outside of the security and threat analytics world). Malware is just Malware, the same with Ransomware strains. Once they get named, they are that way forever. However, that is the farthest thing from reality. Threat Groups evolve their tactics, toolsets, and they even have DevOps around their malware/ransomware.

The FBI, on March 29th, released a Private Industry Notification with vague details on a potential Phishing campaign targeting election officials in at least nine US states. The information in the advisory gives very broad information without really saying much. There is no information in the notification on which states were targeted and the phishing campaign sounds a lot like ones that are sent out to millions of people every day.