Microsoft Researches Ransomware Attack Targeting App Developers


Stories of ransomware attacks are common in headlines worldwide. The attacks target large and small businesses alike. Research suggests that more than half of organizations find it difficult to determine whether their cybersecurity is sufficient to protect them from ransomware attacks.

Some of these organizations lack the tools needed to protect their data against hackers, so recovering from a data breach caused by a ransomware attack can be challenging. Hackers can carry out a data breach by accessing a computer network either remotely or physically. Remote access that evades the established security controls is the most common way hackers get ransomware into a system.

Recently, Microsoft conducted an in-depth investigation into hackers who target app developers by infecting Office documents with malicious code. According to Microsoft, the hackers took advantage of recently discovered flaws and weaknesses to distribute ransomware specifically aimed at app developers.

Microsoft went on to say that the hackers used fake documents and exploited a remote code execution weakness in the vulnerable MSHTML rendering engine, also known as the Trident rendering engine, to deploy their attacks against unsuspecting app developers.

In August 2021, security researchers at Microsoft identified an actively exploited flaw in Windows systems. The previously unknown bug, CVE-2021-40444, was addressed in this week’s Patch Tuesday update.

It is unclear how many app developers were directly targeted by the attacks. However, as part of the aggressive campaign, the attackers exploited the vulnerability to distribute modified Cobalt Strike Beacon loaders to the public.

Cybercriminals use Cobalt Strike Beacon, a commercially and legitimately available vulnerability scanner, to quickly identify a variety of security issues on a computer system.

According to Microsoft’s research, the attacks were not the work of state-sponsored hackers. Instead, they were linked to communication infrastructure that Microsoft believes is tied to multiple cybercriminal activities, including hands-on-keyboard, financially motivated attackers who are paid to gain access to internal networks and deploy ransomware.

In some of the attacks, the social engineering lure clearly indicated deliberate targeting of app developers. According to Microsoft, “The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted.”

The research also noted that at least one of the organizations previously hit by a wave of malware with the same characteristics bore the brunt of the attacks. During a later wave, however, the lure shifted away from app developers to a purported legal threat involving a small claims court.

In this instance, the attackers used an Office document to load a malicious ActiveX control by exploiting a weakness in the Internet Explorer rendering engine.

Microsoft believes this malicious operation is the work of a new or “evolving” threat actor. In its tracking system, the software giant has designated the Cobalt Strike infrastructure used for the ransomware attacks as DEV-0365.

Microsoft also considers later behavior, such as the delivery of the Conti ransomware, to be linked to it. According to the company, the Command-and-Control (C&C) servers, which are marketed to other hackers as an as-a-service offering, could be the source of the attack.

According to Microsoft, “Some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 was also involved in the delivery of BazaLoader and Trickbot payloads — an activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.”
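As an added illustration (not Microsoft's code or the article's), here is a defender-side Python check for the document structure these lures relied on: a Word file whose relationship part points an oleObject at an external mhtml:/http target instead of an object embedded in the package. The sample documents and the placeholder host are constructed, and the heuristic is an assumption about what to hunt for, not a query Microsoft published.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Heuristic (assumption): an embedded OLE object lives inside the package, so an
# oleObject relationship marked External with an mhtml:/http(s) target stands out.
EXTERNAL_SCHEME = re.compile(r"^(mhtml:|https?:)", re.IGNORECASE)

def scan_docx_relationships(docx_bytes):
    """Return (part, relationship id, target) for each externally linked oleObject."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry oleObject links
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External" and EXTERNAL_SCHEME.match(target):
                    findings.append((name, rel.get("Id"), target))
    return findings

def build_sample_docx(rels_xml):
    """Build a minimal docx-shaped zip around one relationships part (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed samples: an ordinary embedded OLE object, and one whose target is an
# external mhtml: URL (placeholder host, not a real indicator from the article).
RELS_HEAD = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
BENIGN_RELS = RELS_HEAD + f'<Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/></Relationships>'
SUSPICIOUS_RELS = RELS_HEAD + (
    f'<Relationship Id="rId5" Type="{OLE_REL}" TargetMode="External" '
    'Target="mhtml:http://lure.example.invalid/side.html!x-usc:http://lure.example.invalid/side.html"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx_relationships(build_sample_docx(rels)))
```

Running the script against a real mailbox or file-share capture means feeding each .docx's bytes to scan_docx_relationships and alerting on any non-empty result.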

Operators of the BazaLoader malware run call centers that use psychological manipulation to entice the targets who call in to download the malware onto their systems voluntarily.

One reason the hackers reach their victims so easily, without much persuasion, is that they do not include any harmful URLs in their phishing emails. With clean, harmless-looking links, the hackers can get past standard email-filtering controls and achieve their goal.
