Threat Management, Malware, Network Security, Ransomware

ElTest campaign switches payload from ransomware to RAT

A social engineering scam orchestrated by the ElTest hacking group just had its final payload switched from ransomware to a remote access trojan, indicating a possible change in motive, researchers at Palo Alto Networks have reported.

According to a Friday blog post from Palo Alto's Unit 42 threat research team, the malicious campaign was updated in late August to distribute a downloader that installs the commercially available NetSupportManager RAT. Since January 2017, the ElTest scheme had been infecting victims primarily with ransomware such as Spora and Mole, the report continues.

The campaign, which began in December 2016 involves compromising websites to display a fraudulent message urging Google Chrome browser users to update their font package because the "HoeflerText" font wasn't found. Clicking the message's update button downloads the malware.

This particular scam only targets Chrome users. On the other hand, Internet Explorer users who visit these same compromised sites will instead receive a fake anti-virus alert, along with a phone number for a tech support scam.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related

Ransomware
Malvertising leveraged to distribute Cactus ransomware

Malvertising schemes have been used by the Storm-0216 threat operation, also known as UNC2198 and Twisted Spider, to deploy the Danabot malware to achieve initial systems access before proceeding with the distribution of Cactus ransomware since last month, reports The Record, a news site by cybersecurity firm Recorded Future.

AI benefits/risks
Exposed Hugging Face API tokens could compromise major orgs

SecurityWeek reports that more than 700 organizations deploying artificial intelligence tools, including Microsoft, Google, and VMware, could have had their accounts compromised due to the 1,681 valid Hugging Face tokens enabling large language model integration and Hugging Face repository management, which have been exposed on Hugging Face and GiHub.

Related Events

  • Cybercast
    Real-world Insights from a Sophos Threat Analyst: It’s Great You Have a Firewall, But Here’s Why You Shouldn’t Skip Over MDR

    On-Demand Event

  • Cybercast
    Revolutionizing the essentials: Friction-minimizing approaches to overcoming advanced account takeover (ATO)

    On-Demand Event

  • Cybercast
    Evening the Odds Against Overpowered Cyber Adversaries: A Business Impact Analysis

    On-Demand Event

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.