Since the outbreak of COVID-19, we’ve seen a wave of social engineering attacks abusing the sensitive situation in order to create infections all over the world. We’re seeing attackers focusing more on info-stealing malware and less on communications malware. In many cases, we waited to see a second stage; instead, we bumped into hit-and-runs. Frequently, users are left with few to no IOCs, so they never even realize their details have been snatched.
The stealer can come from any dubious source, and because it can constantly change communication channels to exfiltrate the data, it can evade AV detection. The number of suspicion-arousing actions in these cases is very small, and the attack takes a very short time. The malware author doesn't have to worry about hiding the malware for a long period - it just needs to get through the door undetected, and leave.
Take, for example, the famous COVID-19 map infostealer virus that weaponized coronavirus map applications in order to steal credentials such as usernames, passwords, credit card numbers and other sensitive information that is stored in users’ browsers. Attackers can use this information for many other operations, for example selling it on the deep web or gaining access to bank accounts or social media.
In this presentation, we will talk about the different info stealers that we have seen and the different social engineering campaigns that were very smart and creative. We will demonstrate that today’s attackers are aiming to create malware quickly in order to seize opportunities. We will also focus on how attackers are using different living-off-the-land binaries in order to achieve higher privileges that allow them to extract more information from the victim machine. We will demonstrate some of the techniques by examining the TroyStealer virus.