The Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially, the malware campaign was focused on targets within Germany, but has since moved on to additional targets--excluding any IP address within Russia or North Korea.

As part of a rapid change in the work environment during the COVID-19 pandemic, Morphisec Labs has been tracking the change in the attack trend landscape. This has included the evolution of adware, PUA, and fraudulent software bundle delivery beyond a consumer problem into a significant attack vector on enterprise employees.

Google, SpaceX, and even NASA, recently banning employee use of Zoom as they shift to work-from-home workforces in response to COVID-19 have shined a spotlight on the widely popular video conferencing tool’s security flaws. While “ZoomBombing” trolls can certainly be embarrassing, those types of breaches are only a harbinger for more sophisticated ransomware, zero-day attacks, and malware that can be carried out targeting Zoom’s current weaknesses.

During the first week of March, Morphisec intercepted and prevented an advanced Lokibot delivery campaign on some of its customers in the financial sector. While Lokibot has been lately reported to be delivered via impersonation of a known game launcher, previously it was also delivered through advanced AutoIt obfuscated Frenchy shellcode.

Guloader is a downloader that has been widely used from December 2019. Several security researchers have identified the downloader in the wild, signifying that it has quickly gained popularity among threat actors. When it first appeared, GuLoader was used to download Parallax RAT, but has been applied to other remote access trojans and info-stealers such as Netwire, FormBook, and Tesla.

Malware authors worldwide have targeted the fear around COVID-19 as a way to further their goals. This isn’t really a new method of enticing people to download and run their malware; threat actors have always used disasters as a way to deliver their payloads. From that perspective, the COVID-19 pandemic is only the latest in a long line of disasters that threat actors--both financially motivated and state-sponsored--leverage to achieve their goals.

Following the increase in Parallax RAT campaigns -- the new RAT on the block, Morphisec Labs decided to release more technical details on some of the latest campaigns that the Morphisec Unified Threat Prevention Platform intercepted and prevented on our customer’s sites.