Remote Work Cybersecurity Report, April 30, 2022

If there were a theme for this week, it would be trojans, malware, and mischief. Evil lurks in unwanted packages and links.

You’ve got malware!

Those who live the digital nomad lifestyle, seeking remote work, means relying on email, paperless documentation, and emerging cryptocurrencies and the NFT market. We lean on our software tools for physical and financial flexibility. The independence we strive to maintain is a weakness for threat actors to exploit.

For example, North Korean Hackers Target Journalists with GOLDBACKDOOR Malware (thehackernews.com). While journalists writing about North Korea may be specific, targeting groups by employment, software, region, or behavior is a recurring element for bad actors.

Be aware of your email. Look at links. Do you trust the attached OneNote link location? Is the DocuSign URL a bit odd? Is there something fishy in the offer? If it doesn’t smell right, don’t bite the hook.

Emotet Botnet and Trojan Targeting Windows Platforms

Phishing, Trojan
Emotet Tests New Delivery Techniques | Proofpoint US

Everyone is at risk to the social engineering tricks threat actors use. One group, referred to as TA542, is associated with the use of Emotet, a botnet and trojan leveraged against Windows devices. TA542 activity diminished after law enforcement seized computing equipment and arrested hackers thought involved with Emotet. At the end of 2021, activity resumed with a modified tactics, techniques, and procedures (TTP).

Digital nomads and those looking for gig-work or side-hustles should be wary of tricks used by threat actors. TA542 shifted its approach with Emotet possibly in response to Microsoft changing the Office settings for VBA macros. I see this as a form of A-B testing. Trying multiple techniques, A vs B, and seeing which is more fruitful. As bad actors explore novel approaches, work from home or remote working professionals, especially those without corporate IT support, will see and can fall victim to new phishing attempts.

“Proofpoint researchers assess that while on the break, TA542 continued development and testing of new attack vectors, specifically OneDrive URLs and XLL files, in preparation for using them on a wider scale. Alternatively, these new TTPs may indicate that TA542 may now be engaged in more selective and limited scale attacks in parallel to the typical mass scale email campaigns.”Proofpoint

Recommendations and References:

Be wary of attachments and links in emails and on websites. Emails with enticing subjects like “Salary”, “Benefit Package”, or other work-related topics leverage our employments desires.

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default (thehackernews.com)
Emotet Botnet’s Latest Resurgence Spreads to Over 100,000 Computers (thehackernews.com)


Everscale (Ever Surf) Wallet

Critical Bug
Check Point Research detects vulnerability in the Everscale blockchain wallet, preventing cryptocurrency theft – Check Point Research

Digital currencies continue to gain popularity and utility. The development and growth of Non-Fungible Tokens (NFT) alongside cryptocurrency platforms partner well as sources of income and financial flexibility to the digital nomad.

Blockchain transactions are irreversible. Once a transfer is complete, there is no means to dispute, block, or stop payment. If a bad actor compromises your crypto-wallet keys and transfers your digital assets, you will be without means or recourse.

Software is always at risk of exploits and defects. Everscale’s critical defect in its web application, now deprecated, allowed attackers to gain full control of a user’s wallet.

In this case since the browser-based software runs client-side (on the user’s computer), and the browser’s local storage contain the wallet keys, they are programmatically accessible with browser executed scripts.

“This means that a human with physical access to the computer or any application or malware such as an infostealer can obtain this data. In addition, localStorage can be accessed by a browser extension, which can then leak the stored data.”Check Point

While Everscale closed the exploit quickly, it serves as a warning.

Recommendations and References:

Ever Surf — A Blockchain Browser and Also a Wallet | by John Everscale | Apr, 2022 | Everscale
Everscale

“Do not follow suspicious links especially if they received from strangers.
Keep your OS and anti-virus software updated.
Do not download software and browser extensions from unverified sources.”Check Point


Threat Actors with New Bumblebee Malware

Malware, Email Phishing
This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming | Proofpoint US

I lived on the road, working from an RV, for over two years. I favor the paperless freedom companies like DocuSign makes possible. As a digital nomad, emails with links to electronic documents and processes are commonplace. While I still have my trusty HP DeskJet 1112, I loathe being forced to print, sign, scan, then finally email (or worse, fax or stamp and mail) documents.

  • Side note: The HP no longer makes the DeskJet 1112. Amazon’s listing price now is 10-times what I originally paid. I am not trying to hock the product, only link for reference. I would purchase a similar new model if forces to purchase a new printer. Back to malware and how it impacts a remote worker…

Bumblebee exploits the well-known DocuSign name to lure you into downloading a package of evil. It is a tempting bait to swallow for someone hungry for a remote job.

URLs and HTML Attachments Leading to Bumblebee
In March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file. The first path began with the recipient clicking on the “REVIEW THE DOCUMENT” hyperlink in the body of the email. Once clicked, this would link the user to the download of a zipped ISO file, hosted on OneDrive.”Proofpoint

Recommendations and References:

For malware detection and removal, consider using Windows Defender Offline, Microsoft Safety Scanner, or other trusted anti-malware tools.