Cybercriminals are often able to pull off clever and complex scams without necessarily having to spend a lot of money. That’s because many of the tools they use are available on the Dark Web at bargain-basement prices. Aimed at business users, one new cyber-crime campaign called MasterMana Botnet has struck a chord for the way its perpetrators have used sophisticated methods at little cost, according to a report released Wednesday by Prevailion

SEE: SMB security pack: Policies to protect your business (TechRepublic Premium)

Taking off as early as December 2018, MasterMana Botnet seems to be financially motivated, according to Prevailion, as it has indiscriminately targeted business email addresses via phishing attacks with the intention of stealing information associated with cryptocurrency wallets. Apparently still active as of late September 2019, this botnet has been tagged by Prevailion as the work of the Gorgon Group, a well-known group that’s been around for many years and has conducted ongoing malware campaigns.

The sophistication of the botnet can be seen in the winding path it takes to carry out its attack. Unsuspecting victims open an infected file attachment delivered through a phishing email. In an attempt to catch business users, the attached files masquerade as Excel spreadsheets and possibly other Microsoft Office documents with names implying that they’re invoices or product requirements.

The botnet itself tries to avoid detection by using known third-party websites such as Bitly, Blogspot, and Pastebin, rather than domains set up by the perpetrators. Other methods, such as sandboxing, are also used to evade automatic security detection.

Opening the file attachment downloads a .NET dll to load a fileless backdoor, either a variant of Azorult or Revenge Rat. The Azorult trojan was specifically created to steal usernames, passwords, cookies, web history, and cryptocurrency wallets. It can also upload and download files and take screenshots of the victim’s computer, allowing the perpetrators to deploy more payloads such as cryptominers and ransomware.

In one case detected by Prevailion, an attached Excel spreadsheet would prompt the victim to enable a macro, which would then run a VBScript to connect to a Bitly link. The browser would then connect to a web page with code for malicious JavaScript. The attack would carry on through a VBScript that would create scheduled tasks on the infected computer and modify a registry key to get the next payload. Various Pastebin samples would also be downloaded to the machine. Ultimately, the trojan would harvest credentials on the victim’s computer, including email accounts, messaging programs, Web cookies, browser history, and cryptocurrency wallets.

The other prominent factor of MasterMana is the low cost incurred by its perpetrators, showing that cyberattacks can been carried out cheaply. The perpetrators have used free Web email accounts to send their emails and malicious file attachments. The link contained in the attachment resolved to a free Google-hosted Blogspot site, which then redirects to different Pastebin sites. The Revenge Rate trojan could be found online for free through the week of September 15, according to Prevailion, after which time the perpetrators switched to Azorult, which previously sold at certain forums for just $100.

How many people or machines have been affected by MasterMana? Prevailion found that the URL hosting the Revenge Rat sample had been viewed over 3,300 times, suggesting that 3,300 machines were infected. However, the number could be much lower assuming many of those machines had antivirus protection in place.

“This particular campaign highlights the asymmetric nature of these threats,” Prevailion said in its report. “As companies increasingly spend more money on security solutions, threat actors are able to operate on shoestring budgets. In this case, the threat actors struck a perfect balance: sophisticated enough to avoid automated detection through third-party services and obfuscation while remaining below APT-level sophistication to avoid drawing attention to their campaign.”

How can organizations protect themselves against botnet campaigns like MasterMana? In light of the sophistication of the attack, businesses must employ a multi-layered defense.

“We recommend a defense-in-depth strategy with multiple security solutions including properly configured firewalls, email protection, and end-point antivirus solutions,” Prevailion said in its report. “While the infection mechanism relied upon semi-trusted third party sites, the use of commonly available backdoors made this attack easy to stop for updated and properly-configured endpoint solutions.”

Danny Adamitis, Director of Intelligence Analysis for Prevailion, expanded on the advice for organizations.

“There are really two layers to how organizations can/should defend against this,” Adamitis said. “In terms of their own security infrastructure, in order to curtail this particular botnet, we recommend that businesses have an end-point antivirus solution that is properly configured and has up to date signatures. Since the trojan used in this campaign was potentially purchased on the cybercrime forums, it was being flagged as malicious by a high number of AV vendors. Outside of that, businesses really need to ensure they have full visibility into their third party ecosystems, since that is where many of the greatest issues in the threat landscape exist.”


Image: Getty Images/iStockphoto