Attackers recently compromised dozens of US newspaper websites belonging to the same parent company and used the sites to distribute malicious code for downloading ransomware on networks belonging to targeted organizations across multiple sectors.
Several major US organizations that were recently found infected with the malware appear to have been initially compromised when their employees visited one of the news websites, Symantec said.
Among the Symantec customers impacted in the campaign are 11 publicly listed organizations, including eight in the Fortune 500 list. A plurality of the victims are in the manufacturing sector, though organizations from other industries were hit as well, including financial services, healthcare, energy, and transportation. In each case, the attacks were detected and stopped before the ransomware deployed.
Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. "The end goal of these attacks is to cripple the victim's IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom," the vendor said in its report last week.
Evil Corp. is a well-known threat actor believed responsible for attacks — including those associated with Dridex and Zeus ransomware samples — that have cumulatively cost victims hundreds of millions of dollars in damages. A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large — one of them with a $5 million US reward on his head.
In its initial report (updated this week), Symantec said its researchers had discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites.
According to the vendor, its continuing investigation of the campaign showed dozens of the compromised websites were actually news sites belonging to one parent company. Symantec notified the organization of the issue, and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.
The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware, to communicate with command-and-control servers, and to move laterally on infected networks.
The tools being used in the campaign include PowerShell scripts, the PsExec Windows Sysinternals tool, and the Windows Management Instrumentation Command Line Utility (wmic.exe), which is being used to disable real-time monitoring and scanning of downloaded files. In many of the attacks, the threat actors have attempted to disable Windows Defender and associated services before deploying the ransomware.
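The pre-deployment pattern described above (built-in tools such as wmic.exe and PowerShell turning off Defender real-time monitoring, and PsExec moving between hosts) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from Symantec, NCC Group, or the article: it scans constructed process-creation events for Defender tampering and PsExec activity and escalates hosts where both appear. The indicator strings, field names, and sample events are assumptions chosen for illustration, not indicators published in the reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (assumed schema, e.g. from Sysmon/EDR)."""
    host: str
    parent: str        # parent image file name, lower case
    image: str         # created image file name, lower case
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    command_line: str


# Assumed indicator set: command-line fragments that change Defender
# configuration or stop its services. Extend it from your own telemetry.
DEFENDER_TAMPER_PATTERNS = [
    re.compile(r"disable(realtimemonitoring|ioavprotection|behaviormonitoring)", re.I),
    re.compile(r"root\\microsoft\\windows\\defender", re.I),   # Defender WMI namespace
    re.compile(r"set-mppreference", re.I),                      # Defender PowerShell cmdlet
    re.compile(r'\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+"?(windefend|wdnissvc|sense)\b', re.I),
]
# Built-in administration tools the article names as abused; only these get the tamper check,
# which keeps legitimate security-product installers with similar strings from alerting.
ADMIN_TOOLS = {"wmic.exe", "powershell.exe", "pwsh.exe", "sc.exe", "net.exe", "cmd.exe"}
# PsExec client binaries and the service executable it installs on the remote host.
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def classify(event: ProcessEvent) -> list:
    """Return the names of every rule that matches one event."""
    hits = []
    if event.image in ADMIN_TOOLS and any(p.search(event.command_line) for p in DEFENDER_TAMPER_PATTERNS):
        hits.append("defender_tampering")
    if event.image in PSEXEC_IMAGES or event.parent in PSEXEC_IMAGES:
        hits.append("psexec_lateral_movement")
    return hits


def scan(events) -> list:
    """Run every rule over every event and return one Alert per (event, rule) match."""
    return [Alert(e.host, rule, e.command_line) for e in events for rule in classify(e)]


def hosts_with_precursor_chain(alerts) -> list:
    """Hosts on which both tampering and PsExec were seen: the combination the
    article describes happening before encryption, so it is worth escalating early."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    wanted = {"defender_tampering", "psexec_lateral_movement"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "cmd.exe", "wmic.exe",
                 r"wmic.exe /namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference "
                 r"call Set DisableRealtimeMonitoring=True"),
    ProcessEvent("WS01", "services.exe", "psexesvc.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("WS02", "explorer.exe", "powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),          # benign admin script
    ProcessEvent("SRV01", "cmd.exe", "sc.exe", "sc stop WinDefend"),
    ProcessEvent("WS03", "cmd.exe", "wmic.exe", "wmic os get caption"),     # benign wmic use
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:6} {a.rule:26} {a.command_line}")
    print("escalate:", hosts_with_precursor_chain(found))
```

The per-host correlation is the useful part: a single Defender configuration change can be legitimate administration, but the same host also receiving a PsExec service in a short window matches the staging the reports describe and justifies isolating the host before any encryption starts. In production, pull the events from your EDR or Sysmon pipeline instead of SAMPLE_EVENTS and add a time window to the correlation.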