
Israeli Hospitals Hit With Powerful Information-Stealing Cyber Attack

Posted: July 6, 2017

Phishing login credentials for popular email platforms is perhaps the simplest form of cybercrime. All the hacker needs is some social engineering to redirect users to a fake login form that looks like the real thing. At the other end of the spectrum, we've got sophisticated data-exfiltration campaigns targeted at big organizations that handle tons of sensitive information every day.

Two very different ways of doing bad things to people over the Internet. But can a simple phishing attack aimed at Yahoo! users lead to the compromise of personally identifiable information related to an unknown number of patients of Israeli hospitals? It would appear so.

Trend Micro's researchers have discovered a powerful information-stealing malware in the systems of healthcare organizations in Israel. The malware, which they track as Retadup, is communicating with a couple of domains that previously hosted Yahoo! phishing pages. While they can't definitively say whether there's a connection between the phishing attack and Retadup, the experts reckon that the domains might have served as Stage 1 of the whole operation. This, it must be said, wouldn't be too surprising. After all, other high-profile attacks, including last year's DNC leak, for example, have started with a humble phish.

While the initial infection vector might turn out to be simple, the Retadup malware certainly isn't. Its authors aren't satisfied with infecting a single computer in a whole hospital, which is why they've added a worm component. Unlike the ransomware worms we've seen over the last two months, Retadup doesn't seem to employ any advanced exploits like EternalBlue. Instead, it makes use of the folders that are shared between all endpoints on the network.

When Retadup is loaded, two files with identical names and different extensions are placed in the infected host's root directory (e.g. WinddowsUpdater.exe and WinddowsUpdater.zip). Then, the malware drops some LNK files (Windows shortcuts) into the shared folders. The shortcuts are disguised as links to software updates or to Downloads and Games folders. In reality, they launch a command that executes WinddowsUpdater.exe which, in turn, uses the eighteen-year-old AutoIt scripting language to execute WinddowsUpdater.zip. The ZIP isn't an archive. It's the data file that contains the actual payload.
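The three artifacts described above (a same-named .exe/.zip pair in a drive root, folder- or update-themed shortcuts on a network share, and an executable handed a same-named .zip as its script) can be hunted for with a simple inventory check. The script below is an added example, not code from Trend Micro or the article; the file paths, share name and the lure-name pattern are constructed assumptions, with only the WinddowsUpdater file names and the Downloads/Games/update lure themes taken from the text.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample inventory: an infected host's drive root plus a network share.
# Only the WinddowsUpdater names and the lure themes come from the article.
SAMPLE_FILES = [
    r"C:\WinddowsUpdater.exe",
    r"C:\WinddowsUpdater.zip",
    r"C:\Windows\System32\notepad.exe",
    r"\\fileserver\shared\Downloads.lnk",
    r"\\fileserver\shared\Games.lnk",
    r"\\fileserver\shared\Software Update.lnk",
    r"\\fileserver\shared\Q3 budget.xlsx",
    r"\\fileserver\shared\archive.zip",
]

# Shortcut names that mimic folders or software updates (assumed pattern).
LURE_NAMES = re.compile(r"^(downloads|games|.*update.*)\.lnk$", re.IGNORECASE)


def paired_exe_zip(paths):
    """Return folder\\stem for every .exe that has a same-named .zip beside it."""
    seen = {}
    for p in paths:
        w = PureWindowsPath(p)
        key = (str(w.parent).lower(), w.stem.lower())
        seen.setdefault(key, set()).add(w.suffix.lower())
    return sorted(str(PureWindowsPath(d).joinpath(s))
                  for (d, s), exts in seen.items() if {".exe", ".zip"} <= exts)


def lure_shortcuts(paths):
    """Return .lnk files on UNC shares whose names pose as folders or updates."""
    return sorted(p for p in paths
                  if p.startswith("\\\\") and LURE_NAMES.match(PureWindowsPath(p).name))


def suspicious_zip_launch(cmdline):
    """True if an .exe is launched with a same-named .zip among its arguments,
    matching the WinddowsUpdater.exe -> WinddowsUpdater.zip chain."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 2:
        return False
    exe = PureWindowsPath(tokens[0])
    if exe.suffix.lower() != ".exe":
        return False
    return any(PureWindowsPath(t).suffix.lower() == ".zip"
               and PureWindowsPath(t).stem.lower() == exe.stem.lower()
               for t in tokens[1:])
```

Feed `paired_exe_zip` and `lure_shortcuts` a real file listing and `suspicious_zip_launch` the command lines from process-creation logs; each hit is a lead, not a verdict, since legitimate installers occasionally ship paired .exe/.zip files.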

The code is heavily obfuscated and hidden under several layers of encryption. Trend Micro's researchers are still poking through it and are trying to make sense of what it does. They did manage to find out, however, that its operation starts by gathering some information about the machine. Then, Retadup proceeds to steal data from the victim's browser and record keystrokes.

Further information on the malware's functionality will hopefully come out in the coming days, but even if it's limited to what the researchers have uncovered so far, Retadup has the potential to collect quite a lot of sensitive data which, in turn, can be converted into a significant number of bitcoins on the Dark Web.
