Webflow Leveraged to Deceive Users into Sharing Credentials
Cyber security researchers have warned of a spike in the creation and popularity of phishing pages using a website creation tool known as Webflow, while threat actors abuse legitimate services such as Microsoft Sway and Cloudflare to their advantage.
The campaigns aim to harvest sensitive information, such as login credentials for various cryptocurrency wallets, along with credentials for webmail platforms and Microsoft 365, according to a researcher at Netskope Threat Labs. The cyber security company stated that it has tracked a 10-times increase in traffic to phishing pages crafted using Webflow between April and September 2024. These campaigns targeted more than 120 organisations worldwide, most of them located in the United States and Asia and concentrated in the financial and technology sectors.
The actors have been seen using Webflow to create standalone phishing pages as well as pages which will redirect users to other phishing sites under their control. Using standalone pages allows attackers to remain under the radar and keep the attacks simple, while the redirects provide the attacker with increased flexibility when attempting to perform more complex actions in their attacks.
Webflow is very attractive to threat actors when compared to other website creators, as it allows users to create custom subdomains without incurring an additional cost. This allows threat actors to create subdomains that mimic legitimate login pages at minimal cost while still looking as legitimate as possible.
Netskope stated that it has also observed cryptocurrency scam pages built with Webflow that display a screenshot of a legitimate crypto-wallet homepage to lend the site an air of legitimacy; clicking anywhere on the fake page redirects the user to the threat actor’s own page, which harvests their credentials. The end goal of the crypto-phishing campaign is to steal the victim’s seed phrases, allowing the attackers to hijack control of the cryptocurrency wallets and drain funds.
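The two Webflow patterns described above (free subdomains named to imitate a brand or login portal, and Webflow pages that immediately redirect off-platform to a credential-harvesting site) are both visible in web-proxy logs. The following is an added detection example written for this page; it is not Netskope's or Webflow's code. It assumes that free Webflow sites are served from hostnames under webflow.io, and the brand watch list, login keywords and proxy log lines are constructed samples.

```python
"""Flag proxy-log requests to Webflow-hosted subdomains that imitate a brand or
login portal, or that redirect the user off-platform.
Assumptions (not from the article): free Webflow sites live under *.webflow.io;
the brand list, keyword list and log lines below are constructed samples."""
import re
from urllib.parse import urlsplit

WEBFLOW_SUFFIX = ".webflow.io"
# constructed watch lists: brands this organisation cares about, and words that
# rarely appear in a legitimate personal/portfolio Webflow site name
WATCHED_BRANDS = ("microsoft", "office365", "metamask", "coinbase", "outlook")
LOGIN_KEYWORDS = ("login", "signin", "sign-in", "verify", "wallet", "secure", "auth", "account")

# constructed proxy log: timestamp src method url status redirect-location ("-" if none)
SAMPLE_LOG = """\
2024-09-12T10:14:03Z 10.0.0.5 GET https://docs.example.com/handbook 200 -
2024-09-12T10:14:09Z 10.0.0.5 GET https://office365-secure-login.webflow.io/ 200 -
2024-09-12T10:15:22Z 10.0.0.7 GET https://m1crosoft-verify.webflow.io/start 302 https://harvest.example.net/login
2024-09-12T10:16:40Z 10.0.0.9 GET https://team-portfolio.webflow.io/ 200 -
""".splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)


def normalise_label(label):
    """Undo common digit-for-letter substitutions and separators so that
    'm1crosoft-verify' compares equal to 'microsoftverify'."""
    table = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                           "7": "t", "-": "", "_": ""})
    return label.lower().translate(table)


def classify_host(host):
    """Return the reasons a hostname looks like a Webflow-hosted phishing page
    (empty list if it is not on Webflow or shows no suspicious naming)."""
    host = host.lower().rstrip(".")
    if not host.endswith(WEBFLOW_SUFFIX):
        return []
    sub = host[: -len(WEBFLOW_SUFFIX)]
    norm = normalise_label(sub)
    reasons = []
    for brand in WATCHED_BRANDS:
        # normalise both sides so 'office365' still matches its own digits
        if normalise_label(brand) in norm:
            reasons.append(f"brand lookalike:{brand}")
    for kw in LOGIN_KEYWORDS:
        # match on the raw label so hyphenated forms like 'sign-in' are kept
        if kw in sub:
            reasons.append(f"login keyword:{kw}")
    return reasons


def scan_log(lines):
    """Parse proxy log lines and return one hit per suspicious request, adding
    an extra reason when a Webflow page redirects to a non-Webflow host."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m["url"]).hostname or ""
        reasons = classify_host(host)
        if m["status"].startswith("3") and m["location"] != "-":
            dest = urlsplit(m["location"]).hostname or ""
            if host.endswith(WEBFLOW_SUFFIX) and not dest.endswith(WEBFLOW_SUFFIX):
                reasons.append(f"redirect off-platform:{dest}")
        if reasons:
            hits.append({"src": m["src"], "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["host"], ", ".join(hit["reasons"]))
```

The normalisation step is deliberately crude: it catches the digit substitutions that are cheap for an attacker to register, and the keyword list is the part a defender tunes to their own brand. A hit should feed a review queue rather than a block, since legitimate Webflow customers use the same platform.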
The Human Risk Management service from NormCyber can educate users on how to spot a likely malicious email. With this education, users will be more aware of the tactics used by attackers and better placed to exercise caution when clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding, and never to grant remote access to your device.
New Qilin.B Ransomware Variant Observed in the Wild
Cyber security researchers have observed an advanced version of the Qilin ransomware in the wild, sporting a whole host of new features including heightened sophistication and tactics to evade detection. The new variant has been observed by cyber security firm Halcyon and nicknamed “Qilin.B”.
The new variant supports AES-256-CTR encryption on systems with AES-NI capabilities, while still using ChaCha20 on systems that lack them. The latest variant is now able to use RSA-4096 with OAEP padding to safeguard the encryption key, which makes file decryption without the attacker’s private key impossible.
Qilin first came to the attention of the cyber security community in July/August 2022, with initial versions written in Golang before switching to Rust. A report published in May 2023 by Group-IB, which infiltrated the group and managed to strike up a conversation with a Qilin recruiter, revealed that the ransomware-as-a-service (RaaS) scheme allows its affiliates to keep anywhere between 80% and 85% of each ransom payment.
Samples of Qilin.B analysed by Halcyon show that it builds on the older versions of Qilin, implementing better encryption capabilities and improvements to operational tactics. This can be seen in its use of AES-256-CTR and its ability to terminate processes associated with security tools, continuously clear Windows event logs, and even delete itself from the infected host. It also packs in features to kill processes linked to backup and virtualisation services like Veeam, SQL, and SAP, and to delete volume shadow copies, thereby complicating recovery efforts.
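The operational behaviours listed above (clearing Windows event logs, deleting volume shadow copies, and killing backup-related processes) each leave a trace in the Windows event log, and seeing several of them on one host within a few minutes is a much stronger signal than any one alone. The following is an added correlation example written for this page; it is not Halcyon's code and does not reflect Qilin.B internals. It relies on the standard Windows event IDs Security 1102 (audit log cleared), System 104 (log cleared) and Security 4688 (process creation); the command-line patterns are the widely published indicators for these behaviours, and the event records are constructed samples.

```python
"""Correlate Windows event-log records for the recovery-sabotage behaviours the
article attributes to Qilin.B. Added example, not Halcyon's code.
Event IDs: Security 1102 = audit log cleared, System 104 = log cleared,
Security 4688 = process creation (command line included when auditing is on).
The records in SAMPLE_EVENTS are constructed."""
import re
from datetime import datetime, timedelta

LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# published command-line indicators for each behaviour (case-insensitive)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
LOG_CLEAR_CMD = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
BACKUP_PROCESS_KILL = re.compile(
    r"taskkill(?:\.exe)?\s+.*?/im\s+(?:veeam|sql|sap)\S*", re.I)

# constructed sample records: one host showing the full sequence, one showing a
# single log clear hours after an unrelated process start
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 10, 1, 2, 0, 5), "host": "FS01", "channel": "Security",
     "event_id": 4688, "command": r"C:\Windows\System32\taskkill.exe /F /IM VeeamBackupSvc.exe"},
    {"ts": datetime(2024, 10, 1, 2, 1, 12), "host": "FS01", "channel": "Security",
     "event_id": 4688, "command": "vssadmin.exe delete shadows"},
    {"ts": datetime(2024, 10, 1, 2, 2, 40), "host": "FS01", "channel": "Security",
     "event_id": 1102, "command": ""},
    {"ts": datetime(2024, 10, 1, 9, 30, 0), "host": "WS22", "channel": "Security",
     "event_id": 4688, "command": r"C:\Windows\System32\notepad.exe"},
    {"ts": datetime(2024, 10, 1, 14, 5, 0), "host": "WS22", "channel": "System",
     "event_id": 104, "command": ""},
]


def tag_record(rec):
    """Return the behaviour tags a single event record matches (possibly none)."""
    tags = []
    if (rec["channel"], rec["event_id"]) in LOG_CLEARED_EVENTS:
        tags.append("event-log-cleared")
    if rec["event_id"] == 4688:
        cmd = rec.get("command", "")
        if SHADOW_DELETE.search(cmd):
            tags.append("shadow-copy-deletion")
        if LOG_CLEAR_CMD.search(cmd):
            tags.append("event-log-cleared")
        if BACKUP_PROCESS_KILL.search(cmd):
            tags.append("backup-process-kill")
    return tags


def correlate(records, window=timedelta(minutes=10)):
    """Group tagged events per host and rate severity by how many distinct
    behaviours fall inside any sliding window of the given length."""
    per_host = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        tags = tag_record(rec)
        if tags:
            per_host.setdefault(rec["host"], []).append((rec["ts"], tags))
    alerts = []
    for host, events in per_host.items():
        best = set()
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, tags in events[i:]:
                if ts - start > window:
                    break
                seen.update(tags)
            if len(seen) > len(best):
                best = seen
        severity = "high" if len(best) >= 2 else "medium"
        alerts.append({"host": host, "behaviours": sorted(best), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], ", ".join(alert["behaviours"]))
```

A single log clear or shadow-copy deletion is noisy on its own (administrators do both), which is why the sliding window promotes severity only when two or more distinct behaviours cluster on one host; the window length is a tuning knob, not a fixed property of the malware.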
According to data shared by Microsoft, 389 U.S. healthcare institutions were hit by ransomware attacks this fiscal year, costing them up to $900,000 per day due to downtime. This statistic highlights just how dangerous ransomware can be to organisations, and how important it is to ensure that the risk of ransomware is mitigated to the highest degree.
Protect Yourself from WarmCookie: A Guide to Staying Safe Online
A New Threat Emerges
A new malware threat, dubbed “WarmCookie,” has emerged, targeting unsuspecting users with malicious links. This insidious malware leverages a sophisticated technique to bypass traditional security measures and infect vulnerable systems.
How WarmCookie Works
WarmCookie operates by delivering malicious links through various channels, including phishing emails, social media messages, and compromised websites. When a user clicks on one of these links, they are redirected to a compromised website that silently installs the malware onto their device.
Once installed, WarmCookie can perform a variety of malicious activities, such as:
Data Theft: Stealing sensitive information, including login credentials, financial data, and personal documents.
System Compromise: Gaining unauthorised access to the infected device and potentially spreading to other devices on the same network.
Botnet Participation: Enrolling the device into a botnet, which can be used to launch large-scale cyber attacks.
Cryptojacking: Using the device’s processing power to mine cryptocurrency without the user’s knowledge or consent.
Protecting Yourself from WarmCookie
To safeguard yourself from WarmCookie and other similar threats, follow these best practices:
Exercise Caution with Links: Be wary of unsolicited emails, messages, and links, especially those from unknown sources.
Keep Software Updated: Regularly update your operating system, web browser, and security software to the latest versions.
Use a Reliable Antivirus Solution: A robust antivirus program can help detect and block malicious software.
Enable Two-Factor Authentication: This extra layer of security can protect your accounts, even if your password is compromised.
Be Mindful of Phishing Attempts: Be cautious of phishing emails that may appear legitimate but contain malicious links or attachments.
Educate Yourself: Stay informed about the latest cyber threats and security best practices.
By following these guidelines, you can significantly reduce your risk of falling victim to WarmCookie and other cyber attacks.