Threat of the Week: sLoad/Ramnit and Flazio Hosted Credential Harvesting

August 03, 2018
Neil Glick

Each week we host a Threat of the Week webinar featuring a high-level look at interesting threats to help security teams navigate the attack landscape. Last week we explored the SecurityXploded Toolkit and phishing of Microsoft SharePoint. This week, we focus on sLoad/Ramnit and Flazio Hosted Credential Harvesting.

Our first malware campaign is called sLoad/Ramnit. sLoad is a downloader, first observed in May, while Ramnit is a banking Trojan that has been circulating in various forms since 2010. This particular attack chain begins with a targeted email which leads victims to a compressed file containing a malicious link or an attached .lnk (Windows shortcut) file.

If the link is executed, a PowerShell script will install sLoad, which then leads to the installation of Ramnit. Ramnit continues the attack chain by injecting code into banking sites visited by the victim. These “web injects” allow the threat actor to steal banking credentials as victims interact with the real banking website, modified in their browser by the malware. The victim is completely unaware that the threat actor is collecting their credentials for future use or to sell on the black market.
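The delivery stage described above, a compressed file carrying a .lnk shortcut, is something a mail gateway or triage script can flag before any PowerShell ever runs. The following is an added example written for this post, not code from the webinar or the researchers behind it: it inspects an archive's members, recognises shortcuts by extension or by the Windows ShellLink header, and recurses into nested archives. The archive contents and file names are constructed for the demo.

```python
import io
import zipfile

# First 8 bytes of a Windows ShellLink (.lnk) file: HeaderSize 0x4C followed by
# the start of the ShellLink CLSID. Lets us catch shortcuts renamed to .txt/.pdf.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"
MAX_DEPTH = 3  # how many layers of nested zip to look inside


def build_sample_archive() -> bytes:
    """Constructed sample: decoy document, double-extension shortcut,
    a shortcut with a harmless-looking extension, and a nested archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_July.pdf", b"%PDF-1.4 decoy content")
        zf.writestr("Invoice_July.PDF.lnk", LNK_MAGIC + b"\x00" * 16)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 16)
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("scan.lnk", LNK_MAGIC + b"\x00" * 16)
        zf.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()


def find_shortcut_members(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return paths of archive members that are Windows shortcuts, judged by
    .lnk extension or by the ShellLink header; nested zips are searched too."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to inspect here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            if name.endswith(".lnk") or head == LNK_MAGIC:
                hits.append(path)
            elif name.endswith(".zip"):
                hits.extend(find_shortcut_members(zf.read(info), path + "/", depth + 1))
    return hits


if __name__ == "__main__":
    print(find_shortcut_members(build_sample_archive()))
```

A gateway rule that quarantines any archive for which this returns a non-empty list blocks the first step of the chain without having to know anything about sLoad or Ramnit themselves.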

Next, we explore a phishing scam called Flazio Hosted Credential Harvesting. With this phishing campaign, threat actors can create and upload their own fake templates. The templates are typically some form of Outlook Web Access (OWA) used to convince victims that the site they are visiting is their email login.

The templates may look different, but the outcome is the same: stolen credentials. Once credentials are collected, they are used or sold on the black market.

Learn more about these threats and how to best combat them by listening to the full webinar here.