Executive Summary
In October 2021, Avertium’s Cyber Threat Intelligence Team published a Threat Intelligence Report regarding the healthcare industry and why the industry is constantly at risk for security incidents. The industry is two to three times more likely to be a target for cybercrime than any other industry. One of the ways the industry is currently being attacked is via callback phishing – an attack vector used by Quantum and Ryuk ransomware gangs.
During the second quarter of the year, Agari published a cyber threat intelligence report regarding phishing attacks. The report stated that although phishing volumes have increased by 6% compared to the first quarter of the year, hybrid vishing has seen massive growth at 625%. This indicates that threat actors are moving away from relying solely on traditional phishing to breach networks and are moving toward a hybrid approach.
Threat actors such as Quantum and Ryuk have used callback phishing to impersonate countless companies. Let’s take a look at callback phishing, the threat actors who use the attack vector, and why organizations everywhere need to be on high alert.
Callback phishing is a type of phishing attack that impersonates a business. The attack starts off as a phishing email, typically claiming that the victim needs to renew a subscription or pay a bill for a service that they did not purchase. The email contains a “customer service” phone number with direction to call if the victim has questions and concerns.
What the victim does not know is that the email is a phishing email and once they dial the customer service number, there is a threat actor who picks up. The attacker then attempts to collect confidential information to validate the “transaction”. The information collected is sensitive and primarily includes credit card and bank account information. After the attacker gets the information they need, the call ends, and the victim’s accounts are compromised.
What makes this attack unique is that callback phishing emails can bypass email filters because they don’t include malicious links or attachments with malware. Instead, the phishing attacks are heavily focused on social engineering. This means that because email filters generally won’t catch the phishing attempt, it is up to the user to be able to spot the warning signs.
In June 2022, the Conti ransomware gang shut down their operations. However, this was not the end of Conti, and it was confirmed by Avertium’s technology partner, AdvIntel, that in August 2022 the gang splintered into smaller groups on their own. At least three of those groups (Quantum, Silent Ransom, and Roy/Zeon) have been observed using BazarCall, also known as callback phishing. According to AdvIntel, when Conti dissolved, members of the group decided to distance themselves from the toxic Conti brand. The two largest divisions of Conti created their own collectives – Team Two created the current version of Quantum, while Team One created Roy/Zeon.
The attack vector allowed the original Conti to deploy highly targeted attacks that were difficult to detect due to the social engineering aspect of the attack. In 2021, the Ryuk ransomware gang also used callback phishing in their ransomware operation. Ryuk was later rebranded into Conti; therefore, it makes sense that other groups associated with the threat actor are using callback phishing now.
The Ryuk ransomware gang was known for exploiting two vulnerabilities to increase their permissions on compromised machines:
Ryuk was a veteran ransomware gang that had been in the ransomware business for several years. They were estimated to have collected at least $150 million in ransom payments – one victim paying $34 million to restore their system. Ryuk ransomware has been used by a group called “Wizard Spider”. This group uses several other tools, including a tool called Trickbot. We were unable to find a Ryuk sample; however, Avertium’s Cyber Threat Intelligence team (CTI) was able to find a Trickbot sample.
Image 1: Ryuk - Trickbot Sample
Source: Avertium's Cyber Threat Intelligence Team
If we decompile this binary, we find a few more API calls and functions that might indicate functionality. There are functions for creating a timer and deleting a timer, which can also be used to evade detection or frustrate malware analysts.
Image 2: Ryuk Function Calls
Source: Avertium's Cyber Threat Intelligence Team
As previously stated, Avertium published a Threat Intelligence Report featuring Quantum ransomware and their use of BazarCall, which they were calling Jormungandr (which means Midgard Serpent or World Serpent in Norse Mythology). Quantum’s Jormungandr campaign is a major development that Quantum has been preparing for since June 2022. The phishing campaign is a derivative of BazarCall, and initial access is achieved by utilizing IcedID for reconnaissance tasks, as well as persistence. The DFIR Report published a case summary in April 2022 that showed the threat actors entering a victim’s network when a user endpoint was compromised by an IcedID payload contained within an ISO image, likely delivered via email.
AdvIntel confirmed that Quantum was the main Conti subdivision (Team Two) and was responsible for breaching the Costa Rica government – a feat they accomplished before they “shut down”. If you recall, Costa Rica had to issue a state of emergency as a result of Conti’s attack. When Quantum initially emerged in September 2021, they were actually a rebrand of MountLocker – a group that was responsible for attacking biotech companies.
In order for Quantum’s callback phishing to be a success, they impersonate well-known brands. Those brands included Gobble, Oracle, HelloFresh, Luchechko Mortgage Team, the US Equal Opportunity Employment Commission, and Crowdstrike. When they impersonated these brands, they first sent an email encouraging recipients to call a number for further clarification.
CrowdStrike, a well-known cybersecurity company, was impersonated by Quantum in July 2022 when the attackers sent a professional email targeting the company’s employees. The email stated that a network compromise was identified during their routine audit, and they needed to call a number to discuss the situation and provide additional information. Again, the email didn’t contain any malicious links, making it unlikely to be flagged by anti-phishing security solutions.
The attackers used social engineering to guide the employees into installing remote administration tools (RATs) that allowed Quantum to take control of their workstations. From there, the threat actors were able to remotely install additional tools that allowed them to move laterally through the network, deploy more ransomware, and steal data. As a result of Quantum’s attack, CrowdStrike had to notify the public and stated that the attack would likely lead to a ransomware attack. At the time, it was the first identified callback campaign that impersonated a cybersecurity company.
CrowdStrike stated in their notice to customers that the company identified a similar callback campaign in March 2022 where threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and to deploy additional malware.
Avertium’s CTI team analyzed a Quantum ransomware sample. The team was only able to find one sample related to Quantum ransomware, and the sample contained only the DLL. This is one of many factors that make this malware a bit harder to analyze. Without more context regarding the execution of the binary, it becomes much more difficult to replicate the conditions in which this program was designed to execute.
The typical methods of execution did not result in successful encryption of the CTI team’s test machine. This could be due to additional functionality built into the program that causes it to fail if it detects that it is running in a virtual environment.
Despite these difficulties, we can still glean some interesting information through static analysis. We can confirm that this is an executable Windows DLL, and was compiled in late November of 2021.
Image 3: Quantum File Type Analysis
Source: Avertium's Cyber Threat Intelligence Team
Image 4: Quantum Executable Header Information
Source: Avertium's Cyber Threat Intelligence Team
We can also see some of the API calls that this program makes, which gives at least some indication of its functionality. For instance, it calls “LoadLibraryA”. This is used to load a specified module into the address space of the calling process and can be used by the malware to avoid detection or for injection into a different process.
Image 5: Quantum API Calls
Source: Avertium's Cyber Threat Intelligence Team
Because traditional anti-phishing software does not detect callback phishing emails, it is important for organizations to train their staff on how to spot one. As stated previously, callback phishing attempts start off as an email and will encourage the target to call a number to speak with a customer service representative about a subscription or bill. Here are a few ways you can help keep your organization safe and secure from callback phishing attempts:
For example, if Avertium’s typical customer service emails always come from this email address “Avertium.Customer.Service.com” and all of a sudden you receive a customer service email from “Avertim_Customer.Service.com” with the Avertium logo and a callback number for customer service, it is likely to be a callback phishing attempt.
Be diligent in verifying telephone numbers before calling, just as you would for traditional phishing emails with suspicious links. Always look up contact numbers from the organization’s official website.
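One way to turn the guidance above into a mail-triage heuristic, as an added example that is not Avertium's tooling: it scores a message on the traits the report describes (billing pretext, callback number, no links or attachments, lookalike sender domain). The brand allow-list, the 0.8 similarity cut-off and both sample messages are assumptions constructed for illustration.

```python
# Heuristic triage for callback-phishing emails. Added example, not Avertium's
# tooling. Each trait the report describes adds one point; the allow-list of
# brands and both sample messages below are constructed for this example.
import re
from difflib import SequenceMatcher

PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
PRETEXT_WORDS = ("subscription", "renew", "invoice", "bill", "charged", "payment", "audit", "compromise")
KNOWN_DOMAINS = {"avertium.com", "crowdstrike.com", "oracle.com"}  # assumed allow-list
REVIEW_THRESHOLD = 3  # points needed before a message goes to an analyst

def lookalike_brand(domain):
    """Known domain that `domain` imitates, or None if genuine or dissimilar."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return None  # exact match or legitimate subdomain
    name = domain.split(".")[0]
    for known in sorted(KNOWN_DOMAINS):
        # "avertim" vs "avertium" scores about 0.93; unrelated names score far lower
        if SequenceMatcher(None, name, known.split(".")[0]).ratio() >= 0.8:
            return known
    return None

def score_email(sender, subject, body, attachments):
    """Return (score, reasons) for one message."""
    reasons = []
    if PHONE_RE.search(body):
        reasons.append("callback number present")
    if not URL_RE.search(body) and not attachments:
        reasons.append("no links or attachments, so URL/attachment filters see nothing")
    hits = [w for w in PRETEXT_WORDS if w in (subject + " " + body).lower()]
    if hits:
        reasons.append("pretext keywords: " + ", ".join(hits))
    brand = lookalike_brand(sender.rsplit("@", 1)[-1])
    if brand:
        reasons.append("sender domain imitates " + brand)
    return len(reasons), reasons

# Constructed samples; the first mirrors the report's misspelt-domain example.
SAMPLES = {
    "callback": ("support@avertim.com", "Subscription renewal notice",
                 "Your Avertium security subscription has been renewed and your "
                 "card will be charged $499. If you did not authorize this payment, "
                 "call customer service at (555) 010-2345 within 24 hours.", []),
    "benign": ("noreply@avertium.com", "Monthly report ready",
               "Your monthly report is available at https://portal.example.com/", []),
}

def triage():
    """Map each sample name to True when it should be routed to an analyst."""
    return {k: score_email(*v)[0] >= REVIEW_THRESHOLD for k, v in SAMPLES.items()}
```

The lookalike check is a complement to, not a replacement for, verifying the phone number against the organization's official website as the text advises.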
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
10 key facts about callback phishing attacks - CyberTalk 2022
Callback phishing attacks see massive 625% growth since Q1 2021 (bleepingcomputer.com)
Uptick in Callback Phishing Attacks is a Timely Cyber Security Reminder (deandorton.com)
Ransomware gangs move to 'callback' social engineering attacks (bleepingcomputer.com)
Cybereason vs. Quantum Locker Ransomware
An In-Depth Look at Quantum Ransomware (avertium.com)
Hackers impersonate cybersecurity firms in callback phishing attacks (bleepingcomputer.com)
Callback Phishing Campaigns Impersonate CrowdStrike, Other Cybersecurity Companies
Ryuk ransomware operation updates hacking techniques (bleepingcomputer.com)
Ryuk Ransomware's Increased Activity Targets Large Organizations Using Windows OS (avertium.com)
Ryuk Ransomware Common Activities and IOCs | Proficio Threat Intel
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.