…, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file,” Dela Paz wrote. He noted that the document contained the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization. Three document icons pertaining to patient information were also present in the file and, when the user double-clicks, a malicious JavaScript is triggered which downloads and executes a variant of the Philadelphia ransomware. “Believed to be a new version of the Stampado ransomware, Philadelphia is an unsophisticated ransomware kit sold for a few hundred dollars to anyone who can afford it. Recently, a video advertisement of Philadelphia surfaced on YouTube,” he wrote. Dela Paz further wrote in the blog post, “A few things in the malware captured our interest. Aside from the tailored bait against a specific healthcare organization, the encrypted JavaScript above contained a string “hospitalspam” in its directory path. Likewise, the ransomware C2 also contained “hospital/spam” in its path. Such wordings would imply that this is not an isolated case, but that the actor behind the campaign is specifically targeting hospitals using spam (spear-phishing emails) as a distribution method.” He also noted that ransomware-as-a-service platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business.
And, while this example represents only one targeted healthcare organization, the researcher noted that it could signify the beginning of a trend of smaller ransomware operators, using RaaS platforms, aiming for the healthcare sector, “ultimately leading to even bigger and diversified ransomware attacks” against the sector, he wrote.
Two Italian siblings were arrested on Monday and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and businesspeople, law firms, leaders of Italian masonic lodges, and Vatican officials for years. 45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts. According to court documents (in Italian), the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he received via email. The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware. After the authorities got involved, the investigation revealed that the email was, indeed, sent from the attorney’s email account, but that it was sent by someone who had compromised the account and accessed it via Tor.
A new malware program that targets macOS users is capable of spying on encrypted browser traffic to steal sensitive information. The new program, dubbed OSX/Dok by researchers from Check Point Software Technologies, was distributed via email phishing campaigns to users in Europe. One of the rogue emails was crafted to look as if it was sent by a Swiss government agency warning recipients about apparent errors in their tax returns. The malware was attached to the email as a file called Dokument.zip. Once installed on a Mac, OSX/Dok displays a fake and persistent notification about a system security update that needs to be installed. Users who agree to install the update will be prompted for their administrator password. Once the malware obtains elevated privileges, it makes the active user a permanent administrator so the OS will never ask for the password again when the malware executes privileged commands in the background. Dok also modifies the system's network settings to route web traffic through a proxy server controlled by the attackers and located on the Tor anonymity network. In order for this to work, it also installs a Tor client that is started automatically. Web traffic is routed through the proxy so that the attackers can perform a man-in-the-middle (MitM) attack and decrypt HTTPS connections. This is achieved by installing a rogue root certificate on the system, which is then used to decrypt and re-encrypt HTTPS connections as they pass through the proxy. With this method, users continue to see the SSL visual indicator in their browser when they access HTTPS websites, and the browser does not complain about untrusted certificates.
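The proxy-plus-rogue-root mechanism just described leaves two host-level traces a defender can check for: altered system proxy settings and a trust anchor that was not present on a clean build. The Python script below is an added example and not Check Point's or the article's code. It parses constructed output shaped like macOS `scutil --proxy` and `security find-certificate -a -Z`, flags any enabled HTTP/HTTPS proxy (singling out a loopback listener, where a locally installed forwarder would sit), and reports every root certificate whose SHA-1 hash is missing from a baseline snapshot. The sample output, hashes, certificate labels and port number are placeholders constructed for this example, and the baseline set is assumed to have been recorded on a known-clean machine.

```python
"""Host audit for two changes described in the OSX/Dok write-up:
   1) system proxy settings pointed at an attacker-controlled proxy, and
   2) a rogue root certificate added to the trust store so the MitM proxy
      can re-encrypt HTTPS without browser warnings.
All command output below is constructed for this example."""
import re

# Constructed: shaped like `scutil --proxy` on a host whose HTTP and HTTPS
# traffic has been redirected to a local forwarder (hypothetical port).
SCUTIL_PROXY_SAMPLE = """<dictionary> {
  HTTPEnable : 1
  HTTPPort : 5555
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 5555
  HTTPSProxy : 127.0.0.1
  ProxyAutoConfigEnable : 0
}
"""

# Constructed: shaped like `security find-certificate -a -Z` output;
# hashes and labels are placeholders, not real certificates.
FIND_CERT_SAMPLE = """SHA-1 hash: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Example Corporate Root CA"
SHA-1 hash: BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Unknown Root CA (hypothetical)"
"""

# Assumed: trust-anchor hashes recorded on a known-clean build (constructed).
BASELINE_ROOT_HASHES = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}


def parse_scutil_proxy(text: str) -> dict:
    """Turn the `key : value` lines of scutil --proxy into a dict of strings."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_proxy(settings: dict) -> list:
    """Report enabled HTTP/HTTPS proxies and PAC usage. A loopback proxy is
    labelled separately because a malware-installed forwarder listens locally."""
    findings = []
    for scheme in ("HTTP", "HTTPS"):
        if settings.get(f"{scheme}Enable") != "1":
            continue
        host = settings.get(f"{scheme}Proxy", "")
        port = settings.get(f"{scheme}Port", "")
        kind = "loopback" if host.startswith("127.") or host == "::1" else "remote"
        findings.append(f"{scheme} proxy enabled -> {host}:{port} ({kind})")
    if settings.get("ProxyAutoConfigEnable") == "1":
        findings.append(f"PAC enabled -> {settings.get('ProxyAutoConfigURLString', '?')}")
    return findings


def parse_find_certificate(text: str) -> list:
    """Extract (sha1, label) pairs from `security find-certificate -a -Z` output."""
    certs = []
    sha1 = None
    for line in text.splitlines():
        m = re.match(r"SHA-1 hash:\s*([0-9A-Fa-f]{40})", line)
        if m:
            sha1 = m.group(1).upper()
            continue
        m = re.search(r'"labl"<blob>="([^"]*)"', line)
        if m and sha1:
            certs.append((sha1, m.group(1)))
            sha1 = None
    return certs


def audit_root_cas(certs: list, baseline: set) -> list:
    """Report trust anchors absent from the clean baseline; a newly added root
    is the precondition for the silent HTTPS interception described above."""
    return [f"unexpected root CA: {label} ({sha1})"
            for sha1, label in certs if sha1 not in baseline]


def run_audit(proxy_text: str = SCUTIL_PROXY_SAMPLE,
              cert_text: str = FIND_CERT_SAMPLE,
              baseline: set = BASELINE_ROOT_HASHES) -> list:
    """Combine both checks; pass real command output to audit a live host."""
    return (audit_proxy(parse_scutil_proxy(proxy_text))
            + audit_root_cas(parse_find_certificate(cert_text), baseline))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On a real host, feed `run_audit` the captured output of the two commands instead of the samples. The baseline-diff approach is deliberately not tied to this campaign's certificate: any interception tool, commercial or malicious, has to add a trust anchor to avoid browser warnings, so a diff against a clean snapshot catches the whole class rather than one sample.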
The ability to snoop on HTTPS traffic allows attackers to steal sensitive information such as passwords for email, social media and online banking accounts; credit card details entered on shopping websites; personal and financial information entered into web forms; and more. With more than half of all web traffic in an average user's browser now encrypted, it is not surprising that attackers are resorting to man-in-the-middle techniques to capture sensitive data. This and other capabilities make Dok one of the most sophisticated malware programs targeting macOS to date, not counting spy programs created or used by nation states and law enforcement agencies. “We have been and still are in direct contact with Apple [employees], who are very helpful and responsive,” Yaniv Balmas, Check Point's malware research team leader, said via email. “With Apple’s cooperation, we believe this specific campaign is now futile and no longer poses any threat to Mac users.”