Malware Watch - W/E - 061617
FireEye's Researchers Take a Look at Carbanak's Operations (06/13/2017)
A new report from FireEye focuses on the operational details of the Carbanak backdoor which steals data and contains a plug-in architecture. According to the research, some of Carbanak's operators either have access to the source code directly with knowledge on how to modify it or have a close relationship to the developer(s). Other operators appear to be compiling their own builds of the backdoor independently.
A new report from FireEye focuses on the operational details of the Carbanak backdoor which steals data and contains a plug-in architecture. According to the research, some of Carbanak's operators either have access to the source code directly with knowledge on how to modify it or have a close relationship to the developer(s). Other operators appear to be compiling their own builds of the backdoor independently.
Hovering Mouse Pointer in PowerPoint Unleashes Trojan's Wrath (06/12/2017)
A new method to deliver malware is launched when hovering a mouse's pointer over a malicious hyperlinked picture or text in a PowerPoint slideshow. This method, which has been detailed in a blog post from Trend Micro, is employed by a Trojan downloader (detected as TROJ_POWHOV.A and P2KM_POWHOV.A) and was seen affecting industries in manufacturing, device fabrication, education, logistics, and pyrotechnics in a spam email campaign in Europe.
A new method to deliver malware is launched when hovering a mouse's pointer over a malicious hyperlinked picture or text in a PowerPoint slideshow. This method, which has been detailed in a blog post from Trend Micro, is employed by a Trojan downloader (detected as TROJ_POWHOV.A and P2KM_POWHOV.A) and was seen affecting industries in manufacturing, device fabrication, education, logistics, and pyrotechnics in a spam email campaign in Europe.
Hundreds of "Antivirus" Apps Are Actually Malware (06/15/2017)
RiskIQ has identified hundreds of malicious apps that masquerade as antivirus solutions from well-known vendors including Kaspersky Lab, McAfee, Dr. Web, ESET, and more. The scientists found more than 6,000 apps that claimed to have antivirus capabilities, and of that number, over 700 triggered blacklist detections. Google Play had a large number of blacklisted apps, but is working to remove them.
RiskIQ has identified hundreds of malicious apps that masquerade as antivirus solutions from well-known vendors including Kaspersky Lab, McAfee, Dr. Web, ESET, and more. The scientists found more than 6,000 apps that claimed to have antivirus capabilities, and of that number, over 700 triggered blacklist detections. Google Play had a large number of blacklisted apps, but is working to remove them.
MacSpy Makes Debut as Malware-as-a-Service on Hacker Underground (06/13/2017)
AlienVault has uncovered MacSpy, a malware-as-a-service specifically designed for the OS X platform. There is a free version available on the Dark Web but the creators of MacSpy also are advertising an advanced version that can be purchased using bitcoins. According to AlienVault, MacSpy's creators said they noted that there wasn't a lot of malware available for Mac users so they thought others might be interested in this remote access Trojan.
AlienVault has uncovered MacSpy, a malware-as-a-service specifically designed for the OS X platform. There is a free version available on the Dark Web but the creators of MacSpy also are advertising an advanced version that can be purchased using bitcoins. According to AlienVault, MacSpy's creators said they noted that there wasn't a lot of malware available for Mac users so they thought others might be interested in this remote access Trojan.
MacSpy Ransomware Hides on Macs and Uses Powerful Encryption (06/13/2017)
Fortinet has uncovered MacRansom, a ransomware-as-a-service for Macintosh that uses a Web portal hosted in a Tor network. If a miscreant is interested in the malware, he or she must contact MacRansom's creator directly as it is not available through the portal. MacRansom is invisible to Mac users until the malware executes, uses 128-bit industrial strength encryption, and once it installs, it leaves no trace that is associated with the victim so that it can easily spread to someone else's system if he or she plugs in an external drive.
Fortinet has uncovered MacRansom, a ransomware-as-a-service for Macintosh that uses a Web portal hosted in a Tor network. If a miscreant is interested in the malware, he or she must contact MacRansom's creator directly as it is not available through the portal. MacRansom is invisible to Mac users until the malware executes, uses 128-bit industrial strength encryption, and once it installs, it leaves no trace that is associated with the victim so that it can easily spread to someone else's system if he or she plugs in an external drive.
Researchers Unlock Jaff Ransomware Files with Decryption Tool (06/15/2017)
A weakness discovered in the Jaff ransomware has led Kaspersky Lab researchers to create a decryptor to unlock the malware. The decrypter tool has been added to the RakhniDecryptor and is freely available to the public.
A weakness discovered in the Jaff ransomware has led Kaspersky Lab researchers to create a decryptor to unlock the malware. The decrypter tool has been added to the RakhniDecryptor and is freely available to the public.
US-CERT Warns of Debilitating CrashOverride Malware That Affects ICS (06/13/2017)
The US-CERT is aware of public reports from ESET and Dragos outlining a powerful and highly capable industrial controls systems (ICS) attack platform that was most likely used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride (called Industroyer by ESET) malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the vendors' analysis, and develop a better understanding of the risk this new malware poses to the US critical infrastructure. ESET's researchers say that certain components of the malware have been designed to target specific products including Siemens' SIPROTECT devices.
The US-CERT is aware of public reports from ESET and Dragos outlining a powerful and highly capable industrial controls systems (ICS) attack platform that was most likely used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride (called Industroyer by ESET) malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the vendors' analysis, and develop a better understanding of the risk this new malware poses to the US critical infrastructure. ESET's researchers say that certain components of the malware have been designed to target specific products including Siemens' SIPROTECT devices.
Weak Passwords Compromise Large Number of IP Cameras Via IoT Botnets (06/12/2017)
The Persirai Internet of Things botnet that targets more than 1,000 IP cameras has infected over 64% of such devices tracked by Shodan and researched by Trend Micro. Once Persirai, which was first identified in May, attacks an IP camera, it will then take control of that device and attack other cameras by exploiting three known vulnerabilities. However, three other malware families (DvrHelper, Mirai, and TheMoon) are also attacking IP cameras, and Trend Micro's researchers say that these events could be reduced if users opted to change the default passwords in the devices' interfaces.
The Persirai Internet of Things botnet that targets more than 1,000 IP cameras has infected over 64% of such devices tracked by Shodan and researched by Trend Micro. Once Persirai, which was first identified in May, attacks an IP camera, it will then take control of that device and attack other cameras by exploiting three known vulnerabilities. However, three other malware families (DvrHelper, Mirai, and TheMoon) are also attacking IP cameras, and Trend Micro's researchers say that these events could be reduced if users opted to change the default passwords in the devices' interfaces.
Xavier Android Trojan Is a Data-Stealing Ad Library App (06/13/2017)
A malicious Android ad library known as Xavier steals and dumps user information without victims knowing it, Trend Micro's scientists say. Over 800 apps embedded the ad library's SDK that have been downloaded millions of times from Google Play. Most of the download attempts have been made from countries in Southeast Asia, most notably Vietnam.
A malicious Android ad library known as Xavier steals and dumps user information without victims knowing it, Trend Micro's scientists say. Over 800 apps embedded the ad library's SDK that have been downloaded millions of times from Google Play. Most of the download attempts have been made from countries in Southeast Asia, most notably Vietnam.