Malware Watch - W/E - 072117
ELF_SHELLBIND Exploit Hits Patched Samba Vulnerability to Infect IoT Devices (07/18/2017)
Trend Micro has detected a new exploit called ELF_SHELLBIND.A that is targeting a patched Samba vulnerability. This bug takes aim at Internet of Things devices as well as the MIPS, ARM, and PowerPC architectures. ELF_SHELLBIND.A is exploiting the same vulnerability that SambaCry did previously. The Samba bug was patched in May.
Trend Micro has detected a new exploit called ELF_SHELLBIND.A that is targeting a patched Samba vulnerability. This bug takes aim at Internet of Things devices as well as the MIPS, ARM, and PowerPC architectures. ELF_SHELLBIND.A is exploiting the same vulnerability that SambaCry did previously. The Samba bug was patched in May.
GhostCtrl Malware Takes Control of Android Devices to Spy on Victims (07/18/2017)
The information-stealing RETADUP worm that affected Israeli hospitals was followed by an Android malware that could take control of the device and is more dangerous, the research team at Trend Micro has warned. The new malware, dubbed "GhostCtrl" because it can stealthily control many of the infected device's functionalities, actually has three versions and is a variant of the commercially sold, multiplatform OmniRAT malware. GhostCtrl can silently record audio, video, and more once it infects a device.
The information-stealing RETADUP worm that affected Israeli hospitals was followed by an Android malware that could take control of the device and is more dangerous, the research team at Trend Micro has warned. The new malware, dubbed "GhostCtrl" because it can stealthily control many of the infected device's functionalities, actually has three versions and is a variant of the commercially sold, multiplatform OmniRAT malware. GhostCtrl can silently record audio, video, and more once it infects a device.
OSX/Dok Malware Adds Sophisticated Technique to Lure in Victims (07/17/2017)
The OSX/Dok malware is taking aim at victims' banking credentials by masquerading as major bank sites, according to research conducted by Check Point Software. Attackers are purchasing dozens of Apple certificates to sign on the application bundle and bypass GateKeeper. Apple is constantly revoking the compromised certificates as Check Point reports of the ones it has identified; however, new ones appear on a daily basis. The OSX/Dok malware is distributed via a phishing campaign that specifically targets macOS users and utilizes man-in-the-middle attacks.
The OSX/Dok malware is taking aim at victims' banking credentials by masquerading as major bank sites, according to research conducted by Check Point Software. Attackers are purchasing dozens of Apple certificates to sign on the application bundle and bypass GateKeeper. Apple is constantly revoking the compromised certificates as Check Point reports of the ones it has identified; however, new ones appear on a daily basis. The OSX/Dok malware is distributed via a phishing campaign that specifically targets macOS users and utilizes man-in-the-middle attacks.
Ovidiy Stealer Siphons Credentials While AV Solutions Consider It Harmless (07/17/2017)
Proofpoint threat researchers analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrate that criminals are actively adopting this malware. Ovidiy Stealer is priced at 450-750 Rubles ($7-13 USD) for one build, a price that includes a precompiled executable that is also "crypted" to thwart analysis and detection. Some antivirus (AV) solutions are detecting Ovidiy Stealer with generic and heuristic signatures only. It is possible that an AV solution will detect the behavior of Ovidiy Stealer but label it in logs with a generic description and analysts monitoring alerts may see the event but not recognize its significance. Instead, Ovidiy Stealer could be active in an organization's network, throwing alerts but not identified specifically.
Proofpoint threat researchers analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrate that criminals are actively adopting this malware. Ovidiy Stealer is priced at 450-750 Rubles ($7-13 USD) for one build, a price that includes a precompiled executable that is also "crypted" to thwart analysis and detection. Some antivirus (AV) solutions are detecting Ovidiy Stealer with generic and heuristic signatures only. It is possible that an AV solution will detect the behavior of Ovidiy Stealer but label it in logs with a generic description and analysts monitoring alerts may see the event but not recognize its significance. Instead, Ovidiy Stealer could be active in an organization's network, throwing alerts but not identified specifically.
ProMediads Malvertising, Sundown-Pirate EK Combo Drop PoS Malware (07/19/2017)
A new exploit kit (EK) called Sundown-Pirate has been found within a malicious advertising campaign dubbed "ProMediads" that has previously employed both the Rig and Sundown EKs. The researchers at Trend Micro discovered that on June 25, ProMediads booted Rig and started using Sundown-Pirate, which dops other malware as its payload. On July 12, Sundown-Pirate began using the point-of-sale (PoS) malware LockPOS. Sundown-Pirate uses three Internet Explorer exploits and one Flash exploit to infect. All of these vulnerabilities have been previously patched.
A new exploit kit (EK) called Sundown-Pirate has been found within a malicious advertising campaign dubbed "ProMediads" that has previously employed both the Rig and Sundown EKs. The researchers at Trend Micro discovered that on June 25, ProMediads booted Rig and started using Sundown-Pirate, which dops other malware as its payload. On July 12, Sundown-Pirate began using the point-of-sale (PoS) malware LockPOS. Sundown-Pirate uses three Internet Explorer exploits and one Flash exploit to infect. All of these vulnerabilities have been previously patched.
RoughTed Malware Impacted 28% of Organizations in June (07/17/2017)
Check Point Software's latest Global Threat Impact Index revealed that 28% of organizations globally were affected by the RoughTed malvertising campaign during June. RoughTed is used to deliver links to malicious Web sites and payloads such as scams, adware, exploit kits, and ransomware. Second-placed Fireball, which impacted 20% of organizations in May, declined sharply affecting only 5% of businesses in June, while the Slammer worm was the third most common variant, impacting 4% of organizations.
Check Point Software's latest Global Threat Impact Index revealed that 28% of organizations globally were affected by the RoughTed malvertising campaign during June. RoughTed is used to deliver links to malicious Web sites and payloads such as scams, adware, exploit kits, and ransomware. Second-placed Fireball, which impacted 20% of organizations in May, declined sharply affecting only 5% of businesses in June, while the Slammer worm was the third most common variant, impacting 4% of organizations.
Scientists Analyze the Inner Workings of NukeBot's Nefarious Tendencies (07/19/2017)
The Kaspersky Lab research team has taken a look at the NukeBot banking Trojan, which typically is used to make Web injections into pages to swipe user data. The scientists detected some samples of NukeBot that didn't have this capability and instead were designed to steal mail client and browser passwords. The source code for NukeBot was published earlier in 2017 by its creator.
The Kaspersky Lab research team has taken a look at the NukeBot banking Trojan, which typically is used to make Web injections into pages to swipe user data. The scientists detected some samples of NukeBot that didn't have this capability and instead were designed to steal mail client and browser passwords. The source code for NukeBot was published earlier in 2017 by its creator.
Spam Campaigns Double Up on Infection Delivering NemucodeAES, Kovter Malware (07/18/2017)
Spam campaigns are delivering a double-dose of infection with the NemucodAES ransomware and Kovter malware packaged together in .zip attachments, according to information from the SANS Internet Storm Center. The campaigns look as though they are messages emanating from the United Parcel Service, and "Together, these two pieces of malware could deliver a nasty punch," researcher Brad Duncan warned.
Spam campaigns are delivering a double-dose of infection with the NemucodAES ransomware and Kovter malware packaged together in .zip attachments, according to information from the SANS Internet Storm Center. The campaigns look as though they are messages emanating from the United Parcel Service, and "Together, these two pieces of malware could deliver a nasty punch," researcher Brad Duncan warned.