Malware Watch - W/E - 072817
Android Trojan Disguised as Typical Programs Slurps Bank Data (07/24/2017)
Doctor Web security researchers have examined a multipurpose banking Trojan named Android.BankBot.211.origin. The malicious program abuses the Android Accessibility Service to control the device and steal confidential bank customer information. When the Trojan was first observed, it was attacking only residents of Turkey; its target list soon expanded, and it now threatens users in dozens of countries. Android.BankBot.211.origin is distributed under the guise of benign programs.
Google Spots Spying Apps and Gives Them the Boot (07/27/2017)
Google has kicked a family of spyware called Lipizzan out of the Play Store after the malware was found hidden in 20 apps. Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. It is connected to Equus Technologies, a cyber arms company in Israel.
Highly Customizable Philadelphia RaaS Sells Cheap (07/25/2017)
Sophos researcher Dorka Palotay has published details about Philadelphia, a ransomware-as-a-service (RaaS) that can be purchased for about $400 USD. The Rainmakers Lab, the entity behind Philadelphia, sells the RaaS on the Dark Web but also offers an intro video on YouTube explaining how the kit works and how it can be customized with various features.
ICS-CERT Warns of CRASHOVERRIDE Malware Targeting ICS (07/26/2017)
ICS-CERT has posted an alert regarding CRASHOVERRIDE (also known as Industroyer), a family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial-of-service to Siemens SIPROTEC devices. ICS-CERT is in the process of analyzing samples of the CRASHOVERRIDE malware family, including an additional component for credential harvesting that is presumed to be related. As part of this analysis, ICS-CERT has developed a YARA signature to detect components, as well as potential variants of the malicious files ICS-CERT possesses. Dragos, ESET, and US-CERT have released open source technical reports for the CRASHOVERRIDE malware family.
Malware Found in Every App in Turkish Android Store (07/26/2017)
ESET researchers have discovered that CepKutusu.com, a Turkish alternative Android app store, was serving malware in place of every app it offered. When users browsed the store and proceeded to download an app, the "Download now" button delivered banking malware instead of the desired app. What made this campaign intriguing to the researchers was its seven-day cool-off: once a user had been served the malware, the store delivered the genuine app to that user for the next seven days before serving the malware again.
NBA Championship Hashtag Gets Hijacked to Push Phishing, Spam (07/26/2017)
The researchers at Proofpoint observed people hijacking the hashtag #NBAFinals2017 related to the NBA championship in an effort to spread gambling and spam links. Fake accounts were also used to hijack the popular hashtag.
Phishing Campaign Spreads Credential-Stealing HawkEye Malware (07/26/2017)
A phishing campaign that emerged in June distributed the HawkEye malware, which is known for stealing credentials. FireEye spotted the campaign, which did not appear to target any particular industry or region. The phishing messages carried a malicious DOCX document.
SambaCry Creators Take Aim at Windows Systems with CowerSnail Backdoor (07/25/2017)
Kaspersky Lab researchers have uncovered a malicious program for Windows that was created by the same threat group responsible for the SambaCry family of Linux Trojans. A common command and control server was the link that connected both malware programs. Kaspersky detects this Windows threat as Backdoor.Win32.CowerSnail and noted that it was written using Qt.
Sneaky Spam Campaign Hides Malicious JavaScript File (07/24/2017)
Check Point Software's threat intelligence team has picked up a spam campaign that was slipping past many antivirus solutions. The campaign is related to "BlankSlate": its emails have an empty body, and the malware is hidden inside a zipped attachment. The archive holds a heavily obfuscated JavaScript file that downloads and executes the payload; the script is stuffed with large amounts of text lifted from Wikipedia articles about different countries and cities, which helps it slip past signature-based scanners.
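Added example (not from Check Point's report or its tooling): a Python triage heuristic for the padding trick described above. It unpacks a zip attachment in memory, picks out script-type members and estimates how much of each script consists of prose-like string literals, flagging scripts that are mostly filler. The sample archives, file names, Wikipedia-style sentences and the 0.5 threshold are constructed for illustration.

```python
"""Triage heuristic for padded, obfuscated script attachments (added example)."""
from __future__ import annotations

import io
import re
import zipfile

# Script-type extensions worth inspecting inside a mail attachment (assumed list)
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")

# String literals of at least 40 characters, "..." or '...', without escapes
_STRING_RE = re.compile(r'"([^"\\]{40,})"' + r"|'([^'\\]{40,})'")
# Crude "looks like prose" test: a capitalised word followed by six or more
# space-separated words (encyclopedia padding), rather than encoded data
_PROSE_RE = re.compile(r"^[A-Za-z][a-z]+(?: [A-Za-z][a-z,.]+){6,}")


def prose_ratio(script: str) -> float:
    """Fraction of the script's characters that sit inside prose-like literals."""
    if not script:
        return 0.0
    prose_chars = 0
    for match in _STRING_RE.finditer(script):
        literal = match.group(1) or match.group(2)
        if _PROSE_RE.match(literal):
            prose_chars += len(literal)
    return prose_chars / len(script)


def triage_zip(data: bytes, threshold: float = 0.5) -> list[dict]:
    """Scan every script-type member of a zip attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue  # PDFs, images etc. are out of scope for this heuristic
            text = zf.read(info).decode("utf-8", errors="replace")
            ratio = prose_ratio(text)
            findings.append({
                "member": info.filename,
                "size": len(text),
                "prose_ratio": round(ratio, 3),
                "suspicious": ratio >= threshold,
            })
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive (used to construct the sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an inert script padded with encyclopedia-style sentences
# around a tiny decoder, mimicking the structure described in the report.
PADDED_JS = "\n".join([
    'var p1 = "Ankara is the capital of Turkey and the second largest city in the country after Istanbul located in the central part of Anatolia";',
    'var p2 = "Lyon is the third largest city of France and is located at the confluence of the Rhone and Saone rivers in the east of the country";',
    'var p3 = "Prague is the capital and largest city of the Czech Republic and sits on the Vltava river in the northwest of the country";',
    "var x = p1.length + p2.length + p3.length;",
    'function d(s){var o="";for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^7);}return o;}',
    'var u = d("kppt");',
])

# Constructed sample: ordinary script with no prose padding
CLEAN_JS = "function add(a, b) { return a + b; }\nmodule.exports = { add: add };"

PADDED_ATTACHMENT = build_zip({"Document_2017-07.js": PADDED_JS.encode()})
CLEAN_ATTACHMENT = build_zip({"report.pdf": b"%PDF-1.4 sample", "util.js": CLEAN_JS.encode()})

if __name__ == "__main__":
    for label, blob in (("padded", PADDED_ATTACHMENT), ("clean", CLEAN_ATTACHMENT)):
        for finding in triage_zip(blob):
            print(label, finding)
```

The ratio is deliberately crude: it only counts unescaped literals of 40 or more characters, so a sample that splits its filler into short concatenated fragments will score low. Treat a high ratio as a reason to detonate or deobfuscate the script, not as a verdict on its own.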
Stealthy Mac Malware Flies Under-the-Radar and Avoids Detection (07/26/2017)
Stealthy malware that gives attackers webcam and keyboard control over infected machines has been infecting Macs for at least five years and perhaps as long as a decade, security researcher Patrick Wardle has told Ars Technica. The malware, known as FruitFly, is a variant of a malicious file first noticed in January, by which point it had been infecting devices for two years. Wardle observed the new FruitFly variant, which has hit a large number of Mac-based systems yet remained mostly undetected by antivirus products.