Malware Watch - W/E - 122217
GnatSpy Malware Discovered with Potential Ties to Known Threat Entity (12/18/2017)
Trend Micro researchers have uncovered a new mobile malware family called GnatSpy, which the vendor believes has close ties to the threat group known as Two-tailed Scorpion/APT-C-23 and to VAMP, a mobile malware component that group uses. Some of VAMP's command and control domains were reused in GnatSpy variants, which led the research team to link GnatSpy to APT-C-23.
Malicious AnubisSpy Android Apps Connected to Sphinx Cyber Espionage Group (12/19/2017)
Several malicious apps on Google Play were riddled with cyber espionage capabilities that targeted Arabic-speaking users or Middle Eastern countries. Trend Micro calls the apps "AnubisSpy" and the malware's payload "watchdog." AnubisSpy is linked to the Sphinx cyber espionage entity due to shared file structures and the same command and control (C&C) server. AnubisSpy can steal messages and data, record audio and take screenshots, spy on the victim through installed apps, and encrypt data and send it to its C&C. Google has removed these apps from its Play store.
Malicious CHM Files Deliver Banking Trojan (12/20/2017)
A spam campaign is sending emails with malicious Compiled HTML (CHM) help file attachments to Brazilian institutions. CHM files are containers which, when decompressed, hold a collection of HTML objects; here they are the first stage of a multi-stage infection chain that ends with a banking Trojan. This information comes from researchers at Trustwave.
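Because CHM is a container with a fixed binary header, mail gateways can identify it by content rather than by the `.chm` extension an attacker may have renamed. The following is an added example, not code from Trustwave or from the campaign's analysis: it parses the ITSF header that starts every CHM file (magic, version, header length, Windows language ID, header section table, and the version-3 content offset) and triages a set of constructed attachments, flagging any that are CHM by content but carry a different extension. The sample headers are built inline and are not real malware; the file names and the language ID 0x0416 (Portuguese, Brazil) are assumptions chosen to match the campaign described above.

```python
import struct

ITSF_MAGIC = b"ITSF"
ITSF_V3_HEADER_LEN = 0x60  # 96 bytes: fixed fields + section table + content offset


def parse_chm_header(data: bytes):
    """Parse the fixed ITSF header at the start of a CHM container.

    Layout (little-endian): 'ITSF', version, header length, unknown (=1),
    timestamp, Windows language ID, two 16-byte GUIDs, then a table of two
    (offset, length) uint64 pairs for the header sections; version 3 adds
    the uint64 offset of the content section. Returns None for non-CHM data.
    """
    if len(data) < 56 or data[:4] != ITSF_MAGIC:
        return None
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<IIIII", data, 4)
    hdr = {
        "version": version,
        "header_len": header_len,
        "timestamp": timestamp,
        "lang_id": lang_id,
        "guid1": data[24:40].hex(),
        "guid2": data[40:56].hex(),
    }
    if len(data) >= 88:
        off0, len0, off1, len1 = struct.unpack_from("<QQQQ", data, 56)
        hdr["sections"] = [(off0, len0), (off1, len1)]
    if version >= 3 and len(data) >= ITSF_V3_HEADER_LEN:
        hdr["content_offset"] = struct.unpack_from("<Q", data, 88)[0]
    return hdr


def build_chm_header(lang_id: int, version: int = 3) -> bytes:
    """Build a minimal ITSF header for the constructed samples below (not a real file)."""
    hdr = ITSF_MAGIC + struct.pack("<IIIII", version, ITSF_V3_HEADER_LEN, 1, 0, lang_id)
    hdr += b"\x00" * 32                                    # two GUIDs, zeroed here
    hdr += struct.pack("<QQQQ", 0x60, 0x18, 0x78, 0x1000)  # header section table
    hdr += struct.pack("<Q", 0x1078)                       # content section offset
    return hdr


LCID_PT_BR = 0x0416  # Windows LCID for Portuguese (Brazil); assumed for the samples

# Constructed attachments: (file name, leading bytes). Synthetic, not captured samples.
SAMPLE_ATTACHMENTS = [
    ("boleto.chm", build_chm_header(LCID_PT_BR)),       # declared CHM
    ("fatura.pdf", build_chm_header(LCID_PT_BR)),       # CHM renamed to look like a PDF
    ("relatorio.pdf", b"%PDF-1.7\n" + b"\x00" * 100),   # PDF-looking data
    ("notas.zip", b"PK\x03\x04" + b"\x00" * 100),       # zip archive
]


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify by content: CHM magic wins over whatever extension the name claims."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hdr = parse_chm_header(data)
    if hdr is None:
        return {"name": name, "verdict": "not-chm"}
    verdict = "chm" if ext == "chm" else "chm-disguised-as-" + ext
    return {"name": name, "verdict": verdict, "lang_id": hdr["lang_id"], "version": hdr["version"]}


def triage_all(attachments):
    return {name: triage_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLE_ATTACHMENTS).items():
        print(name, result["verdict"], hex(result.get("lang_id", 0)))
```

Blocking or quarantining on the `ITSF` magic, rather than on the extension, is the check that survives renaming; the language ID is a useful pivot for clustering a regional campaign but is trivially forgeable, so it should inform triage rather than drive it.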
Malware Exploded to 57.6 Million Brand New Samples in Q3 (12/18/2017)
The McAfee Labs Threat Report: December 2017, which examines the growth and trends of new malware, ransomware, and other threats in Q3, saw malware reach an all-time high of 57.6 million new samples, equating to four new samples per second. One of the key developments in the ransomware space was the emergence of Lukitus, a new version of Locky. The ransomware was distributed by more than 23 million spam emails within the first 24 hours of the attack.
Spear Phishing Campaigns Distributing Travle Backdoor (12/19/2017)
Analysis of the Travle backdoor by Kaspersky Lab has determined that the malware is being used in spear phishing attacks against Russian-speaking targets. Travle is believed to be connected to other backdoors including Enfal, NetTraveler, and Microcin and appears to be from Chinese-speaking entities. Palo Alto Networks has referred to Travle by the name PYLOT.
TelegramRAT Uses Cloud to Sneak Past Security Software (12/20/2017)
Netskope has uncovered TelegramRAT, a cloud-native remote access Trojan (RAT). TelegramRAT uses the Telegram Messenger platform for its command and control and a cloud storage service to host its payload. Because both legs of the infection ride on legitimate, widely allowed cloud services, the malware evades traditional security scanners that key on known-bad infrastructure.
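A RAT that talks to Telegram does so through the Bot API, whose URLs have the shape `https://api.telegram.org/bot<id>:<secret>/<method>`. That structure is a usable detection handle even when the traffic is otherwise allowed. The following is an added example and is not code from Netskope or from TelegramRAT itself: it scans a constructed, tab-separated proxy log for Bot API calls, groups them by source host, records the bot ID while dropping the token secret so the finding can be shared safely, and scores the pattern (polling `getUpdates` plus uploading via `sendDocument` from a non-browser user agent) that a RAT produces and an ordinary user browsing Telegram does not. The log lines, hosts, user agents, tokens and the cloud payload host are all synthetic assumptions.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")

# Constructed proxy log, tab-separated: timestamp, source IP, user agent, URL.
# Synthetic lines written for this example, not captured TelegramRAT traffic.
SAMPLE_PROXY_LOG = """\
2017-12-20T09:01:12Z\t10.0.0.9\tMozilla/5.0 (Windows NT 10.0) Chrome/63.0\thttps://web.telegram.org/
2017-12-20T09:01:40Z\t10.0.0.23\tpython-requests/2.18.4\thttps://api.telegram.org/bot123456789:AAFakeTokenForExample_0/getUpdates?offset=1
2017-12-20T09:02:05Z\t10.0.0.23\tpython-requests/2.18.4\thttps://api.telegram.org/bot123456789:AAFakeTokenForExample_0/sendDocument
2017-12-20T09:02:30Z\t10.0.0.23\tpython-requests/2.18.4\thttps://storage.example-cloud.net/u/a1b2/stage2.bin
2017-12-20T09:03:00Z\t10.0.0.31\tMozilla/5.0 (Windows NT 10.0) Chrome/63.0\thttps://api.telegram.org/bot987654321:BBOtherFakeToken/sendMessage
2017-12-20T09:03:21Z\t10.0.0.9\tMozilla/5.0 (Windows NT 10.0) Chrome/63.0\thttps://www.example.com/news
"""


def parse_proxy_line(line: str) -> dict:
    ts, src, ua, url = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "ua": ua, "url": url}


def find_bot_api_c2(log_text: str) -> dict:
    """Group Bot API calls by source host. The token secret is matched but never stored."""
    findings = defaultdict(lambda: {"bot_ids": set(), "methods": set(),
                                    "user_agents": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        bot_id, _secret, method = m.groups()
        f = findings[rec["src"]]
        f["bot_ids"].add(bot_id)      # the numeric id is enough to pivot on
        f["methods"].add(method)
        f["user_agents"].add(rec["ua"])
        f["count"] += 1
    return dict(findings)


def score(finding: dict) -> int:
    """Rough triage score: a RAT polls for commands and uploads loot from a non-browser."""
    s = 0
    if "getUpdates" in finding["methods"]:            # long-polling for operator commands
        s += 2
    if finding["methods"] & {"sendDocument", "sendPhoto"}:  # exfiltration of files/screenshots
        s += 2
    if not any(ua.startswith("Mozilla/") for ua in finding["user_agents"]):
        s += 1                                         # no browser involved
    return s


if __name__ == "__main__":
    for src, f in find_bot_api_c2(SAMPLE_PROXY_LOG).items():
        print(src, sorted(f["methods"]), "score", score(f))
```

A Telegram user never hits `api.telegram.org/bot...` from a workstation, so any such call is worth a look; the score only orders the queue. The same log also shows the payload fetch from a cloud storage host right after the first poll, which is the second pivot the write-up points to.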
Trend Micro Takes a Look at Prilex and Cutlet Maker ATM Malware (12/18/2017)
Two new ATM malware families - Prilex and Cutlet Maker - have been analyzed by Trend Micro. Prilex, first identified by Kaspersky Lab in October, hooks certain dynamic-link libraries (DLLs) and draws its own application screens on top of the ATM's legitimate ones, allowing it to steal financial information from the infected ATM's users. Cutlet Maker is built to empty the machine of cash and is sold on the cybercriminal underground.
UK, Canadian Non-Banking Companies Hit by Zeus Panda Trojan (12/18/2017)
Campaigns distributing the Zeus Panda banking Trojan began taking aim at non-financial targets in November, using web injects designed to capitalize on holiday shopping and related activities. This information comes from Proofpoint, which has seen Zeus Panda targeting businesses in the UK and Canada.
Warning Issued Regarding HatMan/TRITON Attacks on Critical Infrastructure Components (12/19/2017)
The ICS-CERT has issued an advisory regarding the HatMan malware that affects Triconex controllers by modifying in-memory firmware to add additional programming. This malware has also been called TRITON by the researchers at FireEye. HatMan consists of two pieces: a PC-based component to communicate with the safety controller and a malicious binary component that is downloaded to the controller. Safety controllers are used in a large number of environments, and the capacity to disable, inhibit, or modify the ability of a process to fail safely can potentially result in physical consequences.