Malware Watch - W/E 07/13/18

Cryptocurrency Miners Take Top Spots in Check Point's Most Wanted Malware List (07/06/2018)
Check Point Software has released its list of the most wanted malware for June. The top three malware families for the month were Coinhive, Cryptoloot, and Dorkbot - the first two are cryptocurrency mining malware, while Dorkbot is a banking Trojan. Triada, Lokibot, and The Truth Spy were the top three mobile malware families identified by Check Point as hitting victims during the month of June.

GandCrab: New Updates, Same Old Nastiness from this Ransomware (07/11/2018)
The GandCrab ransomware is now in version 4 and has switched from using RSA-2048 to the Salsa20 stream cipher to encrypt data. The ransomware has also stopped connecting to its command and control server before encrypting files, which, according to Fortinet, means it can encrypt files on systems that are not connected to the Internet. Analysis shows that the malware's executable and download links are being updated frequently and that the .KRAB extension is appended to encrypted files.

Kaspersky Lab Reports on APT Trends in Q2 (07/10/2018)
In its Q2 2018 APT Trends Summary Report, Kaspersky Lab identified cyber espionage tactics being conducted by Lazarus/BlueNoroff in both Turkey and Latin America. New APT (advanced persistent threat) activity from Olympic Destroyer was also observed during the quarter and points to a possible connection to the Sofacy threat group.

Malicious Macro Exploits Desktop Shortcuts to Deliver Payloads (07/06/2018)
Trend Micro has spotted a malicious macro that searches for specific shortcut files on the user's system and replaces each with one that points to its downloaded malware. That malware executes when the user clicks on the modified desktop shortcut. After the malware executes, it restores the original shortcut file so that the shortcut opens the correct application again. The malware then assembles its payloads by downloading common tools available online, such as various Windows tools, WinRAR, and Ammyy Admin, to gather information and send it back via SMTP.

Malware Uses Stolen Digital Certificates in Two Related Campaigns (07/10/2018)
ESET has discovered a malware campaign misusing stolen digital certificates. The campaign is using a digital certificate from D-Link, which was stolen and has since been revoked. Two different malware families were misusing the stolen certificate: the Plead malware, a remotely controlled backdoor, and a related password stealer component. The Plead backdoor is used by the BlackTech cyber espionage entity. ESET researchers have also identified malware samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology. That certificate was also revoked, but BlackTech is continuing to use it to sign its malicious tools.

Rakhni Malware Makes Decision to Mine or to Crypt (07/06/2018)
The criminals behind the Trojan-Ransom.Win32.Rakhni family have added new functions, including cryptocurrency mining, to their malicious capabilities. According to Kaspersky Lab, the Russian Federation is the main target of this Trojan, followed by Kazakhstan and Ukraine. Spam campaigns are delivering the Trojan. The downloader is an executable file written in Delphi, and it installs a root certificate that is stored in its resources. All downloaded malicious executables are signed with this certificate. The malware decides whether to download a cryptor or a miner onto the infected system depending on whether the folder %AppData%\Bitcoin is present. If the folder exists, the downloader downloads the cryptor. If the folder doesn't exist and the machine has more than two logical processors, the miner is downloaded.

RIG Exploit Kit Delivers Monero Mining Payload Via PROPagate Injection Technique (07/06/2018)
FireEye has observed the RIG exploit kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner. The attack chain starts when the user visits a compromised Web site that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the cryptocurrency miner.

Smoke Loader Malware Adds Sophisticated Tricks and Trickbot to Its Repertoire (07/06/2018)
A new version of the Smoke Loader malware, tracked by Cisco's Talos group, is now using the PROPagate injection technique to inject code and is making attempts to steal credentials from multiple applications. Smoke Loader is delivered via tainted Word documents and the use of social engineering methods. If the document is opened, it launches a macro and downloads the second stage, which is the Trickbot malware.

Threat Group Is Back to Spy on, Attack Mid-East Targets (07/10/2018)
A previously known advanced threat entity that was first discovered by Cisco's Talos researchers has resurfaced to conduct spying missions on institutions in the Middle East, Check Point Software has said. The attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive containing two files: a Word document and a malicious executable. Claiming to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is installed in the background. According to Check Point, some of the malware's modules have been named after characters and/or actors in the Big Bang TV show, including Penny, Koothrappali, and Parsons_Sheldon.