Malware Watch - W/E - 072018

Blackgear Cyberspy Campaign Exploits Social Media, Blogging Services (07/17/2018)
Blackgear, a cyber espionage campaign that dates back to 2008 (based on the Protux backdoor used by its operators), has had its tools fine-tuned to effectively target victims. The campaign, according to research from Trend Micro, is abusing blogging, micro-blogging, and social media services to hide its command and control configuration. Blackgear is using a new version of Protux and the Marade downloader, both of which have been found encrypted on blog and social media posts.

DanaBot Trojan Hides Inside Fake Invoices from Phishing Scam (07/17/2018)
Trustwave observed phishing emails targeting Australian customers with fake invoices from the software company MYOB. The emails contained FTP links pointing to compromised FTP servers, where the link resolved to a zipped archive. That archive contained a JavaScript file that, on execution, downloads the DanaBot malware. DanaBot is a multi-component banking Trojan written in Delphi.
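The delivery chain above (an FTP link in the message body that resolves to an archive carrying a script) can be triaged mechanically. The following is an added illustration, not code from Trustwave or the original item: it pulls FTP URLs that point at archive files out of an email body, then lists script-type members inside a zip. The email text, the TEST-NET address, the file names and the archive contents are all constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed sample email body; the address is a TEST-NET placeholder, not a real IoC.
SAMPLE_EMAIL = """Hi,
Please find your invoice attached.
Download: ftp://203.0.113.10/invoices/Invoice_2018-07.zip
Regards"""

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Script extensions commonly used as droppers; the page only mentions JavaScript,
# the others are a reasonable defender's superset.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s<>\"']+", re.IGNORECASE)


def find_archive_links(text):
    """Return FTP URLs in `text` whose path ends in an archive extension."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme.lower() == "ftp" and parsed.path.lower().endswith(ARCHIVE_EXTS):
            hits.append(url)
    return hits


def script_members(zip_bytes):
    """Return names of members in a zip archive that carry a script extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(SCRIPT_EXTS)]


def build_sample_archive():
    """Constructed stand-in for the downloaded archive: a harmless .js plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2018-07.js", "// constructed placeholder, not malware\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


def triage_email(text, archive_bytes=None):
    """Combine both signals: an FTP archive link in the mail and a script inside the archive."""
    links = find_archive_links(text)
    scripts = script_members(archive_bytes) if archive_bytes else []
    return {
        "ftp_archive_links": links,
        "script_members": scripts,
        "suspicious": bool(links) and bool(scripts),
    }


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL, build_sample_archive()))
```

Either signal alone is weak (plenty of legitimate mail links to archives), so the combined verdict is the useful one; in a mail gateway the archive would be fetched in a sandbox rather than on the analyst's workstation.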

Emotet's Evolution: From Banking Trojan to Threat Delivery Service (07/17/2018)
Mealybug, the threat actor that has been active since 2014 and uses the customized Emotet Trojan, has changed the malware's infrastructure to act as a global packing and delivery service for other threat actors. Emotet typically has been used to attack European banking customers but Symantec noticed that Mealybug is offering an "end-to-end" service to deliver threats, obfuscate them, and provide a spreader module that allows the threats to self-propagate.

Hawkeye Keylogger Is Reborn in High-Volume Campaign (07/17/2018)
Microsoft's researchers have seen a resurgence of the Hawkeye keylogger, an information stealer that is being sold as a malware-as-a-service. In April, Hawkeye Keylogger - Reborn v8 made its debut and on April 30, Microsoft detected a high-volume campaign that distributed the latest variants of the keylogger. The campaign mostly targeted the software and technology sector.

Symantec Warns PowerShell Threats Increasing Exponentially (07/17/2018)
Symantec analyzed PowerShell threats and found that attacks had increased 661% between the second half of 2017 and the first half of 2018. The number of computers where PowerShell commands were executed doubled from 734,262 in Q1 2018 to 1,451,449 in Q2 2018. In May 2018, PowerShell scripts were observed being executed on an average of 480,000 computers per day.

Unsuspecting Soccer Fans Targeted by Malware, Phishing (07/16/2018)
McAfee has spotted malicious apps and phishing emails created specifically to target soccer supporters. Fans using the "Golden Cup" app are unaware that criminals have laced it with spyware. The threat campaign, called Android/FoulGoal.A, silently transfers information to cybercriminals, including victims' phone numbers, installed apps, device model and manufacturer, available internal storage capacity, and more.