Malware Watch - W/E - 080318

AZORult Downloader, Data Stealer Now Spread Via Exploit Kits (07/31/2018)
The information stealer and downloader AZORult is now being dropped by exploit kits. It has also been seen in email campaigns as both a primary and a secondary payload. Since it was first discovered in 2016, AZORult has received enhancements that improve its functionality. Proofpoint's researchers shared what they gleaned while analyzing this threat in a blog post.

CactusTorch Fileless Threat Abuses .NET (07/30/2018)
McAfee examined CactusTorch, a fileless malware framework that uses the DotNetToJScript technique to load and execute a malicious .NET assembly directly from memory, without writing it to disk. The .NET assembly embedded in the CactusTorch script then runs through several steps to execute the malicious shellcode. Because nothing is dropped to disk, file-based scanning misses it; the telltale to hunt for is a script host such as wscript.exe or cscript.exe loading the .NET runtime.

Parasite HTTP RAT Makes Its Debut with Anti-Detection Methods (07/30/2018)
A new remote access Trojan (RAT) is for sale on underground forums, and it offers various techniques to avoid detection. Proofpoint spotted Parasite HTTP, which is modular so that new capabilities can be added, and which incorporates sandbox detection, anti-debugging, anti-emulation, and other protective measures. The RAT drew attention after it was used in a small email campaign on July 16.

PowerGhost Malware Uses EternalBlue Exploit for Nefarious Purposes (07/30/2018)
Kaspersky Lab has uncovered PowerGhost, a mining malware that uses fileless techniques to establish an illicit cryptocurrency miner on the victim system. PowerGhost is an obfuscated PowerShell script that contains core code and add-on modules. It tries to spread across the local network using the leaked National Security Agency (NSA) EternalBlue exploit. EternalBlue targets the SMBv1 flaw fixed by MS17-010 in March 2017, so hosts still missing that patch are the ones exposed to this lateral movement.

Sophos Discovers New Details about the SamSam Ransomware (07/31/2018)
Sophos has analyzed the SamSam ransomware and learned that it is deployed to computers on the victim's network over RDP (Remote Desktop Protocol), with the attackers using brute-forcing software such as nlbrute to guess weak passwords. The operators of SamSam have also netted about $6 million in profits. Previous research identified healthcare, government, and education as the sectors most likely to be affected by the ransomware, but Sophos, with help from Neutrino, found that a larger number of victims are from the private sector. Victims in that sector have been reluctant to come forward, Sophos noted.
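As an added illustration (this is not code from Sophos' report or from any SamSam tooling), here is the detection a defender might run against Windows Security log events to catch the RDP password-guessing SamSam's operators rely on: a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source address, followed by a successful logon (4624) from that same address, which means a password was guessed. The simplified record format and every sample record are constructed for this example; the threshold and window are illustrative tuning values.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example, not from Sophos' SamSam research. Works over constructed
Windows Security event records in a simplified whitespace format:
    <ISO timestamp> <EventID> <LogonType> <TargetAccount> <SourceIP>
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive; with NLA enabled failures may log as type 3

# Constructed sample telemetry, not real data. Three sources:
#  198.51.100.23 - rapid guessing against two admin names, then a success
#  192.0.2.7     - a user mistyping once, then logging in normally
#  203.0.113.9   - rapid guessing that never succeeds
SAMPLE_EVENTS = """\
2018-07-29T02:14:03 4625 10 administrator 198.51.100.23
2018-07-29T02:14:05 4625 10 administrator 198.51.100.23
2018-07-29T02:14:08 4625 10 administrator 198.51.100.23
2018-07-29T02:14:11 4625 10 admin 198.51.100.23
2018-07-29T02:14:14 4625 10 admin 198.51.100.23
2018-07-29T02:14:17 4625 10 administrator 198.51.100.23
2018-07-29T02:15:40 4624 10 administrator 198.51.100.23
2018-07-29T03:10:00 4625 10 jsmith 192.0.2.7
2018-07-29T03:10:20 4624 10 jsmith 192.0.2.7
2018-07-29T04:00:00 4625 10 backup 203.0.113.9
2018-07-29T04:00:02 4625 10 backup 203.0.113.9
2018-07-29T04:00:04 4625 10 backup 203.0.113.9
2018-07-29T04:00:06 4625 10 backup 203.0.113.9
2018-07-29T04:00:08 4625 10 backup 203.0.113.9
"""


def parse_events(text):
    """Parse the simplified record format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "account": account, "src_ip": src_ip})
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP logons inside any `window`, and list accounts that then logged in
    successfully from that IP (the guessed passwords)."""
    by_ip = defaultdict(lambda: {"fail": [], "ok": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == FAILED_LOGON:
            by_ip[ev["src_ip"]]["fail"].append(ev)
        elif ev["event_id"] == SUCCESS_LOGON:
            by_ip[ev["src_ip"]]["ok"].append(ev)

    alerts = []
    for src_ip, rec in by_ip.items():
        fails = rec["fail"]
        # Densest run of failures that fits in one window (sliding two-pointer scan),
        # so slow, spread-out failures do not trip the threshold.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first, last = fails[0]["ts"], fails[-1]["ts"]
        # A success from the same source during or shortly after the burst
        # means the guessing worked for that account.
        guessed = sorted({s["account"] for s in rec["ok"] if first <= s["ts"] <= last + window})
        alerts.append({"src_ip": src_ip, "failures": len(fails),
                       "accounts": sorted({f["account"] for f in fails}),
                       "first": first, "last": last, "guessed": guessed})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)):
        severity = "COMPROMISE" if alert["guessed"] else "brute-force"
        print(f"[{severity}] {alert['src_ip']}: {alert['failures']} failed RDP logons "
              f"against {alert['accounts']}, guessed: {alert['guessed']}")
```

Two caveats for anyone adapting this to real logs: when Network Level Authentication is enabled, failed RDP credential checks are commonly recorded as 4625 with logon type 3 (Network) rather than 10, so a production rule should not filter on type 10 alone; and tools like nlbrute are often pointed at RDP exposed directly to the internet, so the source IPs worth alerting on hardest are the ones outside your own address space.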

Underminer Exploit Kit Unleashes Bootkit and Cryptocurrency Mining Malware (07/30/2018)
Researchers at Trend Micro have discovered the Underminer exploit kit, which delivers a bootkit that infects the system's boot sectors and a cryptocurrency miner named Hidden Mellifera. Underminer transfers its malware over an encrypted transmission control protocol (TCP) tunnel and packages the malicious files in a customized format similar to the ROM file system format (romfs). Both measures make the exploit kit and its payloads harder to analyze.