Malware Watch - W/E - 081718
KeyPass Ransomware Variant Gives Attackers "Manual Control" of Encryption Process (08/13/2018)
Kaspersky Lab has identified a new variant of the KeyPass ransomware, which is propagated by means of fake installers that download the ransomware module. The Trojan sample is written in C++ and compiled in Microsoft Visual Studio. KeyPass can give the attacker manual control, enabling him or her to customize the encryption process by changing parameters including the encryption key, the name on the ransom note, and the text on the ransom note.
Malicious Android App Attributed to APT-C-23 Threat Group (08/14/2018)
A malicious app called Zee Player appeared on Google Play and was spotted by Symantec. The app is a GnatSpy variant that steals device information and tricks the user into installing other types of malware. Zee Player is malware from the APT-C-23 threat group which is known for targeting entities in the Middle East, most often Palestinian political rivals.
New North Korean Malware Variant KEYMARBLE Discovered by US Feds (08/13/2018)
Working with US government partners, the Department of Homeland Security (DHS) and the FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. It is a malicious 32-bit Windows executable. When executed, it de-obfuscates its application programming interface (API) calls and, using port 443, attempts to connect to hard-coded IP addresses. Further details have been made public in a malware analysis report.
North Korean Malware Code Reuse Connected to New Threats (08/13/2018)
McAfee's Christiaan Beek, along with researcher Jay Rosenberg at Intezer, has analyzed the reuse of malware code attributed to North Korea's government and the campaigns in which it is used. While assessing thousands of code samples using Intezer's code similarity detection engine, the researchers noted "a significant amount of code similarities between almost every one of the attacks associated with North Korea." Additionally, the two researchers found code similarities in binaries that had never been seen before, which suggests that some attacks and malware had not previously been attributed to North Korea.
Office 365 Uses SharePoint to Serve Up Phishing Attacks (08/15/2018)
Researchers at Avanan say that a phishing attack targeting Office 365 customers is using SharePoint files to host phishing links. These malicious links enable attackers to harvest credentials for Office 365. "The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint," Avanan's Reece Guida said. She advised users to be alert to emails containing the words URGENT or ACTION REQUIRED in the subject line.
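As an added example, not code from Avanan or the original post, the following scanner follows links found in an email body one level deeper: when a link points at a SharePoint-hosted file, the file's own links are extracted and checked. The file-hosting suffixes, the allowlist of sign-in hosts, the `fetch_document` callback and the sample email are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed list of hosts whose links lead to user-uploaded files (second-level scan targets).
FILE_HOSTING_SUFFIXES = ("sharepoint.com", "onedrive.live.com", "1drv.ms")
# Assumed allowlist of legitimate Office 365 sign-in hosts; any other sign-in page is suspicious.
ALLOWED_SIGNIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
URGENCY_WORDS = ("URGENT", "ACTION REQUIRED")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_urls(text):
    return URL_RE.findall(text)


def host_matches(host, suffixes):
    # Exact match or a subdomain; avoids matching look-alikes such as "evil-sharepoint.com".
    return any(host == s or host.endswith("." + s) for s in suffixes)


def scan_email(subject, body, fetch_document):
    """Collect first-level URLs from the body and, for links to hosted files,
    the URLs inside those files. `fetch_document(url)` is a caller-supplied
    callable that returns the text of the hosted file (assumed interface)."""
    first = extract_urls(body)
    second = {}
    for url in first:
        if host_matches(urlparse(url).hostname or "", FILE_HOSTING_SUFFIXES):
            second[url] = extract_urls(fetch_document(url))
    urgent = any(w in subject.upper() for w in URGENCY_WORDS)
    return {"urgent_subject": urgent, "first_level": first, "second_level": second}


def suspicious_links(report):
    # Second-level links that are not on the sign-in allowlist are flagged for review.
    flagged = []
    for links in report["second_level"].values():
        for url in links:
            if not host_matches(urlparse(url).hostname or "", ALLOWED_SIGNIN_HOSTS):
                flagged.append(url)
    return flagged


# Constructed sample message: a SharePoint-hosted document whose text carries a fake sign-in link.
SAMPLE_SUBJECT = "ACTION REQUIRED: review shared invoice"
SAMPLE_DOC_URL = "https://contoso-my.sharepoint.com/personal/user/Documents/invoice.docx"
SAMPLE_BODY = "Hi, please open " + SAMPLE_DOC_URL + " today."
SAMPLE_DOCS = {SAMPLE_DOC_URL: "Sign in to view: https://office365-login.example.net/auth Thanks"}


def fake_fetch(url):
    return SAMPLE_DOCS.get(url, "")
```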
Princess Evolution Emerges as a Ransomware-as-a-Service (08/14/2018)
Trend Micro has observed a malvertising campaign via the Rig exploit kit delivering cryptocurrency-mining malware and the GandCrab ransomware. On August 1, Rig began dropping a new version of the Princess Locker ransomware called Princess Evolution. While analyzing ads in underground forums, the researchers discovered that Princess Evolution is being touted as a ransomware-as-a-service for purchase. The malvertising campaign is pushing Coinhive; it has been hosted on a free Web hosting service and used a domain name system canonical name (DNS CNAME) record to map the advertisement domain to a malicious Web page on that service.