Malware Watch - W/E - 083118
Abused IQY Files Exploited by Spam Campaign to Serve Up Malware (08/28/2018)
Trend Micro spotted increased abuse of the Internet query file format IQY and suspects that the simple structure of IQY files is being exploited to evade structure-based detection methods. The Cutwail botnet has been distributing spam mails abusing IQY files and targeting users in Japan through infections with the Bebloh or Ursnif malware.
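Because an IQY file is only a few lines of text (a WEB header, a version line, the URL Excel fetches, then optional settings), structure-based scanners have little to key on; the practical check is content-based triage of the URL. The following is an added example, not code from Trend Micro or from the original item; the sample file and the `intranet.example.com` allowlist entry are constructed for illustration.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed sample: a minimal .iqy attachment (WEB / version / URL / settings).
SAMPLE_IQY = "WEB\n1\nhttp://203.0.113.10/update.dat\nSelection=EntirePage\nFormatting=None\n"

def parse_iqy(text):
    """Parse an Internet Query file; return None if it lacks the WEB header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    settings = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            settings[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "settings": settings}

def triage_iqy(text, allowed_hosts=("intranet.example.com",)):
    """Content-based triage: the file structure is benign by design, so score the fetch URL instead.

    `allowed_hosts` is a hypothetical allowlist of hosts the organisation expects
    Excel web queries to talk to; anything else is treated as suspicious.
    """
    parsed = parse_iqy(text)
    if parsed is None:
        return {"is_iqy": False, "host": None, "reasons": [], "verdict": "not-iqy"}
    url = urlparse(parsed["url"])
    host = url.hostname or ""
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append("unexpected scheme: %s" % url.scheme)
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP literal as host")
    except ValueError:
        pass  # a hostname, not an IP literal
    if host and host not in allowed_hosts:
        reasons.append("host not on allowlist")
    if url.scheme == "http":
        reasons.append("cleartext fetch")
    verdict = "block" if reasons else "allow"
    return {"is_iqy": True, "host": host, "reasons": reasons, "verdict": verdict}
```

In a mail gateway this would run on every attachment whose name ends in `.iqy`, regardless of the declared MIME type, since the format has no magic bytes to match.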
AdvisorsBot Downloader Has Fingerprint Capabilities (08/27/2018)
Campaigns using the AdvisorsBot downloader as a first-stage payload are loading a fingerprinting module to further infect targets of interest with other types of malware. According to research conducted by Proofpoint, AdvisorsBot is in use by a threat entity called TA555 and is under active development. The malware was first seen in May and has been continually evolving.
Asacub Banking Trojan Is Back to Take Aim at Russian Banking Customers (08/28/2018)
Kaspersky Lab researchers analyzed a new variant of the Asacub mobile banking Trojan, which is designed to steal money from Android users connected to the mobile banking service of one of Russia's largest banks. Asacub is propagated via phishing SMS messages containing a link and an offer to view a photo or MMS. Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. If the user ignores or rejects the request, the window reopens every few seconds.
"BusyGasper" Malware Logs Keystrokes, Spies on Victims (08/29/2018)
Kaspersky Lab has identified "BusyGasper," an Android malware sample that listens in on devices, can bypass the Doze battery saver, log keystrokes, and exfiltrate data from messaging apps. BusyGasper has a multicomponent structure and can download a payload or updates from its command and control server, which is an FTP server belonging to the free Russian web hosting service Ucoz.
CEIDPageLock Browser Hijacker Distributed by RIG Exploit Kit (08/30/2018)
The RIG Exploit Kit is pushing out a rootkit called CEIDPageLock, a sophisticated browser hijacker. Although CEIDPageLock was known prior to this research conducted by Check Point Software, the malware has new functionality, including a capability that monitors user browsing and dynamically replaces the content of several popular Chinese Web sites with fake home pages, whenever the user tries to visit them. Based on the information obtained by Check Point, CEIDPageLock particularly targets Chinese victims.
Kaspersky Lab Reports on Botnet Activity for First Half of the Year (08/29/2018)
Multifunctional malware, which is not designed for a specific purpose but can handle a multitude of tasks, became widespread in the first half of 2018. This information comes from Kaspersky Lab's analysis of over 150 malware families and their modifications circulating through 60,000 botnets. The vendor identified njRAT, an easily modified backdoor, as the most widespread remote access Trojan (RAT) downloaded by bots during the period between January and June 2018.
Loki Bot Malware Found in New Spam Campaign (08/29/2018)
The Loki Bot malware has been spotted in a malicious campaign targeting corporate mailboxes. Loki Bot steals passwords and sends them to its malware owners. Kaspersky Lab's team uncovered this campaign.
Mirai Variants Emerge with the Ability to Infect Multiple Platforms (08/28/2018)
New Linux Mirai variants have been seen by the researchers at Symantec after a remote server hosting multiple malware samples was identified. The variants are robust and compatible with multiple architectures and devices, meaning that routers, IP cameras, and Android devices can be vulnerable. In a blog post, Dinesh Venkatesan said, "As with many Mirai infections, it starts by firing a shell script on a vulnerable device. That shell script sequentially tries downloading and executing individual executables one by one until a binary compliant with the current architecture is found."
RansomWarrior Can Be Decrypted, Thanks to Check Point Tool (08/30/2018)
Check Point Software's team of security researchers has released a decryption tool for the RansomWarrior ransomware. The encryption used by the ransomware is a stream cipher whose key is chosen at random from a list of 1,000 keys hard-coded in RansomWarrior's binary. Check Point was able to extract the keys and, since the chosen key's index is saved locally on the victim's computer, feed the correct key back to the ransomware itself in order to unlock the files.
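The design flaw described above (a finite hard-coded key table plus a locally stored index) is what makes recovery possible. The following is an added illustration, not Check Point's tool or RansomWarrior's actual cipher: the key table, the HMAC-SHA256 counter-mode keystream and the file contents are all constructed stand-ins. It also goes one step beyond the item by showing that even without the saved index, a 1,000-entry table is searchable given a known file header.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the 1,000 hard-coded keys extracted from the binary.
KEY_TABLE = [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(1000)]

def keystream(key, length):
    """Expand a key into `length` keystream bytes (toy counter-mode PRF, not the real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_stream(key, data):
    """Stream-cipher encrypt/decrypt: XOR data with the key's keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def encrypt_like_ransomwarrior(plaintext, index=None):
    """Model of the described scheme: pick a table index, return (ciphertext, saved_index).

    The index is what the ransomware leaves on the victim's disk.
    """
    if index is None:
        index = int.from_bytes(os.urandom(2), "big") % len(KEY_TABLE)
    return xor_stream(KEY_TABLE[index], plaintext), index

def recover_plaintext(ciphertext, saved_index, extracted_table=KEY_TABLE):
    """Decryptor: key table from the binary, index from the victim's machine."""
    if not 0 <= saved_index < len(extracted_table):
        raise ValueError("index outside the extracted key table")
    return xor_stream(extracted_table[saved_index], ciphertext)

def brute_force_index(ciphertext, known_prefix, extracted_table=KEY_TABLE):
    """Fallback if the saved index is lost: try all 1,000 keys against a known file header."""
    for i, key in enumerate(extracted_table):
        if xor_stream(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return i
    return None
```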
Urpage Threat Entity Connected to Other Threat Groups (08/29/2018)
Trend Micro's researchers have studied "Urpage," a new threat actor that shares similarities with the Confucius and Patchwork threat entities. Urpage targets InPage, a word processor for the Urdu and Arabic languages, and uses various malicious tools and techniques, including backdoors, iOS malware, downloaders, and more.