Malware Watch - W/E - 092818

Adwind RAT Lurking in Spam Campaign Takes Aim at Linux, Windows, OS X (09/24/2018)
Cisco's Talos researchers, along with fellow researchers at cybersecurity firm ReversingLabs, say that a recently uncovered spam campaign is spreading the Adwind 3.0 remote access tool and targeting Linux, Windows, and Mac OS X. This campaign appears to be a version of the Dynamic Data Exchange code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs detailed the malware and campaign in its own post.

Banking Trojan Stole Credentials, Found Hiding on Google Play (09/26/2018)
Security researcher Lukas Stefanko warned that a banking Trojan found on Google Play had the capability to steal victims' banking credentials and bypass SMS two-factor authentication, and targeted German, Polish, and Czech banks. The Trojan impersonated QRecorder, an app that records phone calls, and had been installed over 10,000 times.

Cryptojacking, JavaScript Malware Increased Their Threat Reach in Q2 (09/25/2018)
As detailed in the McAfee Labs Threats Report for September, coin mining malware was up 86% in the second quarter of 2018 with more than 2.5 million new samples. Ransomware accounted for 990,000 new samples for this period. After decreasing significantly during the last three quarters, JavaScript malware increased by 204% in Q2, with more than seven million new samples.

Despite Warning, Some Crypto Mining Apps Remain on Google Play (09/25/2018)
Sophos found 25 apps on Google Play that appeared to be games, utilities, and educational apps but were actually cryptocurrency miners. These apps had been downloaded and installed more than 120,000 times. Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero. Sophos notified Google, and while some of the apps were removed from Play, many of them remain available for download.

Legitimate RATs Found Bundled in Industrial Control System Software (09/24/2018)
Nearly 32% of industrial control system (ICS) computers running Kaspersky Lab software have legitimate remote administration tools (RATs) installed on them. Research from Kaspersky found that almost 19% of RATs come bundled with ICS software by default - meaning that system administrators are not aware that these malicious files are on their networks.

Sednit/Sofacy Threat Group Distributes LoJax UEFI Rootkit (09/27/2018)
A malicious campaign used by the Sednit (also known as Sofacy, Fancy Bear, and APT28) advanced persistent threat group is deploying a Unified Extensible Firmware Interface (UEFI) rootkit on the victim's system. This malware is called LoJax and has been used to target several organizations in the Balkans and Central and Eastern Europe. ESET published its research regarding LoJax.

Sophisticated Capabilities Identified in VPNFilter Malware (09/26/2018)
Cisco's Talos researchers published further details regarding VPNFilter, a multi-stage, modular framework that has infected hundreds of thousands of network devices. Seven more third-stage VPNFilter modules have given the malware improved functionality - including the ability to exploit endpoint devices from footholds on compromised network devices, data filtering, and multiple encrypted tunneling capabilities to mask command and control and data exfiltration traffic. Talos began sharing its research information on VPNFilter in May.

Symantec Warns that Formjacking Attacks Are on the Rise (09/25/2018)
Symantec has seen an increase in formjacking attacks, which have included the Magecart entity targeting such companies as British Airways, Feedify, and Newegg. Formjacking describes the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of ecommerce sites. Symantec has blocked almost a quarter of a million instances of attempted formjacking since mid-August.
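Formjacking relies on a script the site owner never intended to load on the checkout page, so one basic defensive check is to audit the scripts a checkout page actually references against an allowlist. The following is an added illustration, not code from Symantec or from any of the named companies; the allowlisted hosts, the sample checkout HTML and the unknown hostname are all constructed placeholders.

```javascript
// Added example (not from the Symantec report): audit the <script> tags of a
// checkout page against an allowlist of first-party hosts, flagging scripts from
// unlisted origins, allowlisted scripts without Subresource Integrity, and inline
// scripts that deserve review. Hosts and HTML below are constructed for illustration.

const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// Constructed sample checkout page: two expected scripts, one script from an
// unknown host (placeholder name), and one inline script.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-AAA"></script>
<script src="https://shop.example/js/app.js"></script>
<script src="https://static.unknown-cdn.invalid/jquery-min.js"></script>
<script>document.getElementById('payment').addEventListener('submit', () => {});</script>
</body></html>`;

// Returns a list of findings: { kind, detail } for every script worth a look.
function auditScripts(html, allowedHosts) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) {
      // Inline script: record a short prefix so a reviewer can locate it.
      findings.push({ kind: "inline", detail: m[2].trim().slice(0, 60) });
      continue;
    }
    let host;
    try {
      host = new URL(srcMatch[1], "https://shop.example/").hostname;
    } catch {
      findings.push({ kind: "unparseable", detail: srcMatch[1] });
      continue;
    }
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    if (!allowedHosts.has(host)) {
      findings.push({ kind: "unlisted-host", detail: host });
    } else if (!hasIntegrity) {
      // Allowlisted host but no SRI hash, so a modified file would load unnoticed.
      findings.push({ kind: "no-sri", detail: host });
    }
  }
  return findings;
}
```

Run against a copy of the live checkout HTML, any "unlisted-host" finding is the signal to investigate; "no-sri" and "inline" findings are review items rather than alerts.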

USBs/Removable Media Help Spread Crypto Miners, Other Exploits (09/25/2018)
Kaspersky Lab reported that USB devices and removable media are being used to infect systems with cryptocurrency miners. Trojan.Win64.Miner.all is the most popular bitcoin miner spread via USB devices and is growing by around one-sixth year-on-year. Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016. Stuxnet, the 2010 exploit that targeted Iran's nuclear systems, remains one of the top 10 malicious exploits spread via removable media.

Viro Botnet Also Has Ransomware Functionality to Inflict Damage (09/24/2018)
The Viro botnet, which combines ransomware and botnet capabilities, has been infecting victims in the US. According to Trend Micro, once the malware invades a machine, it becomes part of a spam email botnet that distributes the ransomware to more victims. The Viro botnet is not associated with any known ransomware families.