Malware Watch - W/E - 11/30/18
BLADABINDI/njRAT Backdoor Affects Removable Media (11/27/2018)
Trend Micro spotted a worm, which has been detected as a variant of BLADABINDI (also known as njRAT), that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor. It's not known how this malicious file ends up on a system but it may enter through removable drives. BLADABINDI uses AutoIt (the FileInstall command) to compile the payload and the main script into a single executable, which can make the backdoor difficult to detect.
Trend Micro spotted a worm, which has been detected as a variant of BLADABINDI (also known as njRAT), that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor. It's not known how this malicious file ends up on a system but it may enter through removable drives. BLADABINDI uses AutoIt (the FileInstall command) to compile the payload and the main script into a single executable, which can make the backdoor difficult to detect.
Cryptocurrency Attacks Shot Up in 2018 and Show No Signs of Stopping (11/28/2018)
Cryptomining attacks soared 83% from 2017 and over five million people were attacked with cryptocurrency mining malware in the first three quarters of 2018, compared to 2.7 million people over the same period in 2017. This information comes from a new Kaspersky Lab report, which also noted that the share of miners detected out of the overall number of threats detected grew from 5% in 2017 to 8% in 2018.
Cryptomining attacks soared 83% from 2017 and over five million people were attacked with cryptocurrency mining malware in the first three quarters of 2018, compared to 2.7 million people over the same period in 2017. This information comes from a new Kaspersky Lab report, which also noted that the share of miners detected out of the overall number of threats detected grew from 5% in 2017 to 8% in 2018.
Injected Script Mined Cryptocurrency from Make-a-Wish Foundation Web Site (11/20/2018)
The Make-a-Wish Foundation's Web site was compromised and was used to serve up a cryptojacking script so that criminals could steal Monero funds given by donors to help sick children. The CoinIMP script (check.js), a cryptojacking malware, was injected into the charity's site and was loaded from the drupalupdates.tk domain, which is part of a campaign that has been exploiting the Drupalgeddon 2 bug in the wild since May. The injected script has since been removed from the Make-a-Wish site. Trustwave published details regarding the compromise of the charity's site.
The Make-a-Wish Foundation's Web site was compromised and was used to serve up a cryptojacking script so that criminals could steal Monero funds given by donors to help sick children. The CoinIMP script (check.js), a cryptojacking malware, was injected into the charity's site and was loaded from the drupalupdates.tk domain, which is part of a campaign that has been exploiting the Drupalgeddon 2 bug in the wild since May. The injected script has since been removed from the Make-a-Wish site. Trustwave published details regarding the compromise of the charity's site.
Lazarus Group Mounts Heists on Financial Institutions (11/20/2018)
The Lazarus threat entity has been hitting ATMs in Africa and Asia to steal funds from and Trend Micro has also spotted the group planting a backdoor on several machines of financial institutions in Latin America. The backdoor malware was installed in September and has multiple capabilities, including deleting files, utilizing a proxy, and running in passive mode.
The Lazarus threat entity has been hitting ATMs in Africa and Asia to steal funds from and Trend Micro has also spotted the group planting a backdoor on several machines of financial institutions in Latin America. The backdoor malware was installed in September and has multiple capabilities, including deleting files, utilizing a proxy, and running in passive mode.
Node.js Module "flatmap-stream" Considered Malicious (11/27/2018)
Version 0.1.1 of the flatmap-stream module for Node.js is considered malicious, according to an advisory released by the NPM Project. The advisory warns, "This package runs an encrypted payload that we currently do not have further information on. If you happen to find this package in your environment you should respond as if the system was compromised."
Version 0.1.1 of the flatmap-stream module for Node.js is considered malicious, according to an advisory released by the NPM Project. The advisory warns, "This package runs an encrypted payload that we currently do not have further information on. If you happen to find this package in your environment you should respond as if the system was compromised."
Outlaw Group Exploits Microsoft RDP for Malicious Purposes (11/20/2018)
Trend Micro has issued follow-up analysis to its observance of the Outlaw advanced persistent threat group that uses an Internet Relay Chat bot. The new details cover a host part of the botnet operated by the group, which was found attempting to run a script on Trend Micro's Internet of Things honeypot. The attacking bot used a tool called "haiduc" to search the Internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. The script used in the first version of Outlaw's bot has two functionalities: the miner and Haiduc-based dropper. The second variant of the code, distributed by the bot, was mainly designed to brute force and further exploit the Microsoft Remote Desktop Protocol and cloud administration cPanel in order to escalate the privileges.
Trend Micro has issued follow-up analysis to its observance of the Outlaw advanced persistent threat group that uses an Internet Relay Chat bot. The new details cover a host part of the botnet operated by the group, which was found attempting to run a script on Trend Micro's Internet of Things honeypot. The attacking bot used a tool called "haiduc" to search the Internet for systems to attack, which it does by taking advantage of a common command injection vulnerability. The script used in the first version of Outlaw's bot has two functionalities: the miner and Haiduc-based dropper. The second variant of the code, distributed by the bot, was mainly designed to brute force and further exploit the Microsoft Remote Desktop Protocol and cloud administration cPanel in order to escalate the privileges.
POS Feature in TrickBot Adds a New Layer of Stealth (11/27/2018)
The TrickBot Trojan has a new point-of-sale (POS) malware feature that scans for indicators if an infected computer is connected to a network that supports POS services and machines. Trend Micro's scientists have been assessing this feature, called psfin32. They stated in a blog post, "We're currently investigating how the malware authors could leverage this information, given that they have successfully infiltrated the network with POS-related services installed but stop short of getting specific data such as credit card, ATM, or other banking-related information. It's possible that the cyber actors are gathering information at this stage in preparation for future intrusions."
The TrickBot Trojan has a new point-of-sale (POS) malware feature that scans for indicators if an infected computer is connected to a network that supports POS services and machines. Trend Micro's scientists have been assessing this feature, called psfin32. They stated in a blog post, "We're currently investigating how the malware authors could leverage this information, given that they have successfully infiltrated the network with POS-related services installed but stop short of getting specific data such as credit card, ATM, or other banking-related information. It's possible that the cyber actors are gathering information at this stage in preparation for future intrusions."
Rotexy Banking Trojan Evolves from Spyware to Include Ransomware Capabilities (11/27/2018)
A mobile Trojan from the Rotexy banking family launched more than 70,000 attacks in the three month period from August until late October. Kaspersky Lab tracked the movement of the malware, which attacked primarily in Russia, and found that Rotexy evolved from spyware first spotted in 2014 and has transformed to encompass ransomware features as well as that of a banking Trojan.
A mobile Trojan from the Rotexy banking family launched more than 70,000 attacks in the three month period from August until late October. Kaspersky Lab tracked the movement of the malware, which attacked primarily in Russia, and found that Rotexy evolved from spyware first spotted in 2014 and has transformed to encompass ransomware features as well as that of a banking Trojan.
Sofacy/APT28 Entity Debuts Cannon Trojan in Global Attack Campaign (11/20/2018)
The Sofacy (also known as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium) threat group has been using weaponized documents to load macro-laced remote templates in a campaign targeting several government entities around the globe. Analysis by Palo Alto Networks revealed a consistent first-stage payload of the Zebrocy Trojan. Additional collection of related documents showed a second first-stage payload called "Cannon" that has not been previously seen. Cannon uses an email-based command and control communication channel. It is written in C# and functions primarily as a downloader.
The Sofacy (also known as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium) threat group has been using weaponized documents to load macro-laced remote templates in a campaign targeting several government entities around the globe. Analysis by Palo Alto Networks revealed a consistent first-stage payload of the Zebrocy Trojan. Additional collection of related documents showed a second first-stage payload called "Cannon" that has not been previously seen. Cannon uses an email-based command and control communication channel. It is written in C# and functions primarily as a downloader.
Trend Micro Says Same Threat Actor Is Behind XLoader and FakeSpy (11/27/2018)
Research from Trend Micro shows a correlation between the XLoader and FakeSpy malware families and the vendor has pointed out that they appear to be operated by the same threat actor. XLoader has been disguised as a legitimate app of a major Japanese home delivery service and typically FakeSpy variants masquerade this way to steal user data. Upon further analysis, the researchers noticed that XLoader and FakeSpy both use the same ecosystem to deploy malware. So far, 126 domains used to deploy malware are being shared by both variants. The Yanbian Gang, a Chinese cybercriminal group infamous for stealing money from account holders of South Korean banks, is believed to be behind both XLoader and FakeSpy.
Research from Trend Micro shows a correlation between the XLoader and FakeSpy malware families and the vendor has pointed out that they appear to be operated by the same threat actor. XLoader has been disguised as a legitimate app of a major Japanese home delivery service and typically FakeSpy variants masquerade this way to steal user data. Upon further analysis, the researchers noticed that XLoader and FakeSpy both use the same ecosystem to deploy malware. So far, 126 domains used to deploy malware are being shared by both variants. The Yanbian Gang, a Chinese cybercriminal group infamous for stealing money from account holders of South Korean banks, is believed to be behind both XLoader and FakeSpy.