Malware Watch - W/E - 12/14/18
Blackmail Campaigns Shovel Out AZORult Info Stealer, GandCrab Ransomware (12/10/2018)
Proofpoint observed a sextortion campaign that included URLs linking to the AZORult stealer that ultimately led to infection with the GandCrab ransomware. This campaign involved thousands of messages sent to a variety of targets, primarily in the United States. A sample email follows the typical formula for these types of attacks but also includes a URL that purportedly takes recipients to a presentation showing them video of the compromising activities captured on their device. However, it actually leads to the AZORult stealer malware and eventually installs the GandCrab ransomware. Sextortion scams involve threat actors who send blackmail messages claiming to have compromising information about the recipient and threatening to expose a range of observed illicit activities.
Cobalt Group's ThreadKit Malware Receives a Stealthy Makeover (12/12/2018)
Researchers at Fidelis Cybersecurity have discovered a new version of ThreadKit, a malware used by the Cobalt Group. ThreadKit has been observed being delivered via a phishing email that contains an RTF Microsoft Office attachment with an evolved version of the exploit builder kit first uncovered in October 2017. The latest ThreadKit variant uses a macro delivery framework and stealth capabilities to hide from detection.
DanaBot Is Back Sporting Vicious Spam Features as It Partners with GootKit (12/10/2018)
The DanaBot operators have added new features to the banking Trojan to include email address harvesting and spam-sending capabilities, the research team at ESET has warned. The new capabilities have enabled DanaBot to expand its malicious campaign in Europe. In addition to the new features, the thieves behind DanaBot are cooperating with the criminals involved with the GootKit Trojan to distribute that malware.
Malicious App Siphons PayPal Funds, Bypasses 2FA (12/11/2018)
A banking Trojan with remote control features misuses Android Accessibility services to target users of the PayPal app, ESET's researchers have determined. The malware pretends to be a battery optimization tool and is distributed via third-party app stores. It requires the activation of a malicious Accessibility service and if the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens the PayPal app and logs in, the malicious accessibility service (if previously enabled by the user) steps in and mimics the user's clicks to send money to the attacker's PayPal address. The malware can bypass two-factor authentication.
New Version of Shamoon Malware May Be Prepping for Cyber Attacks (12/13/2018)
ThreatPost has reported that a new variant of the Shamoon data-wiping malware was uploaded to VirusTotal on December 10 and researchers suspect that attacks could be looming. Shamoon was first observed in 2012 infecting files on oil and gas computers in Saudi Arabia and overwriting the master boot record, rendering the systems useless. Four years later, Shamoon2 was seen destroying systems in Saudi Arabia again. The trigger date on the new Shamoon variant is December 7, 2017, but it is not known why it has not been spotted in any campaigns.
Operation Sharpshooter Targets Defense, Nuclear Industries (12/12/2018)
A global threat campaign, identified by McAfee as "Operation Sharpshooter," is responsible for targeting nuclear, defense, energy, and financial companies. This campaign leverages an in-memory implant to download and retrieve a second-stage implant dubbed "Rising Sun" for further exploitation. The Rising Sun implant uses source code from the Lazarus Group's 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. According to McAfee, even though Operation Sharpshooter has connections to Lazarus, these attacks cannot fully be attributed to Lazarus and instead may indicate a different threat group. The campaign masquerades as legitimate industry job recruitment activity and gathers information to monitor for potential exploitation. The Rising Sun implant appeared in 87 organizations across the globe, mostly in the US, between October and November. McAfee also published a blog post with additional information.
Old Bugs Exploited to Mine Cryptocurrency on Elasticsearch (12/12/2018)
The Elasticsearch Java-based search engine was attacked by a cryptocurrency miner that took advantage of known vulnerabilities. These bugs have all been previously patched but Trend Micro noted that the vulnerable versions are no longer supported by Elasticsearch.
SOHO Routers Victimized by Novidade EK (12/12/2018)
A new exploit kit called Novidade is targeting home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery, enabling attacks on a victim's mobile device or desktop through Web applications the victim is authenticated to. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted Web site traffic from all devices connected to the same router by resolving targeted domains to the IP address of their server. Trend Micro's research team discovered Novidade and published details about this threat.
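The pharming pattern described above leaves two observable traces on the victim side: the router starts handing out a DNS server that is neither itself nor a known public resolver, and several unrelated domains suddenly resolve to the same attacker-controlled address. The following is an added defender-side check, written for this digest and not taken from Trend Micro's research or from Novidade itself; the allowlist of resolvers, the LAN range, and the sample answer sets are all constructed assumptions, and a real deployment would feed in the resolver pushed by DHCP and live lookups against both the router resolver and a trusted one.

```python
"""Heuristic detection of router DNS hijacking / pharming (added example).

Two checks are combined:
  1. Is the DNS server the router hands out one we expect (the router itself
     on the LAN, or a known public resolver)?
  2. Do answers from that resolver disagree with a trusted resolver, and do
     several unrelated domains collapse onto a single unexpected IP?
"""
import ipaddress
from collections import defaultdict

# Assumed allowlist of public resolvers a SOHO router might legitimately push.
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def resolver_is_expected(dns_server: str, lan_cidr: str = "192.168.0.0/16") -> bool:
    """Accept the router itself (an address inside the LAN range) or a
    resolver on the allowlist; anything else is treated as suspect."""
    ip = ipaddress.ip_address(dns_server)
    if ip.is_private and ip in ipaddress.ip_network(lan_cidr):
        return True
    return dns_server in TRUSTED_RESOLVERS


def find_pharming(router_answers, trusted_answers, min_collisions=2):
    """Compare per-domain answers from the router-assigned resolver against
    answers from a trusted resolver.

    Returns (mismatched_domains, shared_ips): domains whose router answer
    contains an address the trusted resolver never returned, and the
    unexpected addresses that at least `min_collisions` domains share.
    Many unrelated domains resolving to one unexpected IP is the pharming
    signature, since a CDN-related difference would not look like that."""
    mismatched = []
    domains_by_ip = defaultdict(set)
    for domain, router_ips in router_answers.items():
        expected = set(trusted_answers.get(domain, ()))
        unexpected = set(router_ips) - expected
        if unexpected:
            mismatched.append(domain)
        for ip in unexpected:
            domains_by_ip[ip].add(domain)
    shared = {ip: sorted(doms) for ip, doms in domains_by_ip.items()
              if len(doms) >= min_collisions}
    return sorted(mismatched), shared


def audit(dns_server, router_answers, trusted_answers):
    """Combine both checks into one report dict."""
    mismatched, shared = find_pharming(router_answers, trusted_answers)
    return {
        "resolver_ok": resolver_is_expected(dns_server),
        "mismatched": mismatched,
        "shared_ips": shared,
        "suspect": (not resolver_is_expected(dns_server)) or bool(shared),
    }


# Constructed sample data: the router now pushes an off-LAN, unknown resolver,
# and two unrelated sites resolve to the same documentation-range address.
ROUTER_DNS = "203.0.113.53"
ROUTER_ANSWERS = {
    "bank.example": ["203.0.113.7"],
    "mail.example": ["203.0.113.7"],
    "news.example": ["198.51.100.20"],
}
TRUSTED_ANSWERS = {
    "bank.example": ["198.51.100.10"],
    "mail.example": ["198.51.100.11"],
    "news.example": ["198.51.100.20"],
}

if __name__ == "__main__":
    report = audit(ROUTER_DNS, ROUTER_ANSWERS, TRUSTED_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The collision check matters more than the raw mismatch list: content delivery networks routinely return different addresses to different resolvers, so a single disagreeing domain is weak evidence, whereas a bank, a webmail host and a shop all landing on one address that the trusted resolver never returned is the pattern a DNS-changing router attack produces.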
Spammy Messages Were Widely Used in 2018 to Victimize (12/11/2018)
Research from F-Secure points to spam as the most common method for cybercriminals to spread malware in 2018, accounting for nine out of every 10 infection attempts throughout the year. Roughly 69% of spam campaigns attempted to trick users into visiting malicious URLs and download a malware-laden file or commit another action that results in an infection. Malicious attachments were used in the remaining 31% of campaigns.
Threat Analysis Finds Cybercriminals Gave Thanks for Emotet in November (12/10/2018)
The Check Point Software Global Threat Index for November 2018 noted that Thanksgiving was fodder for cyber thieves as they spread the Emotet botnet in several holiday-themed campaigns. Some of these involved sending malware-laced messages in the guise of Thanksgiving e-cards. The top three most wanted malware families for the month were Coinhive, Cryptoloot, and Andromeda, while Triada, Hiddad, and Lokibot topped the list for the most wanted mobile malware.