Malware Watch - W/E - 12/21/18
Companies Should Be Aware of Quasar RAT (12/18/2018)
Advanced persistent threat actors are using Quasar, a legitimate open-source remote administration tool (RAT) to facilitate network exploitation and the US-CERT has posted an analysis report to provide information. Quasar is a RAT for Windows operating systems and is written in the C# programming language.
Advanced persistent threat actors are using Quasar, a legitimate open-source remote administration tool (RAT) to facilitate network exploitation and the US-CERT has posted an analysis report to provide information. Quasar is a RAT for Windows operating systems and is written in the C# programming language.
Fake Wallpaper Apps Delivered Click Ad Scheme (12/19/2018)
Trend Micro detected 15 wallpaper apps in Google Play committing click ad fraud. The apps were collectively downloaded from Play more than 222,200 times and Italy, Taiwan, the United States, Germany, and Indonesia had the most infections recorded. Google has since removed all of the apps.
Trend Micro detected 15 wallpaper apps in Google Play committing click ad fraud. The apps were collectively downloaded from Play more than 222,200 times and Italy, Taiwan, the United States, Germany, and Indonesia had the most infections recorded. Google has since removed all of the apps.
Four Vicious Malware Families Share Common Link: A Similar Loader (12/18/2018)
The scientists at Trend Micro think they have found a connection between the Emotet, Ursnif, Dridex, and BitPaymer malware families. According to the research, each family has a similar loader. In fact, the four payload decryption procedures were identical in data structures' overview on the way they decrypted the actual portable executable (PE) payloads. Additionally, the internal data structure of the four malware families were the same. Trend Micro says it is possible that the four malware families' gangs are in contact with the weapon providers for PE loaders.
The scientists at Trend Micro think they have found a connection between the Emotet, Ursnif, Dridex, and BitPaymer malware families. According to the research, each family has a similar loader. In fact, the four payload decryption procedures were identical in data structures' overview on the way they decrypted the actual portable executable (PE) payloads. Additionally, the internal data structure of the four malware families were the same. Trend Micro says it is possible that the four malware families' gangs are in contact with the weapon providers for PE loaders.
Malicious Memes Found Communicating with Malware (12/17/2018)
Cybercriminals are concealing malware in memes as a method to infect machines yet remain undetected. Trend Micro observed two malicious memes on a Twitter account in October. The memes contain an embedded command that is parsed by the malware after it's downloaded from the malicious Twitter account onto the victim's machine, acting as a command and control service for the already- placed malware. Researcher Muhammad Bohio said, "This new threat is notable because the malware's commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled."
Cybercriminals are concealing malware in memes as a method to infect machines yet remain undetected. Trend Micro observed two malicious memes on a Twitter account in October. The memes contain an embedded command that is parsed by the malware after it's downloaded from the malicious Twitter account onto the victim's machine, acting as a command and control service for the already- placed malware. Researcher Muhammad Bohio said, "This new threat is notable because the malware's commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled."
McAfee Shares Details of Latest Shamoon Variant (12/17/2018)
McAfee researchers have analyzed the newest Shamoon malware variant and determined that the wiper may be in a beta phase due to various vulnerabilities that have been identified. The wiping component has been designed to target all files on the system by overwriting files with garbage data; overwriting with a file used in previous Shamoon versions; and encrypting the files and master boot record. According to the research team, the new variant's functionality indicates modular development that enables the wiper to be used by malware droppers other than Shamoon.
McAfee researchers have analyzed the newest Shamoon malware variant and determined that the wiper may be in a beta phase due to various vulnerabilities that have been identified. The wiping component has been designed to target all files on the system by overwriting files with garbage data; overwriting with a file used in previous Shamoon versions; and encrypting the files and master boot record. According to the research team, the new variant's functionality indicates modular development that enables the wiper to be used by malware droppers other than Shamoon.
Ryuk Ransomware Debuts with Used Code and Tactics (12/18/2018)
Sophos researchers say that a new ransomware known as Ryuk appears to have code used by the Hermes ransomware along with a few other similar features. Ryuk gains access to victim machines via weak Remote Desktop Protocol passwords; escalates privileges until it becomes an administrator; uses that privilege to overcome antivirus software; spreads widely before encrypting victim files; leaves notes demanding ransom payments; and waits for victims to make email contact. Ryuk also writes the string HERMES into the encrypted files, so that it can identify which files it has already encrypted.
Sophos researchers say that a new ransomware known as Ryuk appears to have code used by the Hermes ransomware along with a few other similar features. Ryuk gains access to victim machines via weak Remote Desktop Protocol passwords; escalates privileges until it becomes an administrator; uses that privilege to overcome antivirus software; spreads widely before encrypting victim files; leaves notes demanding ransom payments; and waits for victims to make email contact. Ryuk also writes the string HERMES into the encrypted files, so that it can identify which files it has already encrypted.
Sofacy's Zebrocy Trojan Emerges as a Go Language Variant (12/18/2018)
The Russian-linked threat group Sofacy (also known as Sednit, Fancy Bear, and APT28) is continuing to carry out attacks with its malicious Zebrocy tool, which is now available in the Go language. Palo Alto Networks observed the new Zebrocy variant and said it's possible that this version was created to make the malware more difficult to detect. However, Zebrocy is available in multiple programming languages. Two attacks have used the Go version of Zebrocy, including one that delivered a spear phishing email with an LNK shortcut attachment.
The Russian-linked threat group Sofacy (also known as Sednit, Fancy Bear, and APT28) is continuing to carry out attacks with its malicious Zebrocy tool, which is now available in the Go language. Palo Alto Networks observed the new Zebrocy variant and said it's possible that this version was created to make the malware more difficult to detect. However, Zebrocy is available in multiple programming languages. Two attacks have used the Go version of Zebrocy, including one that delivered a spear phishing email with an LNK shortcut attachment.
Sophisticated Features Make LCG Kit A Fearsome Malware (12/17/2018)
While tracking the LCG Kit, a weaponized document builder service, Proofpoint observed it using a known Microsoft Equation Editor exploit in various forms. The LCG Kit authors have integrated a VB Script exploit, which has been used in limited email campaigns, and in late November added the ability to use Microsoft Word macros instead of exploits to load the shellcode responsible for installing malware payloads. The LCG Kit has code that is highly obfuscated using polymorphic shellcode and a Linear Congruential Generator (LCG) -- an algorithm to generate a sequence of pseudorandom numbers -- to encrypt the final stage of the code, including the payload locations. Proofpoint's team suspects that this malware may be selling on the dark underground since it has become widespread in a number of email campaigns.
While tracking the LCG Kit, a weaponized document builder service, Proofpoint observed it using a known Microsoft Equation Editor exploit in various forms. The LCG Kit authors have integrated a VB Script exploit, which has been used in limited email campaigns, and in late November added the ability to use Microsoft Word macros instead of exploits to load the shellcode responsible for installing malware payloads. The LCG Kit has code that is highly obfuscated using polymorphic shellcode and a Linear Congruential Generator (LCG) -- an algorithm to generate a sequence of pseudorandom numbers -- to encrypt the final stage of the code, including the payload locations. Proofpoint's team suspects that this malware may be selling on the dark underground since it has become widespread in a number of email campaigns.
Trend Micro Assesses Old Implant from Shadow Brokers Dump (12/17/2018)
Trend Micro analyzed Tildeb, an implant that was in the Shadow Brokers' dumped trove of hacking tools from 2017 but received virtually no attention at that time. Tildeb is a standalone implant that targets Windows NT 4.0 and Microsoft Exchange Server, has a timestamp of October 3, 2000, can take command-line arguments, and has specific behaviors and routines for terminating and deleting itself to stay hidden. It is possible that Tildeb could be related to an unknown exploitation framework or some other tool that works in conjunction with it, but it isn't known how it ends up on a system.
Trend Micro analyzed Tildeb, an implant that was in the Shadow Brokers' dumped trove of hacking tools from 2017 but received virtually no attention at that time. Tildeb is a standalone implant that targets Windows NT 4.0 and Microsoft Exchange Server, has a timestamp of October 3, 2000, can take command-line arguments, and has specific behaviors and routines for terminating and deleting itself to stay hidden. It is possible that Tildeb could be related to an unknown exploitation framework or some other tool that works in conjunction with it, but it isn't known how it ends up on a system.
WordPress Sites Tainted by SEO Injection Malware (12/19/2018)
Sucuri warned of SEO spam injections affecting WordPress sites. Two unrelated sites were found hosting SEO spam with conditional redirects to sketchy looking external domains. The malware samples have the ability to add hidden links for indexing by search engines and intercept particular requests to the site and redirected site visitors to spam content.
Sucuri warned of SEO spam injections affecting WordPress sites. Two unrelated sites were found hosting SEO spam with conditional redirects to sketchy looking external domains. The malware samples have the ability to add hidden links for indexing by search engines and intercept particular requests to the site and redirected site visitors to spam content.