Malware Watch - W/E - 12/6/18
CARROTBAT Uses Malicious Files to Take Aim at Southeast Asia (12/05/2018)
Palo Alto Networks uncovered a campaign leveraging a customized dropper that delivers lure documents primarily pertaining to the South Korea and North Korea region. The lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events. Based on strings observed within the dropper, the researchers have dubbed this malware family "CARROTBAT." There have been 29 unique CARROTBAT samples identified, containing a total of 12 confirmed unique decoy documents.
Double Dipping: Magecart Steals from Customers, Site Administrators in VisionDirect Breach (12/05/2018)
A data breach that hit VisionDirect, a UK-based online optical retailer, is the work of the Magecart threat group, and RiskIQ researchers say that the group has added enhancements to its malware. The November VisionDirect breach swiped customer data using a digital skimmer, but the Magecart group included a new feature that enabled it to also steal credentials from site administrators.
Fake Fitness Apps Steal Money from Apple Users (12/05/2018)
Multiple apps posing as fitness-tracking tools were caught misusing Apple's Touch ID feature to steal money from iOS users. The payment mechanism used by the apps is activated while victims are scanning their fingerprints, seemingly for fitness-tracking purposes. The fake apps, Fitness Balance and Calories Tracker, claimed to help users maintain their fitness goals, but also requested fingerprint scans, which led to a pop-up showing a payment demand. ESET researchers, who analyzed the malware, said, "This pop-up is only visible for about a second, however, if the user has a credit or debit card directly connected to an Apple account, the transaction is considered verified and money is wired to the operator behind these scams."
Feds Issue Alert, Mitigation Methods for SamSam Ransomware (12/03/2018)
The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the FBI issued an alert to inform network defenders about SamSam ransomware. SamSam targets multiple industries, including critical infrastructure, and has victimized entities predominantly in the US, but also in other countries. The alert shares analysis of the vulnerabilities that the actors exploit to deploy this ransomware and provides recommendations for prevention and mitigation.
Formjacking Method Steals Payment Card Data from Shopping Sites (12/05/2018)
Symantec provided insight into a new campaign that uses formjacking, a technique in which malicious JavaScript code steals credit card details and other information from payment forms on the checkout Web pages of ecommerce sites. The researchers noticed popular shopping sites from different countries loading code from a site in Paris; that site collected payment card data and posted it to a typosquatted domain imitating a legitimate Google Analytics domain. As a result, card data from shoppers in several countries was being skimmed at once through the single Paris-based site.
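The Magecart skimmer above and this formjacking campaign share the same tell: a script on a payment or admin page sends form contents to a third-party host, often one that mimics a legitimate analytics domain. The following is an added example, not code from Symantec, RiskIQ, or the campaigns they describe: an offline audit of outbound requests recorded from a checkout page (for instance, exported from browser developer tools or an intercepting proxy) that flags lookalikes of trusted analytics domains and request bodies carrying a Luhn-valid card number or a password field. The trusted-domain list, the lookalike host google-analytlcs.com, the host cdn-stats.example, and every request body are constructed placeholders, not indicators from either report.

```javascript
// Added example (not from the page, Symantec, or RiskIQ): audit recorded
// outbound requests from a checkout/admin page for skimmer behaviour.
// Domains and bodies below are constructed placeholders.

const TRUSTED_DOMAINS = ['google-analytics.com', 'googletagmanager.com'];

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),        // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Naive split into second-level label and TLD. Assumption: no multi-label
// public suffixes such as co.uk; real code should use the Public Suffix List.
function splitDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return { sld: labels[labels.length - 2] || '', tld: labels[labels.length - 1] || '' };
}

// Returns 'trusted', 'lookalike:<trusted domain>' or 'unknown'.
function classifyDestination(url, trusted = TRUSTED_DOMAINS) {
  const { sld, tld } = splitDomain(new URL(url).hostname);
  for (const t of trusted) {
    const ref = splitDomain(t);
    if (sld === ref.sld && tld === ref.tld) return 'trusted';
  }
  for (const t of trusted) {
    const ref = splitDomain(t);
    // Same name on another TLD, or within two edits of the trusted name.
    if (sld === ref.sld || levenshtein(sld, ref.sld) <= 2) return `lookalike:${t}`;
  }
  return 'unknown';
}

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A 13-19 digit run (spaces or dashes allowed) that passes Luhn is treated
// as a primary account number.
function carriesCardNumber(body) {
  const runs = body.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, '')));
}

// Password-looking keys in form-encoded or JSON bodies (admin login theft).
function carriesCredentials(body) {
  return /\b(pass|password|passwd|pwd)\b["']?\s*[=:]/i.test(body);
}

function auditRequests(requests, trusted = TRUSTED_DOMAINS) {
  return requests.map(({ url, body }) => {
    const destination = classifyDestination(url, trusted);
    const cardNumber = carriesCardNumber(body);
    const credentials = carriesCredentials(body);
    // Sensitive data leaving the page, or a lookalike destination at all,
    // is the skimmer signature worth a human look.
    const alert = cardNumber || credentials || destination.startsWith('lookalike:');
    return { url, destination, cardNumber, credentials, alert };
  });
}

// Constructed sample: a normal analytics beacon, a skimmer beacon to a
// lookalike host carrying a standard test card number, and an admin login
// form posted to an unrelated host.
const SAMPLE_REQUESTS = [
  { url: 'https://www.google-analytics.com/collect', body: 'v=1&tid=UA-12345-1&cid=555.123&t=pageview' },
  { url: 'https://google-analytlcs.com/collect', body: '{"cc":"4111 1111 1111 1111","exp":"12/20","cvv":"123"}' },
  { url: 'https://cdn-stats.example/admin', body: 'username=admin&password=hunter2' },
];

for (const r of auditRequests(SAMPLE_REQUESTS)) console.log(JSON.stringify(r));
```

Two caveats a practitioner would want: the domain split ignores multi-label public suffixes, and Luhn alone will occasionally accept a long numeric identifier, so treat the card-number flag as a triage signal. Detection like this is a backstop; on a real checkout page the preventive controls are a Content-Security-Policy with tight connect-src and form-action directives and Subresource Integrity on every third-party script.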
Newly Discovered OpenSSH-Based Malware Has Backdoor Capabilities (12/05/2018)
ESET researchers discovered 21 previously undocumented Linux malware families built on modified OpenSSH binaries. Of those 21 families, 18 include a credential-stealing feature and 17 have a backdoor mode.
Number of Backdoors Increased 44% in the Past Year (12/04/2018)
The number of backdoors detected by Kaspersky Lab technologies in 2018 rose 44%, according to the company's latest report. The report also found that the overall volume of ransomware increased by 43% and 30% of computers encountered at least one online malicious threat in 2018. Detections of backdoors rose from 2,272,341 in 2017 to 3,263,681 in 2018; ransomware was up from 2,198,130 detections in 2017 to 3,133,513 in 2018.
Pay-Per-Install Developer Stealthily Hits Victims with Installers (12/04/2018)
A pay-per-install developer called WakeNet AB is responsible for spreading prevalent adware such as Adware-Wajam and Linkury. McAfee has determined that this developer has been active for nearly two decades and uses deceptive techniques to convince users to execute its installers. WakeNet AB's FileCapital tools are responsible for installing some of the most prevalent potentially unwanted program (PUP) families. McAfee issued a report with additional information about this threat.
Turkish Organizations Threatened by New MuddyWater Campaign (12/05/2018)
Research from Trend Micro shows the MuddyWater campaign using new documents to target Turkish entities. The files drop a new backdoor written in PowerShell, and command-and-control communication and data exfiltration are carried out through the API of a cloud file hosting provider. In this campaign, Turkish government organizations related to the finance and energy sectors were targeted.