Malware Watch - W/E - 01/11/19
Fake Fonts Used in Phishing Scam Targeting Major Bank (01/08/2019)
Proofpoint researchers observed a phishing kit with encoding utilized in a credential harvesting scheme impersonating a major retail bank. The technique appears to be unique due to its use of Web fonts to implement the encoding. By developing a phishing template that uses a custom Web font to deliver a substitution cypher, among other techniques, the criminals render well-crafted phishing pages.
Proofpoint researchers observed a phishing kit with encoding utilized in a credential harvesting scheme impersonating a major retail bank. The technique appears to be unique due to its use of Web fonts to implement the encoding. By developing a phishing template that uses a custom Web font to deliver a substitution cypher, among other techniques, the criminals render well-crafted phishing pages.
Mobile Spyware Found Hidden in Google Play Apps (01/03/2019)
A spyware masquerading as a legitimate apps was discovered on Google Play by researchers at Trend Micro. Some of the malicious apps had been downloaded over 100,000 times. All six of the apps have been removed by Google. The malware, MobSTSPY, is capable of stealing information including user location, SMS conversations, call logs, and clipboard items
A spyware masquerading as a legitimate apps was discovered on Google Play by researchers at Trend Micro. Some of the malicious apps had been downloaded over 100,000 times. All six of the apps have been removed by Google. The malware, MobSTSPY, is capable of stealing information including user location, SMS conversations, call logs, and clipboard items
New Vidar Malware Pushes Out Vicious GandCrab Payload (01/09/2019)
A malicious advertising campaign is using the Vidar malware to steal information from browser histories and cryptocurrency wallets and capture instant messages and the GandCrab ransomware as the final payload. According to Malwarebytes, a malvertising chain leads to the Fallout exploit kit and Vidar, which was first described by a third-party researcher in December. It then serves up GandCrab as part of Vidar's loader feature.
A malicious advertising campaign is using the Vidar malware to steal information from browser histories and cryptocurrency wallets and capture instant messages and the GandCrab ransomware as the final payload. According to Malwarebytes, a malvertising chain leads to the Fallout exploit kit and Vidar, which was first described by a third-party researcher in December. It then serves up GandCrab as part of Vidar's loader feature.
NRSMiner Utilizes EternalBlue Exploit to Launch Attacks (01/03/2019)
A new version of the NRSMiner cryptominer, which uses the EternalBlue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia, the research team at F-Secure has reported. In addition to downloading a cryptocurrency miner onto an infected machine, NRSMiner can download updated modules and delete the files and services installed by its own previous versions. EternalBlue is one of the exploits that was stolen from the National Security Agency (NSA) by the Shadow Brokers and dumped publicly online.
A new version of the NRSMiner cryptominer, which uses the EternalBlue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia, the research team at F-Secure has reported. In addition to downloading a cryptocurrency miner onto an infected machine, NRSMiner can download updated modules and delete the files and services installed by its own previous versions. EternalBlue is one of the exploits that was stolen from the National Security Agency (NSA) by the Shadow Brokers and dumped publicly online.
Ryuk's December Attacks Possibly Connected to Cybercrime Gang (01/10/2019)
McAfee's team of researchers investigated the outbreak of the Ryuk ransomware that targeted newspaper printing services in late December. According to the group's assessment, the Ryuk attacks can likely be attributed to a cybercrime operation developed from a tool kit offered by a Russian-speaking actor.
McAfee's team of researchers investigated the outbreak of the Ryuk ransomware that targeted newspaper printing services in late December. According to the group's assessment, the Ryuk attacks can likely be attributed to a cybercrime operation developed from a tool kit offered by a Russian-speaking actor.
Sednit/Fancy Bear/APT28 Spotted Using UEFI Rootkit (12/28/2018)
An ESET researcher discovered that the Sednit (also known as Sofacy, Fancy Bear, and APT28) threat group is using a rootkit that attacks the Windows Unified Extensible Firmware Interface (UEFI). In a Threatpost article, ESET's Fr‚d‚ric Vachon said, "UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level." The rootkit, LoJax, is a weaponized version of Absolute Software's LoJack laptop recovery software. LoJack enables computer users to access their stolen systems without alerting thieves so that they may physically retrieve their lifted laptops. However, LoJax takes advantage of bugs in the legitimate LoJack software. One vulnerability in particular "allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software," Vachon said. That byte contains Sednit's command and control domains for delivering a malicious payload. Vachon has warned that once a UEFI rootkit is loaded onto a machine, it's nearly impossible to remove. to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software
An ESET researcher discovered that the Sednit (also known as Sofacy, Fancy Bear, and APT28) threat group is using a rootkit that attacks the Windows Unified Extensible Firmware Interface (UEFI). In a Threatpost article, ESET's Fr‚d‚ric Vachon said, "UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level." The rootkit, LoJax, is a weaponized version of Absolute Software's LoJack laptop recovery software. LoJack enables computer users to access their stolen systems without alerting thieves so that they may physically retrieve their lifted laptops. However, LoJax takes advantage of bugs in the legitimate LoJack software. One vulnerability in particular "allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software," Vachon said. That byte contains Sednit's command and control domains for delivering a malicious payload. Vachon has warned that once a UEFI rootkit is loaded onto a machine, it's nearly impossible to remove. to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software
TA505 Threat Group Introduces Two New Types of Malware to Hit Banking, Retail Sectors (01/10/2019)
The security team at Proofpoint has observed the threat actor TA505 using two types of malware: SevHelper, a backdoor, and a downloader dubbed FlawedGrace. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader, which then pushes out FlawedGrace, a full-featured remote access Trojan. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families.
The security team at Proofpoint has observed the threat actor TA505 using two types of malware: SevHelper, a backdoor, and a downloader dubbed FlawedGrace. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader, which then pushes out FlawedGrace, a full-featured remote access Trojan. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families.
Trend Micro Finds Adware Masquerading as Legitimate Apps in Google Play (01/08/2019)
An active adware family has been spotted by Trend Micro's security team disguised as 85 game, TV, and remote control simulator apps on Google Play. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device's screen unlocking functionality, and running in the mobile device's background. The apps had been downloaded nine million times in total. Google has since removed them from Play.
An active adware family has been spotted by Trend Micro's security team disguised as 85 game, TV, and remote control simulator apps on Google Play. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device's screen unlocking functionality, and running in the mobile device's background. The apps had been downloaded nine million times in total. Google has since removed them from Play.
Trend Micro Identifies a New Mirai Variant Called Miori (12/26/2018)
A Mirai malware variant called "Miori" is being spread via a remote code execution vulnerability in the PHP framework ThinkPHP, Trend Micro has revealed. Upon execution, Miori will start Telnet to brute force other IP addresses and it listens in on port 42352 (TCP/UDP) for instructions from its command and control server.
A Mirai malware variant called "Miori" is being spread via a remote code execution vulnerability in the PHP framework ThinkPHP, Trend Micro has revealed. Upon execution, Miori will start Telnet to brute force other IP addresses and it listens in on port 42352 (TCP/UDP) for instructions from its command and control server.