Malware Watch - W/E - 1/18/19

Campaign Begins with Credential Theft, Ends with Business Operations Disruption (01/14/2019)
FireEye has tracked a set of financially motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven highly successful at soliciting large ransom payments from victim organizations. In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments. This activity enabled an attacker to perform reconnaissance within the victim network and identify critical systems to maximize disruption to business operations. These operations have reportedly netted about $3.7 million USD in bitcoin.

Coinhive: 13 Months and Counting as Check Point's Most Wanted Malware (01/14/2019)
SmokeLoader entered Check Point Software's top 10 list of most wanted malware for December, taking the ninth spot. Coinhive stayed atop the list for the 13th consecutive month, followed by XMRig and Jsecoin. Meanwhile, Triada, Guerilla, and Lotoor took the top three spots, respectively, in Check Point's most wanted mobile malware list.

Cryptomining Malware Used by Rocke Group Uninstalls Cloud Security Products (01/17/2019)
While analyzing the Rocke threat group, Palo Alto Networks observed the entity using new coin mining code that uninstalls five different cloud security protection and monitoring products from compromised Linux servers. The attacks first gained full administrative control over the hosts and then abused that control to uninstall these products just as a legitimate administrator would. The Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion with the ultimate goal of mining Monero. Researchers Xingyu Jin and Claud Xiao said in a post, "To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products."

Malicious Android Apps Laced with Anubis Pulled from Google Play (01/17/2019)
Two apps on Google Play were secretly distributing banking malware but have since been removed. Trend Micro spotted the apps, named Currency Converter and BatterySaverMobi, and found that both dropped a malicious payload called Anubis. The malware has a built-in keylogger, takes screenshots, and siphons victim credentials. Anubis can also behave as ransomware.

New Features Added to the Zebrocy Go Malware (01/14/2019)
Kaspersky Lab has posted additional information regarding its research into the Zebrocy Go downloader, malware used by the Sofacy threat entity. A new Go component downloads and executes a Zebrocy component, and also enumerates and collects system data for upload to its command-and-control server.

Online Skimming Campaign Compromised Ad Library, Is the Work of Magecart (01/16/2019)
Malicious skimming code was found on 277 ecommerce sites providing ticketing, touring, and flight booking services, along with self-hosted shopping cart Web sites from prominent cosmetic, healthcare, and apparel brands. Research showed that the skimming code was not injected directly into the ecommerce sites but into a third-party JavaScript library provided by Adverline, a French online advertising company. Trend Micro has attributed these attacks to Magecart, a threat group that has conducted cyber assaults on similar organizations. Adverline has remedied this incident.