Malware Watch - W/E - 7/26/19
BrushaLoader Malware Gets Around to Infect and Dump Sophisticated Payloads (07/24/2019)
The BrushaLoader, which is employed by threat actors to profile infected PCs and load robust payloads onto devices, has been spotted by Proofpoint in several campaigns in 2019. In these campaigns, BrushaLoader has used different payloads - the Ursnif Trojan for Italian targets, the Gootkit malware to hit individuals in Canada, and the Nymaim tool against Polish targets. It's also been identified in use by the TA544 threat actor.
The BrushaLoader, which is employed by threat actors to profile infected PCs and load robust payloads onto devices, has been spotted by Proofpoint in several campaigns in 2019. In these campaigns, BrushaLoader has used different payloads - the Ursnif Trojan for Italian targets, the Gootkit malware to hit individuals in Canada, and the Nymaim tool against Polish targets. It's also been identified in use by the TA544 threat actor.
Canadian Government Posts Fileless Malware Advisory (07/22/2019)
The Canadian Center for Cyber Security warned of an ongoing fileless malware campaign affecting Windows that is gaining traction. Astaroth, an info-stealing malware known for swiping sensitive information like credentials, keystrokes, and other data, resides solely in memory and is more difficult to detect than traditional malware. The initial infection usually involves tricking the user into opening an infected file or visiting a malicious Web site. The next stage of the attack varies but often includes attempting to create entries in the device's registry for persistency or attempting to load commonly used processes such as PowerShell or Windows Management Instrumentation. Afterwards, the infected machine may attempt to propagate on other connected devices, attempt to download additional malware on the infected device, and attempt to download and execute scripts.
The Canadian Center for Cyber Security warned of an ongoing fileless malware campaign affecting Windows that is gaining traction. Astaroth, an info-stealing malware known for swiping sensitive information like credentials, keystrokes, and other data, resides solely in memory and is more difficult to detect than traditional malware. The initial infection usually involves tricking the user into opening an infected file or visiting a malicious Web site. The next stage of the attack varies but often includes attempting to create entries in the device's registry for persistency or attempting to load commonly used processes such as PowerShell or Windows Management Instrumentation. Afterwards, the infected machine may attempt to propagate on other connected devices, attempt to download additional malware on the infected device, and attempt to download and execute scripts.
More Threat Actors Adding Targeted Ransomware to Malicious Arsenal (07/24/2019)
Symantec has found that the number of organizations being attacked by targeted ransomware has grown rapidly since the beginning of 2018. After a period where SamSam and then Ryuk were the only major ransomware groups, Symantec noted that beginning in 2019, such activity began to multiply as more threat actors embraced targeted ransomware. Among these groups are GoGalocker (also known as LockerGoga), MegaCortex, RobbinHood, Crysis, and the now defunct GandCrab.
Symantec has found that the number of organizations being attacked by targeted ransomware has grown rapidly since the beginning of 2018. After a period where SamSam and then Ryuk were the only major ransomware groups, Symantec noted that beginning in 2019, such activity began to multiply as more threat actors embraced targeted ransomware. Among these groups are GoGalocker (also known as LockerGoga), MegaCortex, RobbinHood, Crysis, and the now defunct GandCrab.
Old Open-Source Tool Used in Backdoor/Cryptomining Scheme (07/24/2019)
A Trend Micro honeypot detected a threat that propagates by scanning for open ports and brute-forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based Internet Relay Chat backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year old open-source tool used to fake the name of a process. The attacker has been observed issuing commands to the vulnerable machine that will download and install the Shellbot backdoor and the miner. The malware has been attempting to infect systems in Japan, Myanmar, Brazil, Denmark, China, and Turkey since March.
A Trend Micro honeypot detected a threat that propagates by scanning for open ports and brute-forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based Internet Relay Chat backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year old open-source tool used to fake the name of a process. The attacker has been observed issuing commands to the vulnerable machine that will download and install the Shellbot backdoor and the miner. The malware has been attempting to infect systems in Japan, Myanmar, Brazil, Denmark, China, and Turkey since March.
Password-Stealing Malware on the Upswing in 2019 (07/24/2019)
According to Kaspersky data, the number of consumers targeted by password stealers increased from less than 600,000 people in the first half of 2018 to over 940,000 during the same period in 2019. Since the beginning of 2019, Kaspersky has detected high levels of activity by password stealers in Europe and Asia. Most frequently, the malware has targeted users in Russia, India, Brazil, Germany, and the United States. One of the most widely spread password stealers was multifunctional Azorult, detected on the computers of more than 25% of all users who encountered this type of malware in the observed period.
According to Kaspersky data, the number of consumers targeted by password stealers increased from less than 600,000 people in the first half of 2018 to over 940,000 during the same period in 2019. Since the beginning of 2019, Kaspersky has detected high levels of activity by password stealers in Europe and Asia. Most frequently, the malware has targeted users in Russia, India, Brazil, Germany, and the United States. One of the most widely spread password stealers was multifunctional Azorult, detected on the computers of more than 25% of all users who encountered this type of malware in the observed period.
Russian Firm Sanctioned by US Feds Linked to Monokle Cyberspy Tool (07/24/2019)
Lookout has discovered Monokle, a sophisticated set of custom Android surveillanceware tools developed by the Russia-based company, Special Technology Centre, which was sanctioned by the US government in connection to interference in the 2016 US presidential elections. Monokle, which was first spotted in 2018, possesses remote access Trojan functionality, uses advanced data exfiltration techniques, and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle attacks. It is widely suspected that Monokle's activities are highly targeted as it appears in a very limited set of applications.
Lookout has discovered Monokle, a sophisticated set of custom Android surveillanceware tools developed by the Russia-based company, Special Technology Centre, which was sanctioned by the US government in connection to interference in the 2016 US presidential elections. Monokle, which was first spotted in 2018, possesses remote access Trojan functionality, uses advanced data exfiltration techniques, and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle attacks. It is widely suspected that Monokle's activities are highly targeted as it appears in a very limited set of applications.