Malware Watch - W/E - 8/2/19
Android Malware Makes Its Rounds Spreading to Victims' Contacts (07/30/2019)
An Android ransomware, dubbed "Filecoder.C" by ESET, has been seen in distribution in forums, including Reddit. Using victims' contact lists, it spreads further via SMS with malicious links. ESET's researchers say that the ransomware uses an RSA-1024 public key, which makes it nearly impossible to create a decryptor.
An Android ransomware, dubbed "Filecoder.C" by ESET, has been seen in distribution in forums, including Reddit. Using victims' contact lists, it spreads further via SMS with malicious links. ESET's researchers say that the ransomware uses an RSA-1024 public key, which makes it nearly impossible to create a decryptor.
Cyber Attackers Abuse Mshta Tool for Code Execution Purposes (07/30/2019)
Cybercriminals are using mshta.exe, a signed, native Microsoft binary that exists on Windows and can execute code in various ways, as a mechanism to launch attacks, the researchers at McAfee say. Mshta enables the proxy of code execution but also can be used to bypass application whitelisting defenses and browser security settings. Due to the flexibility of mshta, attackers don't need to create their own custom malware tools, the researchers warned.
Cybercriminals are using mshta.exe, a signed, native Microsoft binary that exists on Windows and can execute code in various ways, as a mechanism to launch attacks, the researchers at McAfee say. Mshta enables the proxy of code execution but also can be used to bypass application whitelisting defenses and browser security settings. Due to the flexibility of mshta, attackers don't need to create their own custom malware tools, the researchers warned.
Sneaky Mirai Using C&Cs Connected to Tor Network (07/31/2019)
A new Mirai sample has been detected by Trend Micro and like earlier versions, the malware is allowing cybercriminals to access Internet of Things devices via exposed ports and default credentials. The key difference with this sample the vendor explained is that the cybercriminals placed the malware's command and control (C&C) server in the Tor network for anonymity purposes. The new Mirai sample contained 30 hard-coded IP addresses whereas typical variants have one to four C&C servers.
A new Mirai sample has been detected by Trend Micro and like earlier versions, the malware is allowing cybercriminals to access Internet of Things devices via exposed ports and default credentials. The key difference with this sample the vendor explained is that the cybercriminals placed the malware's command and control (C&C) server in the Tor network for anonymity purposes. The new Mirai sample contained 30 hard-coded IP addresses whereas typical variants have one to four C&C servers.
SystemBC Malware Abuses SOCKS5, Used as Payload in Exploit Kits (08/01/2019)
A newly discovered malware called SystemBC uses SOCKS5 proxies to mask network traffic to and from command and control infrastructure using secure HTTP connections. The malware has appeared in banking Trojans, including Danabot, and has also been distributed in the RIG and Fallout exploit kits. Proofpoint published a blog post with more details about SystemBC.
A newly discovered malware called SystemBC uses SOCKS5 proxies to mask network traffic to and from command and control infrastructure using secure HTTP connections. The malware has appeared in banking Trojans, including Danabot, and has also been distributed in the RIG and Fallout exploit kits. Proofpoint published a blog post with more details about SystemBC.
Think MyDoom Worm Is Gone for Good? Think Again (07/30/2019)
The MyDoom computer worm that was first detected in 2004 continues to wreak havoc thanks to its appearance in 1.1% of emails containing malicious attachments. Most of the MyDoom emails originate from IP addresses in China and messages are sent to recipients in various industries, including high tech, wholesale, retail, and healthcare. Palo Alto Networks has published its analysis of MyDoom.
The MyDoom computer worm that was first detected in 2004 continues to wreak havoc thanks to its appearance in 1.1% of emails containing malicious attachments. Most of the MyDoom emails originate from IP addresses in China and messages are sent to recipients in various industries, including high tech, wholesale, retail, and healthcare. Palo Alto Networks has published its analysis of MyDoom.