Malware Watch - W/E - 8/9/19
Android Spyware Is Payload in Latest MoqHao/Roaming Mantis Campaign (08/07/2019)
A new type of Android malware is blamed for attacking Korean and Japanese users through the MoqHao phishing campaign (also known as Roaming Mantis). The spyware has very different payloads from the existing MoqHao samples. McAfee found evidence of a connection between the distribution method used for the existing campaign and this new spyware. All the spyware masquerades as security applications targeting users in Japan and Korea. McAfee discovered a phishing page related to a DNS hijacking attack, designed to trick the user into installing the new spyware, distributed on the Google Play store.
Baldr Malware Sneaks onto Systems to Pilfer Credentials, Cryptocurrency Wallets (08/06/2019)
Baldr, a password-stealing malware, has been analyzed by Sophos and found to use nine obfuscation layers to thwart static code analysis. It creates a profile of the infected system to snag such details as CPU model, operating system, language, and installed programs. Baldr then moves on to steal credentials, credit card information, cookies, and more from Web browsers that the victim uses. It can also plunder cryptocurrency wallets, steal info from instant messaging clients and VPNs, and take screenshots of the compromised system.
Clop Ransomware Signed Digitally, Uses Email as Communication Method (08/06/2019)
Clop, a ransomware first discovered in February, has been analyzed by the security team at McAfee, which determined that the malware is signed with a certificate to sneak past antivirus packages. Victims must use email to communicate with Clop attackers instead of via a command and control server. Additionally, the latest variants of Clop require victims to state their company name and site in the email communications. The researchers are unclear why this is but it may be a method to track victims.
LokiBot Malware Adds Malicious Methods to Its Dangerous Arsenal (08/06/2019)
Updates to LokiBot have enabled it to stay hidden on infected systems thanks to a new persistence mechanism and the use of steganography to hide its code. The latest LokiBot variant was spotted by Trend Micro after a customer received an email that was flagged as a threat. The email contained an Excel worksheet that would then execute a malicious macro. The email was most likely sent from a compromised machine or a botnet.
Lord Exploit Kit Takes Aim at Flash, Distributes Ransomware (08/06/2019)
The Lord exploit kit (EK) has been analyzed by Malwarebytes, which noted that the EK was part of a malicious advertising chain distributed by the PopCash ad network and used a compromised site to redirect to a landing page. Lord abuses vulnerable versions of Flash Player and exploits the ngrok service to craft custom hostnames. Initially, the EK used the njRAT malware as its payload but then switched to the ERIS ransomware.
New MegaCortex Variant Self-Executes and Slips Past Security Products (08/06/2019)
Accenture's iDefense engineers have identified and analyzed a version of the MegaCortex ransomware, which demands two to 600 bitcoins ($20,000 USD to $5.8 million). This redesigned malware can self-execute, and its password is hard-coded in the binary. The authors also incorporated anti-analysis features within the main malware module and the functionality to stop and kill a wide range of security products and services.
Spam Campaign Drops Trickbot Using Hidden JS File (08/06/2019)
A variant of the Trickbot banking Trojan, detected by Trend Micro, has been distributed in spam campaigns that use a heavily obfuscated JavaScript file to download the malware. Trickbot checks for the number of running processes in the affected machine; if it detects that it's in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment. It also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. The campaign has had its highest impact in the US but it has also been distributed to China, Canada, and India.
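The Trickbot item above notes that the malware deletes files with particular extensions on removable and network drives and replaces them with copies of itself. One footprint of that routine on a drive is many documents with different names but byte-identical contents. The following is an added example, not code from Trend Micro's report or from any product: a small sweep that hashes files with a watch-list of extensions (the list is a hypothetical placeholder, since the report excerpt does not name the extensions) and reports clusters of identical files. The sample drive it scans is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Hypothetical watch-list; the summary above does not say which extensions Trickbot targets.
SUSPECT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg"}


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_clusters(root, extensions=SUSPECT_EXTENSIONS, min_cluster=3):
    """Walk `root`, hash every file whose extension is on the watch-list, and return
    {digest: [paths]} for digests shared by at least `min_cluster` files.
    Many documents with distinct names but identical bodies is the signal a
    file-replacement routine leaves behind; legitimate duplicates are usually rare."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in extensions:
                path = os.path.join(dirpath, name)
                by_hash[file_sha256(path)].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) >= min_cluster}


def build_constructed_drive():
    """Constructed sample tree: three legitimate documents with distinct contents, plus
    five 'documents' that all contain the same bytes (a stand-in for a dropped copy).
    The payload bytes are a labelled placeholder, not real malware content."""
    root = tempfile.mkdtemp(prefix="usb_")
    for i in range(3):
        with open(os.path.join(root, f"report{i}.docx"), "wb") as f:
            f.write(b"legit document %d" % i)
    payload = b"CONSTRUCTED PLACEHOLDER: identical bytes standing in for a dropped copy"
    for i in range(5):
        with open(os.path.join(root, f"invoice{i}.pdf"), "wb") as f:
            f.write(payload)
    return root


if __name__ == "__main__":
    root = build_constructed_drive()
    for digest, paths in find_identical_clusters(root).items():
        print(f"{len(paths)} files share sha256 {digest[:16]}...:")
        for p in paths:
            print("   ", p)
```

Run it against a mounted removable or network share instead of the constructed directory to triage a suspected infection; a cluster whose shared digest is also the hash of a running or recently written executable is worth escalating. The threshold `min_cluster` keeps ordinary duplicate attachments from tripping the check.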