Malware Watch - W/E - 9/13/19
Check Point Assesses Buckeye's Cyber Espionage Tool (09/09/2019)
Check Point Software analyzed the Bemstour exploit tool, which is used by the Chinese threat group Buckeye (aka APT3). Bemstour makes use of a variant of a single Equation group exploit - EternalRomance. Buckeye developed its own implementation and attempted to use the exploit in a way that allowed it to target more Windows versions, similar to what was done in a parallel Equation group exploit called EternalSynergy. Buckeye combined two different exploits to expand support to newer operating systems and Check Point has dubbed that group of tools "UPSynergy."
CYBERCOM Adds New Malware Samples to VirusTotal (09/09/2019)
US Cyber Command (CYBERCOM) released 11 malware samples to the VirusTotal repository. All of the samples appear to be from the North Korean threat entity known as Lazarus. It is recommended that computer users and administrators review the samples and take precautionary measures to protect against such malware.
Echobot Takes Aim at IoT Devices as Emotet Reemerges from Its Slumber (09/11/2019)
Check Point Software is warning organizations of a new variant of the Mirai Internet of Things (IoT) botnet, Echobot, which has launched widespread attacks against a range of IoT devices. First seen in May 2019, Echobot has exploited over 50 different vulnerabilities, causing a sharp rise in the 'command injection over HTTP' vulnerability, which has impacted 34% of organizations globally. During August, the Emotet botnet's offensive infrastructure became active again after previously shutting down its services. Emotet was the biggest botnet operating in the first half of 2019.
Feds Warn of New North Korean Malware Variants ELECTRICFISH, BADCALL (09/10/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have identified two malware variants - referred to as ELECTRICFISH and BADCALL - used by the North Korean government. Both files are malicious Windows 32-bit executables that function as command-line utilities. Their primary purpose is to tunnel traffic between two IP addresses. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which allows the threat actor to bypass the compromised system's required authentication to reach outside of the network.
New Capabilities Help PsiXBot Malware Stay Under the Antivirus Radar (09/09/2019)
Proofpoint warned of changes made to the PsiXBot malware, including the use of DNS over HTTPS to retrieve the IP address for the command and control domains. This enables the malware to avoid detection. The malware, now in version 1.2, has also added a porn module called "chouhero" that is likely used for blackmail purposes. PsiXBot is in active development, according to Proofpoint.
Previously Unknown Backdoor Employed by StealthFalcon Threat Entity (09/09/2019)
ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists, and dissidents in the Middle East. Stealth Falcon, which has been active since 2012 and has been investigated previously by both Reuters and Citizen Lab, is currently using a previously unreported binary backdoor called Win32/StealthFalcon. The backdoor gives the attackers remote control of compromised systems. In its communication with the command and control server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), which was designed to transfer large amounts of data without consuming a lot of network bandwidth. Data is sent with throttled throughput so as not to affect the bandwidth needs of other applications. BITS is often used by updaters, messengers, and other applications designed to operate in the background. The attackers are using BITS since tasks are more likely to be permitted by host-based firewalls.
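Because BITS traffic is so often allowed through host-based firewalls, a practical defensive check is to enumerate the BITS jobs present on a host and flag any whose remote URLs do not belong to the update or application hosts you expect. The script below is an added example for this digest, not code from ESET or from the report it summarizes; it uses the built-in BitsTransfer module, and the allow-list of expected hosts is a constructed placeholder to be replaced with your own.

```powershell
# Added example (not from the ESET report): enumerate BITS jobs for all users and
# report every file transfer whose remote host is outside an allow-list.
# Run from an elevated PowerShell session; -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Constructed placeholder allow-list; replace with the hosts your updaters really use.
$expectedHosts = @('windowsupdate.com', 'microsoft.com')

function Test-ExpectedHost {
    param([string]$HostName)
    foreach ($allowed in $expectedHosts) {
        # Exact match or a real subdomain (the leading dot avoids 'evil-microsoft.com').
        if ($HostName -eq $allowed -or $HostName.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

$findings = foreach ($job in (Get-BitsTransfer -AllUsers)) {
    foreach ($file in $job.FileList) {
        $uri = $null
        $parsed = [System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)
        # Unparseable remote names are reported too; they are worth a look rather than silence.
        if (-not $parsed -or -not (Test-ExpectedHost $uri.Host)) {
            [PSCustomObject]@{
                JobId         = $job.JobId
                DisplayName   = $job.DisplayName
                Owner         = $job.OwnerAccount
                State         = $job.JobState
                TransferType  = $job.TransferType
                RemoteUrl     = $file.RemoteName
                LocalPath     = $file.LocalName
                # A command configured to run when the job completes is a classic persistence sign.
                NotifyCmdLine = $job.NotifyCmdLine
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

The same inventory can be pulled with `bitsadmin /list /allusers /verbose` on hosts where the PowerShell module is unavailable; either way, the fields worth triaging are the remote URL, the owning account, the local target path, and any completion command line attached to the job.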
Purple Fox Fileless Malware Dropped by RIG EK, Exploits PowerShell (09/09/2019)
The RIG exploit kit is delivering Purple Fox, a fileless downloader, but the malware has also been fine-tuned with new capabilities, the researchers at Trend Micro say. Purple Fox abuses publicly available code and exploits PowerShell to maintain the fileless infection. It also has the ability to retrieve and execute cryptocurrency miners and deliver other types of malware.
Semiconductor Company Targeted by LokiBot-Laced Spam Campaign (09/10/2019)
Fortinet's security team identified a malicious spam campaign with the LokiBot information stealing malware in tow. The August 21 campaign targeted a large US manufacturing company and began when a spam message arrived from what appeared to be an infected trusted sender and asked for a quote from the victim's sales department. However, the message was tainted with LokiBot and Fortinet noticed other tell-tale signs of a scam including misspelled words in the message, language that appeared to be written by someone who was not a native English speaker, and the attachment was named "Dora Explorer Games." The unnamed victim is a semiconductor company.
White Paper Offers Key Insights into Malware, Avoidance Methods (09/11/2019)
The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released a Security Event Primer on malware. This white paper delivers information on general malware operations, event types, requirements, recommendations, and references.