Malware Watch - W/E - 9/20/19
Emotet Botnet Reemerges to Send Spam Messages and Steal Personal Info (09/17/2019)
Cisco's Talos threat intelligence group has noticed increased Emotet botnet activity as of September 16. The botnet has resumed sending socially engineered spam messages, and the malware steals the contents of victims' inboxes along with their email credentials. Those credentials are then used to transmit further attack messages. Malwarebytes also warned of resumed Emotet activity, noting that the phishing emails in English, German, Polish, and Italian were making their rounds. The messages also used spear-phishing techniques, with subject lines containing personalized wording.
Fileless GhostMiner Kills Off Other Cryptominers as It Weaponizes WMI Objects (09/19/2019)
GhostMiner, a fileless cryptocurrency-mining malware, is weaponizing Windows Management Instrumentation (WMI) objects for fileless persistence, payload delivery, and antivirus evasion. This variant was also observed to modify infected host files that are heavily used by the threat groups Mykings, PowerGhost, PCASTLE and BULEHERO, among others. Trend Micro first observed GhostMiner on August 2.
InnfiRAT Steals Personal Info and Screenshots Open Windows (09/17/2019)
A new remote access Trojan (RAT) called InnfiRAT is capable of accessing and stealing cryptocurrency wallet information, browser cookies, and session data. InnfiRAT also has screenshot functionality to capture information from open windows, and it checks which programs are running on the system. Zscaler, the vendor that discovered this malware, has published details to inform the public.
Nearly 2 1/2 Years Later, WannaCry Still Infiltrating Unpatched Systems (09/18/2019)
Research by Sophos reveals that, despite the availability of security patches and antivirus protection against the WannaCry ransomware, more than 12,000 unique variants exist in the wild. These newer variants can spread more effectively, and stay hidden for longer, than the original WannaCry. Sophos' Endpoint Security reported that more than five million attempted attacks against unpatched computers were blocked in the last quarter of 2018. In addition, more than 97% of unpatched computers under attack were running Windows 7. WannaCry first emerged in May 2017 and caused widespread system damage around the world.
Skidmap Malware's Rootkit Capabilities Deliver Cryptominer in Stealth (09/16/2019)
A Linux malware dubbed "Skidmap" loads malicious kernel modules to keep its cryptocurrency mining operations under the radar. According to Trend Micro's analysis, kernel-mode rootkits are difficult to detect, and attackers can use them to retain access to the affected system. In addition, these rootkits can overwrite and modify portions of the kernel, making them challenging to remove.
Smominru Botnet Attacks Various Services Using EternalBlue Exploit (09/19/2019)
Guardicore has been tracking the Smominru botnet and its variants - Hexmen and Mykings - since 2017. The attack compromises Windows machines using an EternalBlue exploit and brute-force attacks against various services, including MS-SQL, RDP, Telnet, and more. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer, and propagates inside the network. Guardicore has illustrated the attack campaign and its infrastructure and has also published a script to detect Smominru's residues on infected machines.
Tax Refund Emails Part of Phishing Campaign with Amadey Botnet in Tow (09/19/2019)
A wave of attacks targeting US taxpayers delivers the Amadey botnet via phishing emails. The email body purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. Cofense assessed this campaign, which uses a highly obfuscated, encrypted VBScript to avoid detection.