Malware Watch - W/E - 10/18/19
APTs Added New Tools to Dangerous Arsenals in Q3 (10/16/2019)
According to Kaspersky, advanced persistent threat (APT) activity in the third quarter of 2019 has indicated that threat actors are further diversifying their techniques to evade detection. During this period, Turla introduced a new .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its command-and-control servers. Turla has also wrapped its heavily used JavaScript KopiLuwak malware in a new dropper called Topinambour. Further information about APT activities is available from Kaspersky's report.
Blackremote RAT Affordably Priced in Dark Underground but Chock Full of Features (10/15/2019)
Palo Alto Networks discovered a new, undocumented remote access Trojan (RAT) in September, which had almost 50 samples observed in more than 2,200 attack sessions within the first month it was sold. A Swedish actor is selling the Blackremote RAT at $438 USD for a one-year license, $117 for a 93-day license, or $49 for a 31-day license. The RAT features a remote Webcam, a remote file manager, keystroke capture, file transfers, and more.
Chinese Group Uses LOWKEY Backdoor to Spy on Various Sectors (10/15/2019)
A new backdoor called LOWKEY is being used by the Chinese threat group APT41 in highly targeted attacks and supports commands for a reverse shell, uploading and downloading files, listing and killing processes, and file management. FireEye has identified two LOWKEY variants: the first is a TCP variant that listens on port 53, while the second is an HTTP variant that listens on TCP port 80. The HTTP variant intercepts URL requests matching the UrlPrefix http://+:80/requested.html and will match any host name. APT41 is known for spying on companies in the gaming, healthcare, high-tech, higher education, telecommunications, and travel services sectors.
Cryptominer, Metasploit Code Found Hiding in WAV Files (10/16/2019)
BlackBerry Cylance discovered obfuscated malicious code embedded within WAV audio files. Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file's audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static. Some of the WAV files contained the XMRig Monero CPU miner. Others included Metasploit code used to establish a reverse shell. Both payloads were discovered in the same environment, suggesting a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network.
Emotet's Vacation Is Over as Spam Campaigns Start Redistributing the Malware (10/14/2019)
The Emotet botnet has reemerged to send new spam campaigns after taking a hiatus during the summer months, according to Check Point Software's Global Threat Index for September. Some of the Emotet spam campaigns featured emails which contained a link to download a malicious Word file, and some contained the malicious document itself. During the month of September, the following malware families were most prevalent: Jsecoin, XMRig, and AgentTesla. The most wanted mobile malware families during the period were: Lotoor, AndroidBauts, and Hiddad.
Fake Jailbreak iPhone Site Lures in Victims to Conduct Click Fraud (10/15/2019)
Cisco's Talos researchers discovered a malicious actor using a fake Web site that claims to give iPhone users the ability to jailbreak their phones. However, the site prompts users to download a malicious profile which allows the attacker to conduct click-fraud. Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to control the boot process. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. A project called "checkra1n" uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. The attackers run a malicious Web site called "checkrain[.]com" that aims to draw in users who are looking for checkra1n.
McAfee Researches Trail of Money Associated with Sodinokibi aka REvil RaaS (10/14/2019)
Continued analysis of the Sodinokibi (aka REvil) Ransomware-as-a-Service (RaaS) by McAfee gives details on the size of the campaign and its associated revenue. The research team followed a ransomware affiliate's trail of money based on transaction IDs posted by a different affiliate. The average ransom payment was between 0.44 and 0.45 bitcoin ($4,000 USD). McAfee could view ransomware payments being made and revenue splits between the affiliate and the RaaS operators.
New Graboid Cryptojacking Worm Found in Docker Hosts (10/16/2019)
Over 2,000 unsecured Docker hosts have been infected with Graboid, a new cryptojacking worm discovered by Palo Alto Networks' Unit 42 research team. The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host. The malware, which was downloaded from command and control (C2) servers, is deployed to mine for Monero; it periodically queries the C2 for new vulnerable hosts and picks the next target at random to spread the worm to.
TA505 Threat Actor Pushing Out New SDBbot RAT Via Get2 Downloader (10/16/2019)
Proofpoint has analyzed the tactics, techniques, and procedures associated with the TA505 threat actor's campaigns and provided an assessment of the Get2 downloader and SDBbot RAT. Since September, TA505 has been using Get2 as its initial downloader, which dropped the FlawedAmmyy and FlawedGrace malware as its payloads. Beginning on October 7, Get2 began downloading a new remote access Trojan: SDBbot. In addition to the new malware, TA505 has been pushing out between tens of thousands and millions of spam messages daily; is alternating campaigns focused on financial institutions with more widely targeted campaigns going after other verticals; has taken aim at organizations in Greece, Germany, and Georgia; and has employed new Office macros with the Get2 downloader.
Zero-Day in iTunes Exploited in BitPaymer Campaign (10/15/2019)
Morphisec identified the abuse of a zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows. The adversaries abused an unquoted path to maintain persistence and evade detection. Morphisec said the bug was exploited in an attack used to spread the BitPaymer ransomware against an enterprise in the automotive industry in August. Morphisec contacted Apple, and the issue was patched on October 7.