Malware Watch - W/E - 10/25/19

BlackBerry Publishes New Report on Mobile Malware and Threat Groups (10/23/2019)
BlackBerry released the findings of a new report titled Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform, an investigation into how "advanced persistent threat (APT) groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing surveillance and espionage campaigns." According to the software maker, the report discovered "several previously unidentified APT attack campaigns and new malware families," as well as connections between perpetrators and state agencies in China, Iran, North Korea, and Vietnam. BlackBerry claims the report is the first of its kind to truly delve into the full breadth of state-sponsored APT attacks employing mobile platforms, and the impact those attacks can have on global security.

ESET Spots Adware Campaign Affecting Millions of Android Users (10/24/2019)
A year-long adware campaign on Google Play resulted in eight million installations of the malicious apps. ESET researchers identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those, 21 were still available at the time of discovery. The apps can set a custom delay between displaying ads as a mechanism to trick users, and they also check whether Google's security mechanism flags them as malicious; if the apps are flagged, they don't trigger their payloads. Upon notification, Google pulled the apps from Play, but they remain on some third-party stores. ESET said that the developer of the apps is a Vietnamese university student living in Hanoi.

Fake Beautification App Reads SMS Verification, Triggers WAP Billing (10/22/2019)
An app spotted on Google Play called Yellow Camera masquerades as a camera and photo beautification or editing app but is embedded with a routine that reads SMS verification codes from the system notifications and activates Wireless Application Protocol (WAP) billing. The app has been seen targeting users in Southeast Asia. The app has been removed by Google, but similar apps have shown up on Apple's iOS App Store. Trend Micro analyzed Yellow Camera's malicious traits in a blog post.

Gustuff Banking Trojan Takes Aim at Australian Victims (10/22/2019)
A new variant of the Gustuff banking Trojan, spotted by Cisco's Talos security researchers, is making its rounds with updated features in tow. Gustuff is using a "poor man scripting engine" based on JavaScript to enable its operator to execute scripts while using its own internal commands backed by the power of the JavaScript language. The malware is targeting users in Australia and relies primarily on malicious SMS messages to infect users.

Microsoft SQL Under Attack from Winnti Group's skip-2.0 Backdoor (10/22/2019)
A previously unknown backdoor associated with the Winnti Group is targeting Microsoft SQL (MSSQL) and allows attackers to maintain a discreet foothold inside compromised organizations. The malware, "skip-2.0," bears some similarities to Winnti's PortReuse backdoor. The skip-2.0 backdoor targets MSSQL 11 and 12 and connects stealthily to any MSSQL account by using a magic password, while automatically hiding these connections from the logs. It can allow an attacker to copy, modify, or delete database content. ESET researchers have detailed their findings on skip-2.0 in a blog post.

Pony's C&C Servers Hidden within Bitcoin Blockchain Thanks to Redaman Malware (10/21/2019)
Check Point Software has identified a new version of the Redaman banking malware that hides Pony command-and-control (C&C) server IP addresses inside the bitcoin blockchain. This technique of using the blockchain has been dubbed "chaining" by Check Point's researchers. Redaman typically targets Russian language speakers.

Trojanized Tor Browser Dupes Victims into Parting with Bitcoin (10/22/2019)
Cyber thieves are pushing a Trojanized version of an official Tor Browser package and have accumulated over $40,000 USD in bitcoin, the researchers at ESET say. The malicious browser is spread by two sites that claim to distribute the official Russian language version of the Tor Browser. On clicking the Update Tor Browser button, the visitor is redirected to a second website offering a Windows installer for download. The malicious domain torproect[.]org is very similar to the real torproject.org; it is just missing one letter. By changing some settings in the browser, the attackers have been able to siphon digital currency.
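The torproect[.]org domain above is a one-letter look-alike of torproject.org, the kind of typosquat that is easy to miss by eye but simple to catch mechanically. The following is an added example, not code from the newsletter or from ESET's research: it refangs indicators written with "[.]", reduces each observed hostname to its registrable domain, and flags anything within a small edit distance of a watchlist entry. The watchlist, the proxy log lines and the two-label "registrable domain" shortcut (no public-suffix list) are constructed assumptions for this example.

```python
"""
Typosquat detection over proxy/DNS log lines (added example, not from the
original newsletter). Flags observed domains that sit within a few edits of
a watchlist of legitimate brands, e.g. torproect.org vs torproject.org.
"""

# Constructed watchlist of domains whose look-alikes we want to catch.
WATCHLIST = ["torproject.org", "microsoft.com", "google.com"]

# Constructed proxy log lines: timestamp, client IP, requested host.
# Indicators are defanged with [.] the way threat reports print them.
SAMPLE_LOG = """\
2019-10-22T10:01:02Z 10.0.0.5 torproject.org
2019-10-22T10:01:09Z 10.0.0.5 torproect[.]org
2019-10-22T10:02:31Z 10.0.0.7 update.microsoft.com
2019-10-22T10:03:44Z 10.0.0.9 micros0ft[.]com
2019-10-22T10:04:10Z 10.0.0.9 example.net
"""


def refang(domain: str) -> str:
    """Turn 'torproect[.]org' back into 'torproect.org' and normalise case."""
    return domain.replace("[.]", ".").strip().lower()


def registrable_domain(host: str) -> str:
    """Keep the last two labels only (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def find_lookalike(host: str, watchlist=WATCHLIST, max_distance: int = 2):
    """
    Return (legit_domain, distance) when the registrable part of `host` is
    within `max_distance` edits of a watchlist entry without being that entry
    (or a subdomain of it); otherwise return None.
    """
    reg = registrable_domain(refang(host))
    best = None
    for legit in watchlist:
        if reg == legit:
            return None  # the genuine domain (or its subdomain), not a look-alike
        d = levenshtein(reg, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


def scan_log(text: str):
    """Return [(observed_host, legit_domain, distance)] for every suspicious line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        host = parts[2]
        match = find_lookalike(host)
        if match:
            hits.append((refang(host), match[0], match[1]))
    return hits


if __name__ == "__main__":
    for host, legit, d in scan_log(SAMPLE_LOG):
        print(f"look-alike: {host} ~ {legit} (edit distance {d})")
```

The distance threshold of 2 is a trade-off: 1 catches single dropped or swapped letters like the case above, while larger values start matching unrelated short domains, so in practice the watchlist should hold only the brands your users actually visit and the alert should carry the matched legitimate domain so an analyst can triage it quickly.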