Malware Watch - W/E - 10/3/19
Attackers Exploit OpenDocument to Slip Malware Past Antivirus (10/02/2019)
Cisco's Talos researchers noticed that the OpenDocument Text (ODT) file format, which is supported by several office suites, can be used to bypass antivirus detections. Multiple nefarious campaigns have been seen using ODT files to deliver malware that would normally be blocked by traditional antivirus software. Microsoft Office, OpenOffice, and LibreOffice users have all been targeted, but Office has been the most widely attacked, the researchers noted. Warren Mercer and Paul Rascagneres said, "the use of the ODT file format shows that actors are happy to try out different mechanisms of infection, perhaps in an attempt to see if these documents have a higher rate of infection or are better at avoiding detection. As we point out, some AV engines and sandboxes do not handle these file formats with the appropriate method, so they become 'missed' in some instances."
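The detection gap Talos describes comes from scanners that treat an ODT as an opaque ZIP rather than opening it. The following is an added example (not Talos's code, and not part of the original page) of the structural triage a scanner should do: it reads the container, checks that the required `mimetype` member is first, lists any macro modules under `Basic/` or `Scripts/`, and reads `META-INF/manifest.xml` for entries whose media-type marks them as embedded OLE objects. The `build_sample_odt` helper constructs a minimal, harmless sample document for the demonstration; the macro body and OLE bytes in it are placeholders, not a real payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ODF_MIMETYPE_PREFIX = "application/vnd.oasis.opendocument."


def inspect_odf(data: bytes) -> dict:
    """Triage an OpenDocument container (a ZIP) for active content.

    Reports the declared mimetype, any macro modules (Basic/ or Scripts/
    members) and any manifest entries whose media-type marks them as
    embedded OLE objects. A document carrying either, or one that does not
    declare an ODF mimetype as its first member, is flagged suspicious.
    """
    result = {"mimetype": None, "macros": [], "ole_objects": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # ODF requires 'mimetype' to be the first, uncompressed member.
        if names and names[0] == "mimetype":
            result["mimetype"] = zf.read("mimetype").decode("ascii", "replace").strip()
        # StarBasic macros live under Basic/, other script languages under Scripts/.
        result["macros"] = sorted(
            n for n in names if n.startswith(("Basic/", "Scripts/")) and not n.endswith("/")
        )
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                media = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
                if "oleobject" in media.lower():
                    result["ole_objects"].append(path)
    declared_odf = (result["mimetype"] or "").startswith(ODF_MIMETYPE_PREFIX)
    result["suspicious"] = bool(result["macros"] or result["ole_objects"]) or not declared_odf
    return result


def build_sample_odt(with_macro: bool, with_ole: bool) -> bytes:
    """Constructed sample: a minimal .odt, optionally carrying a Basic macro
    module and an OLE-object manifest entry. Harmless placeholders only."""
    manifest_entries = [("/", "application/vnd.oasis.opendocument.text"),
                        ("content.xml", "text/xml")]
    members = {"content.xml": b"<office:document-content/>"}
    if with_macro:
        members["Basic/Standard/Module1.xml"] = (
            b'<script:module script:name="Module1">Sub Main\nMsgBox "hi"\nEnd Sub</script:module>'
        )
        manifest_entries.append(("Basic/Standard/Module1.xml", "text/xml"))
    if with_ole:
        # OLE compound-file magic followed by padding; not a real object.
        members["Object 1"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        manifest_entries.append(("Object 1", "application/vnd.sun.star.oleobject"))
    manifest = (
        f'<?xml version="1.0"?><manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
        + "".join(f'<manifest:file-entry manifest:full-path="{p}" manifest:media-type="{m}"/>'
                  for p, m in manifest_entries)
        + "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The spec requires 'mimetype' first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", manifest, compress_type=zipfile.ZIP_DEFLATED)
        for name, body in members.items():
            zf.writestr(name, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_odf(build_sample_odt(with_macro=False, with_ole=False)))
    print(inspect_odf(build_sample_odt(with_macro=True, with_ole=True)))
```

The mimetype-first check matters because a scanner that keys file type off the `mimetype` member alone can be steered by an attacker who omits or reorders it; treat a missing or misplaced member as a reason to look harder, not as a reason to skip the file.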
eGobbler Malvertising Campaign Infects More than 1 Billion Ads (10/02/2019)
The eGobbler threat actor launched a malicious advertising campaign that compromised 1.16 billion sessions between August 1 and September 23, according to the researchers at Confiant. The campaign has taken aim at iOS and macOS devices running Safari and iOS devices running Chrome. Google fixed the issue in Chrome in August while both Safari and iOS received updates in September.
Hqwar Dropper Trojan Used in Attacks, Packaged with Other Malware (10/02/2019)
Kaspersky published analysis of the Hqwar Trojan dropper that targets Android devices. Originally created as a Malware-as-a-Service infrastructure, Hqwar is now used in small and large-scale attacks and is often distributed with other Trojans, including Asacub, Marcher, and Svpeng. Kaspersky noted 22 families of different Trojans packed with Hqwar.
KovCoreG Threat Group Returns with Fileless Botnet Malware "Novter" (10/01/2019)
Trend Micro uncovered a modular fileless botnet malware called Novter (also reported under the names Nodersok and Divergent) that the KovCoreG campaign has been distributing since March. KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. The Kovter botnet was dismantled at the end of 2018, but KovCoreG has returned with Novter. Working closely with Proofpoint researcher Kafeine, Trend Micro identified Novter as a backdoor delivered in the form of an executable file. Immediately after execution, it performs anti-debugging and anti-analysis checks. Trend Micro has released a technical brief with further details about Novter and its modules.
Masad Stealer Abuses Telegram to Swipe Stolen Passwords, Financial Data (10/01/2019)
Juniper Networks discovered a Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a command and control channel gives the malware a degree of anonymity. The malware is being advertised on black market forums as "Masad Clipper and Stealer." It steals browser data, which may contain usernames, passwords, and credit card information. Masad Stealer also automatically replaces cryptocurrency wallet addresses copied to the clipboard with the attacker's own.
McAfee Connects Dots from GandCrab to Sodinokibi Ransomware (10/03/2019)
McAfee analyzed the Sodinokibi (also known as REvil) Ransomware-as-a-Service (RaaS), which is most likely the work of the GandCrab ransomware authors. The Sodinokibi creator had access to GandCrab source code, among other things. Both ransomware families have similar functionality and both variants offer patterns and flows that resemble each other. In a separate post, McAfee explains how some of GandCrab's affiliates - individuals who use the RaaS to generate victims for the malware's developers - have moved on to Sodinokibi since this is considered a highly profitable infection method.
PKPLUG Campaign Attacks Asia with Custom, Public Malware (10/03/2019)
Palo Alto Networks tracked a set of cyber espionage attack campaigns across Asia that used a mix of publicly available and custom malware. It is unclear whether the activities, dubbed "PKPLUG," are the work of one threat group or several. PKPLUG delivers PlugX malware inside ZIP archive files as part of a DLL side-loading package. Additional payloads include HenBox, an Android app; Farseer, a Windows backdoor; the 9002 Trojan; Poison Ivy; and Zupdax. One of PKPLUG's main goals appears to be installing backdoor Trojan implants on victim systems, including mobile devices, to track victims and gather information. Victims are mostly in Taiwan, Vietnam, Indonesia, Tibet, Xinjiang, and Mongolia, and it is widely suspected that the threat actor is from China.
Reductor Malware: Trojan-Like Features Combined with Certificate Manipulation (10/02/2019)
Kaspersky discovered malware that hijacks victims' interactions with HTTPS Web pages by patching the pseudo random number generator the browser uses when establishing an encrypted connection. This gives threat actors the ability to spy on users' browser activity and to install rogue digital certificates. Reductor is a tool developed for intrusion purposes and was used for cyber espionage against diplomatic entities, primarily by monitoring employees' Internet traffic. Besides typical remote access Trojan functions such as uploading, downloading, and executing files, Reductor's authors manipulate digital certificates and mark outbound TLS traffic with unique host-related identifiers. Analysis shows strong code similarities between this family and the COMpfun Trojan, and the original COMpfun Trojan is likely used as a downloader in one of the distribution schemes.
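Marking TLS traffic by patching the browser's PRNG works because the 32-byte client random in every ClientHello is supposed to be unpredictable; once part of it is replaced with a host-derived value, the same bytes recur at the same offset across sessions, which is exactly what a network defender can look for. The following is an added example (not Kaspersky's code and not from the original page) that parses the client random out of a TLS record and flags byte runs that repeat at the same offset across several ClientHellos from one host. The exact marker layout Reductor uses is not described here, so the sample traffic built by `sample_records` uses an assumed fixed 8-byte prefix purely to stand in for a marker; the real values are derived from hashed host identifiers.

```python
import hashlib
import struct
from collections import Counter
from typing import List, Optional, Tuple


def build_client_hello(random32: bytes) -> bytes:
    """Constructed sample: a TLS record carrying a minimal ClientHello with the
    given 32-byte random, a zeroed 32-byte session id, one cipher suite and no
    extensions (layout per RFC 5246 section 7.4.1.2)."""
    assert len(random32) == 32
    session_id = b"\x00" * 32
    cipher_suites = b"\xc0\x2f"  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body = (b"\x03\x03" + random32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client random from a TLS record holding a ClientHello,
    or None if the bytes are not such a record."""
    if len(record) < 5 or record[0] != 0x16:  # content type: handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type: client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None
    return body[2:34]  # skip client_version, then the 32-byte random


def find_marked_randoms(records: List[bytes], window: int = 4) -> List[Tuple[int, int]]:
    """Flag byte runs that repeat at the same offset across different ClientHellos.

    Genuine randoms never collide, so any `window`-byte run seen twice at one
    offset is a candidate host marker. Adjacent flagged offsets are merged and
    returned as (start, length) spans within the 32-byte random."""
    randoms = [r for r in (extract_client_random(x) for x in records) if r]
    seen = Counter()
    for r in randoms:
        for off in range(0, 32 - window + 1):
            seen[(off, r[off:off + window])] += 1
    offsets = sorted({off for (off, _), count in seen.items() if count > 1})
    spans: List[List[int]] = []
    for off in offsets:
        if spans and off <= spans[-1][0] + spans[-1][1]:
            spans[-1][1] = off + window - spans[-1][0]
        else:
            spans.append([off, window])
    return [(s, n) for s, n in spans]


def sample_records() -> Tuple[List[bytes], List[bytes]]:
    """Constructed traffic: six ClientHellos with unrelated randoms and three
    whose randoms share an assumed fixed 8-byte prefix standing in for a marker."""
    clean = [build_client_hello(hashlib.sha256(b"clean-%d" % i).digest()) for i in range(6)]
    marker = bytes.fromhex("deadbeef00112233")  # placeholder, not Reductor's real value
    marked = [build_client_hello(marker + hashlib.sha256(b"marked-%d" % i).digest()[:24])
              for i in range(3)]
    return clean, marked


if __name__ == "__main__":
    clean, marked = sample_records()
    print("clean only:", find_marked_randoms(clean))
    print("with marked:", find_marked_randoms(clean + marked))
```

Run this over ClientHellos grouped by source host (the random is sent in the clear, so a passive capture is enough); a span that shows up on one host but not on its neighbours is worth pulling the endpoint for, and a span that is identical across many hosts usually means a client library, not an implant.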
Stalkerware Installation Attempts Ballooned in Year-over-Year Comparison (10/02/2019)
The number of users who encountered at least one so-called stalkerware installation attempt surpassed 37,000 in the first eight months of 2019, a 35% increase over the same period in 2018. The findings come from Kaspersky's The State of Stalkerware in 2019 report, which looks at commercial spyware often used as a tool for domestic espionage. Kaspersky also found that the threat landscape has expanded, with 380 variants of stalkerware discovered in the wild in 2019, 31% more than in the same period of 2018.
US Petroleum Industry Victimized by Adwind Campaign (10/03/2019)
A new campaign spreading the Adwind remote access Trojan (RAT) has been seen in the wild, specifically targeting the petroleum industry in the US. According to Netskope, the RAT is hosted on the Australian ISP Westnet, and because the same payload is served from multiple user accounts, the attacker either is a Westnet customer or has compromised the accounts of one or more Westnet users. Although Adwind has been the payload in previous attacks, its obfuscation technique has changed: multiple nested JAR archives are unpacked before the actual payload is reached. The URLs hosting the Adwind RAT were reported to Westnet on September 9.
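Nested JAR layering defeats scanners that only look at the outer archive, and it also gives an analyst an easy structural tell. The following is an added example (not Netskope's code and not from the original page) that walks a JAR recursively, descending into any member that is itself a ZIP container, and reports the nesting depth and the class files found at each layer. Depth and per-member size are capped so a crafted archive cannot recurse or inflate without bound. The `build_sample_dropper` helper constructs a three-layer JAR-in-JAR-in-JAR purely for the demonstration; its class files are placeholder bytes, not real bytecode, and it is not related to the real Adwind sample.

```python
import io
import zipfile
from typing import Dict, Iterator, Tuple

ZIP_MAGIC = b"PK\x03\x04"      # local file header that opens every non-empty ZIP/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def walk_nested(data: bytes, path: str = "", depth: int = 0,
                max_depth: int = 8, max_bytes: int = 50_000_000) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (depth, path, member_bytes) for every non-archive member, recursing
    into members that are themselves ZIP/JAR containers. Paths use '!' between
    layers, e.g. 'outer.jar!inner.jar!Main.class'."""
    if depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth} at {path!r}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_bytes:
                raise ValueError(f"member {info.filename} declares {info.file_size} bytes")
            member = zf.read(info)
            inner = f"{path}!{info.filename}" if path else info.filename
            if member.startswith(ZIP_MAGIC):
                yield from walk_nested(member, inner, depth + 1, max_depth, max_bytes)
            else:
                yield depth, inner, member


def summarize(data: bytes) -> dict:
    """Return the maximum nesting depth, every leaf member with its size, and
    the members that carry Java class bytecode (by magic, not by extension)."""
    leaves = list(walk_nested(data))
    return {
        "max_depth": max((d for d, _, _ in leaves), default=0),
        "leaves": [(d, p, len(b)) for d, p, b in leaves],
        "class_files": [p for _, p, b in leaves if b.startswith(CLASS_MAGIC)],
    }


def make_jar(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory JAR (a ZIP) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Constructed sample: stub JAR -> loader JAR -> payload JAR. Placeholder
    class bytes only; this is not real bytecode and not the real sample."""
    fake_class = CLASS_MAGIC + b"\x00" * 12
    payload = make_jar({"META-INF/MANIFEST.MF": b"Main-Class: Main\n", "Main.class": fake_class})
    stage2 = make_jar({"META-INF/MANIFEST.MF": b"Main-Class: Loader\n",
                       "Loader.class": fake_class, "resources/payload.bin": payload})
    return make_jar({"META-INF/MANIFEST.MF": b"Main-Class: Stub\n",
                     "Stub.class": fake_class, "stage2.jar": stage2})


def build_chain(levels: int) -> bytes:
    """Constructed sample: a ZIP nested `levels` deep, to exercise the depth cap."""
    data = make_jar({"leaf.txt": b"x"})
    for i in range(levels):
        data = make_jar({f"layer{i}.jar": data})
    return data


if __name__ == "__main__":
    report = summarize(build_sample_dropper())
    print("max depth:", report["max_depth"])
    for depth, path, size in report["leaves"]:
        print(f"  {'  ' * depth}{path} ({size} bytes)")
```

Note that the inner archive here is stored under a `.bin` name: the walker keys off the ZIP magic rather than the extension, so renaming a layer does not hide it. A JAR whose only top-level class is a stub and whose real classes sit two or three layers down is worth treating as a dropper until proven otherwise.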
WhiteShadow Downloader Abuses SQL to Launch Other Malware (10/01/2019)
Proofpoint researchers encountered new Microsoft Office macros that collectively act as a staged downloader dubbed "WhiteShadow." Since the first observed occurrence of WhiteShadow in a small campaign leading to infection with an instance of Crimson RAT (remote access Trojan), the malware has introduced detection evasion techniques, including reordering of various lines of code as well as some basic obfuscation attempts. When recipients open the malicious document attachments used in the campaigns and enable macros, WhiteShadow executes SQL queries against attacker-controlled Microsoft SQL Server databases to retrieve an encoded string. The macro decodes the string and writes it to disk as a PKZip archive containing a Windows executable. Once the macro extracts it, the executable is run on the system to start installing malware.
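The WhiteShadow chain leaves two host-level traces that ordinary document handling does not: an Office process opening a connection to a SQL Server port on an address outside the organisation, followed shortly by that same process writing an archive and an executable to disk. The following is an added example (not Proofpoint's code and not from the original page) of a correlation over endpoint telemetry that ties those two events together per process. The log lines are constructed for the demonstration, in a JSON-lines shape loosely modelled on Sysmon network-connect (event 3) and file-create (event 11) records; the field names, the five-minute window, the Office image list and the "internal" address ranges are all assumptions that a real deployment would replace with its own.

```python
import ipaddress
import json
from datetime import datetime, timedelta
from typing import List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed Office hosts for macros
SQL_PORTS = {1433}                                             # default MSSQL listener
DROP_SUFFIXES = (".zip", ".exe")
# Assumed internal ranges; use the organisation's real allocations in practice.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not real logs). One Word process reaches an
# external SQL Server and then drops a zip and an exe; an Excel process talks to
# an internal database; a browser talks HTTPS to the same external address.
SAMPLE_LOG = r'''
{"time": "2019-09-30T10:02:11", "event_id": 3, "pid": 4321, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "dest_ip": "203.0.113.10", "dest_port": 1433}
{"time": "2019-09-30T10:02:14", "event_id": 11, "pid": 4321, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\pkg.zip"}
{"time": "2019-09-30T10:02:15", "event_id": 11, "pid": 4321, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe"}
{"time": "2019-09-30T10:05:00", "event_id": 3, "pid": 5120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "dest_ip": "10.20.30.40", "dest_port": 1433}
{"time": "2019-09-30T10:06:00", "event_id": 3, "pid": 6001, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_ip": "203.0.113.10", "dest_port": 443}
'''


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events: List[dict], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return one hit per Office process that connected to a SQL Server port on a
    non-internal address, listing any zip/exe files the same process wrote
    within `window` after the connection."""
    by_pid: dict = {}
    for e in events:
        by_pid.setdefault(e["pid"], []).append(e)
    hits = []
    for pid, evs in by_pid.items():
        for e in evs:
            if e["event_id"] != 3 or image_name(e["image"]) not in OFFICE_IMAGES:
                continue
            if e["dest_port"] not in SQL_PORTS or is_internal(e["dest_ip"]):
                continue
            t0 = datetime.fromisoformat(e["time"])
            dropped = [
                d["target"] for d in evs
                if d["event_id"] == 11
                and d["target"].lower().endswith(DROP_SUFFIXES)
                and t0 <= datetime.fromisoformat(d["time"]) <= t0 + window
            ]
            hits.append({"pid": pid, "process": image_name(e["image"]),
                         "sql_server": f'{e["dest_ip"]}:{e["dest_port"]}', "dropped": dropped})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE_LOG)):
        print(hit)
```

The SQL connection alone is the higher-signal event: very few legitimate macros speak TDS to the Internet, so it is reasonable to alert on the network event even when no file drop is seen yet, and to use the correlated drop list to decide how urgently to isolate the host.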