Malware Watch - W/E - 11/22/19
Check Point Assesses Nuances of Phorpiex Botnet (11/19/2019)
Check Point Software analyzed the Phorpiex botnet and provided information on its latest features. Previously, the botnet operated over the IRC protocol (and was also known as Trik), but it has since switched to a modular architecture and removed the IRC communication. The new core component of the Phorpiex botnet is a malware titled Tldr, which probably stands for TrikLoader. Tldr is a downloader that uses HTTP for communication with its command and control servers, and its main purpose is to load other malware onto infected machines. Tldr and its modules spread the botnet as widely as possible for monetization purposes. Phorpiex is monetized through sextortion spam, crypto-jacking, cryptocurrency clipping, and loader services for other types of malware.
Fake Windows Update Leads to Cyborg Ransomware (11/20/2019)
Cybercriminals are circulating fake Windows update emails whose attachment is an executable file containing a malicious .NET downloader that drops the Cyborg ransomware. The email, claiming to be from Microsoft, contains just one sentence in its body, which starts with two capital letters, and directs the recipient's attention to the attachment as the "latest critical update." Trustwave researchers spotted the malicious campaign and provided additional details in a blog post.
Lazarus Threat Group Abuses Koreans with New Version of Mac Backdoor (11/20/2019)
The cybercriminal adversary Lazarus is using a new variant of a Mac backdoor with a macro-embedded Microsoft Excel spreadsheet to target Korean victims. Trend Micro's team of researchers spotted the campaign and observed the macro in the file running a PowerShell script that connects to three command and control servers set up by Lazarus. The backdoor is called Nukesped.
Monero Project Site Exploited to Serve Up Malware-Laced Binaries (11/20/2019)
The Monero cryptocurrency site had the binaries of its CLI (command line interface) wallet compromised to serve up malware. The issue was resolved on November 19, but the malicious binaries had been served for about 14 hours. The Monero Project stated in a post, "It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason."
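The hash check the Monero Project recommends is the standard defense against a tampered download: compute the digest of what you actually received and compare it against the digest the project published through an independent channel. The script below is an added example, not code from the Monero Project or from the original post. It assumes the published list uses the common `<sha256>  <filename>` layout (one entry per line, `#` comments allowed); the file names, contents and digests in `demo()` are constructed so the example runs offline, and no real Monero hashes are reproduced.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archives never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text):
    """Parse '<hex digest>  <filename>' lines into {basename: digest}.

    Blank lines, '#' comments and malformed lines are skipped rather than
    trusted, so a damaged list cannot silently 'verify' a file.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[os.path.basename(name)] = digest.lower()
    return expected


def verify_downloads(directory, hash_list_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'unlisted'} for every regular file in directory.

    'unlisted' is reported explicitly: a file the project never published a
    digest for should not be treated as verified just because nothing
    contradicted it.
    """
    expected = parse_hash_list(hash_list_text)
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        actual = sha256_of_file(path)
        if name not in expected:
            results[name] = "unlisted"
        elif hmac.compare_digest(actual, expected[name]):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact download, one tampered download, one unlisted file."""
    cli_original = b"constructed contents of a CLI wallet archive\n"
    rpc_original = b"constructed contents of an RPC wallet archive\n"
    rpc_tampered = rpc_original + b"extra bytes standing in for a hypothetical tampered build\n"

    # The published list is built from the ORIGINAL contents, as the project would publish it.
    hash_list = (
        "# constructed hash list, not the Monero Project's\n"
        f"{hashlib.sha256(cli_original).hexdigest()}  wallet-cli.tar.bz2\n"
        f"{hashlib.sha256(rpc_original).hexdigest()}  wallet-rpc.tar.bz2\n"
    )

    with tempfile.TemporaryDirectory() as downloads:
        with open(os.path.join(downloads, "wallet-cli.tar.bz2"), "wb") as f:
            f.write(cli_original)          # what the server should have served
        with open(os.path.join(downloads, "wallet-rpc.tar.bz2"), "wb") as f:
            f.write(rpc_tampered)          # what a compromised server served
        with open(os.path.join(downloads, "README.txt"), "wb") as f:
            f.write(b"no digest published for this file\n")
        return verify_downloads(downloads, hash_list)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Two design points matter for this check to mean anything. First, the hash list must come from somewhere the attacker who tampered with the download server could not also edit, which is why projects sign their hash lists or publish them on separate infrastructure. Second, a file with no published digest is reported as `unlisted`, not `ok`; a verifier that only reports mismatches would stay silent on exactly the binaries it knows nothing about.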
Not Loving It: Mispadu Trojan Serves Up Unhappiness with McDonald's Malvertising (11/20/2019)
The Mispadu banking Trojan uses malicious McDonald's ads to extend its attack surface into Web browsers, the researchers at ESET say. Mispadu targets Brazil and Mexico, is written in Delphi, and displays fake pop-up windows to persuade victims to divulge sensitive information. For its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It can also update itself via a Visual Basic Script file that it downloads and executes.
Phoenix Rising: The Tale of a Keylogger Turned Info Stealer (11/21/2019)
Cybereason is tracking Phoenix, a keylogger whose capabilities extend well beyond keylogging, so it is considered information-stealing malware. Analysis shows that Phoenix operates under a Malware-as-a-Service model and steals personal data from almost 20 different browsers, four different mail clients, FTP clients, and chat clients. The malware also has multiple mechanisms that try to kill the processes of over 80 different security products and analysis tools. Phoenix was released in July 2019 and has targeted victims across North America, the United Kingdom, France, Germany, and other parts of Europe and the Middle East.