Malware Watch - W/E - 11/8/19
Adware-Laced Apps with Over 3 Million Downloads Discovered Lurking on Google Play (11/07/2019)
Forty-nine apps on Google Play were found by Trend Micro to be spewing adware. The apps were disguised as games and stylized cameras. The apps have been removed by Google but were downloaded more than three million times prior to that.
Forty-nine apps on Google Play were found by Trend Micro to be spewing adware. The apps were disguised as games and stylized cameras. The apps have been removed by Google but were downloaded more than three million times prior to that.
Buran RaaS Rises from the Flames of VegaLocker (11/06/2019)
Buran, a Ransomware-as-a-Service (RaaS) family, emerged in May and has been assessed by McAfee researchers. The threat author takes 25% of the income earned by affiliates and is willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. Ads for Buran state that all affiliates will have a personal arrangement with the threat author. Buran is coded in Delphi, which McAfee noted is difficult to reverse-engineer, and it originated from the VegaLocker malware family.
Buran, a Ransomware-as-a-Service (RaaS) family, emerged in May and has been assessed by McAfee researchers. The threat author takes 25% of the income earned by affiliates and is willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. Ads for Buran state that all affiliates will have a personal arrangement with the threat author. Buran is coded in Delphi, which McAfee noted is difficult to reverse-engineer, and it originated from the VegaLocker malware family.
Cyber Command Posts Seven Malware Samples to VirusTotal (11/06/2019)
The US Cyber Command (CYBERCOM) has released seven malware samples to the VirusTotal malware aggregation tool and repository. These samples are used in various malicious activities, including remote access, beaconing, and malware command by adversaries.
The US Cyber Command (CYBERCOM) has released seven malware samples to the VirusTotal malware aggregation tool and repository. These samples are used in various malicious activities, including remote access, beaconing, and malware command by adversaries.
DarkUniverse Updated Malware Immediately Before Phishing Its Victims (11/06/2019)
Kaspersky discovered an adversary that was active between 2009 and 2017 and is considered the 27th function of ShadowBrokers script that reviewed compromised systems for traces of other advanced persistent threats. This adversary has been named "DarkUniverse" and is linked to the ItaDuke threat actor due to unique code overlaps. The attackers continuously updated the malware so that the latest samples in 2017 are completely different from the initial ones from 2009. DarkUniverse was spread via spear phishing and every malware sample was compiled immediately before being sent and included the latest available version of the malware executable.
Kaspersky discovered an adversary that was active between 2009 and 2017 and is considered the 27th function of ShadowBrokers script that reviewed compromised systems for traces of other advanced persistent threats. This adversary has been named "DarkUniverse" and is linked to the ItaDuke threat actor due to unique code overlaps. The attackers continuously updated the malware so that the latest samples in 2017 are completely different from the initial ones from 2009. DarkUniverse was spread via spear phishing and every malware sample was compiled immediately before being sent and included the latest available version of the malware executable.
Feds Warn of North Korean Malware HOPLIGHT (11/04/2019)
The Departments of Homeland Security (DHS), Justice (DOJ), and the FBI issued a joint malware analysis report on HOPLIGHT, a Trojan variant with ties to the North Korean government. When executed the HOPLIGHT malware will collect system information about the victim machine including operating system version, volume data, and system time, as well as enumerate the system drives and partitions. The report provides analysis of 20 malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key.
The Departments of Homeland Security (DHS), Justice (DOJ), and the FBI issued a joint malware analysis report on HOPLIGHT, a Trojan variant with ties to the North Korean government. When executed the HOPLIGHT malware will collect system information about the victim machine including operating system version, volume data, and system time, as well as enumerate the system drives and partitions. The report provides analysis of 20 malicious executable files. Sixteen of these files are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key.
Newly Uncovered Capesand EK Reuses Old Source Code (11/06/2019)
Capesand is a new exploit kit that exploits vulnerabilities in Flash and Internet Explorer. The adversary behind this EK is continuously developing it and reuses open-source code, including the exploits, obfuscation, and packing techniques. The EK checks for anti-malware installation packages. Trend Micro's team published details to educate others on Capesand.
Capesand is a new exploit kit that exploits vulnerabilities in Flash and Internet Explorer. The adversary behind this EK is continuously developing it and reuses open-source code, including the exploits, obfuscation, and packing techniques. The EK checks for anti-malware installation packages. Trend Micro's team published details to educate others on Capesand.
Trik Botnet Targets Asian Countries Using Nemty Ransomware as Payload (11/04/2019)
Symantec warned that the Nemty ransomware, initially detected in August 2019, has increased its reach by partnering up with the Trik botnet, which now delivers Nemty to compromised computers. Most Nemty infections have been spotted in China and Korea. A new version of Trik delivers a tiny component that uses the Server Message Block protocol and a list of hardcoded credentials to try to connect to remote computers with port 139 open. The malware can infect public IP addresses with port 139 open that are using any of the common administrator usernames and passwords on its list.
Symantec warned that the Nemty ransomware, initially detected in August 2019, has increased its reach by partnering up with the Trik botnet, which now delivers Nemty to compromised computers. Most Nemty infections have been spotted in China and Korea. A new version of Trik delivers a tiny component that uses the Server Message Block protocol and a list of hardcoded credentials to try to connect to remote computers with port 139 open. The malware can infect public IP addresses with port 139 open that are using any of the common administrator usernames and passwords on its list.
WIZARD SPIDER Adds Features to Ryuk Ransomware to Take Aim at LAN Hosts (11/06/2019)
CrowdStrike analyzed variants of the Ryuk ransomware family with new functionality for identifying and encrypting files on hosts in a local area network (LAN). These features target systems that have recently been placed in a standby power state, as well as online systems on the LAN. Ryuk is distributed by a threat group called WIZARD SPIDER. By attempting to wake systems and using ARP ping scanning combined with network drive mounting, WIZARD SPIDER is seeking to maximize the number of systems that can be impacted by Ryuk's file encryption.
CrowdStrike analyzed variants of the Ryuk ransomware family with new functionality for identifying and encrypting files on hosts in a local area network (LAN). These features target systems that have recently been placed in a standby power state, as well as online systems on the LAN. Ryuk is distributed by a threat group called WIZARD SPIDER. By attempting to wake systems and using ARP ping scanning combined with network drive mounting, WIZARD SPIDER is seeking to maximize the number of systems that can be impacted by Ryuk's file encryption.