Malware Watch - W/E - 12/13/19

Feds Issue Dridex Alert to Warn Financial Services Organizations (12/09/2019)
The Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to inform the financial sector about the Dridex malware and variants. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Dridex has the capability to impact confidentiality of customer data and availability of data and systems for business processes. Threat actors typically deploy Dridex and its variants through phishing email campaigns.

Kaspersky Analyzes Malware Stats for 2019 (12/12/2019)
An assessment by Kaspersky covering November 2018 to December 2019 found that 19.8% of user computers were subjected to at least one malware-class Web attack, while nearly one billion attacks were launched from online resources located all over the world. Millions of Kaspersky product users from 203 countries and territories participate in this global exchange of information about malicious activity. More than 755,000 computers of unique users were targeted by encryptors, while over 2.2 million computers were targeted by mining malware.

Legitimate CypherIT Service Encrypts Malicious Files to Stay Below Security Radar (12/12/2019)
Check Point Software analyzed CypherIT, which is sold publicly as a legitimate service to encrypt executable files but is used to wrap malware and hide malicious content. According to Check Point's telemetry, about 13% of all the malicious executables sent by email during August - October 2019 used AutoIt crypters such as CypherIT to hide their malicious content. CypherIT claims to make files fully undetectable, is sold publicly on certain Web sites, and is considered a packer. Additionally, CypherIT changes its encryption methodology from time to time, enabling it to better hide malicious payloads.

New Buer Downloader Actively Being Sold in Hacker Underground (12/09/2019)
Since August, Proofpoint researchers have been tracking the development and sale of a modular loader named Buer that is being actively sold in prominent underground marketplaces and is intended for use by actors seeking a turn-key, off-the-shelf solution. Buer's author posted text in Russian on an underground bulletin board requesting $400 USD in payment for the malware and promising free updates and bug fixes. Buer has appeared via malvertising leading to exploit kits; as a secondary payload via Ostap; and as a primary payload downloading malware such as The Trick banking Trojan. It has robust geotargeting, system profiling, and anti-analysis features.

Ransomware Attacks Focusing on NAS Devices and Backup Data (12/09/2019)
Researchers at Kaspersky have warned that ransomware attacks targeting network attached storage (NAS) are gaining in popularity while posing new risks for backup data. Ransomware operators scan ranges of IP addresses looking for NAS devices accessible via the Web. Although the Web interfaces that are reachable require authentication, a number of devices ship integrated software containing vulnerabilities. This allows the attackers to install a Trojan using exploits, which then encrypts all data on the devices connected to the NAS. Kaspersky has seen a number of new ransomware families solely targeting NAS in 2019.

Snatch Ransomware Bypasses Security Using Safe Mode Reboot (12/09/2019)
Sophos issued a warning about a ransomware trick - encrypting data only after rebooting Windows PCs into "safe mode." Deployed by the Russian-developed "Snatch" ransomware, the trick is effective against endpoint security software, which often doesn't load when safe mode is in operation. The attackers look for weakly secured Remote Desktop ports to force their way into Azure servers, a foothold they use to move sideways to Windows domain controllers, often spending weeks gathering reconnaissance. In one network attack, the attackers installed the ransomware on around 200 machines using command and control after utilizing various legitimate tools (Process Hacker, IObit Uninstaller, PowerTool, PsExec, Advanced Port Scanner) plus some of their own. Sophos provides some methods for mitigation so users can protect against a compromise.
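A defender-side illustration of the two signals in the Sophos write-up above, added here as an example and not code from Sophos or from the Snatch analysis: process-creation telemetry is triaged for (a) a boot-configuration change that puts a host into safe mode and (b) execution of the dual-use tools named in the report, with a host that shows both escalated. The page does not say how Snatch configures the safe-mode reboot; this example assumes the standard Windows route, bcdedit's safeboot switch. The event schema (host/user/image/cmdline), the sample events, and the tool filename fragments are all constructed assumptions to be adjusted to your own telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "ws02", "user": "bob", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},  # read-only listing, not a change
    {"host": "ws03", "user": "svc_admin",
     "image": r"C:\Program Files\Process Hacker 2\ProcessHacker.exe",
     "cmdline": "ProcessHacker.exe"},
    {"host": "ws03", "user": "svc_admin", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "dc01", "user": "admin", "image": r"C:\Tools\PsExec.exe",
     "cmdline": "PsExec.exe \\\\ws03 -s cmd"},
]

# Any bcdedit invocation that touches the safeboot value: setting it forces the
# next boot into safe mode, and /deletevalue safeboot is the cleanup afterwards.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)

# Lowercase filename fragments for the tools Sophos lists. The fragments are
# assumptions; check them against the binaries actually present in your estate.
TOOL_MARKERS = {
    "psexec": "PsExec",
    "processhacker": "Process Hacker",
    "powertool": "PowerTool",
    "iobit": "IObit Uninstaller",
    "advanced_port_scanner": "Advanced Port Scanner",
}


def classify(event):
    """Return (severity, reason) for one event, or None when nothing matched."""
    cmdline = event.get("cmdline", "")
    image = event.get("image", "").lower().replace("\\", "/")
    exe = image.rsplit("/", 1)[-1]
    if SAFEBOOT_RE.search(cmdline):
        return ("high", "boot configuration changed to safe mode via bcdedit")
    for fragment, name in TOOL_MARKERS.items():
        if fragment in exe:
            return ("medium", f"dual-use tool executed: {name}")
    return None


def triage(events):
    """Classify every event and escalate hosts that show the full chain."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({"host": ev["host"], "user": ev["user"],
                         "severity": severity, "reason": reason})
    # A host where a dual-use tool ran and the boot configuration was then
    # switched to safe mode matches the sequence described in the report.
    hosts_with_tool = {f["host"] for f in findings if f["severity"] == "medium"}
    for f in findings:
        if f["severity"] == "high" and f["host"] in hosts_with_tool:
            f["severity"] = "critical"
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:>8}] {finding['host']} {finding['user']}: {finding['reason']}")
```

Running the block on the constructed events yields one medium finding each for ws03 and dc01 and a critical one for ws03, since that host ran Process Hacker and then reconfigured its boot entry. Because a safe-mode boot only starts services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network), a complementary preventive check, not shown here, is to confirm that the endpoint agent you rely on is registered there.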

Trickbot Campaign Uses Fake Payroll Emails in Phishing Attacks (12/10/2019)
Palo Alto Networks discovered a Trickbot campaign leveraging legitimate cloud service providers to obfuscate malicious delivery behavior. Between November 7 and 8, 2019, the vendor identified a Trickbot distribution campaign delivered via phishing emails with subject lines using topics around payroll or annual bonuses. In this campaign, the adversaries included links to what appeared to be a legitimate Google Docs document, which itself contained links to malicious files hosted on Google Drive. To further obfuscate the malicious activity, the adversaries leveraged a legitimate email delivery service called SendGrid to distribute the initial emails, and also hid the Google Drive links in the documents behind a SendGrid URL.

Waterbear Hides from Security Products by Using API Hooking Method (12/11/2019)
The Waterbear threat campaign has added a new technique - hiding its network behaviors from a specific security product by means of application programming interface (API) hooking - according to evidence from Trend Micro. Waterbear is associated with the cyber espionage group BlackTech, which mainly targets technology companies and government agencies, typically in East Asia.

xHelper Mobile Malware Spreading Quickly (12/11/2019)
The mobile Trojan xHelper was the most prevalent mobile malware during November, according to Check Point Software's monthly Global Threat Index. xHelper is a multi-purpose Android Trojan that can download other malicious applications as well as display malicious advertisements, and was first seen in the wild in March. It is listed at number eight on Check Point's top 10 malware index. The top malware families for November were Emotet, XMRig, and Trickbot, while xHelper, Guerrilla, and Lotoor were the top mobile malware families.

Zeppelin Ransomware-as-a-Service Takes Aim at US, European Targets (12/11/2019)
BlackBerry Cylance reported that Zeppelin has emerged as a member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Vega appeared in early 2019, was part of a campaign aimed at Russian speakers, and was designed with a broad reach. Zeppelin, by contrast, was observed targeting a group of carefully chosen tech and healthcare companies in Europe and the US. Unlike the Vega campaign, all Zeppelin binaries are designed to quit if running on machines based in Russia and some other ex-USSR countries. Zeppelin appears to be highly configurable and can be deployed as an EXE, a DLL, or wrapped in a PowerShell loader. The samples are hosted on compromised (watering-hole) Web sites and, in the case of the PowerShell loader, on Pastebin.