Malware Watch - W/E - 12/20/19
Cryptominer Hides from Detection Thanks to Process Hollowing (12/16/2019)
A cryptominer is using process hollowing together with a dropper component that requires a specific set of command line arguments before it triggers its malicious behavior, so that detection tools and analysts have no evidence of malicious activity by which to flag the file. According to research from Trend Micro, the dropped file also acts as a container that keeps the main file inactive; without the correct arguments, the coinmining activity also remains unexecuted. On its own, the file has no use and is not malicious, which allows it to evade detection. The campaign's increased activity started in early November, and most infection attempts took place on November 20 in Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.
Kaspersky Discovers Mistakes in OilRig's Poison Frog Malware (12/17/2019)
Kaspersky has analyzed the Poison Frog backdoor after scanning its archives with its YARA rule to look for malware samples employed by the OilRig threat group. The OilRig developers disguised Poison Frog as a legitimate Cisco application, but it contained errors: an info popup appeared every time it was clicked, which does not occur with the actual Cisco application. It is at this point that the backdoor is silently installed on the system. Kaspersky also found that one Poison Frog sample did not execute because the developers misspelled a word in the code: they used Poweeershell.exe instead of Powershell.exe.
Mirai Variant ECHOBOT Evolves with 71 Exploits in Tow (12/16/2019)
A variant of the Mirai botnet known as ECHOBOT appeared in May and has been seen by researchers at Palo Alto Networks using 71 unique exploits. Thirteen of these bugs had never previously been exploited in the wild, and some date back to 2003. The combination of exploits attempts to infiltrate a range of devices, including routers, firewalls, IP cameras, server management utilities, programmable logic controllers, an online payment system, and a yacht control Web application. ECHOBOT has changed its infrastructure since it first appeared and has been steadily adding vulnerabilities to its arsenal.
MyKings Cryptominer's Evolution Includes EternalBlue (12/17/2019)
Sophos researchers detailed the morphing attack components of the globally reaching MyKings cryptominer in a report. MyKings uses a combination of techniques: gaining access through open remote services, botnets to orchestrate parts of the attack, and living off the land to evade detection. The criminals behind MyKings have added the EternalBlue exploit to newer versions of the botnet, and more than 45,000 hosts around the world are infected. The botnet can spread by attacking weak username/password combinations via MySQL, MSSQL, telnet, ssh, IPC, WMI, RDP, and CCTV connections.
Rancor Threat Group Takes Aim at Southeast Asia with Custom Dudell Malware (12/17/2019)
A cyberspy group called Rancor is using a custom malware family, dubbed "Dudell" by researchers at Palo Alto Networks, to download a second-stage payload once its malicious macro is executed. Additionally, Rancor is using the Derusbi malware family to load a secondary payload once it infiltrates a target. Rancor targets entities in Southeast Asia.