Malware Watch - W/E - 12/6/19
Agent Smith Compromised 30 Million Devices by Swapping Apps with Malware (11/26/2019)
The threat team at Check Point Software discovered Agent Smith, a malware campaign that infected approximately 30 million devices and disguised itself as a Google app. The malware exploits various known Android vulnerabilities and automatically replaces multiple installed apps on the device with malicious versions. Check Point's artificial intelligence engines detected Agent Smith before the command and control sites were known to be malicious.
CallerSpy Spyware Disguised as Mobile Apps (12/02/2019)
Spyware disguised as chat apps was discovered by Trend Micro on a phishing site. The apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign. The threat was first spotted in May, but the Web site then went quiet for a few months until it reactivated in October with a new app dubbed "Apex App." This app is actually CallerSpy spyware.
Capesand EK Uses Multiple Stealth Tools in KurdishCoder Campaign (12/04/2019)
The security team at Trend Micro analyzed the Capesand exploit kit and identified 300 samples as part of a campaign that uses tools to provide fully-undetectable obfuscation capabilities. This campaign has been called "KurdishCoder." One of the Capesand samples deployed the njRAT malware and used multiple layers of obfuscation via two .NET protectors, ConfuserEx and Cassandra (CyaX). Both of these tools are used in combination to provide an array of fully undetectable capabilities to the deployed njRAT malware variant.
Over 1/3 of Computers Used to Collect, Process Biometrics Targeted by Malware (12/04/2019)
Thirty-seven percent of servers and workstations that run Kaspersky products and are used to collect, process, and store biometric data, such as fingerprints, hand geometry, face, voice, and iris templates, faced at least one malware infection attempt in Q3 2019. Remote-access Trojans (5.4%), malware used in phishing attacks (5.1%), ransomware (1.9%), and Trojan bankers (1.5%) were among the malware samples that Kaspersky's products blocked. Threats from the Internet were blocked on 14.4% of all biometric data processing systems during the third quarter.
Polymorphic Malware "Dexphot" Hides from Security Software, Uses Fileless Methods (11/27/2019)
Microsoft began tracking Dexphot, a polymorphic type of malware, in October 2018 and has released its analysis of this threat. Dexphot uses sophisticated methods to evade security and then utilizes fileless techniques to run malicious code directly in memory. It leaves very scant traces behind, hijacks legitimate services to disguise its malicious activity, and later runs a cryptominer. Dexphot exhibits multiple layers of polymorphism across the binaries it distributes.
PyXie RAT Infiltrates Various Industries in Ongoing Campaign (12/05/2019)
A Python-based remote access Trojan dubbed "PyXie" has been deployed in an ongoing campaign that targets a wide range of industries and has been seen in conjunction with Cobalt Strike beacons as well as a downloader that has similarities to the Shifu banking Trojan. BlackBerry Cylance provided details of the PyXie campaign, which includes legitimate LogMeIn and Google binaries used to sideload payloads, a Trojanized Tetris app to load and execute Cobalt Strike stagers from internal network shares, use of a modified RC4 algorithm to encrypt payloads with a unique key per infected host, and other capabilities.
Ransomware Hit NYPD's Fingerprint System in 2018 (11/27/2019)
The New York Post learned that the New York Police Department's (NYPD) biometric database was infected with ransomware that spread to 23 machines but never executed. The incident occurred in October 2018 when a contractor who was setting up a digital display at the NYPD's police academy plugged in an infected mini-PC that transmitted the virus to devices hooked up to the LiveScan fingerprint tracking system. Within hours, the NYPD realized the breach and took LiveScan offline before the ransomware launched. Software was then reinstalled citywide as a precaution. The vendor with the infected computer has not been publicly identified.
Scammers Use Push Notifications to Phish for New Victims (11/26/2019)
Kaspersky warned that browser push notifications can deliver nefarious consequences in the form of scams. Offers of money in exchange for filling out surveys typically lead to phishing attacks. Between January 1 and September 30, Kaspersky products blocked ad and scam notification sign-ups and demonstration attempts on the devices of more than 14 million unique users globally. Algeria (27.2%) and Belarus (24.1%) were the hardest-hit nations. The vendor also noted an upward trend in the spread of ad and scam subscriptions.
Sneaky Buer Downloader Used in Multiple Campaigns (12/04/2019)
Since August, Proofpoint researchers have been tracking the development and sale of a modular loader named Buer. The loader has features that are highly competitive with Smoke Loader, is being actively sold in prominent underground marketplaces, and is intended for use by actors seeking a turn-key, off-the-shelf solution. Buer has been seen in a variety of campaigns: via malvertising leading to exploit kits; as a secondary payload via Ostap; and as a primary payload downloading malware such as The Trick banking Trojan. The malware has robust geotargeting, system profiling, and anti-analysis features and is in active development by its Russian-speaking author.
Stantinko Botnet Now Features Stealthy Cryptomining Tool to Boost Profits (11/26/2019)
The Stantinko botnet, which has been active since at least 2012 and mostly targets entities in Russia, Ukraine, Belarus, and Kazakhstan, has added a cryptomining module to amp up its profits, the ESET research team learned. The cryptomining module uses interesting tactics to remain obfuscated. Due to the use of source level obfuscations, a bit of randomness, and the fact that Stantinko's operators compile this module for each new victim, each sample of the module is unique. The module itself is a highly modified version of the xmr-stak open-source cryptominer.
TrickBot Spreads Its Nefarious Activities to Japan (12/03/2019)
TrickBot malware campaigns, which typically target English-speaking nations, have begun attacking Japanese banks, the team at IBM X-Force reported. Campaigns in Japan have been leveraging malicious spam and distribution by the Emotet botnet to drop TrickBot onto user devices. The predominant attack mode involves Web injections on banking Web sites that lead to eventual online banking fraud.
Wiper with Similarities to Shamoon Used in Nation-State Attacks in Middle East (12/03/2019)
A new wiper malware dubbed "ZeroCleare" by IBM's X-Force team was used to execute a destructive attack on the energy and industrial sectors in the Middle East. The researchers suspect Iranian-based nation-state adversaries were involved in developing and deploying the wiper. ZeroCleare aims to overwrite the master boot record (MBR) and disk partitions on Windows-based machines, much like the Shamoon wiper did beginning in 2012. ZeroCleare uses EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions, to wipe the MBR and damage disk partitions on a large number of networked devices. To gain access to the device's core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls.