Malware Watch - W/E - 1/17/20

5ss5c Ransomware Rises from Satan's Ashes (01/15/2020)
The developers behind the Satan ransomware have created 5ss5c, a new ransomware with similar functionality. Security researcher Bart Blaze spotted 5ss5c, which first appeared in November, and noted several links to Satan, including a launch chain that starts with a downloader and lateral spread via the EternalBlue exploit. Satan itself went quiet in the summer of 2019, a few months before 5ss5c emerged. Blaze said the new ransomware still appears to be under development.

December Spam Campaigns Spread Emotet, Making It the Most Wanted Malware (01/13/2020)
Emotet was the most prevalent malware in December, according to Check Point Software's monthly assessment. It was spread in several December spam campaigns, including ones themed "Support Greta Thunberg - Time Person of the Year 2019" and "Christmas Party." XMRig and Trickbot rounded out the top three malware families for the last month of 2019.

Google Boots 17,000 Malicious Bread Apps Associated with Billing Fraud (01/14/2020)
A large family of billing-fraud apps called "Bread" (also known as Joker) has repeatedly found its way into Google Play, and Google has now removed more than 17,000 Bread apps from the store. As Google added new policies and defenses against malware, Bread's authors added new obfuscation techniques to stay hidden. Older versions of Bread committed SMS fraud (sending premium-rate SMS messages from the victim's device); newer variants moved to toll fraud, which charges purchases directly to the victim's phone bill.

Malicious, Pre-Installed Apps Found on Government-Funded Phones (01/14/2020)
Phones sold by Assurance Wireless (a Virgin Mobile brand) through the government-funded Lifeline Assistance program came pre-installed with two types of malware, Malwarebytes reported. The handset, a UMX U683CL, was offered at $35 USD. Analysis of the phone found a variant of Adups, a component that silently installs apps without any notification to, or consent from, the user. The more dangerous piece is an unremovable dropper that shares code with a known Trojan and carries a hidden library named com.android.google.bridge.LibImp. Once that library is loaded into memory, it installs HiddenAds, a malicious adware app, on the UMX U683CL without the user's knowledge.

Oski Info Stealer Swipes Browser and Crypto Wallet Data (01/15/2020)
Security researcher Aditya K Sood warned of an information-stealing malware, the Oski Stealer, that targets web browsers and cryptocurrency wallet applications and has already harvested more than 50,000 passwords. Sood told SecurityWeek that Oski is sold on several underground forums and is distributed via drive-by downloads and phishing attacks. Most victims so far are in the US, and Chromium-based browsers have been the most affected.

Saigon Backdoor Swiped Source Code from Ursnif Trojan (01/13/2020)
FireEye reported that the Saigon malware, spotted in 2019, is built from source code of the Ursnif Trojan. The researchers describe Saigon as a generic backdoor. On an infected host it persists as a Base64-encoded shellcode blob stored in a registry key, which a scheduled task launches through PowerShell. Only a handful of Saigon samples have been seen, all with 2018 compilation timestamps, suggesting the malware has been adapted for use in just a few operations.
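The persistence pattern described above (shellcode stored Base64-encoded in the registry, launched by a scheduled task through PowerShell) suggests two hunt checks that can run over exported artifacts. The Python below is an added example, not FireEye's tooling or Saigon's code: it scans a constructed .reg export for large, high-entropy Base64 string values, and a constructed Task Scheduler XML definition for PowerShell actions that read the registry, decode Base64 or hide their window. The key path, value names, task contents and the 256-character / 5.0-bit thresholds are all assumptions for illustration and should be tuned against real exports.

```python
import base64
import binascii
import math
import random
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data (not real Saigon artifacts). The blob is 600
# pseudo-random bytes standing in for shellcode; the key path is made up.
_rng = random.Random(7)
_FAKE_SHELLCODE = bytes(_rng.getrandbits(8) for _ in range(600))
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\n\n'
    '[HKEY_CURRENT_USER\\Software\\Contoso\\Settings]\n'
    '"Theme"="dark"\n'
    # long but low-entropy Base64: must NOT be flagged
    '"Banner"="' + base64.b64encode(b"A" * 400).decode() + '"\n'
    # long, high-entropy Base64: the pattern we hunt for
    '"Blob"="' + base64.b64encode(_FAKE_SHELLCODE).decode() + '"\n'
)

# Constructed task definition in the Task Scheduler XML schema (no real task).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -c "$b=(Get-ItemProperty HKCU:\\Software\\Contoso\\Settings).Blob;[Convert]::FromBase64String($b)"</Arguments>
    </Exec>
  </Actions>
</Task>"""

B64_RE = re.compile(r'^[A-Za-z0-9+/]{64,}={0,2}$')
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string value"
PS_INDICATORS = {  # label -> pattern in the PowerShell argument string
    "registry read": re.compile(r'Get-ItemProperty|HKCU:|HKLM:|Registry::', re.I),
    "base64 decode": re.compile(r'FromBase64String|-enc(?:odedcommand)?\b', re.I),
    "hidden window": re.compile(r'-W(?:indowStyle)?\s+Hidden', re.I),
}


def shannon_entropy(data):
    """Bits per byte; random-looking shellcode or encrypted data scores high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_base64_registry_values(reg_text, min_len=256, min_entropy=5.0):
    """Return string values in a .reg export that are long, valid Base64
    and decode to high-entropy bytes."""
    findings, key = [], None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) < min_len or not B64_RE.match(value):
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        entropy = shannon_entropy(decoded)
        if entropy >= min_entropy:
            findings.append({"key": key, "name": name,
                             "decoded_len": len(decoded),
                             "entropy": round(entropy, 2)})
    return findings


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit('}', 1)[-1]


def suspicious_powershell_actions(task_xml):
    """Return Exec actions that run PowerShell with indicator arguments."""
    hits = []
    for node in ET.fromstring(task_xml).iter():
        if _local(node.tag) != 'Exec':
            continue
        command = args = ''
        for child in node:
            if _local(child.tag) == 'Command':
                command = (child.text or '').strip()
            elif _local(child.tag) == 'Arguments':
                args = (child.text or '').strip()
        if not any(p in command.lower() for p in ('powershell', 'pwsh')):
            continue
        reasons = [label for label, rx in PS_INDICATORS.items() if rx.search(args)]
        if reasons:
            hits.append({"command": command, "arguments": args, "reasons": reasons})
    return hits


def hunt(reg_text, task_xml):
    return {"registry_blobs": find_base64_registry_values(reg_text),
            "powershell_tasks": suspicious_powershell_actions(task_xml)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_REG, SAMPLE_TASK_XML), indent=2))
```

On a live host the same two functions can be fed `reg export` output and the XML from `schtasks /query /xml` (or `Export-ScheduledTask`); the entropy gate is what keeps long but benign Base64 strings, such as the repeated-byte "Banner" value in the sample, out of the results.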

Shopper Malware Abuses Google Accessibility Service, Spreads Fake Reviews (01/13/2020)
Kaspersky researchers detected a Trojan application called "Shopper" that bombards users with unsolicited ads and inflates the installation counts of online shopping applications, fooling both users and advertisers. The malicious app visits smartphone app stores, downloads and launches applications, and leaves fake reviews on behalf of the user, all while hiding itself from the device owner. Shopper abuses the Android Accessibility Service, a feature intended to help users with disabilities by, for example, reading screen content aloud and automating interaction with the user interface. Once it has permission to use the service, the malware has almost unlimited ability to interact with the system interface and other applications.
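Because Shopper's capabilities hinge on being granted the Accessibility Service, the practical check on a device is to see which accessibility services are enabled. On Android that list lives in the secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`) as a colon-separated list of package/class component names. The Python below is an added example, not Kaspersky's analysis or Shopper's code: it parses a constructed copy of that output, expands the short "pkg/.Class" component form, and reports services whose package is not on an allowlist. The allowlist and the `com.example.shopper` package name are assumptions for illustration, not real identifiers.

```python
import re

# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
# One legitimate screen reader plus a made-up package that uses the short
# ".Class" component form. Neither entry is taken from a real device.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.shopper/.AccService"
)

# Assumed allowlist: packages the organisation expects to hold the
# accessibility permission. Tune this for the fleet in question.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

COMPONENT_RE = re.compile(r'^([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+)$')


def parse_enabled_services(raw):
    """Return (package, fully qualified class) pairs from the setting value.

    `settings get` prints the literal string "null" when the setting is
    unset, and the list may carry a trailing colon on some builds.
    Short component form "pkg/.Cls" is expanded to "pkg/pkg.Cls".
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        m = COMPONENT_RE.match(item)
        if not m:
            raise ValueError(f"unrecognised component string: {item!r}")
        pkg, cls = m.group(1), m.group(2)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_services(raw, expected=EXPECTED_PACKAGES):
    """Enabled accessibility services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in expected]


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

Any package this reports that the user did not knowingly install as a screen reader or automation aid deserves a closer look, since an app holding this permission can read every screen and tap on the user's behalf, which is exactly what Shopper does.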