Malware Watch - W/E - 1/24/20

16Shop Phishing Kits Target PayPal and American Express (01/22/2020)
A prolific phishing kit distribution network known as 16Shop, attributed to a cybercriminal group called Indonesian Cyber Army, has been targeting PayPal and American Express, researchers at ZeroFox say. The PayPal kit employs three anti-bot and anti-indexing features. Many features of 16Shop are sold a la carte, and adding features helps the operators land and expand when selling their kits. 16Shop also offers phishing kits that target Apple and Amazon.

Emotet-Laden Spam Emails Increased in Last Few Months of 2019 (01/22/2020)
Symantec noted an uptick in Emotet activity beginning in September 2019 as the vendor began blocking spam messages laced with the Trojan. At times, Symantec products blocked more than one million hits per day. Prior to September, Emotet activity had dwindled.

FTCODE Ransomware Lifts Credentials from Popular Browsers (01/22/2020)
Zscaler found FTCODE, a PowerShell-based ransomware that targets Italian speakers. FTCODE has been around for several years, but this variant, version number 1117.1, also steals credentials from the Internet Explorer, Firefox, and Chrome browsers and from the Thunderbird and Outlook email clients.

One in 10 macOS Users Attacked by Shlayer Malware (01/23/2020)
An analysis by Kaspersky of the Shlayer Trojan has determined that it accounts for almost 30% of detections on the macOS platform. In 2019, one in 10 users of Kaspersky's Mac security offerings encountered the malware at least once. Shlayer is written in Python, and 31% of its attacks between February 2018 and October 2019 were against targets in the US.

sLoad Trojan Debuts Sophisticated, New Version: Starslord (01/22/2020)
Microsoft determined that sLoad, the PowerShell-based Trojan downloader that uses the Background Intelligent Transfer Service for malicious activity, has launched version 2.0. sLoad has added the ability to track the stage of infection on every affected machine. Microsoft has dubbed this version Starslord, based on strings in the malware code.

Tomato Routers Under Attack from Muhstik Botnet (01/22/2020)
Palo Alto Networks discovered a new variant of the Muhstik botnet that adds a scanner targeting Tomato routers through Web authentication brute-forcing. Tomato is an open-source alternative firmware for routers. Muhstik has wormlike self-propagating capabilities, infects Linux servers and Internet of Things devices, and typically uses the infected IoT bots for cryptocurrency mining and distributed denial-of-service attacks to earn profit. The new Muhstik variant scans for Tomato routers on TCP port 8080 and bypasses the admin Web authentication by brute-forcing default credentials. More than 4,600 Tomato routers are vulnerable.