Malware Watch - W/E - 1/31/20
Attackers Exploit Zero-Day Citrix Hole to Spread Ransomware (01/28/2020)
FireEye has been tracking multiple clusters of malicious activity associated with exploitation of the vulnerability that impacts Citrix Application Device Controller and Citrix Gateway. Previously, FireEye spotted the NOTROBIN malware family. A separate threat actor is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on initial observations, the ultimate intent may be to deploy ransomware, using the Gateway as a central pivot point.
FireEye has been tracking multiple clusters of malicious activity associated with exploitation of the vulnerability that impacts Citrix Application Device Controller and Citrix Gateway. Previously, FireEye spotted the NOTROBIN malware family. A separate threat actor is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on initial observations, the ultimate intent may be to deploy ransomware, using the Gateway as a central pivot point.
Check Point Gives Details on Phorphiex Botnet's Modules (01/28/2020)
Check Point Software evaluated the modules belonging to the Phorpiex botnet, which consists of over one million infected Windows computers. The core part of the Phorpiex botnet is a loader named Tldr that is responsible for loading additional malicious modules and other malware to the infected computers. Each module is a separate Windows executable. The malware configuration is hardcoded to the malware executables. Check Point has seen modules for spam, two different worms, and the XMRig cryptominer.
Check Point Software evaluated the modules belonging to the Phorpiex botnet, which consists of over one million infected Windows computers. The core part of the Phorpiex botnet is a loader named Tldr that is responsible for loading additional malicious modules and other malware to the infected computers. Each module is a separate Windows executable. The malware configuration is hardcoded to the malware executables. Check Point has seen modules for spam, two different worms, and the XMRig cryptominer.
Popular Musical Artist Names, Song Titles Used to Spread Malicious Files (01/28/2020)
Cybercriminals are actively abusing the names of artists and songs featured in the Grammy Awards, in order to spread malware. Kaspersky researchers analyzed Grammy-nominated artists' names and song titles for malicious files. They found 30,982 malicious files that used the names of artists or their tracks in order to spread malware. Taylor Swift, Ariana Grande, and Post Malone were the three artists and Sunflower, Talk, and Old Town Road were the song titles most often found in malicious files in 2019.
Cybercriminals are actively abusing the names of artists and songs featured in the Grammy Awards, in order to spread malware. Kaspersky researchers analyzed Grammy-nominated artists' names and song titles for malicious files. They found 30,982 malicious files that used the names of artists or their tracks in order to spread malware. Taylor Swift, Ariana Grande, and Post Malone were the three artists and Sunflower, Talk, and Old Town Road were the song titles most often found in malicious files in 2019.
Predator the Thief Malware Sells for $150 in Dark Underground (01/29/2020)
The team at Check Point Software assessed Predator the Thief, an information stealing malware that was first sold in a Russian underground forum in June 2018. Since then, Predator has evolved five times and is being sold on a different dark underground site and a Telegram channel for $150 USD. Predator steals data and uses anti-debugging and anti-analysis techniques to stay hidden from protective software.
The team at Check Point Software assessed Predator the Thief, an information stealing malware that was first sold in a Russian underground forum in June 2018. Since then, Predator has evolved five times and is being sold on a different dark underground site and a Telegram channel for $150 USD. Predator steals data and uses anti-debugging and anti-analysis techniques to stay hidden from protective software.