Malware Watch - W/E - 2/14/20

Cybercriminals Exploit Coronavirus Fears to Target Specific Industries (02/12/2020)
Concerns and fears about the coronavirus are being used as fodder for cyber attackers who are sending malicious health-related emails to Japanese speakers. One campaign, which was seen by Proofpoint, featured malicious Microsoft Word documents, exploited a two-and-a-half-year-old vulnerability, and installed the AZORult information stealing malware. In this campaign, attackers are nearly exclusively targeting industries that are particularly susceptible to shipping disruptions including manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic companies.

Kaspersky Team Spots KBOT, an Old-Fashioned Computer Virus (02/10/2020)
KBOT is a computer virus discovered by Kaspersky that the research team says is the first "living" virus it has seen in years in the wild. KBOT penetrates users' computers via the Internet, a local network, or from infected external media, and once launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys Web injects to try to steal the victim's bank and personal data.

Malicious Optimizer, Booster, and Utility Apps Found on Google Play (02/10/2020)
Trend Micro discovered several malicious optimizer, booster, and utility apps on Google Play that are capable of contacting remote ad configuration servers that can be used for malicious purposes, performing mobile ad fraud, and downloading as many as 3,000 malware variants or malicious payloads onto affected devices. These malicious apps, which claim to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times, and the campaign has been active since 2017. Google has removed the malicious apps from Play.

Malware Impersonating Tinder, Other Dating Apps to Lure in Victims (02/12/2020)
Kaspersky research found 1,963 unique malicious files disguised as popular dating apps. The analysis of malware using the names of over 20 popular dating applications and the keyword "dating" revealed 1,963 unique files that were spread in 2019 under the guise of legitimate applications. Two-thirds of them were masked as Tinder (1,262 files) and 263 files were linked to Badoo.

Outlaw Threat Group Returns to Take Aim at Automotive, Financial Industries (02/12/2020)
A cyber adversary known as Outlaw, which had gone silent for several months, has returned with updates to its malicious toolkit which include improved evasion methods for scanning purposes and enhanced mining capabilities. Trend Micro analyzed Outlaw's toolkit and found that it is designed to steal information from the automotive and finance industries, launch subsequent attacks on already compromised systems, and (possibly) sell stolen information. Outlaw has been targeting organizations in the US and Europe.

RobbinHood Ransomware Abuses Vulnerable Driver to Remove Security Software (02/13/2020)
Sophos investigated two different ransomware attacks in which the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just before performing the destructive file-encryption portion of the attack. The signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, has a known vulnerability that was widely reported in 2018 but which the company initially disputed. Gigabyte later recanted and discontinued the vulnerable driver, but the driver itself still exists. In the attack scenario, the criminals used the Gigabyte driver as a wedge to load a second, unsigned driver into Windows. This second driver then kills processes and files belonging to endpoint security products, bypassing tamper protection, so that the ransomware can run without interference. The ransomware installed in both instances calls itself RobbinHood. Sophos researchers said, "This is the first time we have observed ransomware shipping a trusted, signed (yet vulnerable) third party driver to patch the Windows kernel in-memory, load their own unsigned malicious driver, and take out security applications from kernel space."
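The driver chain described in the RobbinHood item (a signed but deprecated driver loaded first, then an unsigned driver) is the kind of sequence a defender can hunt for in driver-load telemetry. The following is an added detection example, not code from Sophos or from this digest; the log records are constructed and simplified in the spirit of Sysmon "Driver loaded" events (Event ID 6), and the signer name and file names are placeholders rather than the real artefacts from the report.

```python
"""Flag a signed-deprecated-driver load followed shortly by an unsigned driver load."""
import re
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): timestamp, then key=value
# fields loosely modelled on Sysmon Event ID 6 (ImageLoaded, Signed, Signature).
SAMPLE_EVENTS = [
    "2020-02-13T10:00:01 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature=Microsoft Windows",
    "2020-02-13T10:02:10 ImageLoaded=C:\\Users\\Public\\deprecated_placeholder.sys Signed=true Signature=EXAMPLE-DEPRECATED-SIGNER",
    "2020-02-13T10:02:12 ImageLoaded=C:\\Users\\Public\\unsigned_placeholder.sys Signed=false Signature=",
]

# Hypothetical watchlist of signers whose drivers are known to be vulnerable/deprecated.
DEPRECATED_SIGNERS = {"EXAMPLE-DEPRECATED-SIGNER"}
DEFAULT_WINDOW = timedelta(minutes=5)

# Matches key=value pairs where a value may contain spaces (e.g. "Microsoft Windows").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one constructed record into a dict with a datetime and typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    return {
        "time": datetime.fromisoformat(ts),
        "image": fields.get("ImageLoaded", ""),
        "signed": fields.get("Signed", "false").lower() == "true",
        "signer": fields.get("Signature", ""),
    }


def detect_byovd_sequence(lines, window=DEFAULT_WINDOW):
    """Return (vulnerable_driver, unsigned_driver) pairs where an unsigned driver
    load follows a watchlisted signed driver load within `window`."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if not (ev["signed"] and ev["signer"] in DEPRECATED_SIGNERS):
            continue
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break  # events are time-sorted, so nothing later can be in the window
            if not later["signed"]:
                alerts.append((ev["image"], later["image"]))
    return alerts
```

A real deployment would pull the watchlist from a maintained vulnerable-driver list and read events from the Sysmon operational log rather than from inline strings.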

Scammers Use Valentine's Theme to Create Bogus Sites (02/12/2020)
According to Check Point Software, the use of the word "Valentine" within malicious Web sites soared during the month of February in both 2018 and 2019. The increase was over 200% compared to the previous months and this was the biggest increase reported throughout the year. By using such a word, attackers can lure in users who are interested in Valentine's Day, hiding easily among legitimate sites.