Malware Watch - W/E - 2/7/20
Brazilians Targeted by Resurfaced CamuBot Malware (02/06/2020)
The CamuBot banking Trojan has resurfaced after roughly a year of inactivity to resume targeted attacks on the Brazilian financial sector. IBM X-Force researchers assessed the new samples and found that CamuBot still impersonates a security application that banks ask customers to install, and that its operators use social-engineering tactics similar to those of other cybercriminal gangs. The attack begins with a phone call: someone on the attacker's side calls the victim and walks them through browsing to an infection page that hosts the CamuBot Trojan.
EKANS Ransomware Discovered Targeting ICS Operations (02/04/2020)
Multiple vendors have analyzed EKANS (also called Snake), a ransomware family that emerged in December 2019 and can halt processes tied to industrial control systems (ICS) operations. Dragos, MalwareHunterTeam, and SentinelOne have all assessed the malware. In its analysis, Dragos noted overlaps between EKANS and the MEGACORTEX ransomware and determined that, before encrypting files, EKANS terminates processes from a hard-coded kill list that includes ICS-specific software, a capability that distinguishes it from most ransomware. Although some researchers have speculated that Iranian-aligned actors are behind EKANS, Dragos's researchers did not attribute the ransomware to any specific group.
Hackers Can Plant Malware, Control Screen Brightness to Steal Data from Air-Gapped Systems (02/05/2020)
Air-gapped computers, systems kept isolated from the Internet because they store or process sensitive information, can still have data exfiltrated from them, researchers from Ben-Gurion University of the Negev and the Shamoon College of Engineering report. The team showed that malware already present on a compromised machine can modulate the screen's brightness by amounts too small for a user to notice, encoding data in the changes. The brightness changes can then be recovered from video of the screen captured by a nearby camera, such as a local security camera, a smartphone camera, or a Webcam. The technique supplies only the outbound channel; the attacker still needs an initial foothold on the isolated machine to plant the malware.
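The channel described above, as an added simulation that is not code from the researchers or from the original item: the transmitter holds the screen at one of two brightness levels for a fixed number of camera frames per bit, and the receiver averages each frame window, calibrates a decision threshold from a short preamble, and slices the result back into bytes. The 3% brightness step, the eight-frames-per-bit symbol length, the preamble and the Gaussian camera-noise model are all assumptions chosen for the simulation, and no real display or camera is involved.

```python
"""Simulation of a screen-brightness covert channel (added example, constructed values)."""
import random

DELTA = 0.03             # brightness step for a '1' bit, 3% of full scale (assumed below what a user notices)
FRAMES_PER_SYMBOL = 8    # camera frames captured per transmitted bit (assumed)
PREAMBLE = [1, 0, 1, 1]  # fixed header so the receiver can estimate both brightness levels


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def transmit(data, baseline=0.50):
    """Per-frame brightness the display would show while sending `data` (preamble first)."""
    levels = []
    for bit in PREAMBLE + bytes_to_bits(data):
        levels.extend([baseline + DELTA * bit] * FRAMES_PER_SYMBOL)
    return levels


def camera_capture(levels, noise=0.005, seed=1):
    """Constructed camera model: each frame's mean luminance plus Gaussian sensor noise."""
    rng = random.Random(seed)
    return [level + rng.gauss(0.0, noise) for level in levels]


def receive(samples):
    """Average each symbol window, set a threshold from the preamble, slice to bits, rebuild bytes."""
    n_symbols = len(samples) // FRAMES_PER_SYMBOL
    means = []
    for i in range(n_symbols):
        window = samples[i * FRAMES_PER_SYMBOL:(i + 1) * FRAMES_PER_SYMBOL]
        means.append(sum(window) / len(window))
    preamble_means = means[:len(PREAMBLE)]
    # the preamble carries both a 0 and a 1, so its extremes estimate the two levels
    threshold = (min(preamble_means) + max(preamble_means)) / 2.0
    bits = [1 if m > threshold else 0 for m in means[len(PREAMBLE):]]
    return bits_to_bytes(bits)


def bits_per_second(camera_fps):
    """Channel rate implied by the symbol length at a given camera frame rate."""
    return camera_fps / FRAMES_PER_SYMBOL


if __name__ == "__main__":
    secret = b"exfil"
    recovered = receive(camera_capture(transmit(secret)))
    print(recovered, "at", bits_per_second(30), "bit/s from a 30 fps camera")
```

Averaging eight frames per bit is what lets a step that is invisible to a user survive sensor noise: the noise on each window mean shrinks with the square root of the window length, while the step does not. The same trade-off sets the rate, which at a typical 30 fps camera is a few bits per second, enough for keys and credentials but not bulk data. Defensively, the point is that the channel exists only after compromise, so controls on what runs on the isolated host matter more than controls on the screen.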
Malicious Campaign Takes Aim at Manufacturing Sites' IoT Devices (02/06/2020)
TrapX Security identified a malware campaign specifically targeting Internet of Things (IoT) devices running Windows 7, which reached end of support in January 2020, at manufacturing sites around the world. The campaign uses a self-spreading downloader that runs malicious scripts belonging to the Lemon_Duck PowerShell malware family. It has hit smart printers, smart TVs, and automated guided vehicles at specific manufacturers' sites, and the report found that infection may cause the affected devices to malfunction.
MINEBRIDGE Backdoor Spotted in Multiple Phishing Campaigns in US (02/05/2020)
FireEye observed multiple targeted phishing campaigns designed to download and deploy a backdoor dubbed "MINEBRIDGE." The campaigns primarily targeted financial services organizations in the United States, but at least one targeted South Korean organizations, including a marketing agency. MINEBRIDGE is a 32-bit C++ backdoor delivered as a DLL and loaded through DLL search-order hijacking: it is dropped alongside an older, unpatched copy of the legitimate TeamViewer remote desktop software under the name of a library that TeamViewer loads, so the signed TeamViewer executable itself brings the backdoor into memory. Once running, MINEBRIDGE hooks Windows APIs to hide the TeamViewer user interface from the victim.
Trickbot Trojan Abuses Windows 10 UAC Bypass (02/05/2020)
The newest variant of the Trickbot Trojan uses the Windows 10 WSReset UAC bypass to get around User Account Control (UAC) and deliver its payload with elevated privileges. WSReset.exe is a legitimate Windows binary that resets Windows Store settings, and its manifest sets "autoElevate" to "true," so Windows launches it at high integrity without showing a UAC prompt. The bypass works because, on launch, WSReset.exe reads a command from a registry key under the current user's hive, which the malware can write to without administrative rights: Trickbot plants the path to its payload there, starts WSReset.exe, and the payload runs elevated. The team at Morphisec provided further details about this technique and the Trickbot variant in a blog post.
Triple-Encrypted AZORult Trojan Evades Security Packages (02/04/2020)
A malicious document observed by a researcher with the SANS Internet Storm Center (ISC) contained macros, as is typical, but the macros unpacked a triple-encrypted AZORult downloader. Each encryption layer has to be stripped before the next can be inspected, which makes it harder for security software to recognize the payload on disk or in transit. AZORult is an information-stealing Trojan.
Warzone RAT Has Wealth of Features with the Right Options Packages for Thieves (02/03/2020)
A remote access Trojan (RAT) called Warzone offers features including a live keylogger and an offline keylogger, remote Webcam control, a password grabber, privilege escalation on Windows 10, and more. According to Check Point Software's researchers, the RAT is sold through a site hosted at warzone[.]pw, where buyers choose among three subscription plans. Two additional plans let buyers add options such as an exploit builder and a crypter to their packages. Warzone is written in C++ and is compatible with all Windows releases. It can bypass User Account Control (UAC) and disable Windows Defender.