Bi-weekly Security Update 12/21-1/3

Malicious content identified and inserted:

  • IPs – 1625
  • Domains – 4562

Target lists updated:

  • TSCritical (Domains and IPs)
  • TSRansomware (Domains and IPs)
  • TSPhishing (Domains and IPs) – New Targets added!
  • TSBanking (Domains and IPs) – New Targets added!

Indicators of compromise have been updated for the following:

  • Phishing and specifically Phishing targeting the World Anti-Doping Agency
  • Domains associated with Nigerian cybercrime and phishing.
  • TeleBots, a group that has been using targeted tools against Ukrainian financial institutions. These attackers are highly similar to the BlackEnergy group, which is known for attacks against Ukraine's energy industry.
  • Fancy Bear, also known as Sofacy and APT28, is an APT group that is known for spear-phishing attacks against government and military organizations. They have been sending Trojans through weaponized documents to conduct cyber espionage, with their latest target being the United States government.
  • Tools and infrastructure used in the "Grizzly Steppe" campaign. This campaign, attributed to the Russian civilian and military intelligence services, was intended to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.
  • Mirai, a Linux malware targeting IoT systems, which is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, then logging into them in order to infect them. This botnet has been used in the recent large DDoS attacks against computer security journalist Brian Krebs' web site, and in the October 2016 Dyn cyberattack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • Tordow, an Android-based malware that has the ability to steal login information, remove security software, make telephone calls, and install other programs. It can also encrypt files using the AES encryption scheme, giving it the capability to act as ransomware.
  • Nuclear Bot, a new banking malware which is being advertised on underground markets. Although it appears to be in a "proof of concept" stage at the moment, the high asking price for use of the malware is notable.
  • Emmental, a cybercriminal operation also referred to as "SmsSecurity", that uses malicious apps capable of intercepting SMS messages to hijack a user's banking session. It is distributed through malicious mobile apps that claim to be banking apps generating one-time passwords. It has also been reported that this campaign is used to gain root access on infected devices. It was first discovered in 2014 by Trend Micro Labs.
  • StrongPity APT, a group that has used zero-day vulnerabilities in the past and maintains its own tools. The group's recent targets have been encrypted data, mainly from victims in Belgium and Italy.
  • DealersChoice, an exploit platform discovered by Palo Alto Networks and related to the cybercriminal group Sofacy. The product of this platform's activity is an Adobe Flash (.SWF) file designed to exploit Flash vulnerabilities.
  • Scanners

The following Targets were added to the Policy Editor (additional targets were updated to include the new data):

  1. Standard:
    1. TSBanking IPs - IP addresses that are related to banking malware (Distribution or C2). This list contains, among others, information for the following malware families: Zeus, Feodo, the manually curated feed TSBanking, and others.
    2. TSBanking Domains - Domains that are related to banking malware (Distribution or C2). This list contains, among others, information for the following malware families: Zeus, Feodo, the manually curated feed TSBanking, and others.
    3. Phishing IPs - IP addresses that are current and actively used for Phishing. Note that because Phishing operates on specific URLs, while we block the IP address on which the URL is hosted, this target is more likely than others to contain false positives (other sites hosted on the same IP address will be blocked as well).
  2. Expert:
    1. TSBanking Threats IPs - IP addresses that are related to banking malware (Distribution and C2) and have been manually analyzed by our team of security experts and were deemed malicious.
    2. TSBanking Threats Domains - Domains that are related to banking malware (Distribution and C2) and have been manually analyzed by our team of security experts and were deemed malicious.
    3. TSPhishing Domains - Domains that the ThreatSTOP security team has determined are current and actively used for Phishing. Note that because Phishing operates on specific URLs, while we block whole domains, this target is more likely than others to contain false positives.
    4. TSPhishing IPs - IP addresses that the ThreatSTOP security team has determined are current and actively used for Phishing. Note that because Phishing operates on specific URLs, while we block the IP address on which the URL is hosted, this target is more likely than others to contain false positives.
    5. Locky DGA Domains - Locky: ransomware released in 2016. It is delivered through emails posing as invoices requiring payment with an attached Microsoft Word document containing malicious macros. This target contains a list of DGA Domains used by Locky and collected by the Security Research Lab at Qihoo 360.
    6. Magnitude Exploit Kit Domains - Magnitude Exploit Kit is an attack toolkit that infects victims through compromised websites and uses a variety of exploits to download malware onto the victimized computer. The U.S. is the country with the most Magnitude EK victims.
    7. Mirai DGA Domains - Mirai is a Linux malware targeting IoT systems, which is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, and logging into them in order to infect them. This botnet has been used in the recent large DDoS attacks against computer security journalist Brian Krebs' web site, and in the October 2016 Dyn cyberattack. The DGA Domains in this target are provided thanks to the Security Research Lab at Qihoo 360.

As well – the following blog posts have been published:
