<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><em><img src="http://info.threatstop.com/hubfs/cyber-security-icon.png" alt="cyber-security-icon.png" width="454" height="454"><!--more--></em></p> <p>&nbsp;</p> <p><em>Malicious Content Identified and Inserted:</em></p> <ul> <li>IPs – 2177</li> <li>Domains – 522</li> </ul> <p><em>Target List Content Updated:</em></p> <ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> </ul> <p><em>Indicators of compromise have been updatedfor the following:</em></p> <p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p> <ul> <li>IOCs involved in <strong>suspicious scanning activities</strong> on domains and hosts.</li> <li>IOCs involved in <strong>malspam</strong></li> <li>IOCs involved in <strong>phishing</strong>.</li> <li><span></span><strong>Mirai</strong>, a Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions" data-hs-link-id="0" target="_blank">blog</a>.</li> <li><span></span><strong><a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-ewind-adware-applications-clothing/" data-hs-link-id="0" target="_blank">Ewind</a>&nbsp;</strong>is an Android Adware.<strong>&nbsp;</strong><span>If a package name matches the list of targeted applications, it will run on the infected device. Each time an application is sent to the foreground or background, <strong>Ewind</strong> notifies the C2. The C2 responds with a command for <strong>Ewind</strong> to execute, typically displaying an advert List of applications <a href="https://github.com/pan-unit42/iocs/blob/master/ewind/apps.csv" data-hs-link-id="0" target="_blank">here</a>.</span></li> <li><strong>Nemucod</strong> is a JavaScript downloader Trojan targeting users through malspam campaigns. <strong>Nemucod</strong> downloads and executes malware without the user’s consent, usually through malicious spam emails with .zip extensions. Recently, there has been a rise in the number of cases where <strong>Nemucod</strong> distributes ransomware. More on the blog <a href="https://blog.threatstop.com/nemucod-spreads-through-facebook-messages" data-hs-link-id="0" target="_blank">here</a>.</li> <li><strong>Sundown Exploit Kit</strong>&nbsp;includes a&nbsp;<a href="http://blog.talosintelligence.com/2017/03/sundown-matures.html" data-hs-link-id="0" target="_blank">landing page</a> and one additional page, with a payload, on a different domain. It is distributed through malvertising and compromised sites. It has a relatively large number of domains for execution, most of which are obtained through domain shadowing. (Creating subdomains under a compromised legitimate domains)</li> <li><strong>Nebula</strong> <strong>Exploit Kit</strong> is a new variant of a known EK, <strong>Sundown</strong>, with some alterations. The only difference between the two Exploit Kits, as mentioned in this report by cyber researcher Kafeine, is Nebula’s internal TDS. (TDS is a gate that is used to redirect visitors to various content) Recently it was reported to distribute <strong>DiamondFox</strong> malware, with information disclosure capabilities (specifically credentials and financial information), and known for point of sale system attacks.</li> <li><strong>Rig Exploit Kit</strong>, discovered in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight. In March 2017, a campaign involving the transfer of <strong>Cerber</strong> ransomware (utilizing RIG EK) was published in <a href="http://www.malware-traffic-analysis.net/2017/03/20/index2.html" data-hs-link-id="0" target="_blank">Malware-Traffic-Analysis</a>.</li> <li><a href="http://www.malware-traffic-analysis.net/2017/03/31/index.html" data-hs-link-id="0" target="_blank"><strong>Cerber</strong> <strong>Ransomware</strong></a>. This ransomware debuted in February 2016 as one of the most prevalent ransomware variants. This ransomware is typically distributed through emails containing macro-enabled Word documents, Windows Script Files or Rich Text Documents. <strong>Cerber</strong> uses a strong, presently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDOS capabilities. One recent variant of the ransomware has been spotted quietly sending massive amounts of network traffic from infected machines. You can read more about it in our blog post <a href="https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities" data-hs-link-id="0" target="_blank">here</a>.</li> <li><strong>Gh0st RAT</strong> is a <a href="http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/" data-hs-link-id="0" target="_blank">Remote Access Trojan Horse </a>used for cyber-spying, giving attackers full, real-time control. A variant of this RAT, Piano Ghost, was part of a&nbsp;campaign "Musical Chairs,” reported by Palo Alto and distributed via phishing e-mails.</li> <li><strong>The Lazarus Group</strong> is belived to have&nbsp;<a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" data-hs-link-id="0" target="_blank">ties</a>&nbsp;to the North Korean government, known for their involvement in the 2014 Sony Pictures hack and <strong>Operation</strong> <strong>DarkSeoul</strong>.</li> <li><strong>Carbon backdoor</strong> is attributed to <strong>Turla</strong>&nbsp;Group.&nbsp;<strong>Snake</strong>\<strong>Turla</strong> is cyber espionage group reported by <a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" data-hs-link-id="0" target="_blank">G-data</a>&nbsp;and active&nbsp;in APT campaigns. In 2016, <strong>Turla</strong> was discovered to infect targets in over 45 countries. This malware is distributed by direct spear phishing and watering hole attacks. Also, this group has a distinct modus operandi with the regular usage of satellite-based Internet links. In 2016, the Swiss GovCERT.ch published a report on the Carbon, a second stage backdoor in the <strong>Turla</strong> group arsenal. In 2017, ESET had published report of updates on this backdoor.</li> <li><strong>Red leaves </strong>is<strong>&nbsp;</strong><a href="https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Source/Red%20Leaves%20technical%20note%20v1.0.md" data-hs-link-id="0" target="_blank">malware</a>&nbsp;implemented and used by Chinese APT group, <strong>APT10</strong>. Capabilities include a desktop screenshot, returning host information, downloading a file from a remote server using HTTP and deleting local files. Communication to command and control is through protocols HTTP, HTTPS and a custom binary protocol using TCP.</li> <li><strong>CopyKitten</strong> is an <a href="http://www.clearskysec.com/copykitten-jpost/" data-hs-link-id="0" target="_blank">Iranian threat actor</a>. In this specific campaign, the attackers insert a single line of Javascript code into compromised domains of known public and governmental organizations, particularly in Israel. This malicious download was used in the 'Browser Exploitation Framework Project' penetration testing tool, focusing on targeting web browsers.</li> <li>The <strong>Trojan</strong> <strong>Kovter</strong> surfaced in 2014 as a screenlocker and scareware sample, posing as a law enforcement tool. Since then, it has been used in click-fraud and malvertising campaigns (as data-encrypting ransomware) and a malware installation tool. Recently, <a href="http://phishme.com/kovter-ad-fraud-trojan-now-shipping-locky-ransomware/" data-hs-link-id="0" target="_blank">Phishme</a>&nbsp;revealed that Locky ransomware was distributed alongside the <strong>Kovter</strong> ad fraud Trojan.</li> <li><strong>Locky</strong>, the most widespread ransomware in the world, encrypts a victim’s data using a strong RSA-2048+AES-128 encryption, demanding 2-4 bitcoins for decryption. This ransomware debuted in early 2016 and is distributed in numerous ways, including spam emails with Word/Excel documents through malicious macros and JS scripts. <strong>Locky</strong> is also delivered through popular Exploit Kits. It has a widespread reach, already attacking in over 100 countries.</li> <li>Since May 2016, the <strong>APT-C-23</strong> has organized, planned and targeted long-term uninterrupted attack on Palestinian and Israeli Targets. This campaign targeted Windows and Android platforms.</li> <li><strong>Dridex</strong> is a strain of&nbsp;<a href="http://www.malware-traffic-analysis.net/2017/03/30/index2.html" data-hs-link-id="0" target="_blank">banking malware</a> leveraging macros in Microsoft Office. Once a computer has been infected, <strong>Dridex</strong> attackers steal banking credentials and other personal information to access a user’s financial records.</li> <li><strong>Trochilus</strong> <strong>RAT</strong> is a <a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" data-hs-link-id="0" target="_blank">remote access Trojan (RAT)</a> specifically engineered to evade detection through traditional signature-based malware detection techniques, like sandboxing. <strong>Trochilus</strong> <strong>RAT</strong> is part of a seven malware cluster called the “<strong>Seven Pointed Dagge</strong>r,” operated by Group 27. Researchers consider this a multi-stage attack campaign targeting Asian governments. In September 2016, Palo Alto networks detected this RAT activity alongside a new RAT, <strong>MoonWind</strong>.</li> </ul> <p><em>&nbsp;</em><em>Security Blog Roundup:</em></p> <ul> <li><a href="https://blog.threatstop.com/dimnie-targeting-the-unexpected" data-hs-link-id="0" target="_blank">Dimnie</a>: Targeting the Unexpected</li> </ul></span>
![Darkside Ransomware Group domains fotoeuropa[.]ro and catsdegree[.]com](https://www.threatstop.com/hs-fs/hubfs/pipeline.jpg?width=600&name=pipeline.jpg)