Malicious content identified and inserted:

  • IPs – 1318
  • Domains – 323

Target list content updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updated for the following:

  • The GRIZZLY STEPPE campaign, which has been attributed to Russian civilian and military intelligence services, was intended to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.
  • SteamStealer, a malware distributed through the Steam gaming platform. It is spread by sending malicious files through the platform's chat, which install the malware once opened. The malware can steal Steam credentials and in turn access the financial information the user has stored on the platform.
  • Cerber, a ransomware that debuted in late February 2016, has already become one of the most prevalent ransomware variants. Typically, it is distributed via emails containing macro-enabled Word documents, Windows Script Files, or Rich Text documents. Cerber uses strong, currently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new version of the ransomware potentially gives it DDoS capabilities: one recent variant has been spotted quietly sending out huge amounts of network traffic from infected machines. You can read more about it in our blog post - https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/
  • ZeroT, a downloader used to install the PlugX remote access Trojan (RAT) and distributed mainly through spear-phishing emails. This malware has been known to target entities in Russia, Belarus and a few countries in Asia. ZeroT came onto the scene in the summer of 2016 after being used by the Chinese APT group associated with cyber actor TA459.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader that is known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • MacDownloader, a macOS agent, which was observed in the wild targeting a defense industry base, and reported elsewhere to have been used against human rights advocates. It is attributed to the Iranian-based group Charming Kitten. MacDownloader attempts to pose both as an installer for Adobe Flash and as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases.
  • Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.
  • Mirai, a Linux malware targeting IoT systems, which is mainly used for DDoS attacks. This malware spreads by identifying vulnerable devices using a table of common factory-default usernames and passwords, then logging into them in order to infect them. This botnet has been used in the recent large DDoS attacks against computer security journalist Brian Krebs' website, and in the October 2016 Dyn cyber-attack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • Fareit, aka Pony, is a data-stealing Trojan which is capable of collecting sensitive user information such as usernames and passwords in certain browsers, stored email credentials, bitcoin-related details, and more. You can read more about it in our blog post - https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit/
  • IOCs that were involved in suspicious scanning activities on domains and hosts.
  • A malspam campaign which distributes malware via attachments in spoofed emails.
  • Indicators pertaining to an email related to other domains involved in malicious activity attributed to Iranian actors.
  • A backdoor threat targeting Mac devices. Although the code used in the malware is fairly old, it has been seen in biomedical research facilities, raising concerns about how long the malware went undetected and what information was compromised.
  • Indicators pertaining to suspicious activity that concludes with the execution of an unattributed payload.
  • Phishing emails with a subject line of "updated details".

Security blog roundup:

  • Cryptxxx Ransomware Spread Through Soaksoak Botnet: Two Big Actors As One
  • Locky Back in Action

New/updated Targets:

  • New in Expert mode:
    • Vawtrak DGA Domains
    • Tofsee DGA Domains
    • Rovnix DGA Domains
    • GSpy DGA Domains
    • Ranbyus DGA Domains
    • Chinad DGA Domains
    • Vidro DGA Domains
  • Updated in Standard mode:
    • DGAs supplied by 360.cn feeds
    • TSBanking domains