<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="http://info.threatstop.com/hubfs/cyber-security-icon.jpg" alt="cyber-security-icon.jpg" width="400" height="250" style="display: block; margin-left: auto; margin-right: auto;"><em>Malicious Content Identified and Inserted:</em></p>
<ul> <li>IPs – 2308</li> <li>Domains – 974</li> </ul>
<p><em>Target List Content Updated:</em></p>
<ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> </ul>
<p><em>Indicators of compromise have been updated for the following:</em></p>
<p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p>
<ul>
<li>IOCs that were involved in <strong>suspicious scanning activities</strong> on domains and hosts.</li>
<li>IOCs that were involved in <strong>malspam</strong>.</li>
<li>IOCs that were involved in <strong>phishing</strong>.</li>
<li><strong>Mirai</strong>, Linux malware targeting IoT devices, is mainly used for DDoS attacks. It spreads by identifying vulnerable devices using a table of common factory-default usernames and passwords, then logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/" target="_blank">here</a>.</li>
<li><strong>Machete</strong> is <a href="https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html">malware</a> targeting intelligence services, military, embassies and government institutions in South America and Russia. It was first detected by Kaspersky in August 2014.
It was found to log keystrokes, capture audio from the infected computer's microphone, take screenshots, collect geolocation data and take photos with the computer's web camera.</li>
<li><strong>Gh0st RAT</strong> is a <a href="http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/">Remote Access Trojan</a> used for cyber-spying, giving attackers full, real-time control of the victim's machine. This malware was used in the <strong>GhostNet</strong> campaign, attributed to Chinese entities. A variant of this RAT, Piano Ghost, was used in the "Musical Chairs" campaign (reported by Palo Alto Networks) and distributed via phishing e-mails.</li>
<li><strong>Carbon backdoor</strong> is attributed to <strong>Turla</strong> (also known as <strong>Snake</strong>), a cyber espionage group reported by <a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/">G DATA</a> and active in APT campaigns. In 2016, <strong>Turla</strong> was discovered to have infected targets in over 45 countries. The malware is distributed through direct spear phishing and watering-hole attacks. The group also has a distinct modus operandi, with consistent use of satellite-based Internet links. In 2016, the Swiss GovCERT.ch published a report on Carbon, a second-stage backdoor in the <strong>Turla</strong> group's arsenal. In 2017, ESET published a report on updates to this backdoor.</li>
<li><strong>Winnti Group</strong>, a cybercriminal group active since 2011 and likely originating from China, has a history of traditional cybercrime, particularly financial fraud and targeting the online video game industry. This group has been seen abusing GitHub, turning it into a conduit for command and control. Upon infection, the malware begins communicating with an HTML page in a repository hosted in a GitHub project.
<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/">Trend Micro researchers</a> state that the repository was opened for this purpose rather than compromised. Alongside the malware attributed to this group, they also use the PlugX remote access tool.</li>
<li><strong>Crypt0l0cker</strong> is a variant of <strong>TorrentLocker</strong> found in late 2016. This variant encrypts victims' files and appends the .ENC extension; it was first spotted by Emsisoft security researcher xXToffeeXx. <strong>TorrentLocker</strong> is a family of file-encrypting ransomware, initially observed in late 2014 and distributed almost exclusively through spam e-mail campaigns.</li>
<li><strong>CopyKitten</strong> is an <a href="http://www.clearskysec.com/copykitten-jpost/">Iranian threat actor</a>. In this specific campaign, the attackers inserted a single line of JavaScript into compromised domains of known public and governmental organizations, particularly in Israel. The malicious download it triggers belongs to the 'Browser Exploitation Framework Project', a penetration testing tool that targets web browsers.</li>
<li><strong>Omaneat</strong> is <a href="https://www.microsoft.com/en-us/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy:MSIL/Omaneat">malware</a> aimed mainly at information disclosure. It can log keystrokes, monitor the applications the user opens and track web browsing history.</li>
<li><strong>Dimnie</strong> is a <a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/">malware</a> family first distributed in 2014. Recently, it was distributed through phishing e-mails targeting GitHub users.
The malware connects to its C2 servers over HTTP and uses several tactics to camouflage these connections.</li>
<li><strong>Trochilus RAT</strong> is a <a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/">remote access Trojan (RAT)</a> specifically engineered to evade sandboxing and more traditional signature-based malware detection. <strong>Trochilus RAT</strong> is part of a cluster of seven malware families, nicknamed the "<strong>Seven Pointed Dagger</strong>", operated by Group 27. Researchers consider this a multi-stage attack campaign targeting Asian governments. In September 2016, Palo Alto Networks detected this RAT's activity alongside a new RAT named <strong>MoonWind</strong>.</li>
<li><strong>The Gamaredon Group</strong>, discovered by <a href="http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/">Palo Alto Networks</a>, has been active since 2013. Although they previously used off-the-shelf products, they are now developing their own tools that can download and execute payloads, capture screenshots, scan network drives for specific data and remotely execute commands on a victim's computer.
They primarily use compromised domains, Russian and Ukrainian country-code top-level domains (ccTLDs) and Russian hosting providers to distribute their malware.</li>
</ul>
<p><em>Security Blog Roundup:</em></p>
<ul> <li><a href="https://blog.threatstop.com/new-targets-to-protect-against-incoming-attacks">New Targets To Protect Against Incoming Attacks</a></li> </ul>
<p><em>New/Updated Targets:</em></p>
<ul>
<li>New:
<ul>
<li><strong>Attacks on Apache Servers:</strong> IP addresses, reported within the last 48 hours, that have attacked Apache servers.</li>
<li><strong>Brute Force Attacks:</strong> IPs that brute-force logins to Joomla, WordPress and other web login services.</li>
<li><strong>Attacks on VoIP:</strong> IP addresses that attempted to log in to SIP, VoIP or Asterisk servers.</li>
</ul>
</li>
<li>Updated:
<ul>
<li><strong>UNIX Server – 2</strong> – Will include all new IPs involved in attacks against the following services: brute-force login attempts, FTP, IMAP, Apache servers and various mail services (such as Postfix and Exim).</li>
<li><strong>Botnets – 2</strong> – Will include all new IPs involved in attacks by bots, such as Bad Bots.</li>
<li><strong>SSH Crackers</strong> – Will include all new IPs attacking SSH services. (Expert Mode only)</li>
</ul>
</li>
</ul></span>
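<p>The Mirai entry and the Brute Force Attacks and SSH Crackers targets above all describe the same observable: one source address trying many logins against a service in a short time, with the worst case being a guess that eventually succeeds. The following is an added example, not ThreatSTOP code or anything taken from the linked reports, of how a defender can flag that pattern in sshd authentication logs and then check flagged sources against a blocklist feed of the kind these targets provide. The log lines, source addresses, blocklist entries, threshold and time window are all constructed for illustration.</p>

```python
"""Brute-force login detection over sshd-style auth log lines.

Added example, not ThreatSTOP code. The log lines below are constructed to
resemble OpenSSH syslog output; the source IPs and the blocklist entries are
invented (documentation ranges) for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a scanner cycling through factory-default usernames,
# a legitimate user mistyping a password once, and a root guess that succeeds.
SAMPLE_LOG = """\
Mar 28 10:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 28 10:00:02 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 28 10:00:03 gw sshd[2103]: Failed password for invalid user support from 203.0.113.7 port 51002 ssh2
Mar 28 10:00:04 gw sshd[2104]: Failed password for invalid user user from 203.0.113.7 port 51003 ssh2
Mar 28 10:00:05 gw sshd[2105]: Failed password for invalid user guest from 203.0.113.7 port 51004 ssh2
Mar 28 10:00:06 gw sshd[2106]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 28 10:05:00 gw sshd[2150]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar 28 10:05:09 gw sshd[2151]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar 28 11:00:00 gw sshd[2300]: Failed password for root from 198.51.100.23 port 60000 ssh2
Mar 28 11:00:01 gw sshd[2301]: Failed password for root from 198.51.100.23 port 60001 ssh2
Mar 28 11:00:02 gw sshd[2302]: Failed password for root from 198.51.100.23 port 60002 ssh2
Mar 28 11:00:03 gw sshd[2303]: Failed password for root from 198.51.100.23 port 60003 ssh2
Mar 28 11:00:04 gw sshd[2304]: Failed password for root from 198.51.100.23 port 60004 ssh2
Mar 28 11:00:05 gw sshd[2305]: Accepted password for root from 198.51.100.23 port 60005 ssh2
"""

# Constructed blocklist standing in for an "SSH Crackers"-style feed; entries
# may be single addresses or CIDR ranges.
SAMPLE_BLOCKLIST = ["203.0.113.0/24", "198.51.100.23"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each password-auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not relevant here
        # syslog timestamps carry no year; strptime defaults it to 1900
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return {ip: summary} for sources with >= threshold failed logins
    inside any window of window_seconds. The summary records the usernames
    tried and whether an accepted login from the same source followed the
    failures, which is the case a responder should triage first."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        # sliding window over failure timestamps: lo..hi stays within window
        hit, lo = False, 0
        for hi in range(len(failures)):
            while (failures[hi][0] - failures[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                hit = True
                break
        if not hit:
            continue
        first_fail = failures[0][0]
        success_after = any(e[1] == "Accepted" and e[0] >= first_fail for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": sorted({e[2] for e in failures}),
            "success_after_failures": success_after,
        }
    return findings


def in_blocklist(ip, blocklist):
    """True if ip falls inside any address or CIDR entry of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in blocklist)


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        listed = "listed" if in_blocklist(ip, SAMPLE_BLOCKLIST) else "not listed"
        print(ip, summary, "-", listed, "in blocklist")
```

<p>The detection keys on a count of failures within a sliding time window rather than on a fixed per-hour total, so a burst of guesses is caught even when it straddles a clock boundary; the single mistyped password from the legitimate user never reaches the threshold. A source that succeeds after a run of failures is reported separately from one that only fails, since the former indicates a credential that must be rotated, not just an address to block.</p>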