Malicious Content Identified and Inserted:
- IPs – 2308
- Domains – 974
Target List Content Updated:
Indicators of compromise have been updated for the following:
(For a deeper dive into the research behind a threat or campaign, click on the links in each description)
- IOCs that were involved in suspicious scanning activities on domains and hosts.
- IOCs that were involved in malspam.
- IOCs that were involved in phishing.
- Mirai is a Linux malware family that targets IoT devices and is used mainly for DDoS attacks. It spreads by scanning for exposed devices, trying a table of common factory-default usernames and passwords, logging in and infecting them. This botnet was used in the DDoS attacks against the website of security journalist Brian Krebs and in the October 2016 attack on Dyn. You can read more in our blog here.
- Machete is malware targeting intelligence services, militaries, embassies and government institutions in South America and Russia. It was first reported by Kaspersky in August 2014. It logs keystrokes, captures audio from the microphone, takes screenshots, collects geolocation data and takes photos with the computer's webcam.
- Gh0st RAT is a Remote Access Trojan used for cyber-espionage, giving attackers full, real-time control of the infected host. It was used in the GhostNet campaign, attributed to Chinese entities. A variant of this RAT, Piano Gh0st, was used in the "Musical Chairs" campaign reported by Palo Alto Networks and was distributed via phishing e-mails.
- The Carbon backdoor is attributed to Turla (also known as Snake), a cyber-espionage group first described by G Data and active in APT campaigns. In 2016, Turla was found to have infected targets in over 45 countries. The malware is delivered through targeted spear-phishing and watering-hole attacks, and the group has a distinctive modus operandi that includes consistent use of satellite-based Internet links for command and control. In 2016, the Swiss GovCERT.ch published a report on Carbon, a second-stage backdoor in the Turla arsenal, and in 2017 ESET published a report on updates to this backdoor.
- The Winnti Group, active since 2011 and likely originating from China, has a history of traditional cybercrime, particularly financial fraud and attacks on the online video game industry. The group has been seen abusing GitHub as a command-and-control channel: upon infection, the malware fetches an HTML page from a repository in a GitHub project and extracts its C2 configuration from it. Trend Micro researchers assess that the repository was created for this purpose rather than compromised. Alongside the malware attributed to this group, they also use the PlugX remote access tool.
- Crypt0l0cker is a variant of TorrentLocker found in late 2016. It encrypts victims' files and appends the .ENC extension, and was first spotted by Emsisoft security researcher xXToffeeXx. TorrentLocker is a family of file-encrypting ransomware first observed in late 2014 and distributed almost exclusively through spam e-mail campaigns.
- Omaneat is an information-stealing malware family. Its variants can log keystrokes, monitor which applications the user opens and track web browsing history.
- Dimnie is a malware family first distributed in 2014. Recently, it was distributed through phishing e-mails targeting GitHub users. The malware connects to its C2 servers over HTTP and uses several tactics to camouflage these connections as legitimate traffic.
- Trochilus RAT is a remote access Trojan (RAT) engineered to evade sandboxing and traditional signature-based malware detection. It is part of a cluster of seven malware families nicknamed the "Seven Pointed Dagger", operated by Group 27, which researchers consider a multi-stage attack campaign targeting Asian governments. In September 2016, Palo Alto Networks detected activity of this RAT alongside a new RAT named MoonWind.
- The Gamaredon Group, described by Palo Alto Networks, has been active since 2013. Although it previously relied on off-the-shelf tools, the group now develops its own tools that can download and execute payloads, capture screenshots, scan network drives for specific data and remotely execute commands on a victim's computer. It primarily uses compromised domains, Russian and Ukrainian country-code top-level domains (ccTLDs) and Russian hosting providers to distribute its malware.
Security Blog Roundup:
- Attacks on Apache Servers: IP addresses, reported within the last 48 hours, that have run attacks against Apache servers.
- Brute Force Attacks: IPs that attack Joomla, WordPress and other web-login services with brute-force attempts.
- Attacks on VoIP: IP addresses that tried to log in to SIP, VoIP or Asterisk servers.
- UNIX Server - 2: includes all new IPs involved in attacks against the following services: brute-force login attempts, FTP services, IMAP services, Apache servers and various mail services (such as Postfix and Exim).
- Botnets - 2: includes all new IPs involved in bot-driven attacks, such as bad bots.
- SSH Crackers: includes all new IPs attacking SSH services. (Expert Mode only)