<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=439793516377641&amp;ev=PageView&amp;noscript=1">

Bi-Weekly Security Update 7/24/17

blog_antivirus.png

Malicious Content Identified and Inserted:

  • IPs – 2892
  • Domains – 752

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking
  • TSInbound

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • A Chinese IoT bot, discovered by ADLab researchers, floods targets with UDP packets containing the phrase "trumpisdaddy," repeated multiple times.
  • A fake Windows Defender Alert that (the infamous) ZeuS malware has been seen on a device.
  • Phishing campaigns discovered by Comodo, aimed at French entities.
  • An eBay phishing scam pretending that a user sent money to a victim’s PayPal account.
  • A phishing campaign claiming to have a UPS Receipt attachment.
  • Rig Exploit Kit, discovered in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight. More on our blog, here.
  • This android malware, dubbed Inta Mumbaire or Cheker Profile, is capable of extracting information from an infected device, including contacts, SMS messages and Google account information.
  • NotPetya ransomware, also known at PetrWrap, is a destructive wiper disguised as ransomware. Ground zero for the infection stemmed from a hack on the Ukrainian MeDoc accounting software. It's estimated that over 12,500 machines in Ukraine alone were infected by the ransomware. After infection and encryption of the files, there is no method available for decryption. Read more on our blog, here.
  • SpyDealer is a malware targeting Android devices. It has the ability to record audio, capture screenshots, monitor GPS location, intercept SMS messages and steal information from various installed apps. It uses known exploits to obtain root privileges on the phone, and abuses accessibility tools in order to steal plain-text messages being displayed on the device.
  • Bronze Union, dubbed by researchers at SecureWorks, is a cyberespionage group thought to be based in China and targeting Turkish organizations. The group performed a watering-hole attack to spread their malware and relied heavily on compromised infrastructure to perform their attacks. Their campaign reached victims in academic groups, financial services and the Turkish government, all in a little over a week.
  • Ursnif is a Trojan used to steal account credentials from its victims. It binds to various web browsers on the victim's machine, captures passwords in plain text from websites that the victim visits, and then exfiltrates this data to a remote server. Victims can become infected with Ursnif by visiting compromised or malicious websites, as well as through contact with other malware.
  • A Powershell-based ransomware, similar to PoshCoder, has been seen spreading in the Netherlands by way of "failed delivery" notifications.
  • ZXShell, also known as Sensode, is a RAT thought to be used by cyber attackers part of, or affiliated, with the Winnti Group. Winnti Group, a cybercriminal group active since 2011 and likely originating from China, has a past of traditional cybercrime, particularly with financial fraud and targeting the online video game industry. This group has been seen abusing GitHub, turning it into a conduit for the command and control. Upon successful infection, this malware starts communicating with an HTML page from a repository stored in a GitHub project. Trend Micro researches claims the repository was opened for this purpose and was not compromised. Alongside with the malware attributed to this group, they use the PlugX remote access tool. Read more about it in our blog post, here.
  • Nemucod is a JavaScript downloader Trojan that targets users through malspam campaigns. Nemucod downloads and executes additional malware without the user’s consent. Nemucod usually arrives on an infected machine through malicious spam emails with .zip extensions. Recently, there has been a rise in cases of Nemucod distributing ransomware. More on the blog, here.
  • Kovter is a multifaceted malware that gained notoriety in 2013 for its scareware capabilities. It pretended to be a law enforcement tool locking down the computer for the victim's "illegal" activities. Since then, it has also been used in click-fraud and malvertising campaigns, acted as ransomware, and has served as a malware installation tool.
  • Steam Stealers is the blanket name given to malware specifically targeting users of the popular gaming platform, Steam. The often-simple malware is usually spread through fake websites that mirror legitimate gaming websites, as well as through links sent through Steam's messaging system. This type of malware usually tries to steal Steam login credentials, but some samples have been seen trying to steal in-game items.
  • MoleRats, also known as the Gaza Cybergang, is a threat group based in the Middle East. They have a wide variety of targets, including governments, defense contractors, journalists, and software developers. Most of their targets are also from the Middle East, but they've also targeted institutions in the United States and several countries in Europe. They usually send executable files disguised as documents containing relevant geopolitical news. To avoid suspicion, a decoy document is dropped after the executable is run.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • PoSeidon is a malware targeting Point of Sale (PoS) devices. Upon infection, the malware will establish persistence on the device so that it can survive log-offs and reboots. Then, it contacts the criminal's command and control server, where it downloads another binary that installs a keylogger on the infected machine and scrapes the memory for credit card information that it can exfiltrate.
  • LeakerLocker is a ransomware targeting Android devices, locks a screen but doesn't encrypt the user's files. Instead, it threatens to send the victim's private information to all their contacts, unless they send a $50 credit card payment to the malware's authors. LeakerLocker was spread within two apps on the Google Play store, "Wallpapers Blur HD" and "Booster & Cleaner Pro.”
  • Astrum is an Exploit Kit, found to be used in the AdGholas Malvertising campaign that delivered several types of malware, including Dreambot/Gozi and RAMNIT. Read more on our blog, here.
  • The AdGholas malvertising campaign is notable for its use of steganography to hide malicious JavaScipt code in ads that redirected victims to a cloned version of a legitimate website. This campaign leveraged various filters to target victims based upon criteria such as their language settings and time zone, with victims receiving different banking Trojans based on their geographic location.
  • This campaign was likely targeted by Chinese reporters via phishing methods with domains mimicking central Chinese language news sites. (In addition to using malware against these targets) Stemming from CitizenLab's analysis of this campaign, they connections to previous malware operations targeting Tibetan journalists and the Thai government were uncovered.

 Blog Roundup:

 New/Updated Targets:

  • All of our Standard Policy Targets are now available in Expert mode
  • DynDNS: Enabling the DynDNS target in your user policy will provide control of communications to Dynamic DNS services to your ThreatSTOP Services

Don't have ThreatSTOP but want to try it out? Check out our no fuss, quick product demo here

Share this:

Home Page

OTHER THREATSTOP OUTLETS

  1. ThreatSTOP on YouTube
  2. ThreatSTOP on Twitter