Biweekly Security Update

Malicious content identified and inserted:

  • IPs – 232
  • Domains – 386

Target lists updated:

  • TS-CRIT
  • TS-RANS

Indicators of compromise have been updated for the following:

  • Two cyber-criminal groups using the same Adobe Flash Player vulnerability, which was still a zero-day when they exploited it in May 2016. The PROMETHIUM group used the exploit to download its malware Truvasys; the NEODYMIUM group used it to download its malware Wingbird.
  • The Remote Access Trojan Hworm, attributed to the cyber-criminal persona Houdini and related to the cybercriminal group MoleRats. Its capabilities include information disclosure, keylogging, and enabling the webcam and microphone. It communicates with its command and control servers via Dynamic DNS domains, and more than 10 versions of the Trojan are currently known. You can read more about it in our blog - https://blog.threatstop.com/2016/12/01/houdinis-rat-is-no-disappearing-act/
  • Gooligan, a mobile malware recently found in the mobile app SnapPea and reported by Check Point. It has been reported that this malware breached more than 1 million Google accounts in November 2016. It has been found in several apps available in third-party Android app stores and was distributed through downloads of those apps and by spear phishing. Its goals are mainly click-fraud and theft of credentials for Google services.
  • Mirai, a Linux malware that targets IoT devices and is used mainly for DDoS attacks. It spreads by identifying vulnerable devices using a table of common factory-default usernames and passwords and logging into them to infect them. The botnet was used in the recent large DDoS attacks against the web site of computer security journalist Brian Krebs and in the October 2016 Dyn cyberattack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • Brute force and shell interaction attacks, based on information gathered through the Cowrie honeypot.
  • Emmental, a cybercriminal operation also named "SmsSecurity", which uses malicious apps that intercept SMS messages to hijack a user's banking session. It is distributed through malicious mobile apps that claim to be banking apps generating one-time passwords. It has also been reported that this campaign was used to gain root access on infected devices. It was first revealed in 2014 by Trend Micro Labs.
  • Cerber, a ransomware that debuted in late February 2016 and has already become one of the most prevalent ransomware variants. It is typically distributed via emails containing macro-enabled Word documents, Windows Script Files, or Rich Text documents. Cerber uses strong encryption that is currently unbreakable and has a number of features that, combined, make it unique in today's ransomware landscape. A new development potentially gives it DDoS capabilities: one recent variant has been spotted quietly sending out huge amounts of network traffic from infected machines. You can read more about it in our blog post - https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/

Security blog roundup:

  • Operation Avalanche, describing the Avalanche takedown and the targets added to the system to help you find infections in your network
  • DGAs for the Masses, describing 25 new DGA targets in Expert mode and a cumulative target in Standard mode, allowing you to protect against a variety of malware families
  • A description of the Android malware Plugin Phantom
  • A description of the Android banking malware Marcher