This week @J2CS:
This week, we discovered some DNSMessenger fileless attack vectors and also see that the wheels on the bus go round and round, as once again many old enemies return…
Nebula Exploit Kit
While Empire (RIG-E) disappeared at the end of December after 4 months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground this week.
We discovered a unique attack called DNSMessenger which uses DNS queries to carry out malicious PowerShell commands on compromised computers. What makes this particularly scary is that it makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with various stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.
Nigerian credit card offer – Zenith Bank of Nigeria
We have uncovered several fictitious websites linked to persons sending emails, letters and telephone calls to unsuspecting members of the public by impersonating Directors or staff of the Bank and claiming:
• Disclosure of PII will result in you receiving a loaded Vise [sic] credit card from Zenith Bank Nigeria.
• To have access to huge US dollar deposits in the Bank held in the names of deceased persons.
• Huge US Dollar contract sums due for payment.
• To offer employment in the Bank on outrageous terms and conditions.
Compromised Websites (March 2017)
General compromised websites I come across. Some are spreading malware, others are SEO spamming and others are hosting phishing websites.
Will update this list for a month and then make a new one.
Covert Channels and Poor Decisions: The Tale of DNSMessenger
What initially drew our interest to this malware sample was a tweet published by a security researcher on Twitter (thanks simpo!) regarding a PowerShell script that he was analyzing that contained the base64 encoded string 'SourceFireSux'. Sourcefire was the only security vendor directly referenced in the PowerShell script. Analysis of the encoded value referenced in the tweet identified a sample that had been uploaded to the public malware analysis sandbox Hybrid Analysis, which in turn led us to a malicious Word document that had also been uploaded to a public sandbox. The Word document initiated the same multiple-stage infection process as the file from the Hybrid Analysis report we previously discovered and allowed us to reconstruct a more complete infection process.
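The two DNSMessenger items above describe a RAT whose command channel is carried in DNS queries rather than in files on disk, so the place a defender can still see it is the resolver log. The following is an added detection sketch, not code from this post or from the Talos write-up it summarises: it parses constructed resolver log lines (the timestamp/client/qtype/qname layout, the domain names and the client addresses are all made up for the example) and flags a client that sends a burst of TXT queries to one domain where the leading labels are almost all distinct and high-entropy, which is the shape a DNS-carried command channel tends to have. Thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qtype> <qname>".
# Every value here is made up for the example; none is an indicator from the post.
SAMPLE_LOG = """\
2017-03-03T10:00:01Z 10.0.0.12 TXT www.example.com
2017-03-03T10:00:02Z 10.0.0.12 A www.example.com
2017-03-03T10:00:03Z 10.0.0.12 TXT a3f9c1e7b2d4.9k2m8q.cmd.lookup-placeholder.test
2017-03-03T10:00:04Z 10.0.0.12 TXT b7e2d0f4a19c.3x7z1p.cmd.lookup-placeholder.test
2017-03-03T10:00:05Z 10.0.0.12 TXT c1d8e3f6a2b0.5r4t9w.cmd.lookup-placeholder.test
2017-03-03T10:00:06Z 10.0.0.12 TXT d4a7b1c9e8f2.8n6v2y.cmd.lookup-placeholder.test
2017-03-03T10:00:07Z 10.0.0.33 TXT _dmarc.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label (0.0 for empty input)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (a public-suffix list would be better)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_suspicious_txt_channels(log_text: str, min_queries: int = 3,
                                 min_entropy: float = 3.0, min_distinct_ratio: float = 0.8):
    """Group TXT queries per (client, base domain) and flag groups whose leading labels
    look like encoded data: mostly unique and with high per-label entropy."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        groups[(rec["client"], base_domain(rec["qname"]))].append(rec["qname"])

    findings = []
    for (client, base), names in groups.items():
        if len(names) < min_queries:
            continue
        leading = [n.split(".")[0] for n in names]
        distinct_ratio = len(set(leading)) / len(leading)
        mean_entropy = sum(shannon_entropy(l) for l in leading) / len(leading)
        if distinct_ratio >= min_distinct_ratio and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": base,
                "txt_queries": len(names),
                "distinct_ratio": round(distinct_ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_txt_channels(SAMPLE_LOG):
        print(f)
```

The single legitimate TXT lookups (a web host, a `_dmarc` record) never reach the per-domain threshold, while the repeated queries from 10.0.0.12 to the placeholder domain are reported with their entropy and uniqueness figures so an analyst can judge them. In production the base-domain guess should use a public-suffix list, and the same grouping works on any resolver or DNS-firewall export once `parse_line` is adapted to its layout.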
Google Play Apps Infected with Malicious IFrames
Recently, we discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone.
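Because the item above concerns IFrames that are tiny or hidden and point off to other domains from an app's bundled HTML, a reviewer of an app's local pages can look for exactly that shape. The following is an added example, not code from this post or from the Palo Alto research it summarises: it walks iframe tags with Python's standard `html.parser`, reports any that are sized at a pixel or less or hidden by inline style, and records the host the `src` points to. The sample page and the placeholder hosts in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a local HTML page bundled inside an app. The hosts are
# placeholders invented for this example, not domains from the report.
SAMPLE_PAGE = """\
<html><body>
<h1>Help</h1>
<iframe src="help/faq.html" width="300" height="200"></iframe>
<iframe src="http://injected-placeholder.test/x" width="1" height="1"></iframe>
<div><iframe style="display: none" src="http://other-placeholder.test/y"></iframe></div>
</body></html>
"""


def _pixels(value: str):
    """Parse '0', '1', '100px' style dimension values; None when not a plain pixel count."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that a user would never see: 0/1 px boxes or style-hidden frames."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            px = _pixels(a.get(dim, ""))
            if px is not None and px <= 1:
                reasons.append(f"{dim}={px}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if reasons:
            src = a.get("src", "")
            self.findings.append({
                "src": src,
                "host": urlparse(src).hostname or "",  # empty for relative, local sources
                "reasons": reasons,
            })


def find_hidden_iframes(html_text: str):
    """Return the hidden or tiny iframes found in one HTML document."""
    finder = HiddenIframeFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f)
```

The visible help frame is left alone; the two concealed frames are returned with the reason they were flagged and the external host they load, which is the pair of facts an app reviewer needs to decide whether a bundled page has been tampered with. Running `find_hidden_iframes` over every `.html` file in an unpacked app's assets directory turns this into a simple bulk check.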
The Gamaredon Group Toolset Evolution
We recently observed a threat group distributing new, custom-developed malware. We have labelled this threat group the Gamaredon Group, and our research shows that the Gamaredon Group has been active since at least 2013.