Cyber Security 13th - 17th March Weekly Briefing
This week @J2CS:
One of the busiest weeks we have had to date, Malware as a paid service, DNS Messenger continues to morph, Phishing and loads of Ransomware continue to be the biggest contributor to the latest Cyber-deluge:
Geocities hosting APT PoisonIvy via PowerSploit
VXRL(credit) contacted our AlienVault platform team regarding an APT phishing email that included a download link to a malware being hosted on a Geocities website.
Attackers Leverage Excel, PowerShell and DNS in Latest Non-Malware Attack
Increasingly, cyberattackers have been leveraging “non-malware” attack methods to target vulnerable organizations. Recently, the Carbon Black Threat Research Team was alerted about such an attack by a partner’s incident response (IR) team. The attack ultimately compromised accounts and stole research and intellectual property. In this specific attack, a malicious Excel document was used to create a PowerShell script, which then used the Domain Name System (DNS) to communicate with an Internet Command and Control (C2) server.
NexusLogger: A New Cloud-based Keylogger Enters the Market
Unit 42 has recently discovered a new keylogger, named NexusLogger, being used in attempted unsuccessful attacks against Palo Alto Networks customers. NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication. NexusLogger collects keystrokes, system information, stored passwords and will take screenshots. It also specifically seeks to harvest game credentials for UPlay, Minecraft, Steam, and Origin.
MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks
Crooks behind MajikPOS have various tricks up their sleeves. Apart from infecting systems with it, we also spotted instances where common lateral movement tools were detected around the same time they were actively compromising the endpoint with MajikPOS. These tools include: HKTL_MIMIKATZ, HKTL_FGDUMP, and HKTL_VNCPASSVIEW. We surmise that the bad guys attempted to gain further access within the victim’s network. In separate isolated incidents, we also noticed the deployment of MajikPOS via PsExec, a command-line tool that can be used to remotely execute processes on other systems. This may indicate that valid, administrative level credentials were used against the host. The attackers also tend to deploy what works or what's convenient, as we’ve also seen them attempt to infect the target host with other PoS malware such as PwnPOS (TSPY_PWNPOS.SMA), and BlackPOS (TSPY_POCARDL.AI).
Hancitor Downloader Spam Runs
Hancitor is one of the better-known malware downloaders due to its numerous SPAM runs and evolving delivery technique. It reminds us of Upatre, which gained notoriety status over the past two years but has now died down, possibly due to the takedowns of its major payloads. In the case of Hancitor, it still seen as a favourite carrier of very much active malware families such as Pony and Vawtrak. Just recently, we found a new spam campaign of Hancitor with some notable developments that may have been in the previous variants, but were not discussed in any other reports. This article revolves around the macro tricks it uses to stall analysts, and new commands that it utilizes to better persist on infected devices. Finally, this variant also contains an interesting piece of comment by the malware author written in the macro code, which made us feel obliged to take a closer look in the first place.
Version 2, also referred to as Globe2, appeared two months later, in October, but both versions were no match for Emsisoft’s team, who released free decrypters for both variants shortly after Globe and Globe2 started hitting users. Around New Year, the Emsisoft Lab team was alerted to the presence of a new Globe variant, Globe3, which was infecting users using a new mode of operation.
The Trojan deletes Volume Shadow Copies. The Trojan may connect to and send infection reports to the following remote location: [http://]220.127.116.11/pw/gate[REMOVED] The Trojan may download files from the following remote location: [http://]bit.ly/2k4[REMOVED] The Trojan encrypts files on the compromised computer and adds the following prefix before file names: ISHTAR- The Trojan may ask the user to pay a ransom in order to have their files decrypted.
While adware is usually considered annoying for users and relatively harmless to enterprise security, the adware campaigns we’ve seen since the beginning of 2016 behave more like advanced network threats. One particularly persistent adware attack piqued our interest around March. This attack leverages PowerShell, a Windows scripting language, to execute commands and remain persistent on the host machines. Along with creating hourly scheduled tasks, the adware also has the potential to download additional malicious code and direct the user to compromised websites.
This threat can download other malware and unwanted software onto your PC. We have seen this threat connect to a remote host, including: pic-save.pw using port 80 Malware can connect to a remote host to do any of the following: Check for an Internet connection Download and run files (including updates or other malware) Report a new infection to its author Receive configuration or other data Receive instructions from a malicious hacker Search for your PC location Upload information taken from your PC Validate a digital certificate We have seen this threat access online content, including: JDUDUIFIB.exe
Blank Slate Campaign Takes Advantage of Hosting Providers to Spread Ransomware
The infrastructure behind the Blank Slate campaign has two distinct phases. The first phase is receiving malspam from a botnet. The second phase is when an attachment from the malspam retrieves ransomware from a web server. The ransomware is designed to infect Microsoft Windows computers.
Operation Electric Powder – Who is targeting Israel Electric Company?
From April 2016 and at least until February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites. Various artifices indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder“.
RawPOS Malware Rides Again
The new Rawpos variant is largely like the 2015 variant.
Apache Struts - CVE-2017-5638 - Delivered Payloads
Collection of payloads being delivered via the Apache Struts vulnerability - CVE-2017-5638
This threat can collect your sensitive information without your consent. This can include: The keys you press; The applications you open; Your web browsing history; Your credit card information; Your user names and passwords It can also imitate a legitimate website to lure you into revealing your sensitive information.
A commercially available RAT.
A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer.
RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment.
Backdoor that installs itself at %Application Data%\remcos
Macro Downloaders (Aga Dell)
This threat may arrive as an email spammed macro malware which, when opened, socially engineers you to enable it in your PC.
The Full Shamoon How the Devastating Malware Was Inserted Into Networks
Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations. These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states. Shamoon is designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably, unlike ransomware, which holds the data hostage for a fee.
A Guide to the RTM Banking Trojan
We call this new group RTM- it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighbouring countries. In this paper, we cover the details of their tools, whom they target, and offer a rare glimpse into the type of operation they are carrying out.
Fake Accounts and Crude Malware
We are seeing more multi-channel attacks whereby the target receives an unexpected phone call. This is usually preceded by an email where the target is presented with an activity that ultimately requires them to share personal information that is then exploited later for financial loss to the target and financial gain by the attackers.
- Hits: 747