This week @J2CS:
Spear phishing and phishing are the flavor of the week for malicious code deployment and cybersecurity bypass - protect yourself by being vigilant!
Shamoon 2 Delivering Disttrack
The Shamoon 2 attack campaign continues to bring waves of destructive attacks to organizations within Saudi Arabia. Investigations into these attacks have unearthed more details on the method by which the threat actors delivered the Disttrack payload. Evidence shows that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames the attackers already know to exist in the targeted network.
New targeted attack against Saudi Arabia Government
A "new" spear phishing campaign is targeting Saudi Arabian governmental organizations. The attack originates from a phishing email containing a Word document written in Arabic. If the victim opens it, it will not only infect their system but also send the same phishing document to other contacts via their Outlook mailbox.
Ploutus-D Malware turns ATMs into IoT Devices
One of the most profitable cybercrimes in recent years is ATM robbery, where cyber criminals extract cash directly from automated teller machines that have already been infected with malware, causing millions of dollars in losses for banks worldwide. The Ploutus team is back with a malware variant known as Ploutus-D; one of its most interesting features allows the attackers to manage the infected ATMs from the Internet, making them operate like IoT devices.
IOS_FakeAppStore.A: Third-Party App Stores Delivered via the iOS App Store
The iOS ecosystem is usually described as a closed ecosystem under the strict control of Apple. However, there are still ways to get around this tight control. Remember the Haima app? That method relied on enterprise certificates from Apple, which are costly, since the certificates needed are changed very frequently. Third-party app stores are improving. Recently, an app that leads to a third-party app store was found being offered on the official iOS App Store. To evade detection, this app was disguised as a legitimate app. In at least one case, an app used for jailbreaking was available via this third-party app store.
This threat can collect your sensitive information without your consent. This can include the keys you press, the applications you open, your web browsing history, your credit card information, and your usernames and passwords. It also takes screenshots, encrypts them, and saves them. We have seen it take screenshots every 10 minutes, but the interval may vary based on the configuration.
It primarily targets South Korea. Some samples talk to a compromised South Korean server at 188.8.131.52 and communicate on port 30000.
Multi-Stage Dropper
It deploys malicious files to the victim's computer through a very slick install.
The mail looks like a classic phishing attempt:
Stage 1: A file was attached to this email: a RAR archive "Catalogue Request.rar".
Stage 2: The archive contained a PE (Portable Executable) file "Catalogue Request.exe".
Stage 3: The final decoded file is a classic Fareit trojan.
It communicates with the following C&C:
El Machete Malware Attacks Cut Through LATAM (Phishing emails with external ZIP or RAR archives)
Over three hundred unique victims were identified over the past month, as well as over 100GB worth of data that was exfiltrated and stored on one of the C&C servers. The bulk of the victims were predominantly based in Ecuador, Venezuela, Peru, Argentina, and Colombia; however, other victims were identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine. Targets included a wide array of high-profile entities, including intelligence services, military, utility providers (telecommunications and power), embassies, and government institutions.
Winnti Abuses GitHub for C&C Communications
Recently, the Winnti group, a threat actor with a past in traditional cybercrime (particularly financial fraud), has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM). Research shows that the group still uses some of the infamous PlugX malware variants, a staple in Winnti's arsenal, to handle targeted attack operations via the GitHub account we identified.
Swearing Trojan Continues to Rage
Recently disclosed details continue the story of Swearing Trojan, a mobile banking malware that attacked users in China. Swearing Trojan's name comes from Chinese swear words found inside the malware's code. The malware continues to infect a wide range of Android users in China, stealing their bank credentials and other sensitive personal information. It is only a matter of time before this spreads to the rest of the world in the form of a variant. Watch this space.
menuPass (also known as Stone Panda and APT10)
As reported previously, "menuPass" targeted Japanese academics working in several areas of science, along with Japanese pharmaceutical organizations and a US-based subsidiary of a Japanese manufacturing organization.
"menuPass" has targeted individuals and organizations in Japan since at least 2014, and since the same organizations and academics were largely targeted each month in these attacks, this further shows that menuPass is persistent in its attempts to compromise its targets. "menuPass" heavily favors spear phishing, and so takes steps to socially engineer its spear phishing emails for maximum appearance of legitimacy.