This week @J2CS:
This week, Autumn is coming with RedLeaves Malware based on open source RAT and Lazarus Rises - Be Vigilant!
The Callisto Group has again been sending highly targeted spear phishing emails with malicious attachments that contained, as their final payload, the “Scout” malware tool from the Hacking Team RCS Galileo platform. The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions. In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target’s webmail credentials.
Microsoft Office OLE2Link vulnerability samples - a quick triage
On April 7th 2017 Haifei Li published on the McAfee blog about a “Critical Office Zero-Day” in the wild. Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis. A further blog post by FireEye titled “Acknowledgement of Attacks Leveraging Microsoft Zero-Day” provided additional useful information. During testing we were able to generate a number of proof-of-concept (PoC) documents both with and without a prompt to the user. It is likely the vulnerability will be documented in full detail over the coming days. Therefore, we instead discuss several ways to detect and analyse these documents using freely available tools. This information may be useful to any incident responder or blue team looking to defend an organisation.
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families. FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability. The vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.
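The two entries above concern triaging RTF documents that carry an embedded OLE2Link object. As an added example (not code from the McAfee or FireEye posts, and not a published detection signature), the following Python script enumerates the `\object` groups in an RTF file, decodes each `\objdata` hex payload and reports the traits a responder would want to review: a watchlisted OLE class name, URL or UNC strings inside the object data, and the linked (`\objautlink`) rather than embedded form. The sample RTF, the watchlist contents and the flag names are constructed for this demonstration and are not indicators from the cited reports.

```python
"""Minimal RTF embedded-object triage for incident responders.

Added example for the digest above; the heuristics below (class-name
watchlist, URL strings in object data, linked-object form) are the
author's own triage choices, not a published signature.
"""
import re
from typing import Dict, List

# OLE class names worth a second look. "OLE2Link" is the class named in the
# digest entry; anything else you add here is your own assumption.
SUSPICIOUS_CLASSES = {"ole2link"}

# Printable URL or UNC path inside decoded object data.
URL_RE = re.compile(rb"(?:https?://|\\\\)[\x21-\x7e]{4,}", re.IGNORECASE)
CLASS_RE = re.compile(r"\{\\\*\\objclass\s*([^}]*)\}")
DATA_RE = re.compile(r"\{\\\*\\objdata\s*([^}]*)\}")


def find_object_groups(rtf: str) -> List[str]:
    """Return every top-level '{\\object ...}' group with balanced braces.
    A backslash escapes the following character, so '\\{' and '\\}' do not
    change the nesting depth."""
    groups: List[str] = []
    pos = 0
    while True:
        start = rtf.find(r"{\object", pos)
        if start == -1:
            return groups
        depth = 0
        i = start
        while i < len(rtf):
            ch = rtf[i]
            if ch == "\\":
                i += 2  # skip control symbol / escaped character
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    groups.append(rtf[start:i + 1])
                    break
            i += 1
        else:
            return groups  # unbalanced group: stop scanning
        pos = i + 1


def decode_objdata(hex_text: str) -> bytes:
    """Decode the hex payload of \\objdata; RTF allows whitespace and line
    breaks between hex digits, and truncated data should not abort triage."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # drop a dangling nibble
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return b""


def triage_object(group: str) -> Dict[str, object]:
    """Summarise one object group: class name, decoded size, URLs, flags."""
    m = CLASS_RE.search(group)
    cls = m.group(1).strip() if m else ""
    m = DATA_RE.search(group)
    data = decode_objdata(m.group(1)) if m else b""
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    flags: List[str] = []
    if cls.lower() in SUSPICIOUS_CLASSES:
        flags.append("watchlisted-class")
    if urls:
        flags.append("external-reference")
    if r"\objautlink" in group:
        flags.append("linked-object")
    return {"class": cls, "size": len(data), "urls": urls, "flags": flags}


def triage_rtf(rtf: str) -> List[Dict[str, object]]:
    """Triage every embedded object in an RTF document."""
    return [triage_object(g) for g in find_object_groups(rtf)]


# Constructed sample, NOT a real or malicious document: one ordinary embedded
# Word object and one linked OLE2Link object whose data carries a
# placeholder URL (example.invalid is a reserved, non-resolving domain).
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Quarterly report" "\n"
    r"{\object\objemb{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000020000000b000000}}" "\n"
    r"{\object\objautlink{\*\objclass OLE2Link}{\*\objdata " "\n"
    + "".join(f"{b:02x}" for b in
              b"\x01\x05\x00\x00http://example.invalid/placeholder.hta\x00")
    + "}}" "\n" r"}"
)

if __name__ == "__main__":
    for n, obj in enumerate(triage_rtf(SAMPLE_RTF), 1):
        print(f"object {n}: class={obj['class']!r} size={obj['size']} "
              f"urls={obj['urls']} flags={obj['flags']}")
```

Run it against a directory of quarantined attachments and escalate any file whose objects carry `external-reference` or `watchlisted-class`; an ordinary embedded `Word.Document.8` object with no URL in its data produces no flags, which is the point of the contrast in the sample.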
Ewind – Adware in Applications Clothing
2017-04-11 17:10:36 by AlienVault
Multiple new samples of the Android adware family “Ewind” have been observed since mid-2016. The actors behind this adware use a simple yet effective approach – they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package (APK). They then distribute the trojanized application through their own Android application sites aimed at Russian-language users. Some of the popular Android applications that Ewind targets include GTA Vice City, AVG Cleaner, Minecraft – Pocket Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile. Although Ewind is fundamentally adware, monetized by displaying advertising on the victim device, it also includes other functionality such as collecting device data and forwarding SMS messages to the attacker. The adware Trojan in fact potentially allows full remote access to the infected device.
Unraveling the Lamberts Toolkit
Ongoing analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity. Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero-day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high-profile organization in Europe.
Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations, primarily in Australia.
Lazarus Under the Hood
Lazarus malware has been found in many serious cyberattacks, such as the massive data leak and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea, dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and financial companies in 2013.
The dawn of nation state digital espionage
Intrusions began as early as 1996. The early targets: a vast number of US military and government networks, including Wright-Patterson and Kelly Air Force Bases, the Army Research Lab, the Naval Sea Systems Command in Indian Head, Maryland, NASA, and the Department of Energy labs. By mid-1998 FBI and Department of Defense investigators had forensic evidence pointing to Russian ISPs.
Updated Cloud Hopper Indicators of Compromise
Ongoing analysis, in collaboration with PwC’s cyber security practice, BAE Systems, the UK’s National Cyber Security Centre (NCSC) and other members of the security community, to uncover and disrupt what is thought to be one of the largest ever sustained global cyber espionage campaigns, an operation referred to as ‘Operation Cloud Hopper’.
The Blockbuster Sequel
Unit 42 has identified malware with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. This report details the activities from a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks.
Red Leaves Implant - overview
This technical note discusses a relatively undocumented implant used by the APT10 group. This is named “Red Leaves” after strings found in the malware. The sample discussed was found during an incident response engagement in March 2017. The earliest evidence obtained shows it has been in use since at least November 2016.
(APT-C-23) To the Pakistani and the United States
Since May 2016, APT-C-23 has carried out an organized, planned and targeted long-term, uninterrupted attack against important sectors such as Palestinian educational institutions and military institutions. The attack platforms are mainly Windows and Android, and the targets are mainly in the Middle East region; to date we have captured a total of 24 Android samples and 19 Windows samples, involving 29 C&C domain names.
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
Over the past few months Palo Alto Networks have been working together with ClearSky on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and two families of Google Android malware we are calling SECUREUPDATE and VAMP.