
CSC May 5th Weekly Briefing

This week, Snakes on a plane, to Russia with Love and the Internet Of Things …could be worse - Be Vigilant!

Kazuar: Multiplatform Espionage Backdoor with API Access

Last Updated: 2017-05-04 00:59:20
Created: 2017-05-04 00:59:20

Our researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver.

Google Docs Phishing domains

Last Updated: 2017-05-04 02:23:40
Created: 2017-05-03 21:46:40

Ongoing detection of Phishing targeting Google Docs. Lesson - Don’t click on random Google Doc links.
A massive phishing campaign targeting Google accounts ripped through the internet since Wednesday Afternoon.
A range of industries are receiving emails containing what looks like a link to a Google Doc that appears to come from a known source. These malicious emails are designed to hijack accounts.

KONNI: A Malware Under The Radar For Years

Last Updated: 2017-05-03 20:36:15
Created: 2017-05-03 20:36:15

A previously unknown Remote Administration Tool (RAT) that is believed to have been in use for over 3 years has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, log keystrokes, take screenshots, and execute arbitrary code on the infected host. The malware is known as KONNI.
#Korea #United Nations #UNICEF

Carbanak attacks against Chipotle, Baja Fresh and Ruby Tuesday

Last Updated: 2017-05-03 18:02:41
Created: 2017-05-03 18:02:41

A sophisticated hacking group with suspected ties to cybercrime gangs operating in Eastern Europe is now actively targeting and breaching prominent, brand-name restaurants in the U.S. A recently disclosed data breach suffered by Mexican fast food restaurant Chipotle was carried out by hackers linked to a group known as FIN7 or the Carbanak Group. In addition to Chipotle, the hackers appear to be targeting national restaurant franchises Baja Fresh and Ruby Tuesday, according to malware samples and other evidence obtained.
#FIN7 #Carbanak #Restaurant #Chipotle

Snake: Coming soon in Mac OS X flavour

Last Updated: 2017-05-03 17:51:41
Created: 2017-05-03 17:51:41

Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks.
For Windows versions the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of a targeted machine either kernel or user mode is used for network communication.
The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes are still present in the binary.
#Russia #Turla #Snake

Greenbug's DNS-isms

Last Updated: 2017-05-01 20:50:33
Created: 2017-05-01 20:49:40

Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns. These have been the attacks on Saudi Arabian companies where a destructive malware known as Disttrack was deployed. The malware, using stolen credentials, spreads throughout the targeted networks and then at a set date and time wipes the disks attached to the victim computers.
#Greenbug #malware #dns #arbornetworks


Last Updated: 2017-04-28 12:10:02
Created: 2017-04-28 12:10:02

Backdoor.Win32.Denis uses DNS tunneling for communication.
Backdoor.Win32.Denis extracts the addresses of the functions it needs to operate from loaded DLLs. However, instead of calculating the checksums of the names in the export table (which is what normally happens), this Trojan simply compares the names of the API calls against a list. The list of API names is encrypted by subtracting 128 from each symbol of the function name.
#DNS #tunneling #Denis #Backdoor.Win32.Denis #malware #kaspersky
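An added helper, not from the Kaspersky write-up, showing what that "subtract 128" scheme looks like to an analyst: it recovers the plaintext API-name list from a byte region. It assumes the arithmetic is modulo 256 on single bytes (so each ASCII character simply has its high bit set), which is an assumption, and the encoded sample is constructed here.

```python
# Added example for the Backdoor.Win32.Denis API-name encoding described above.
# Assumption: each name character c is stored as (c - 128) mod 256, so an ASCII
# byte ends up with its high bit set; decoding adds 128 back (mod 256).

def encode_api_name(name: str) -> bytes:
    """Apply the encoding as described: subtract 128 from every character (mod 256)."""
    return bytes((b - 128) & 0xFF for b in name.encode("ascii"))

def decode_api_name(blob: bytes) -> str:
    """Invert the encoding by adding 128 back (mod 256)."""
    return bytes((b + 128) & 0xFF for b in blob).decode("ascii", errors="replace")

def recover_api_names(data: bytes, min_len: int = 4) -> list[str]:
    """Scan a byte region for runs of high-bit bytes that decode to printable
    ASCII of at least min_len characters; these are plausible entries of an
    encoded API-name list. Bytes below 0x80 (e.g. NUL separators) end a run."""
    names: list[str] = []
    run = bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if b >= 0x80:
            run.append(b)
            continue
        if len(run) >= min_len:
            text = decode_api_name(bytes(run))
            if text.isprintable():
                names.append(text)
        run = bytearray()
    return names

# Constructed sample: three encoded names, NUL-separated, as such a list might
# be laid out in the binary. The names are illustrative, not from the sample.
SAMPLE_REGION = b"\x00".join(
    encode_api_name(n) for n in ("GetProcAddress", "LoadLibraryA", "DnsQuery_A")
) + b"\x00"

if __name__ == "__main__":
    for name in recover_api_names(SAMPLE_REGION):
        print(name)
```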

APT Targets Financial Analysts with CVE-2017-0199

Last Updated: 2017-04-28 15:12:29
Created: 2017-04-28 11:18:51

On April 20, a targeted campaign focused on financial analysts working at top global financial firms operating out of Russia, China and neighboring countries was observed. Attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT).
#Russia #China #PlugX #CVE-2017-0199

Intrusions Affecting Multiple Victims Across Multiple Sectors

Last Updated: 2017-04-28 11:05:38
Created: 2017-04-28 11:05:38

An emerging sophisticated campaign, occurring since at least May 2016, uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
#Cloudhopper #apt10
