J2SECOPS WEEKLY NEWS:
Everything from Androids dreaming of Electric Sheep to Every Mov(ie) You Make… I’ll Be Watching you…
MoviePass Subscription Service Tracks More Than Your Viewing Habits
The CEO of MoviePass recently revealed the full extent of its tracking functionality, which was originally thought to use your location to find a nearby theatre. The application can track any user from their home to the theatre, and then onward through the rest of their journey, keeping notes on businesses and restaurants the user may visit. While this data is said to only be used to help enhance the user’s evening, it does seem to be a massive breach of privacy given that there is nothing in the terms of service that mentions the full extent of the tracking.
Does ALEXA Dream of Electric Sheep?
Multiple people have been spooked by Amazon's virtual AI assistant, Alexa, laughing on its own. Amazon has promised it will implement changes to avoid similar incidents in the future, but it's good to look at what we could learn from all of this. First, let’s set a couple of things straight. Alexa laughing at seemingly random moments, coupled with little acts of defiance, sure sounds chillingly familiar — but this (probably) isn’t a sign of an AI takeover. What it is, rather, is a chance to reconsider some of the realities of living with virtual AI assistants today, and in the future.
Latest Crypto-Miner Introduces Kill List for Competitive Processes
A new cryptocurrency miner has recently been discovered that seems to have an edge over its competition: the ability to terminate conflicting processes to maintain control over the device’s processing power. While the use of a ‘kill list’ isn’t new to malware in general, this does seem to be the first program that uses it for mining purposes, rather than continuing to propagate.
MacOS Users Getting Browsing Security Update
Within the last week, Google has announced it will begin rolling out a new security feature for MacOS that will give Chrome users additional warnings when attempting to access malicious or compromised websites. While these features have been available to Windows users for quite some time, Google will begin rolling them out for MacOS in April of this year. As Mac malware continues to proliferate, the necessity of these features grows right alongside it.
New Detection Technique – Memcrashed
Cybercriminals used Memcached servers in a campaign called Memcrashed. The technique amplifies DDoS traffic by a factor of over 51,000, enough to knock down major websites and Internet infrastructure. The Memcrashed amplification attack works by sending a forged request to a vulnerable Memcached server listening on UDP port 11211, with the source IP address spoofed to match the victim's IP, so that the far larger response is delivered to the victim rather than to the sender.
The easiest way to prevent a Memcached server from being used as a reflector is blocking UDP on port 11211. Internet service providers (ISPs) can also help to mitigate these and other types of amplification attacks by fixing vulnerable protocols and trying to prevent IP spoofing.
We've updated the 'Delivery & Attack – DDOS' correlation rule to detect Memcrashed activity.
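The amplification pattern above (tiny spoofed "requests" to 11211/udp, huge responses back to the victim) can be spotted in flow telemetry. The following is an added example, not code from the newsletter or from the correlation rule it mentions; it runs over constructed NetFlow-style summary lines, and the log format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211
# Alert when a host receives this many times more bytes from 11211/udp than it
# sent there; the campaign above reached >51,000x, so a far lower bar suffices.
AMPLIFICATION_THRESHOLD = 100.0
# Constructed flow summaries, not real traffic: "<ts> <proto> <src> -> <dst> bytes=<n>"
SAMPLE_LOG = """\
2018-03-05T10:00:01Z udp 198.51.100.10:40001 -> 203.0.113.5:11211 bytes=60
2018-03-05T10:00:01Z udp 203.0.113.5:11211 -> 198.51.100.10:40001 bytes=750000
2018-03-05T10:00:02Z udp 198.51.100.10:40002 -> 203.0.113.6:11211 bytes=60
2018-03-05T10:00:02Z udp 203.0.113.6:11211 -> 198.51.100.10:40002 bytes=900000
2018-03-05T10:00:03Z tcp 192.0.2.7:51000 -> 203.0.113.5:11211 bytes=1200
2018-03-05T10:00:03Z tcp 203.0.113.5:11211 -> 192.0.2.7:51000 bytes=4000
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+)"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$")

def parse_flow(line):
    """Return one flow as a dict (ports and bytes as ints), or None on no match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    for k in ("sport", "dport", "bytes"):
        f[k] = int(f[k])
    return f

def detect_memcrashed(log_text, threshold=AMPLIFICATION_THRESHOLD):
    """Return {victim_ip: (amplification_ratio, [reflector_ips])} for hosts whose
    inbound bytes from 11211/udp dwarf what 'they' sent: the spoofed-source
    reflection signature. TCP is skipped; it cannot be spoofed this way."""
    sent, received = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dport"] == MEMCACHED_PORT:
            sent[f["src"]] += f["bytes"]          # the forged "request" leg
        elif f["sport"] == MEMCACHED_PORT:
            received[f["dst"]] += f["bytes"]      # the amplified response leg
            reflectors[f["dst"]].add(f["src"])
    alerts = {}
    for victim, rx in received.items():
        ratio = rx / max(sent[victim], 1)
        if ratio >= threshold:
            alerts[victim] = (ratio, sorted(reflectors[victim]))
    return alerts
```

`detect_memcrashed(SAMPLE_LOG)` flags 198.51.100.10 as the victim of two reflectors, while the TCP Memcached client 192.0.2.7 is ignored; the same pass also lists which servers on your own ranges are answering UDP on 11211, which is what the port-blocking advice above is meant to stop.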
New Detection Technique – Chafer
Chafer is a trojan first exposed by Symantec in early 2015. It has resurfaced in new campaigns targeting the Middle East. Its activity is focused on information gathering and creating backdoors, targeting organizations in key sectors of the region such as airlines, telecom companies, and engineering firms. Some countries affected by these campaigns are Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.
The infection vector is an Office Excel document spread by email. When opened, it downloads a malicious VBS file that in turn runs a PowerShell script. Some hours later, a dropper appears on the compromised computer. The dropper installs three files on the computer: an information stealer, a screen capture utility, and an empty executable.
Some tools added to Chafer include Remcom, Non-sucking Service Manager (NSSM), SMB hacking tools, and a custom screenshot/clipboard capture tool, among others.
We've updated the 'Malware Infection – Trojan' correlation rule to detect Chafer activity.
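The infection chain described above (an Office document that leads to a VBS file, which in turn runs PowerShell) leaves a recognisable parent-child process lineage. The following is an added example, not code from the newsletter or from the correlation rule it mentions; it walks constructed Sysmon-style process-creation events, and the event fields, pids and image names are assumptions.

```python
# Constructed process-creation events, not real telemetry (pid 1 is the root).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "EXCEL.EXE"},       # the emailed spreadsheet
    {"pid": 300, "ppid": 200, "image": "wscript.exe"},     # runs the downloaded VBS
    {"pid": 400, "ppid": 300, "image": "powershell.exe"},  # VBS hands off to PowerShell
    {"pid": 500, "ppid": 100, "image": "powershell.exe"},  # an admin's shell: benign
    {"pid": 600, "ppid": 200, "image": "powershell.exe"},  # Office -> PS with no script host
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FINAL_STAGE = {"powershell.exe"}

def ancestry(events, pid):
    """Lower-cased image names from pid up to the root, e.g.
    ['powershell.exe', 'wscript.exe', 'excel.exe', 'explorer.exe']."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def detect_office_script_chain(events):
    """Return pids of PowerShell processes that descend from a script host which
    itself descends from an Office app: the Excel -> VBS -> PowerShell chain.
    Intermediate processes between the stages are tolerated."""
    hits = []
    for e in events:
        if e["image"].lower() not in FINAL_STAGE:
            continue
        stage = "script"                          # must meet a script host first...
        for image in ancestry(events, e["pid"])[1:]:  # ...then an Office app above it
            if stage == "script" and image in SCRIPT_HOSTS:
                stage = "office"
            elif stage == "office" and image in OFFICE_APPS:
                hits.append(e["pid"])
                break
    return sorted(hits)
```

On the sample events only pid 400 matches; the Office-spawned PowerShell (pid 600) is a different, looser pattern that would need its own rule with its own false-positive budget.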
New Detection Technique – Cannibal RAT
Cannibal RAT is a new remote administration tool, written entirely in Python, that was exposed by the Talos group in February 2018. Samples of two versions of this malware (3.0 and 4.0) were detected, both sharing most of the same packages and behaviors; however, version 4.0 uses obfuscation techniques to avoid detection. Recent campaigns target Brazil, specifically the INESAP (Instituto Nacional Escola Superior da Administração Pública).
The malware is distributed in py2exe format, with python27.dll and the Python bytecode attached as a PE resource. The C&C infrastructure uses fast-flux DNS, so the hostnames' resolutions change rapidly. The C&C is linked to four hostnames which always point to IP addresses hosted within the same ASN.
Version 4.0 of the RAT was hosted at inesapconcurso[.]webredirect[.]org and filebin[.]net. After installation, the malware creates a PDF file with HTML code embedded, mimicking an official document from the INESAP. Afterwards, it will start Chrome to open the created PDF.
We've updated the 'Malware Infection – RAT' correlation rule to detect Cannibal RAT activity.
New Detection Technique – Malware SSL Certificates
We've updated the 'Malware Infection – Malicious SSL Certificate' correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.
New Detection Techniques – Trojan Infection
We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Icefog, Know Malicious Redirector, Sality.AE, SteamStealer, and W32/Kutaki families.
New Detection Techniques
Additional correlation rules were added as a result of recent malicious activity.
Updated Detection Technique – Asacub
The trojan Asacub, discovered in 2015, is considered an evolution of the CoreBot trojan. Distributed for Android devices, it was first classified as spyware, although it was later found to share connectivity with C&C servers used by Windows banker trojans.
The malware's banking functionality is based on displaying a bank phishing window, enabling call forwarding, and running specified Unstructured Supplementary Service Data (USSD) requests. In the last several years, it has mutated at least three times, adding capabilities such as GPS tracking and taking snapshots.
Recent campaigns started during December 2017, with a high traffic rate, infecting thousands of devices in Russia. The SMS spam campaigns infected more than 6,500 unique users in this country.
We've updated the 'Malware Infection – Mobile Trojan' correlation rule to detect Asacub activity.
Updated Detection Techniques – Trojan Infection
We've updated the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Bitcoin Miner, KovCoreG, Linux.Mirai, LokiBot, Nitol, Oilrig, SmokeLoader, and SmsThief.jz trojan families.
Updated Correlation Rules
Additional correlation rules were updated as a result of recent malicious activity.