Bi-weekly Security Update

Malicious content identified and inserted:

  • IPs – 960
  • Domains – 1653

Target lists updated:

  • TSCritical (Domains and IPs)
  • TSRansomware (Domains and IPs)
  • TSPhishing (Domains and IPs)
  • TSBanking (Domains and IPs)

Indicators of compromise have been updated for the following:

  • General Phishing attacks
  • Phishing emails targeting Santander Bank customers
  • General VOIP attacks
  • Turkojan RAT, which was used to target Odatv, a news organization based in Turkey. After computers used by Odatv journalists were seized by the Turkish National Police, researchers at Arsenal discovered that incriminating documents were placed on the machines prior to their seizure using the RAT.
  • The "Digital Plagiarist" campaign run by the "TelePort Crew", as dubbed by researchers at the tr1adx team, appears to be an evolution of the Carbanak cybercrime group, which is infamous for a large-scale campaign against banks that led to the 2015 theft of hundreds of millions of dollars, as well as the Carbanak/Anunak malware that targets point of sale machines.
  • Switcher, an Android malware that targets routers and was first reported by Kaspersky. It hijacks the DNS settings of the infected router. Its first step is to get a malicious app containing the malware downloaded onto an Android device owned by the user. These apps imitate well-known Chinese services such as Baidu, the popular Chinese search engine. Once installed, the malware runs a brute-force password-guessing attack against the router's admin web interface; if it succeeds, it changes the DNS servers configured on the compromised router.
  • Rig Exploit Kit, which was discovered in mid-2014 and mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight.
  • Sundown Exploit Kit, which is composed of a landing page and a second page on a different domain that contains the payload. It is distributed by malvertising and compromised sites. It has a relatively large number of domains available for execution, most of which were obtained through domain shadowing (creating subdomains under a compromised legitimate domain).
  • Marcher, an Android-based malware that pretends to be a mobile banking app. Once installed, the malware targets not only banking credentials, but also credentials for Google Play, Facebook, Skype, and Instagram using overlays on top of the legitimate applications. The I/S for this malware was taken down during the Avalanche take down. Check out our blog on Marcher here and on the Avalanche take-down here.
  • OilRig Campaign, as dubbed by Palo Alto Networks and based on the Persian word "Nafti" (Oily), which was hardcoded into a number of analyzed malware samples, consists of two attack waves against Saudi Arabian organizations starting in late 2015. This campaign has been seen targeting financial institutions and technology organizations in Saudi Arabia, as well as the defense industry. The malware used in the OilRig Campaign is the Helminth backdoor Trojan.
  • Mirai, a Linux malware that targets IoT devices and is mainly used for DDoS attacks. It spreads by identifying vulnerable devices using a table of common factory-default usernames and passwords and logging into them in order to infect them. This botnet has been used in the recent large DDoS attacks against computer security journalist Brian Krebs' web site and in the October 2016 Dyn cyber-attack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
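The Switcher entry above describes a sequence a defender can look for on a router: a burst of failed admin logins from one client, then a successful login, then a change of the configured DNS servers to resolvers that are not on the allowlist. The following detector is an added illustration, not code from this update or from ThreatSTOP; the event-log format, field names, thresholds and the allowlisted resolver addresses are all assumed, and the log lines are constructed.

```python
"""Flag a Switcher-style router takeover in a (constructed) router event log.

Assumed line format: "<epoch> <EVENT> key=value ...", with events
LOGIN_FAIL, LOGIN_OK (src=, user=) and DNS_SET (src=, servers=a,b).
"""
from collections import defaultdict, deque

TRUSTED_DNS = {"192.0.2.53", "198.51.100.53"}   # assumed allowlist (documentation IPs)
FAIL_THRESHOLD = 5                               # failed admin logins from one client...
WINDOW = 60                                      # ...within this many seconds

def parse(line):
    ts, event, *rest = line.split()
    return int(ts), event, dict(kv.split("=", 1) for kv in rest)

def detect(lines, trusted=TRUSTED_DNS, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (timestamp, alert_kind, detail) tuples in log order."""
    fails = defaultdict(deque)   # src -> timestamps of recent failures
    suspects = set()             # clients that crossed the brute-force threshold
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, f = parse(line)
        src = f.get("src")
        if event == "LOGIN_FAIL":
            q = fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # sliding window of failures
                q.popleft()
            if len(q) >= threshold:
                suspects.add(src)
                alerts.append((ts, "bruteforce", src))
        elif event == "LOGIN_OK" and src in suspects:
            alerts.append((ts, "login_after_bruteforce", src))
        elif event == "DNS_SET":
            rogue = sorted(set(f["servers"].split(",")) - trusted)
            if rogue:   # any resolver outside the allowlist is worth an alert
                kind = "dns_hijack" if src in suspects else "untrusted_dns"
                alerts.append((ts, kind, ",".join(rogue)))
    return alerts

SAMPLE_LOG = """\
900 DNS_SET src=192.168.1.2 servers=192.0.2.53,198.51.100.53
1000 LOGIN_FAIL src=192.168.1.23 user=admin
1002 LOGIN_FAIL src=192.168.1.40 user=admin
1005 LOGIN_FAIL src=192.168.1.23 user=admin
1010 LOGIN_FAIL src=192.168.1.23 user=admin
1015 LOGIN_FAIL src=192.168.1.23 user=admin
1020 LOGIN_FAIL src=192.168.1.23 user=admin
1025 LOGIN_OK src=192.168.1.23 user=admin
1030 DNS_SET src=192.168.1.23 servers=203.0.113.7,192.0.2.53
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The benign DNS_SET by the legitimate administrator and the single failure from a second client produce no alerts; only the chained burst, login and resolver change from 192.168.1.23 do.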

The following Targets were added to the Policy Editor (Additional targets were updated to include the new data):

  1. Skype super nodes whitelist – Skype, a peer-to-peer voice service, uses a distributed network of "super nodes" to maintain the quality and speed of communication across the Internet. This list contains the domains of these super nodes to allow whitelisting. (This target is available in both standard and expert modes.)

In addition, the following blog posts have been published: