Malicious Content Identified and Inserted:

  • IPs – 2177
  • Domains – 522

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updatedfor the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • IOCs involved in suspicious scanning activities on domains and hosts.
  • IOCs involved in malspam
  • IOCs involved in phishing.
  • Mirai, a Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog.
  • Ewind is an Android Adware. If a package name matches the list of targeted applications, it will run on the infected device. Each time an application is sent to the foreground or background, Ewind notifies the C2. The C2 responds with a command for Ewind to execute, typically displaying an advert List of applications here.
  • Nemucod is a JavaScript downloader Trojan targeting users through malspam campaigns. Nemucod downloads and executes malware without the user’s consent, usually through malicious spam emails with .zip extensions. Recently, there has been a rise in the number of cases where Nemucod distributes ransomware. More on the blog here.
  • Sundown Exploit Kit includes a landing page and one additional page, with a payload, on a different domain. It is distributed through malvertising and compromised sites. It has a relatively large number of domains for execution, most of which are obtained through domain shadowing. (Creating subdomains under a compromised legitimate domains)
  • Nebula Exploit Kit is a new variant of a known EK, Sundown, with some alterations. The only difference between the two Exploit Kits, as mentioned in this report by cyber researcher Kafeine, is Nebula’s internal TDS. (TDS is a gate that is used to redirect visitors to various content) Recently it was reported to distribute DiamondFox malware, with information disclosure capabilities (specifically credentials and financial information), and known for point of sale system attacks.
  • Rig Exploit Kit, discovered in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight. In March 2017, a campaign involving the transfer of Cerber ransomware (utilizing RIG EK) was published in Malware-Traffic-Analysis.
  • Cerber Ransomware. This ransomware debuted in February 2016 as one of the most prevalent ransomware variants. This ransomware is typically distributed through emails containing macro-enabled Word documents, Windows Script Files or Rich Text Documents. Cerber uses a strong, presently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDOS capabilities. One recent variant of the ransomware has been spotted quietly sending massive amounts of network traffic from infected machines. You can read more about it in our blog post here.
  • Gh0st RAT is a Remote Access Trojan Horse used for cyber-spying, giving attackers full, real-time control. A variant of this RAT, Piano Ghost, was part of a campaign "Musical Chairs,” reported by Palo Alto and distributed via phishing e-mails.
  • The Lazarus Group is belived to have ties to the North Korean government, known for their involvement in the 2014 Sony Pictures hack and Operation DarkSeoul.
  • Carbon backdoor is attributed to Turla Group. Snake\Turla is cyber espionage group reported by G-data and active in APT campaigns. In 2016, Turla was discovered to infect targets in over 45 countries. This malware is distributed by direct spear phishing and watering hole attacks. Also, this group has a distinct modus operandi with the regular usage of satellite-based Internet links. In 2016, the Swiss published a report on the Carbon, a second stage backdoor in the Turla group arsenal. In 2017, ESET had published report of updates on this backdoor.
  • Red leaves is malware implemented and used by Chinese APT group, APT10. Capabilities include a desktop screenshot, returning host information, downloading a file from a remote server using HTTP and deleting local files. Communication to command and control is through protocols HTTP, HTTPS and a custom binary protocol using TCP.
  • CopyKitten is an Iranian threat actor. In this specific campaign, the attackers insert a single line of Javascript code into compromised domains of known public and governmental organizations, particularly in Israel. This malicious download was used in the 'Browser Exploitation Framework Project' penetration testing tool, focusing on targeting web browsers.
  • The Trojan Kovter surfaced in 2014 as a screenlocker and scareware sample, posing as a law enforcement tool. Since then, it has been used in click-fraud and malvertising campaigns (as data-encrypting ransomware) and a malware installation tool. Recently, Phishme revealed that Locky ransomware was distributed alongside the Kovter ad fraud Trojan.
  • Locky, the most widespread ransomware in the world, encrypts a victim’s data using a strong RSA-2048+AES-128 encryption, demanding 2-4 bitcoins for decryption. This ransomware debuted in early 2016 and is distributed in numerous ways, including spam emails with Word/Excel documents through malicious macros and JS scripts. Locky is also delivered through popular Exploit Kits. It has a widespread reach, already attacking in over 100 countries.
  • Since May 2016, the APT-C-23 has organized, planned and targeted long-term uninterrupted attack on Palestinian and Israeli Targets. This campaign targeted Windows and Android platforms.
  • Dridex is a strain of banking malware leveraging macros in Microsoft Office. Once a computer has been infected, Dridex attackers steal banking credentials and other personal information to access a user’s financial records.
  • Trochilus RAT is a remote access Trojan (RAT) specifically engineered to evade detection through traditional signature-based malware detection techniques, like sandboxing. Trochilus RAT is part of a seven malware cluster called the “Seven Pointed Dagger,” operated by Group 27. Researchers consider this a multi-stage attack campaign targeting Asian governments. In September 2016, Palo Alto networks detected this RAT activity alongside a new RAT, MoonWind.

 Security Blog Roundup:

  • Dimnie: Targeting the Unexpected