ThreatSTOP Blog

Bi-Weekly Security Update 3/15/2017

Written by Lauren Wilson | March 15, 2017


Malicious Content Identified and Inserted:

  • IPs – 3680
  • Domains – 603

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • Nebula Exploit Kit is a new variant of a known exploit kit, Sundown. Mentioned in this report by cyber researcher Kafeine, the key difference between the two is Nebula's different internal TDS (a TDS, or traffic distribution system, is a gate used to redirect visitors to various content). Recently, it was reported to distribute DiamondFox malware, capable of information disclosure (specifically credentials and financial information) and known for attacks on point-of-sale systems.
  • Shamoon is a wiper malware designed to destroy computer hard drives by permanently wiping the master boot record (MBR) and data. There have been two main waves of attacks: one in 2012 and a second in 2016-2017. These attacks targeted thousands of computers across government and civil organizations, including in Saudi Arabia and the Gulf States.
  • More than 20 apps infected with HummingBad were discovered by Check Point. These apps have been removed from the Google app store, but still may be active on infected devices.
  • Smishing, or SMS phishing, is an attack vector in which an attacker sends SMS messages that appear to come from legitimate organizations. This domain is related to an attack in the Czech Republic.
  • Nemucod is a JavaScript downloader Trojan that targets users through malspam campaigns. Nemucod downloads and executes additional malware without the user’s consent. Nemucod usually arrives on an infected machine through malicious spam emails with .zip extensions. Recently, there has been a rise in cases of Nemucod distributing ransomware.
  • Since the summer of 2016, the Chinese APT Group associated with cyber actor TA459 started using a new downloader, ZeroT, to install the PlugX remote access Trojan (RAT). Distributed mainly in spear-phishing emails, this downloader targets entities in Russia, Belarus and other countries in Asia.
  • Mirai, a Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' website, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • StoneDrill is a wiper malware that appears to be targeting organizations in Saudi Arabia, found by Kaspersky Lab researchers. StoneDrill was discovered during research into the wiper malware Shamoon, and differs from it in techniques that allow better evasion of detection.
  • Lurk is a cyber group and one of the first to use fileless exploit payloads in its campaigns. If the target machine wasn't interesting enough to the Lurk operators, no traces were left on affected systems apart from files derived from the exploit process.
  • Recently, Palo Alto Networks researchers discovered 132 Android apps on Google Play that were infected with tiny, hidden IFrames. These IFrames link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone. The known infected apps were removed from Google Play’s store, but new ones may appear.
  • Neutrino Exploit Kit is a prevalent EK used for the exploitation of numerous vulnerabilities on a victim's computer, and for downloading malware, including ransomware. Neutrino is sold underground and usually infects victims via compromised websites. You can read more about Neutrino in our paper from August 2016 - https://blog.threatstop.com/2016/08/30/security-report-neutrino-ek/
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • Fareit aka Pony is a data stealer Trojan capable of collecting sensitive user information, including usernames and passwords in certain browsers, stored email credentials, bitcoin-related details and more.
  • Vawtrak is a banking Trojan that has been active since 2013, and it has already made headlines this year for attacks on Japanese banks. The Trojan is spread using exploit kits, or via spam emails with malicious macros. Recently, Vawtrak was spotted in a campaign utilizing lawsuit- and subpoena-related spam emails to infect victims. Once installed, the Trojan waits until the victim visits a major financial website (such as CapitalOne, Citibank, etc.), both in the U.S. and the U.K., then logs the user's credentials for these sites. The new version of Vawtrak has antivirus-evading features, and its target variety has grown over time, making it one of the more advanced banking Trojans today.
  • Snake Wine is a Chinese APT group targeting Japanese government, education and commerce organizations. Their campaign was distributed through spear phishing, followed by the use of the Ham backdoor and Tofu. The main goal of this campaign is information disclosure.
  • Cerber Ransomware. This ransomware debuted in late February 2016 and is one of the most prevalent ransomware variants. The ransomware is typically distributed via emails containing macro-enabled Word documents, Windows Script Files or Rich Text documents. Cerber uses strong, presently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDoS capabilities: one recent variant has been spotted quietly sending out huge amounts of network traffic from infected machines. You can read more about it in our blog post - https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/
  • Locky, the most prevalent ransomware in the world, encrypts a victim's data using strong RSA-2048+AES-128 encryption, then demands between 2 and 4 bitcoins for the decryption of that data. This ransomware debuted in early 2016 and is currently being distributed in various ways, including spam emails that contain Word and Excel documents with malicious macros, as well as JS scripts. Locky is also delivered via popular exploit kits, such as Nuclear and Neutrino. Locky has a widespread reach, having been used to attack victims in over 100 countries. Read more here - https://blog.threatstop.com/locky-back-in-action and here - https://blog.threatstop.com/2016/02/24/locky-not-to-be-confused-with-lucky/
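The Mirai entry above describes how the bot spreads: it walks a table of factory default usernames and passwords against exposed devices until a login succeeds. From the defender's side, the tell-tale signal is one source address cycling through many different account names in a short span, which is different from a legitimate user retyping one password. The following is an added example (not ThreatSTOP's code and not part of this update): a small Python detector that runs over constructed telnet/SSH-style authentication log lines. The log format, the sample addresses, the 5-minute window and the threshold of 4 distinct usernames are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical log format constructed for this example (not any vendor's format):
# <ISO timestamp> auth <ok|fail> src=<ip> user=<name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Constructed sample lines: one host cycles through several account names in
# seconds (sweep-like), the other is an ordinary user mistyping a password.
SAMPLE_LOG = """\
2017-03-15T10:00:01 auth fail src=198.51.100.7 user=root
2017-03-15T10:00:02 auth fail src=198.51.100.7 user=admin
2017-03-15T10:00:02 auth fail src=198.51.100.7 user=support
2017-03-15T10:00:03 auth fail src=198.51.100.7 user=service
2017-03-15T10:00:04 auth ok src=198.51.100.7 user=guest
2017-03-15T10:00:09 auth fail src=203.0.113.4 user=alice
2017-03-15T10:00:15 auth ok src=203.0.113.4 user=alice
2017-03-15T10:20:00 auth fail src=203.0.113.4 user=bob
"""


def parse_events(text):
    """Parse log text into (timestamp, src, user, succeeded) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        events.append((
            datetime.fromisoformat(m["ts"]),
            m["src"],
            m["user"],
            m["result"] == "ok",
        ))
    return events


def find_credential_sweeps(events, window=timedelta(minutes=5), min_users=4):
    """Return {src: details} for sources that tried at least `min_users` distinct
    account names within any span of length `window`. Keying on distinct
    usernames rather than raw failure count separates a default-credential
    sweep from a single user retyping one password many times."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological order per source
        for i, (start_ts, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start_ts <= window]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                hits[src] = {
                    "distinct_users": len(users),
                    "window_start": start_ts.isoformat(),
                    # a success after a sweep means the device is likely compromised
                    "login_succeeded": any(ok for _, _, ok in span),
                }
                break  # first qualifying window is enough to raise the alert
    return hits


if __name__ == "__main__":
    for src, info in find_credential_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info}")
```

On the sample input only 198.51.100.7 is reported, with five distinct usernames inside a few seconds and a successful login at the end; 203.0.113.4 never exceeds two account names in any five-minute window and stays quiet. The `login_succeeded` flag is what turns a noisy-scanner alert into an incident: a device that accepted one of the swept credentials should be treated as infected until checked.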

Security Blog Roundup:

  • EITEST – the long living campaign
  • 3 new targets protecting against drive-by attacks

New/Updated Targets:

  • New in Standard mode:
    • Driveby Domains
  • New in Expert mode:
    • Driveby Domains (Paranoid)
    • Driveby Domains (Super Paranoid)