ThreatSTOP Blog

Bi-Weekly Security Update 6/9/2017

Written by Lauren Wilson | June 9, 2017

Malicious Content Identified and Inserted:

  • IPs – 609
  • Domains – 1381

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking
  • TSInbound – NEW!

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • IOCs that were involved in suspicious scanning activities on domains and hosts.
  • IOCs that were involved in Malspam.
  • IOCs that were involved in phishing.
  • IOCs that are related to the DocuSign breach, where phishing emails carrying malware were sent to DocuSign customers’ corporate e-mail addresses.
  • WannaCry is ransomware that spread wildly in a short amount of time, detected in May 2017. It infected over 100K victims in over 99 countries, exploiting the MS17-010 vulnerability in the SMBv1 server (the exploit is also named EternalBlue). This ransomware has infected large financial and governmental entities. For more information, visit our blog here.
  • Jaff Ransomware was found distributed via Malspam from the Necurs botnet. These spam emails have subjects like “Scan_84686473.” As of May 2017, it was determined that the Jaff Ransomware is not decryptable.
  • WildFire Locker is new ransomware that uses AES-256 CBC encryption on the user's files and asks for $299 from the victim, threatening to raise the price to $999 if they do not pay within a week. This ransomware infects victims through a malicious Word document containing embedded macros.
  • Emotet was first noticed in June 2014 by Trend Micro. It is a banking Trojan: the victims’ bank accounts are infiltrated by a web browser infection which intercepts communication between the webpage and the bank's servers. In this scenario, the malware hooks specific routines to sniff network activity and steal information. This technique is typical of modern banking malware and is widely known as a Man-in-the-Browser attack.
  • MoneyTaker, AKA Fin7, is a Russian-speaking cyber-crime group known to be responsible for conducting targeted attacks on financial institutions globally. The main objective of this group is to gain access to critical systems such as SWIFT payment systems, ATM systems, card processing systems, banking software, POS software and sensitive documents from the organization, in order to carry out other fraud schemes. One of their latest campaigns was found by FireEye in February 2017, targeting cyber security entities in the USA.
  • Mirai, a Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog, here.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • Mole Ransomware is part of the CryptoMix malware family. This malware is distributed through Malspam, primarily seen in fake USPS invoices dated April. Read more about Mole Ransomware in our blog post here.
  • BankBot is malware targeting Android OS, appearing in Google Play in different forms, often impersonating well-known application icons or names. The predecessor of this malware, BankBotAlpha, was first advertised on December 19, 2016, on a Russian forum as a new initiative to build an Android banker from scratch. This malware obtains device admin privileges from the user and collects information like the IMEI, bank applications present on the device, OS version, presence of root, etc. Communication with the C&C is by SMS and over HTTP.
  • Msposer is a generic name given to a family of Trojans that pretend to be legitimate Microsoft products. This type of malware may be spread by "crackers" used to run software without a valid license.
  • Zyklon HTTP bot is a botnet allowing users to execute various types of DDoS attacks, data theft and fraud. It also features self-protection mechanisms to detect other malware and assure its own availability, supports Tor for anonymization, and comes loaded with a number of additional features. Zyklon HTTP Botnet targets PCs and spreads itself via a number of different methods, including phishing attacks. The bot is reasonably well written, with precautions for hiding its traffic from network-based detection engines, even from intercepting proxies, by encrypting all its communications.
  • StreamEx is a Trojan that can perform system enumeration, modify files, and execute remote commands. It was not only used by APT group Shell Crew in targeted attacks, but also spread through compromised Korean websites.
  • The Winnti group, a cybercriminal group most likely originating from China and active since 2011, has a past of traditional cybercrime, particularly financial fraud and attacks against the online video game industry. It has been seen abusing GitHub by turning it into a conduit for command and control: upon successful infection, the malware starts communicating with an HTML page from a repository stored in a GitHub project. Trend Micro research claims the repository was opened for this purpose and was not compromised. Alongside the malware attributed to this group, they also use the PlugX RAT.
  • Reblight is malware identified by Symantec, capable of downloading files, uploading files and installing browser extensions.
  • Styes is a worm detected by Symantec, capable of self-spreading through shared files and removable drives.
  • Qbot is Linux malware targeting IoT systems that spreads by brute-forcing Telnet logins (port 23). In one of the earliest reports by Level 3 researchers, after the attackers gain access to the device, it runs shell commands to download other malicious binaries onto the infected system. This bot has been found to be used for DDoS activity.
  • RoughTed is a large malvertising operation that has been active for a year, but was seen in increased activity in March 2017. This malvertising campaign is diverse and able to target any user of any operating system or browser; for each platform there is a distinct payload, including exploit kits like Magnitude and RIG EK, rogue Chrome extensions and PUPs for Windows.
  • Nemucod is a JavaScript downloader Trojan that targets users through Malspam campaigns. Nemucod downloads and executes additional malware without the user’s consent. Nemucod usually arrives on an infected machine through malicious spam emails carrying .zip attachments. Recently, there has been a rise in cases of Nemucod distributing ransomware. Read more here.
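Several of the families above (WannaCry over SMB port 445, Mirai and Qbot over Telnet port 23) propagate by having an infected host sweep many neighbours on one port in a short time, which is the "suspicious scanning activity" the first bullet refers to. The following is an added example, not ThreatSTOP code, of the detection logic a defender can run over connection logs: it keeps a per-(source, port) sliding window and raises an alert when one source reaches more than a threshold of distinct destinations on a worm-favoured port. The log format, the hosts and the timestamps are constructed for the example; the thresholds are assumptions to tune per network.

```python
"""Flag worm-style propagation sweeps (SMB 445 / Telnet 23) in connection logs.

Constructed example for this post; the log format below is a simplified
firewall line, not a real vendor format, and all addresses are made up.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# One line per connection attempt; DENY lines count too, because a scanner's
# blocked attempts are just as telling as its allowed ones.
SAMPLE_LOG = """\
2017-06-01T10:00:00Z ALLOW TCP 10.0.0.5:51000 -> 10.0.1.10:445
2017-06-01T10:00:01Z ALLOW TCP 10.0.0.5:51001 -> 10.0.1.11:445
2017-06-01T10:00:02Z ALLOW TCP 10.0.0.5:51002 -> 10.0.1.12:445
2017-06-01T10:00:03Z ALLOW TCP 10.0.0.5:51003 -> 10.0.1.13:445
2017-06-01T10:00:04Z DENY TCP 10.0.0.5:51004 -> 10.0.1.14:445
2017-06-01T10:00:05Z ALLOW TCP 10.0.0.5:51005 -> 10.0.1.15:445
2017-06-01T10:00:06Z ALLOW TCP 10.0.0.5:51006 -> 10.0.1.16:445
2017-06-01T10:00:07Z ALLOW TCP 10.0.0.7:40000 -> 192.168.2.20:23
2017-06-01T10:00:08Z ALLOW TCP 10.0.0.7:40001 -> 192.168.2.21:23
2017-06-01T10:00:09Z ALLOW TCP 10.0.0.7:40002 -> 192.168.2.21:23
2017-06-01T10:00:10Z ALLOW TCP 10.0.0.8:45000 -> 93.184.216.34:443
2017-06-01T10:00:00Z ALLOW TCP 10.0.0.9:50000 -> 10.0.3.1:445
2017-06-01T10:02:00Z ALLOW TCP 10.0.0.9:50001 -> 10.0.3.2:445
2017-06-01T10:04:00Z ALLOW TCP 10.0.0.9:50002 -> 10.0.3.3:445
2017-06-01T10:06:00Z ALLOW TCP 10.0.0.9:50003 -> 10.0.3.4:445
2017-06-01T10:08:00Z ALLOW TCP 10.0.0.9:50004 -> 10.0.3.5:445
2017-06-01T10:10:00Z ALLOW TCP 10.0.0.9:50005 -> 10.0.3.6:445
2017-06-01T10:01:00Z ALLOW TCP 172.16.0.3:33000 -> 10.0.4.1:23
2017-06-01T10:01:01Z ALLOW TCP 172.16.0.3:33001 -> 10.0.4.2:23
2017-06-01T10:01:02Z ALLOW TCP 172.16.0.3:33002 -> 10.0.4.3:23
2017-06-01T10:01:03Z DENY TCP 172.16.0.3:33003 -> 10.0.4.4:23
2017-06-01T10:01:04Z ALLOW TCP 172.16.0.3:33004 -> 10.0.4.5:23
2017-06-01T10:01:05Z ALLOW TCP 172.16.0.3:33005 -> 10.0.4.6:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the families in this post use to spread; labels are ours.
WORM_PORTS = {
    445: "SMB, MS17-010/WannaCry-style propagation",
    23: "Telnet, Mirai/Qbot-style credential brute force",
}


def parse_line(line):
    """Parse one log line into a dict, or return None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": d["action"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def find_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {(src, dport): alert} for sources that touched at least
    `min_targets` distinct destinations on a worm port within `window`.

    The window is a per-(src, dport) deque of (timestamp, dst); events older
    than the window are dropped before counting distinct destinations, so a
    slow host contacting one peer every few minutes never trips the rule.
    """
    events = [e for e in map(parse_line, lines) if e and e["dport"] in WORM_PORTS]
    events.sort(key=lambda e: e["ts"])  # logs are not always time-ordered
    recent = {}
    alerts = {}
    for e in events:
        key = (e["src"], e["dport"])
        dq = recent.setdefault(key, deque())
        dq.append((e["ts"], e["dst"]))
        while dq and e["ts"] - dq[0][0] > window:
            dq.popleft()
        distinct = len({dst for _, dst in dq})
        if distinct >= min_targets:
            alert = alerts.setdefault(
                key, {"targets": 0, "first_seen": e["ts"], "label": WORM_PORTS[key[1]]}
            )
            alert["targets"] = max(alert["targets"], distinct)  # peak fan-out seen
            alert["last_seen"] = e["ts"]
    return alerts


if __name__ == "__main__":
    for (src, dport), a in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {a['targets']} hosts on tcp/{dport} "
              f"({a['label']}) between {a['first_seen']} and {a['last_seen']}")
```

On the constructed log this flags 10.0.0.5 (seven SMB targets in seven seconds) and 172.16.0.3 (six Telnet targets), while 10.0.0.9, which reaches six SMB hosts but only one every two minutes, stays below the window threshold, and 10.0.0.7's three Telnet connections to two hosts are ignored. The same per-key sliding window works unchanged on other ports worth watching for lateral movement; only WORM_PORTS needs extending.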
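Three of the entries above describe the same delivery channel from different angles: Jaff arrives in spam with a "Scan_<digits>" subject, WildFire Locker in a Word document with embedded macros, and Nemucod in a .zip attachment carrying a JavaScript downloader. The block below is an added example, not ThreatSTOP's or any vendor's code, of a mail-gateway triage step that checks those three traits: the subject pattern, whether an Office attachment is really a macro-enabled package (an OOXML document is a zip, and a VBA project lives at word/vbaProject.bin inside it), and whether a zip attachment contains script files. The messages and attachments are constructed in memory so the example runs offline; the subject regex and the script extension list are assumptions.

```python
"""Triage inbound mail for the malspam traits named in this post.

Constructed example: the three messages are built in memory, the attachments
are minimal zip containers, and no real sample is used.
"""
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Jaff subjects look like "Scan_84686473" (from the post); pattern is ours.
JAFF_SUBJECT = re.compile(r"^Scan_\d+$")
# Script types a Nemucod-style downloader is typically packed as (assumption).
SCRIPT_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe"}


def make_zip(files):
    """Build a zip archive in memory from {name: bytes}; used for both
    .zip attachments and OOXML (.docm/.docx) documents, which are zips too."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return findings for one attachment, looking inside the container
    rather than trusting the file extension."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    lowered = {n.lower() for n in names}
    ext = os.path.splitext(filename.lower())[1]
    # Macro-enabled Office document: VBA project present in the package.
    if "word/vbaproject.bin" in lowered:
        findings.append(f"{filename}: Office document with embedded VBA macro project")
    # Archive that ships scripts (Nemucod-style JavaScript downloader).
    scripts = sorted(n for n in names if os.path.splitext(n.lower())[1] in SCRIPT_EXT)
    if ext == ".zip" and scripts:
        findings.append(f"{filename}: archive contains script files {scripts}")
    return findings


def triage_message(msg):
    """Return a list of human-readable findings for an EmailMessage."""
    findings = []
    subject = msg.get("Subject", "")
    if JAFF_SUBJECT.match(subject):
        findings.append(f"subject {subject!r} matches Jaff-style Scan_<digits> lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, data))
    return findings


def build_samples():
    """Three constructed messages: a Jaff-style lure with a macro document,
    a Nemucod-style zip of JavaScript, and a benign macro-free .docx."""
    macro_doc = make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00constructed-vba-blob",
    })
    clean_doc = make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    })
    script_zip = make_zip({"invoice_2017.js": b"// constructed placeholder, no payload"})

    jaff = EmailMessage()
    jaff["Subject"] = "Scan_84686473"
    jaff.set_content("Please see attached scan.")
    jaff.add_attachment(macro_doc, maintype="application",
                        subtype="vnd.ms-word.document.macroEnabled.12",
                        filename="Scan_84686473.docm")

    nemucod = EmailMessage()
    nemucod["Subject"] = "Your invoice"
    nemucod.set_content("Invoice attached.")
    nemucod.add_attachment(script_zip, maintype="application", subtype="zip",
                           filename="invoice_2017.zip")

    benign = EmailMessage()
    benign["Subject"] = "Meeting notes"
    benign.set_content("Notes from today attached.")
    benign.add_attachment(clean_doc, maintype="application",
                          subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                          filename="notes.docx")
    return {"jaff": jaff, "nemucod": nemucod, "benign": benign}


def run_samples():
    """Triage every constructed message; returns {name: findings}."""
    return {name: triage_message(msg) for name, msg in build_samples().items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["no findings"])
```

The point of inspecting the zip directory rather than the filename is that a renamed .docm or a double-extension lure still carries word/vbaProject.bin, while a genuine .docx never does; the subject check alone is a weak signal and is only reported alongside the attachment evidence.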

Security Blog Roundup: