ThreatSTOP Blog

Bi-Weekly Security Update 8/30/2017

Written by ThreatSTOP Security Team | August 30, 2017

Malicious Content Identified and Inserted:

  • IPs – 638
  • Domains – 526

Target List Content Updated:

  • TS Originated – Core Threats
  • TS Originated – Ransomware
  • TS Originated – Phishing
  • TS Originated – Inbound attacks
  • TS Originated – Banking Threats
  • TS Originated – Exploit Kits
  • TS Originated – Mobile

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • BankBot is malware targeting Android devices that appears in the Google Play store in different forms, often impersonating well-known application icons or names. The predecessor of this malware, BankBotAlpha, was first advertised on December 19, 2016, on a Russian forum as a new initiative to build an Android banker from scratch. The malware obtains device admin privileges from the user and collects information such as the device's IMEI, the names of banking applications present on the device, the OS version, and whether the device is rooted. It communicates with its C&C server through SMS and HTTP. Read more about this malware on our blog, here.
  • Cerber ransomware debuted in late February 2016 and is one of the most prevalent ransomware variants. It is typically distributed via emails containing macro-enabled Word documents, Windows Script Files or Rich Text documents. Cerber uses strong encryption that is presently unbreakable, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDoS capabilities: one recent variant has been spotted quietly sending out huge amounts of network traffic from infected machines. Read more in our blog post, here.
  • TrickBot is the successor of Dyre. This malware is distributed through spam emails and through the loader TrickLoader, which is associated with several other threats, including Pushdo, Cutwail, and Vawtrak. The primary goal of this malware is credential theft.
  • Rig Exploit Kit, discovered in 2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight. These threats can be installed on your PC through an infected removable drive, such as a USB flash drive. Read more in our blog.
  • Magnitude Exploit Kit is an attack toolkit that infects victims through compromised websites and uses a variety of exploits to download malware onto the computer. The U.S. is the country with the most Magnitude EK victims. More on the blog, here.
  • Adwind (also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket, and jRat) is a relatively new cross-platform RAT (remote access trojan), discovered in late 2015 in a targeted attack on a bank in Singapore. The malware is written solely in Java, making it capable of running on Windows, macOS and Linux, and it includes capabilities such as remote desktop control, data gathering, data exfiltration and lateral movement. Adwind is available for purchase, and has been used in massive spam campaigns as well as targeted attacks. More on the blog, here.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader known for spreading the Pony and Vawtrak Trojans, among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • "Magic Ferret" (魔鼬) is a Trojan (with DDoS capabilities) discovered by researchers at Antiy (安天). Infected computers will continuously fetch a list of websites to attack from the criminal's command and control server. Websites targeted by this Trojan receive a flood of SYN requests, with the longest documented attack lasting for more than 2 weeks. A CNCERT advisory disclosed that more than 6.4 million IP addresses were suspected of being enslaved by the Magic Ferret botnet.
  • Joao is modular malware targeting PC gamers, discovered by ESET researchers in August 2017. The malware spreads through infected copies of MMORPGs (massively multiplayer online role-playing games) published by Aeria Games. The only visible difference between the infected and legitimate versions is an additional DLL (mskdbe.dll) packaged with the game's launcher. Once the victim starts playing the infected copy, it reaches out to the malware's command and control server to receive additional functionality, including backdoor and DDoS capabilities. Because the game worked as intended and the malware was relatively quiet, victims were unlikely to notice the infection.
  • A malspam email pretending to be from the Better Business Bureau (BBB), informing the target that their company is in violation of the Fair Labor Standards Act.
  • Quasar is a free and open-source RAT most notably used in targeted attacks on Middle Eastern governments by the Gaza Cybercrime Group/the MoleRats group.
  • Kronos is a downloader malware that has been distributed by several exploit kits, including Sundown and Rig EK. In November 2016, Proofpoint researchers discovered that it downloaded ScanPOS, a Point-Of-Sale (POS) malware, as the secondary payload. Kronos originally targeted online banking credentials for theft, as it had evolved from the infamous Zeus malware.
  • Chthonic is a variant of the Zeus banking trojan, which has been used to target a large number of financial organizations in multiple countries. The trojan has several powerful characteristics, including the ability to collect system information, steal saved passwords, activate a keylogger, gain remote access, and perform web injections to obtain credentials and other sensitive information. There is also a proxy server module and one designed to capture video via the webcam. Chthonic is usually spread via spam emails with malicious attachments.
  • Disdain is an Exploit Kit discovered on August 8th, 2017, as reported by Trend Micro. It is distributed via malvertising campaigns and targets vulnerabilities that were only recently patched, in March 2017. It includes exploits for these Internet Explorer vulnerabilities: CVE-2017-0059 and CVE-2017-0037.
  • EngineBox, a banking malware aimed at stealing credentials for large Brazil-based banks, is also capable of stealing locally stored browser, SSH and FTP credentials.
  • Bunitu is a Trojan that will open ports to remote connections and register itself as an open proxy server. While investigating the Bunitu botnet, researchers at Malwarebytes discovered that users of a VPN service called VIP72 were experiencing traffic rerouted through computers infected with Bunitu.
  • A malspam campaign that targets Brazilian users of the Boleto service. The subject line of the emails is: AVISO DE INCLUSAO DE PROTESTO.
  • GootKit is a banking Trojan that primarily targets European bank accounts. It captures videos on infected machines and exfiltrates them back to a command and control server.
  • ShadowPad is the nickname for a backdoor found in NetSarang's enterprise server management software. Researchers at Kaspersky discovered that the company's latest updates had been infected with malicious code, which needed a "magic packet" to fully activate. The methods used in this supply-chain attack are similar to those used by the Winnti group.
  • A phishing campaign targeted at Russian banks.
  • A phishing email pretending to be from HSBC. An attached PDF displays a fake warning that it cannot be opened in the available version of Acrobat, and asks the user to open it in an "online viewer." If the user continues, they are presented with an "invoice" and a fake Excel popup that asks the victim to log in.
  • Carbon is a second-stage backdoor in the Turla group's arsenal. Also known as Snake, Turla is a cyber espionage group reported by G Data and active in APT campaigns. In 2016, the Swiss GovCERT.ch published a report on Carbon, revealing that Turla had infected targets in over 45 countries. This group has a distinct modus operandi with its regular use of satellite-based Internet links, and usually distributes its malware through direct spear phishing and watering hole attacks. In its most recent campaign, the group was detected using a JavaScript-based backdoor known as KopiLuwak. Though the full infection chain is not completely clear, researchers noted that the JS dropper installs a JS decryptor that decrypts and executes the actual KopiLuwak backdoor in memory only.
  • The CVE-2017-0199 exploit, which targets the Windows Object Linking and Embedding (OLE) interface of Microsoft Office, was discovered by Trend Micro researchers. This exploit was used within PPSX (Microsoft Open XML PowerPoint Show) files that led to the download of the REMCOS RAT, a trojanized version of the free remote access tool REMCOS.
  • Patcher is ransomware presented as an application for pirating popular software on macOS. It is distributed via BitTorrent sites. Because of the way it handles communication with the command and control servers, there is no way for the operators to decrypt a victim's files. Paying the ransom, in this case, will not bring your files back.
  • AZORult is a publicly available information stealer, usually dropped as a payload for other malware. It targets a victim's files and Bitcoin wallet, as well as cookies and passwords for popular programs like Google Chrome, Mozilla Firefox and Microsoft Outlook.
  • Emotet is a banking Trojan first noticed in June 2014 by Trend Micro. The malware hooks specific routines on the victim's computer to sniff network activity and steal information through a Man-in-the-Browser attack. It intercepts communications between the web browser and the bank's servers in order to access the victim's bank account. Read more on the blog, here.
  • The Terror Exploit Kit is advertised and sold on underground forums (by the hacker @666_KingCobra) under various names (e.g. Blaze, Neptune and Eris). According to experts at Malwarebytes Labs, Terror EK was used in a malvertising campaign distributing Smoke Loader through Internet Explorer, Flash and Silverlight exploits. Additionally, Terror EK was involved in a campaign that distributes Andromeda malware through landing pages. Read more on the blog, here.
  • Locky encrypts a victim's data using strong RSA-2048+AES-128 encryption, then demands between 2 and 4 bitcoins for the decryption of that data. This ransomware debuted in early 2016 and is distributed in various ways, including spam emails that contain Word and Excel documents with malicious macros, as well as JS scripts. Locky is also delivered via popular Exploit Kits. Locky has a widespread reach, having been used to attack victims in over 100 countries. Read more on our blog, here.

If you don't have a ThreatSTOP account, sign up for a free trial.

If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our Support team.