<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><strong><em><img src="https://info.threatstop.com/hubfs/ransomware_1%20(1).jpg" alt="ransomware_1 (1).jpg"></em></strong></p> <!--more--> <p><strong><em>Malicious Content Identified and Inserted:</em></strong></p> <ul> <li>IPs – <strong>504</strong></li> <li>Domains – <strong>545</strong></li> </ul> <p><strong><em>Target List Content Updated:</em></strong></p> <ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> <li>TSInbound</li> </ul> <p><em>Indicators of compromise have been updated for the following:</em></p> <p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p> <ul> <li><strong>Aleta</strong> ransomware is attributed to the <a href="https://www.pcrisk.com/removal-guides/11101-btcware-ransomware">BTCware</a> malware family. This ransomware uses two encryption ciphers: AES-256 and RSA-1024, making it more difficult to decipher without sending payment to operators. The encrypted files are in this format: [original filename].[email address].aleta. Distribution is manually executed by compromising Remote desktop protocol (RDP) connections not password protected, or through the fake software, “Rogers Hi-Speed Internet,” used to spread the BTCWare ransomware.</li> <li>Phishing campaign with fake HealthCare invoices.</li> <li>Phishing campaign with fake Google Docs.</li> <li>Phishing targeting Microsoft accounts.</li> <li><strong>Necurs</strong> botnet is known for spreading malware by sending spam e-mails with payloads. These specific campaigns were found by <a href="https://www.flashpoint-intel.com/wp-content/uploads/2017/06/Flashpoint-Jaff-Ransomware-IOCs-June17.pdf">Flashpoint</a>. (May 2017) These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and the <strong>Jaff</strong> ransomware loader. More on the <a href="https://blog.threatstop.com/jaff-ransomware-is-nothing-to-laugh-about">blog</a>.</li> <li><strong>Vortex</strong> is ransomware crypto virus, seemingly targeting Polish speakers with a Polish ransom note. The encrypted files are changed to show extension: *.aes. This may be related to the algorithm used for encryption, AES encryption algorithm with 256-bit cipher.</li> <li>Malvertising campaign <a href="https://malwarebreakdown.com/2017/05/17/seamless-malvertising-campaign-leads-to-rig-ek-at-185-154-53-33-and-drops-ramnit/"><strong>Seamless</strong></a> leads to the <strong>Rig</strong> <strong>EK</strong> and <strong>Ramnit</strong> <strong>Ramnit</strong> malware family that steals your sensitive information, including bank user names and passwords. It can give a malicious hacker access and control of your PC, as well as stop your security software from running.<strong> Rig Exploit Kit,</strong> discovered in 2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight. These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.</li> <li><strong>KS Clean</strong>, a malicious Android app discovered by researchers at <a href="https://www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads">Zscaler</a>, is delivered via malvertising. Once installed on the user's device, it can't easily be removed, as it removes the app's uninstall button and locks the device (for a couple seconds) if the user tries to remove the app's administrative privileges.</li> <li><strong>RoughTed</strong> is a large <a href="https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/">malvertising</a> operation active for a year, with increased activity in March 2017. This malvertising campaign is diverse and able to target users of any operating system or browser. For each platform, there is a distinct payload, including: Exploit Lits like <strong>Magnitude</strong> and <strong>Rig EK</strong>, Rogue Chrome extensions, PUP for Windows, etc.</li> <li>The <strong>Trojan </strong><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/KOVTER-and-CERBER-on-a-One-Two-Punch-using-Fake-Delivery-Notification/">Kovter</a> surfaced in 2014 as a screen locker and scareware sample masquerading as a law enforcement tool. Since then, it has been used in click-fraud and malvertising campaigns, as data-encrypting ransomware, and a malware installation tool.</li> <li><strong>Cerber</strong> ransomware debuted in late February 2016 and is one of the most prevalent ransomware variants. This ransomware is typically distributed via emails containing macro-enabled Word documents, Windows Script Files or Rich Text Documents. <strong>Cerber</strong> uses a strong, presently unbreakable encryption, and has a number of features that, when combined, make it unique in today's ransomware landscape. A new development of the ransomware potentially gives it DDOS capabilities. One recent variant of the ransomware has been spotted quietly sending out huge amounts of network traffic from infected machines. Read more in our blog post, <a href="https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities">here</a>.</li> <li><strong>BankBot</strong> is a malware targeting android OS, appearing in Google Play in different forms, often impersonating well-known application icons or names. The predecessor of this malware, <a href="https://www.clientsidedetection.com/sophisticated_google_play_bankbot_trojan_campaigns.html"><strong>BankBotAlpha</strong></a>, was first advertised back on December 19, 2016, on a Russian forum as a new initiative to build an Android banker from scratch. This malware achieves device admin privileges from the user and collects information like IMEI, Bank applications present on the device, OS version, presence of root, etc. The communicates to the C&amp;C is by SMS and over HTTP protocol.</li> <li><strong>Bahamut</strong> is a cyber espionage group targeting mostly human rights activists and political figures in the Middle East. In a writeup by <a href="https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/">bellingcat</a>, they described the significant effort put into the spear phishing emails sent to these targets. For example, in emails attempting to harvest Google credentials, the target's redacted phone number would appear within the email as a way to feign legitimacy.</li> <li><strong>The </strong><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><strong>Gamaredon</strong> <strong>Group</strong></a><strong>,</strong> discovered by Palo Alto Networks, has been active since 2013. Although previously using off the shelf products, they are now developing their own tools that can download and execute payloads, capture screenshots, scan network drives for specific data and remotely execute commands on victim computer. They primarily use compromised domains, Russian and Ukrainian country code top-level domains (ccTLDs) and Russian hosting providers to distribute their malware.</li> </ul> <p>&nbsp;<strong style="font-size: 12.1612px; background-color: transparent;"><em>Blog Roundup:</em></strong></p> <p>&nbsp;<a href="https://blog.threatstop.com/new-target-comments-spamming-bots" style="font-size: 12.1612px; background-color: transparent;">New Targets: Comments Spamming Bots</a></p> <p>&nbsp;<strong style="font-size: 12.1612px; background-color: transparent;"><em>New/Updated Targets:</em></strong></p> <ul> <li>New Targets for “Comment Spamming Bots – IPs” are now available and should be used to protect your websites/forums/blogs from automated sources of spam.</li> </ul> <p><span>Don't have ThreatSTOP but want to try it out? Check out our no fuss, quick product demo&nbsp;</span><a href="http://www.threatstop.com/request-demo" target="_blank">here</a><span>.&nbsp;</span></p></span>
![Darkside Ransomware Group domains fotoeuropa[.]ro and catsdegree[.]com](https://www.threatstop.com/hs-fs/hubfs/pipeline.jpg?width=600&name=pipeline.jpg)