4.12 Release Notes

Reporting – The Legacy reporting link has been removed from the portal. All Legacy reporting information is available in the Next-Generation reporting UI.

12.14.16 Security Update

Malicious Content Identified & Inserted:

  • IPs – 166
  • Domains – 1288

Target Lists Updated:

Indicators of compromise have been updated for the following:

  • Carbanak/Anunak malware, named after the cyber-criminal group behind it. The malware targets POS (point of sale) machines and the internal systems of banks, and was widely reported in February 2015 after it was found to have been used in a large campaign against banking targets.
  • The Tropic Trooper campaign, which mainly targets Taiwan and the Philippines. The campaign has been linked to the Yahoyah, Poison Ivy RAT and PCShare malware families and is distributed mainly by spear phishing.
  • The RIG Exploit Kit, discovered in mid-2014, which mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight.
  • The Sundown Exploit Kit. The kit consists of a landing page plus a second page on a different domain that serves the payload. It is distributed through malvertising and compromised sites, and uses a relatively large number of domains for the first stages of infection, most of them obtained by domain shadowing (creating subdomains under a compromised but otherwise legitimate domain). Because the parent domain is legitimate, the indicators for this kit are the shadowed hostnames themselves, not the parent domains.
  • The Hworm Remote Access Trojan, attributed to the cyber-criminal persona Houdini. Its capabilities include data theft, keylogging and enabling the webcam and microphone. It communicates with its command and control servers via Dynamic DNS domains, and more than 10 versions of the Trojan are currently known. You can read more in our blog – https://blog.threatstop.com/2016/12/01/houdinis-rat-is-no-disappearing-act/
  • Cerber ransomware. Cerber debuted in late February 2016 and has already become one of the most prevalent ransomware families. It is typically distributed via emails carrying macro-enabled Word documents, Windows Script Files or Rich Text documents. Cerber uses strong encryption for which no practical recovery method is currently known, and combines a number of features that make it unique in today's ransomware landscape. A recent variant has been spotted quietly sending large amounts of network traffic from infected machines, which potentially gives it DDoS capabilities. You can read more in our blog post – https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/
  • Mirai, a Linux malware family that targets IoT devices and uses them mainly for DDoS attacks. It spreads by scanning for exposed devices, logging in with a built-in table of common factory-default usernames and passwords, and infecting any device that accepts them. The botnet was used in the recent large DDoS attacks against computer-security journalist Brian Krebs's website and in the October 2016 attack on Dyn. You can read more in our blog – https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • A new Android Trojan named "PluginPhantom", recently discovered by the Palo Alto Networks research group. It can steal data, act as a keylogger, capture the screen, record audio, take pictures and intercept and send SMS messages.
  • Nemucod, a JavaScript downloader Trojan that targets users through malicious spam campaigns. Nemucod downloads additional malware and executes it without the user's consent. It usually arrives through spam emails carrying a .zip attachment that contains the JavaScript file, and there has recently been a rise in Nemucod distributing ransomware.
  • A new Android malware family that poses as a mobile banking app. Once installed it targets not only banking credentials but also credentials for Google Play, Facebook, Skype and Instagram, by drawing overlays on top of the legitimate applications.
  • Phishing
  • Sinkholes
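The indicators above are of three different shapes, and matching them correctly matters: an attacker-owned domain (RIG, Nemucod download sites) should block every subdomain beneath it, a domain-shadowed Sundown hostname must be matched exactly so the legitimate parent keeps resolving, and Hworm's Dynamic DNS C2 is better caught by the provider suffix than by any single name. The script below is an added example, not ThreatStop code or the format of its feed. It assumes a hypothetical three-line IOC format (`domain`, `host`, `ip`), a constructed DNS query log of the form `timestamp client qname answer`, and a placeholder list of dynamic-DNS suffixes; every name is an RFC 2606 reserved example, not a real indicator.

```python
"""Match DNS query logs against domain, host and IP indicators (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed IOC list in a hypothetical format (not ThreatStop's feed):
#   domain <name>      block the name and every subdomain (attacker-owned)
#   host   <fqdn>      block only that exact FQDN (shadowed subdomain of a
#                      legitimate domain, as with Sundown; parent stays allowed)
#   ip     <addr|cidr> block resolved answers in that address or range
IOC_FEED = """\
domain example.net
host ads7.example.com
ip 192.0.2.77
ip 198.51.100.0/24
"""

# Assumed dynamic-DNS suffixes (placeholders); populate from your own intel.
DDNS_SUFFIXES = ("ddns.example", "dyn.example")


class IocSet:
    def __init__(self) -> None:
        self.domains: set = set()
        self.hosts: set = set()
        self.networks: list = []


def norm(name: str) -> str:
    """Lower-case and drop a trailing dot so 'A.Example.NET.' == 'a.example.net'."""
    return name.rstrip(".").lower()


def load_iocs(text: str) -> IocSet:
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(None, 1)
        if kind == "domain":
            iocs.domains.add(norm(value))
        elif kind == "host":
            iocs.hosts.add(norm(value))
        elif kind == "ip":
            # strict=False lets a bare address become a /32 (or /128) network.
            iocs.networks.append(ipaddress.ip_network(value, strict=False))
        else:
            raise ValueError(f"unknown IOC type {kind!r}")
    return iocs


def match_name(qname: str, iocs: IocSet) -> Optional[str]:
    """Return a reason if the queried name hits an indicator, else None."""
    qname = norm(qname)
    if qname in iocs.hosts:
        return f"host IOC {qname} (shadowed subdomain; parent domain not blocked)"
    # Walk up the labels so sub.evil.example also matches 'domain evil.example'.
    labels = qname.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in iocs.domains:
            return f"domain IOC {parent}"
    for suffix in DDNS_SUFFIXES:
        if qname == suffix or qname.endswith("." + suffix):
            return f"dynamic DNS suffix {suffix}"
    return None


def match_ip(addr: str, iocs: IocSet) -> Optional[str]:
    """Return a reason if the resolved answer falls in an IP indicator."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. a CNAME or NXDOMAIN marker in the answer column
        return None
    for net in iocs.networks:
        if ip in net:
            return f"ip IOC {net}"
    return None


def scan_log(lines: List[str], iocs: IocSet) -> List[Tuple[str, str, str]]:
    """Each constructed log line: '<timestamp> <client> <qname> <answer>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        _ts, client, qname, answer = parts
        reason = match_name(qname, iocs) or match_ip(answer, iocs)
        if reason:
            hits.append((client, qname, reason))
    return hits


# Constructed sample log; the first line is the legitimate parent of a shadowed
# host and must NOT produce a hit.
SAMPLE_LOG = [
    "2016-12-14T10:00:01Z 10.0.0.5 www.example.com 203.0.113.10",
    "2016-12-14T10:00:02Z 10.0.0.5 ads7.example.com 203.0.113.11",
    "2016-12-14T10:00:03Z 10.0.0.9 update.example.net 203.0.113.12",
    "2016-12-14T10:00:04Z 10.0.0.9 cdn.example.org 192.0.2.77",
    "2016-12-14T10:00:05Z 10.0.0.3 box1.ddns.example 203.0.113.13",
    "2016-12-14T10:00:06Z 10.0.0.3 mail.example.org 198.51.100.7",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(IOC_FEED)):
        print(hit)
```

Run as-is it reports five hits and leaves `www.example.com` alone, which is the property to check whenever a feed mixes shadowed hostnames with whole-domain entries: a matcher that treats every entry as a suffix would block the compromised-but-legitimate parent domain along with the attacker's subdomain.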