<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><em><img src="http://info.threatstop.com/hubfs/Cybersecurity-820x400.png" alt="Cybersecurity-820x400.png" width="454" height="221"></em></p> <p>&nbsp;</p> <p><em>Malicious Content Identified and Inserted:</em></p> <ul> <li>IPs – 3680</li> <li>Domains – 603</li> </ul> <p><em>Target List Content Updated:</em></p> <ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking<!--more--></li> </ul> <p><em>Indicators of compromise have been updated for the following:</em></p> <p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p> <ul>
<li><strong>Nebula Exploit Kit</strong> is a new variant of the known <strong>Sundown</strong> exploit kit. Mentioned in <a href="http://www.malware-traffic-analysis.net/2017/03/02/index.html">this</a> report by cyber researcher Kafeine, the key difference between the two is Nebula’s own internal TDS (traffic distribution system: the gate that redirects visitors to different content depending on their profile). Nebula was recently reported to be distributing <strong>DiamondFox</strong>, an information-stealing malware (credentials and financial data in particular) that is also known for attacks on point-of-sale systems.</li>
<li><strong>Shamoon</strong> is a wiper malware that renders computers unbootable by overwriting the master boot record (MBR) and destroying the data on disk <a href="https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/">permanently</a>. There have been two main <a href="https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon">waves</a> of attacks: one in 2012 and a second in 2016-2017. These attacks targeted thousands of computers in government and civil organizations in Saudi Arabia and other Gulf states.</li>
<li>More than 20 apps infected with <strong>HummingBad</strong> were discovered by <a href="http://blog.checkpoint.com/2017/01/23/hummingbad-returns/">Check Point</a>. The apps have been removed from the Google Play store, but may still be active on already-infected devices.</li>
<li><strong>Smishing</strong>, or SMS phishing, is an attack vector in which the attacker sends SMS messages purporting to come from a legitimate organization. The domain added here is related to an attack in the <a href="http://blog.checkpoint.com/2017/02/09/smishing-threat-unraveling-details-attack/">Czech Republic</a>.</li>
<li><strong>Nemucod</strong> is a JavaScript downloader Trojan that targets users through malspam campaigns, downloading and executing additional malware without the user’s consent. <strong>Nemucod</strong> usually arrives through malicious spam emails carrying .zip attachments. Recently there has been a rise in <strong>Nemucod</strong> campaigns distributing ransomware.</li>
<li>Since the summer of 2016, the Chinese <strong>APT</strong> group tracked as <strong>TA459</strong> has been using a new downloader, <strong>ZeroT</strong>, to install the <strong>PlugX remote access Trojan</strong> (RAT). Distributed mainly through spear-phishing emails, the downloader <a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx">targets</a> entities in Russia, Belarus and other countries in Asia.</li>
<li><strong>Mirai</strong> is Linux malware that targets IoT devices and is used mainly for DDoS attacks. It spreads by scanning for devices that still accept one of a built-in table of common factory-default usernames and passwords (typically over Telnet), logging in with those credentials and infecting the device. The resulting botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs’ web site, as well as in the October 2016 attack on Dyn. You can read more in our blog - <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/">https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/</a></li>
<li><strong>StoneDrill</strong> is a <a href="https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf">wiper malware</a> found by Kaspersky Lab researchers that appears to target organizations in Saudi Arabia. <strong>StoneDrill</strong> was discovered <a href="https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/">during research</a> into the <strong>Shamoon</strong> wiper; the differences between the two include techniques that let StoneDrill evade detection more effectively.</li>
<li><strong>Lurk</strong> is a <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-year-campaign/">cybercrime group</a> and one of the first to run campaigns with fileless exploit payloads: if a target machine was not interesting enough to the Lurk operators, no traces were left on it apart from the files produced by the exploit process itself.</li>
<li>Recently, <a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-google-play-apps-infected-malicious-iframes/">Palo Alto Networks</a> researchers discovered 132 Android apps on Google Play whose local HTML pages contained tiny, hidden IFrames linking to malicious domains; the most popular of these apps alone had more than 10,000 installs. The known infected apps have been removed from Google Play, but new ones may appear.</li>
<li><strong>Neutrino Exploit Kit</strong> is a <a href="https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/">prevalent EK</a> that exploits numerous vulnerabilities on a victim’s computer to download malware, including ransomware. <strong>Neutrino</strong> is sold on underground markets and usually infects victims via compromised websites. You can read more about Neutrino in our paper from August 2016 - <a href="https://blog.threatstop.com/2016/08/30/security-report-neutrino-ek/">https://blog.threatstop.com/2016/08/30/security-report-neutrino-ek/</a></li>
<li><strong>Hancitor</strong>, also known as <strong>Tordal</strong> and <strong>Chanitor</strong>, is a malware downloader <a href="http://blog.0day.jp/2017/01/ocjp-133-hancitorwordpress.html">known for</a> spreading the <strong>Pony</strong> and <strong>Vawtrak</strong> Trojans, among others. <strong>Hancitor</strong> recently re-appeared in malware campaigns after going quiet in 2015.</li>
<li><strong>Fareit</strong>, aka <strong>Pony</strong>, is a data-stealing Trojan that collects sensitive user information, including usernames and passwords saved in certain browsers, stored email credentials, bitcoin wallet details and more.</li>
<li><strong>Vawtrak</strong> is a banking Trojan that has been active since 2013 and already made headlines this year for attacks on Japanese banks. The Trojan is spread using exploit kits or via spam emails with malicious macros. Recently, <strong>Vawtrak</strong> was spotted in a campaign using lawsuit- and subpoena-themed spam emails to infect victims. Once installed, the Trojan waits until the victim visits a major financial website (such as Capital One or Citibank) in the U.S. or the U.K., then captures the user’s credentials for that site. The latest version of <strong>Vawtrak</strong> includes antivirus-evasion features, and its range of targets has grown over time, making it one of the more advanced banking Trojans today.</li>
<li><strong>Snake Wine</strong> is a Chinese <strong>APT</strong> group <a href="https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html">targeting</a> Japanese government, education and commerce organizations. The campaign was delivered through spear phishing, followed by deployment of the <strong>Ham</strong> and <strong>Tofu</strong> backdoors. Its main goal is information theft.</li>
<li><strong>Cerber</strong> <a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-blank-slate-campaign-takes-advantage-hosting-providers-spread-ransomware/">ransomware</a> debuted in late February 2016 and is one of the most prevalent ransomware families. It is typically distributed via emails carrying macro-enabled Word documents, Windows Script Files or Rich Text documents. <strong>Cerber</strong> uses strong encryption that cannot presently be broken, and has a combination of features that make it unique in today's ransomware landscape. A recent development potentially gives it DDoS capabilities: one variant has been spotted quietly sending large amounts of network traffic from infected machines. You can read more about it in our blog post - <a href="https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/">https://blog.threatstop.com/2016/06/17/cerber-ransomware-gets-stronger-adds-ddos-capabilities/</a></li>
<li><strong>Locky</strong>, among the most prevalent ransomware families in the world, encrypts a victim’s data with RSA-2048 and AES-128, then demands between 2 and 4 bitcoins for decryption. This ransomware debuted in early 2016 and is currently distributed in various ways, including spam emails containing Word and Excel documents with malicious macros, as well as JavaScript files. <strong>Locky</strong> is also delivered via popular exploit kits such as Nuclear and Neutrino. <strong>Locky</strong> has a widespread reach, having been used against victims in over 100 countries. Read more here - <a href="https://blog.threatstop.com/locky-back-in-action">https://blog.threatstop.com/locky-back-in-action</a> and here - <a href="https://blog.threatstop.com/2016/02/24/locky-not-to-be-confused-with-lucky/">https://blog.threatstop.com/2016/02/24/locky-not-to-be-confused-with-lucky/</a></li>
</ul> <p><em>Security Blog Roundup:</em></p> <ul> <li><a href="https://blog.threatstop.com/eitest-the-long-living-campaign">EITEST</a> – the long-living campaign</li> <li>3 new <a href="https://blog.threatstop.com/new-drive-by-target">targets</a> protecting against drive-by attacks</li> </ul> <p><em>New/Updated Targets:</em></p> <ul> <li>New in Standard mode: <ul> <li>Driveby Domains</li> </ul> </li> <li>New in Expert mode: <ul> <li>Driveby Domains (Paranoid)</li> <li>Driveby Domains (Super Paranoid)</li> </ul> </li> </ul></span>
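The Mirai entry above describes how the bot spreads: it walks a table of factory-default username/password pairs against each device it finds. The detector below is an added example written for this page, not ThreatSTOP's code or anything from the Mirai source; it turns that behaviour into a log check. The log format (`src=… user=… pass=… result=…`) and the sample lines are constructed for the example, and the credential table is a short illustrative subset of the pairs the leaked Mirai scanner tries; adapt `LOG_RE` to whatever your Telnet honeypot or device actually emits. A source is flagged either when it tries several distinct default pairs in a short window (scanner behaviour) or when any default pair succeeds (that device should be treated as compromised even if the scan itself was short).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of the factory-default pairs the leaked Mirai scanner tries
# (the real table is longer; extend it from your own IoT inventory).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"), ("admin", "smcadmin"),
}

# Hypothetical one-line-per-attempt Telnet auth log format, constructed for this
# example. Real honeypots/devices differ; only LOG_RE needs to change.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S*) pass=(?P<pw>\S*) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample log: one scanner, one legitimate user, two stray attempts.
SAMPLE_LOG = """\
2017-03-10T02:14:31Z src=198.51.100.7 user=root pass=xc3511 result=fail
2017-03-10T02:14:32Z src=198.51.100.7 user=root pass=vizxv result=fail
2017-03-10T02:14:33Z src=198.51.100.7 user=admin pass=admin result=fail
2017-03-10T02:14:34Z src=198.51.100.7 user=root pass=888888 result=ok
2017-03-10T02:15:01Z src=203.0.113.9 user=alice pass=correct-horse result=fail
2017-03-10T02:15:05Z src=203.0.113.9 user=alice pass=battery-staple result=ok
2017-03-10T03:40:00Z src=192.0.2.44 user=root pass=admin result=fail
2017-03-10T04:00:00Z src=192.0.2.50 user=admin pass=password result=ok
"""


def parse_events(lines):
    """Yield parsed login attempts; lines that don't match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_default_cred_scans(lines, min_pairs=3, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for each source that either tried at least
    `min_pairs` distinct factory-default pairs within `window` (scanner
    behaviour) or succeeded with one of them (the device is now compromised)."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        if (ev["user"], ev["pw"]) in DEFAULT_CREDS:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        logged_in = any(e["result"] == "ok" for e in evs)
        # Largest number of distinct default pairs seen in any `window`-long span.
        best = 0
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            best = max(best, len({(e["user"], e["pw"]) for e in in_window}))
        if best >= min_pairs or logged_in:
            alerts[src] = {
                "distinct_default_pairs": best,
                "default_cred_login": logged_in,
                "verdict": ("Mirai-style default-credential scan" if best >= min_pairs
                            else "login with a factory-default credential"),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_default_cred_scans(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

On the sample above, `198.51.100.7` is reported as a scan (four distinct default pairs in three seconds, one of which succeeded) and `192.0.2.50` as a single default-credential login; the lone `root/admin` failure from `192.0.2.44` stays below the threshold and the legitimate user is never considered because her credentials are not in the table.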
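The Palo Alto Networks item above concerns Android apps whose bundled HTML pages carried tiny or hidden IFrames pointing at malicious domains. The scanner below is an added example for this page, not Unit 42's tooling or any app's code: it parses HTML with the standard library, records every `<iframe>`, and reports the ones that are sized to 0/1 pixel, hidden via CSS or the `hidden` attribute, and point at a host outside an allowlist. The `assets/` paths, the `trusted_hosts` allowlist and the sample pages are constructed for the example; in practice you would feed it the HTML files unpacked from an APK.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def px(value):
    """Turn an HTML width/height attribute ('0', '1px', '100%') into an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Record every <iframe> start tag with the attributes we care about."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        w, h = px(a.get("width")), px(a.get("height"))
        src = a.get("src") or ""
        self.iframes.append({
            "src": src,
            "host": urlparse(src).hostname,  # None for about:blank, relative paths, etc.
            "tiny": (w is not None and w <= 1) or (h is not None and h <= 1),
            "hidden": "hidden" in a or bool(HIDDEN_STYLE_RE.search(a.get("style") or "")),
        })


def find_hidden_iframes(html, trusted_hosts=()):
    """Return the iframes in `html` that are sized away or hidden and point at a
    host outside `trusted_hosts` (the pattern described in the Unit 42 report)."""
    p = IframeCollector()
    p.feed(html)
    return [f for f in p.iframes
            if (f["tiny"] or f["hidden"]) and f["host"] and f["host"] not in trusted_hosts]


def scan_assets(assets, trusted_hosts=()):
    """Scan a {path: html} mapping (e.g. the HTML files unpacked from an APK's
    assets/ directory) and return {path: [suspicious hosts]} for files with hits."""
    report = {}
    for path, html in assets.items():
        hits = find_hidden_iframes(html, trusted_hosts)
        if hits:
            report[path] = [f["host"] for f in hits]
    return report


# Constructed sample pages (not taken from any real app); the .example/.test
# hosts are reserved names used only for illustration.
SAMPLE_ASSETS = {
    "assets/menu.html": """<html><body>
<h1>Level select</h1>
<iframe src="https://ads.example-app.test/banner" width="320" height="50"></iframe>
<iframe src="http://bad-domain.example/x.html" width="1" height="1" style="border:0"></iframe>
<iframe src="http://bad-domain2.example/" style="display:none"></iframe>
<iframe src="about:blank" width="0" height="0"></iframe>
</body></html>""",
    "assets/help.html": "<html><body><p>No frames here.</p></body></html>",
}

if __name__ == "__main__":
    print(scan_assets(SAMPLE_ASSETS, trusted_hosts=("ads.example-app.test",)))
```

The visible 320x50 ad frame and the `about:blank` placeholder are not reported; the two injected frames are, one for its 1x1 size and one for `display:none`. Hosts that come back can then be checked against the Driveby Domains targets listed below.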