ThreatSTOP Blog

Bi-Weekly Security Update 5/25/17

Written by Lauren Wilson | May 25, 2017


Malicious Content Identified and Inserted:

  • IPs – 2024
  • Domains – 1723

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking
  • TSInbound – NEW!

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • IOCs that were involved in suspicious scanning activities on domains and hosts.
  • IOCs that were involved in Malspam.
  • IOCs that were involved in phishing.
  • IOCs related to the DocuSign breach, in which phishing e-mails sent to DocuSign customers' corporate e-mail addresses were used to spread malware.
  • WannaCry is ransomware that spread rapidly after its detection in May 2017, infecting over 100K victims in over 99 countries. It propagates by exploiting the MS17-010 vulnerability in Microsoft's SMBv1 server using the leaked EternalBlue exploit. Large financial and governmental entities were among those infected. For more information, visit our blog here.
  • Adylkuzz is a cryptocurrency miner installed using EternalBlue and DoublePulsar, both tools from the leaked NSA toolset. EternalBlue exploits a vulnerability in Microsoft's SMB server (MS17-010). Once installed, Adylkuzz shuts down SMB networking on the host to keep other malware from infecting it. Symptoms include loss of access to shared Windows resources and degraded PC and server performance. This campaign is estimated to be larger in scope than the WannaCry worm distribution.
  • ZeroT is a downloader used to install the PlugX Remote Access Trojan (RAT), distributed primarily through spear-phishing e-mails. It targets entities in Russia, Belarus and Asia. ZeroT first appeared in the summer of 2016 in campaigns by TA459, a Chinese APT group.
  • Mirai, a Linux malware targeting IoT systems, is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog, here.
  • A vendor known as Rainmaker is offering a ransomware named "Philadelphia," an updated version of Stampado; Rainmaker also offers other tools, including RATs.
  • Machete is a malware targeting intelligence services, military, embassies and government institutions in South America and Russia. It was first detected by Kaspersky in August 2014. It was found to log keystrokes, capture audio from a computer’s microphone, capture screenshots, capture geolocation data and take photos from a computer’s web camera.
  • BankBot is malware targeting Android, appearing in Google Play in various forms and often impersonating the icons or names of well-known applications. Its predecessor, BankBotAlpha, was first advertised on December 19, 2016, on a Russian forum as a new initiative to build an Android banker from scratch. BankBot asks the user to grant it device administrator privileges, then collects information such as the IMEI, the banking applications present on the device, the OS version and whether the device is rooted. It communicates with its C&C over SMS and HTTP.
  • Artemis is browser-hijacking malware. Common signs of infection include a changed browser homepage, search-engine queries redirected to advertisement pages, and new browser windows opening with pop-up ads.
  • Jaff ransomware was found being distributed via malspam from the Necurs botnet; the spam e-mails carry subjects such as "Scan_84686473." As of May 2017, files encrypted by Jaff could not be decrypted.
  • Operation Cloud Hopper, uncovered by researchers at BAE Systems and PwC, was a cyber-espionage campaign by APT10 (also known as Red Apollo and menuPass) that targeted IT managed service providers (MSPs) in order to reach and steal their clients' corporate data. A US-CERT Alert on the subject is available here, with additional information on our blog here.
  • DarkTrack backdoor was distributed via spear phishing to CERTs in the military domain, as found by NioGuard in May 2017.
  • Astrum is an exploit kit used in the AdGholas malvertising campaign, delivering several types of malware, including Dreambot/Gozi and Ramnit.
  • Magnitude Exploit Kit is an attack toolkit that infects victims through compromised websites, using a variety of exploits to download malware onto the computer. The U.S. is the country with the largest number of Magnitude EK victims.
  • Cerber ransomware debuted in late February 2016 and is one of the most prevalent ransomware variants. It is typically distributed via e-mails containing macro-enabled Word documents, Windows Script Files or Rich Text documents. Cerber uses strong, presently unbreakable encryption and has a number of features that, when combined, make it unique in today's ransomware landscape. A recent variant has been spotted quietly sending out huge amounts of network traffic from infected machines, potentially giving it DDoS capabilities. You can read more about it in our blog post here.
  • DiamondFox is information-stealing malware that targets credentials and financial information, and is also known for attacks on point-of-sale systems for the same purpose.
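Two of the entries above describe propagation mechanisms that are easy to watch for in your own telemetry: WannaCry and Adylkuzz fan out over SMB (TCP/445) to exploit MS17-010, and Mirai logs into devices with a table of factory-default credentials. The script below is an added example written for this post, not ThreatSTOP code or any vendor's signature; the record layouts, the thresholds, the sample telemetry and the small default-credential subset are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. SMB worm fan-out (WannaCry / Adylkuzz) -------------------------------
# A worm exploiting MS17-010 must open TCP/445 to many hosts in a short time;
# an ordinary client talks to a handful of file servers. Flag any source with
# >= FANOUT_THRESHOLD distinct 445/tcp destinations inside one sliding WINDOW.
# Both values are illustrative assumptions, not tuned production thresholds.
FANOUT_THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def smb_fanout_sources(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns {src_ip: distinct_445_destinations_in_busiest_window} for
    sources that cross the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


# --- 2. Default-credential logins (Mirai) ----------------------------------
# Mirai's scanner logs into devices with a table of factory-default pairs.
# This subset is an assumed illustration of that table, not the full list.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("admin", "1234"), ("root", "12345"),
    ("support", "support"), ("user", "user"),
}


def default_credential_logins(auth_events, table=DEFAULT_CREDS):
    """auth_events: iterable of (timestamp, src_ip, dst_ip, service, user,
    password, success) as a telnet/ssh honeypot would record them.
    Returns {src_ip: {"attempts": n, "successes": [(dst_ip, user), ...]}}
    for sources that tried a known default pair."""
    out = {}
    for _ts, src, dst, service, user, password, ok in auth_events:
        if service not in ("telnet", "ssh") or (user, password) not in table:
            continue
        rec = out.setdefault(src, {"attempts": 0, "successes": []})
        rec["attempts"] += 1
        if ok:
            rec["successes"].append((dst, user))
    return out


# --- Constructed sample telemetry (not real captures) ----------------------
def _t(seconds):
    return datetime(2017, 5, 12, 10, 0, 0) + timedelta(seconds=seconds)


# One infected host sweeping 10.0.0.20-59 on 445; one client using file servers.
SAMPLE_FLOWS = (
    [(_t(i), "10.0.0.5", f"10.0.0.{20 + i}", 445) for i in range(40)]
    + [(_t(30 * i), "10.0.0.8", "10.0.0.2", 445) for i in range(10)]
    + [(_t(5), "10.0.0.8", "10.0.0.3", 445), (_t(7), "10.0.0.8", "10.0.0.2", 80)]
)

# One Mirai-style scanner working through default pairs; one legitimate admin.
SAMPLE_AUTH = [
    (_t(1), "198.51.100.7", "192.0.2.10", "telnet", "root", "xc3511", False),
    (_t(2), "198.51.100.7", "192.0.2.10", "telnet", "root", "vizxv", True),
    (_t(3), "198.51.100.7", "192.0.2.11", "telnet", "admin", "admin", True),
    (_t(4), "192.0.2.200", "192.0.2.10", "ssh", "ops", "S3cretPassw0rd", True),
]

if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout_sources(SAMPLE_FLOWS))
    print("Default-credential logins:", default_credential_logins(SAMPLE_AUTH))
```

On the constructed data the fan-out rule flags only 10.0.0.5 (40 distinct SMB targets in under a minute) and leaves the file-server client alone, and the credential rule flags only the scanner, with two successful default-credential logins that should be treated as compromised devices. In practice, feed the first function from NetFlow or firewall logs and the second from honeypot or device authentication logs, and tune the threshold to your environment's normal SMB behaviour.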

Security Blog Roundup:

New/Updated Targets:

  • New:
    • BlackHole: BlackHole is a popular, customizable exploit kit designed to exploit a range of client-side vulnerabilities via the Web. Its authors license the kit (or rent out an already compromised site) to cyber criminals, who in turn compromise web pages and embed an invisible iframe. When potential victims visit a compromised web page, they are redirected to the hosted exploit; if the victim's browser or plugins have one of the targeted vulnerabilities, the device is infected. (Expert)
  • Updated:
    • Anonymous Networks: More resources for anonymous networks were added to the targets, and it was duplicated to appear in both Standard and Expert modes in policy creation.
    • Tor Exit Nodes: Updated with more sources.
    • Driveby, Driveby (paranoid), Driveby (super paranoid): Now updated with the BlackHole data.