Malicious content identified and inserted:

  • IPs – 3967
  • Domains – 391

Target list content updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updated for the following:

  • Luabot is a Trojan horse for Linux computers that may perform malicious activities, including recruiting them into DDoS botnets.
  • Bashlite, also called Remaiten, Gafgyt, Qbot or Torlus, is a Linux malware targeting IoT systems that spreads by brute forcing Telnet logins (port 23). In one of the earliest reports, by Level 3 researchers, once the attackers gain access to a device they issue shell commands to download other malicious binaries onto the infected system. This bot has been found to be used for DDoS activity.
  • Magic Hound, as dubbed by researchers at Palo Alto Networks, is a targeted espionage campaign against government, energy, and technology industries with ties to Saudi Arabia. The campaign utilized phishing emails with malicious Word documents that would run scripts to download additional malware onto the victim's computers.
  • Marcher, which targets Android devices, has been seen posing as the popular game Super Mario Run. Because the game is currently iOS exclusive, attackers are able to lure eager gamers into installing malware onto their device. The malware still presents victims with fake overlays on the Google Play Store which ask for credit card information.
  • MacDownloader, a MacOS malware agent, was observed in the wild targeting the defense industrial base, and reported elsewhere to have been used against human rights advocates. It is attributed to the Iran-based group Charming Kitten. MacDownloader poses as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool in order to extract system information and copies of OS X keychain databases.
  • Mirai, a Linux malware targeting IoT systems, which is mainly used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, then logging into them in order to infect them. This botnet has been used in the recent large DDoS attacks against computer security journalist Brian Krebs' web site, and in the October 2016 Dyn cyber-attack. You can read more in our blog - https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/
  • Fareit, aka Pony, is a data-stealing Trojan capable of collecting sensitive user information such as usernames and passwords saved in certain browsers, stored email credentials, bitcoin-related details, and more. You can read more about it in our blog post - https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit/
  • EITest was first found in 2014 by Malwarebytes as a campaign distributing malware, mainly by Exploit Kits such as Angler and RIG. In recent years this campaign has been used to distribute malware such as Cerber, CryptoMix, Gootkit or the Chthonic banking Trojan.
  • DustySky is a campaign attributed to the Gaza Cybergang group, a group that targets government interests in the region. Recently, Palo Alto Networks observed DustySky activity installing the Downeks downloader, which in turn infects the victim's computer with the Quasar RAT, an open-source tool.
  • IRCTelnet is a Linux malware that targets IoT devices. Its code is taken from several malware families, but it is mainly the successor of Aidra. Its attack vector is locating IoT devices via Telnet scanning and brute forcing them with the known weak credentials of those devices. Post infection, the botnet can launch DDoS attacks using UDP floods and TCP floods, along with other techniques, over both IPv4 and IPv6.
  • Indicators related to a suspicious spam text message.
  • IOCs involved in suspicious scanning activities on domains and hosts.
  • The Rig Exploit Kit, which was discovered in mid-2014 and mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight.
  • Fancy Bear, also known as Sofacy and APT28, is an APT group that is known for spear-phishing attacks against government and military organizations. They have been sending Trojans through weaponized documents to conduct cyber espionage, with their latest target being the United States government.
  • Hancitor, also known as Tordal and Chanitor, is a malware downloader that is known for spreading the Pony and Vawtrak Trojans among others. Hancitor has recently re-appeared in malware campaigns after disappearing in 2015.
  • Since the summer of 2016, a Chinese APT group associated with the cyber actor TA459 has been using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT). It is distributed mainly in spear-phishing emails targeting entities in Russia, Belarus and other countries in Asia.
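As an added example (not part of this update and not ThreatSTOP's own tooling): the Telnet credential brute forcing shared by Bashlite, Mirai and IRCTelnet above leaves a recognisable trace in a device's or Telnet honeypot's authentication log. The script below parses a constructed log format (the field names, the sample addresses, the alternate port 2323 and the factory-default username set are all assumptions made for this example), flags sources that exceed a failure threshold inside a sliding time window, records whether factory-default usernames were tried, and raises the severity when a login succeeds after such a burst.

```python
"""
Added example, not part of the ThreatSTOP update: flag Mirai/Bashlite/IRCTelnet-style
Telnet scanning and credential brute forcing in Telnet authentication logs.
The log format, sample lines, addresses and username set are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed telnetd format; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2017-02-10T08:00:00 telnetd: login failed user=root src=203.0.113.7 dport=23
2017-02-10T08:00:01 telnetd: login failed user=admin src=203.0.113.7 dport=23
2017-02-10T08:00:02 telnetd: login failed user=support src=203.0.113.7 dport=23
2017-02-10T08:00:03 telnetd: login failed user=root src=203.0.113.7 dport=23
2017-02-10T08:00:04 telnetd: login failed user=guest src=203.0.113.7 dport=23
2017-02-10T08:00:05 telnetd: login failed user=service src=203.0.113.7 dport=2323
2017-02-10T08:00:06 telnetd: login ok user=root src=203.0.113.7 dport=23
2017-02-10T08:01:10 telnetd: login failed user=alice src=198.51.100.9 dport=23
2017-02-10T08:01:20 telnetd: login ok user=alice src=198.51.100.9 dport=23
2017-02-10T08:05:00 telnetd: login failed user=root src=192.0.2.50 dport=23
2017-02-10T08:07:00 telnetd: login failed user=root src=192.0.2.50 dport=23
2017-02-10T08:09:00 telnetd: login failed user=root src=192.0.2.50 dport=23
2017-02-10T08:11:00 telnetd: login failed user=root src=192.0.2.50 dport=23
2017-02-10T08:13:00 telnetd: login failed user=root src=192.0.2.50 dport=23
some unrelated log line that the parser must ignore
"""

# Assumed log line shape: "<iso timestamp> telnetd: login <failed|ok> user=<u> src=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)$"
)

# Assumed set of factory-default usernames worth highlighting when they show up in a burst.
DEFAULT_USERNAMES = {"root", "admin", "support", "user", "guest", "service", "supervisor", "tech"}


def parse_line(line):
    """Return a dict for a recognised Telnet login event, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def analyze(log_text, window=timedelta(seconds=60), threshold=5, telnet_ports=(23, 2323)):
    """Group login events by source and flag brute-force bursts against Telnet ports."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e and e["dport"] in telnet_ports]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]

        # Sliding window: largest number of failures from this source inside `window`.
        max_burst, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        if max_burst < threshold:
            continue  # a few typos from a legitimate user, or a scanner slower than the window

        users = {e["user"] for e in failures}
        # A successful login from the same source after the burst began suggests the
        # device has been compromised, not merely probed.
        succeeded = any(e["result"] == "ok" and e["ts"] >= failures[0]["ts"] for e in evs)
        findings[src] = {
            "failed_logins": len(failures),
            "max_failures_in_window": max_burst,
            "distinct_usernames": len(users),
            "default_usernames_tried": sorted(users & DEFAULT_USERNAMES),
            "login_succeeded_after_burst": succeeded,
            "severity": "critical" if succeeded else "high",
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

In the constructed sample only 203.0.113.7 is flagged (six failures across five default usernames in six seconds, then a successful root login, hence critical); 198.51.100.9 is a single mistyped password, and 192.0.2.50 fails every two minutes, which stays below the 60-second window. That last case is the caveat: a patient scanner evades a short window, so tune `window` and `threshold` to your device population, and feed the flagged sources to a blocklist or your SIEM rather than relying on the window alone.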