The industry saw a lot of phishing and smishing in February 2020, most of it themed around the coronavirus epidemic. Read some of the most interesting and useful infosec articles from early February.
For more articles, check out our #onpatrol4malware blog.
Fake Interview: The New Activity of Charming Kitten
Source: Certfa
Certfa Lab has identified a new series of phishing attacks from Charming Kitten, the Iranian hacking group that has a close relationship with Iran’s state and intelligence services. Read more.
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications
Source: Cofense
The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device. Read more.
Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
Source: Risk IQ
A recent blog post highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020. Read more.
Living off another land: Ransomware borrows vulnerable driver to remove security software
Source: Sophos
Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers. Read more.
RATs in the Library
Source: Reversing Labs
It was reported that a Base64-encoded malicious file was being hosted on archive.org. The sample was identified as njRAT. Parking an encoded payload on a trusted public site, to be fetched and decoded by a small downloader, is a known adversary technique. Read more.
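The technique above is worth a concrete detection. The following Python is an added example, not code from the Reversing Labs write-up: it scans a page of text for long Base64 runs, decodes each one, and keeps those that decode to a Windows PE (MZ magic at offset 0 or the DOS-stub string). The sample page and the stand-in "PE" it embeds are constructed here for the demonstration; the 64-character minimum run length and the structural check are the tuning knobs a real scanner would adjust.

```python
import base64
import hashlib
import re

# Constructed sample (not the njRAT sample from the article): a stand-in "PE" that
# carries the MZ magic and the DOS stub string, Base64-encoded and embedded in an
# otherwise innocuous text page the way a payload parked on a public site would be.
FAKE_PE = b"MZ" + b"\x90\x00" * 30 + b"This program cannot be run in DOS mode." + b"\x00" * 16
SAMPLE_PAGE = (
    "Welcome to my archive item.\n"
    "blob=" + base64.b64encode(FAKE_PE).decode() + "\n"
    "Thanks for visiting."
)

# A run of Base64 alphabet characters with optional '=' padding. The minimum
# length is a tuning knob: short runs are mostly tokens and hashes, not payloads.
MIN_RUN = 64
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: MZ magic at offset 0 or the DOS stub text anywhere."""
    return blob.startswith(PE_MAGIC) or DOS_STUB in blob


def find_encoded_executables(text: str) -> list:
    """Return (offset, sha256, decoded_bytes) for each Base64 run that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        # Pad to a multiple of 4 so a payload whose '=' got stripped still decodes.
        padded = run + "=" * (-len(run) % 4)
        try:
            blob = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or alphabet
            continue
        if looks_like_pe(blob):
            hits.append((m.start(), hashlib.sha256(blob).hexdigest(), blob))
    return hits


if __name__ == "__main__":
    for offset, digest, blob in find_encoded_executables(SAMPLE_PAGE):
        print(f"offset={offset} sha256={digest} size={len(blob)}")
```

The same loop works on a proxy log, a pastebin dump or an HTTP response body; the hash is what you pivot on when checking the carved file against threat-intel feeds.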
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
Source: CSIS
Traffic exchange is probably one of the oldest types of grey-hat business on the internet. Different companies compete to buy or sell real traffic for your projects. Read more.
Winnti Group targeting universities in Hong Kong
Source: Secodify
Researchers found a new variant of the ShadowPad backdoor deployed using a new launcher and embedding numerous modules. The Winnti malware had also been found at these universities a few weeks before ShadowPad. Read more.
Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed
Source: Secodify
Researchers periodically scanned and collected metadata from Docker hosts exposed to the internet and this research reveals some of the tactics and techniques used by attackers in the compromised Docker engines. Read more.
Forging SWIFT MT Payment Messages for fun and pr… research!
Source: F-Secure Labs
F-Secure Labs were able to demonstrate a proof of concept for introducing a fraudulent payment message to move £0.5M from one account to another, by manually forging a raw SWIFT MT103 message. Read more.
Suspected Sapphire Mushroom (APT-C-12) malicious LNK files
Source: bit_of_hex
In July 2018, the China-based research group 360 TIC produced a report, Sapphire Mushroom (APT-C-12) Technical Details Revealed. This report analysed a malicious LNK file allegedly used by the APT group “Sapphire Mushroom”. Read more.
Watching you watch: the tracking system of over-the-top TV streaming devices
Source: The Morning Paper
The results from this paper are all too predictable: channels on Over-The-Top (OTT) streaming devices are insecure and riddled with privacy leaks. Read more.
APT review: what the world’s threat actors got up to in 2019
Source: Securelist
Researchers have only partial visibility, and it's impossible to fully understand the motivation for some attacks or the developments behind them. Read more.
“Distinguished Impersonator” Information Operation Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests
Source: FireEye
FireEye published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that was organized in support of Iranian political interests. Read more.
Loda RAT Grows Up
Source: Talos
Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIt. Read more.
Threat Research Report: The State of Cryptomining
Source: Threat Vector
In this blog, we’ll discuss how cryptomining started, what targets are being mined, and exactly how threat actors are doing this. Read more.
Enterprise Mobile Threat Landscape
Source: Pradeo
Today, employees leverage mobile services to enhance their performance and cybercriminals are well aware of it. To reach companies’ data, hackers have shifted to a data centric approach that extensively targets the mobile workforce. Read more.
LokiBot: dissecting the C&C panel deployments
Source: Virus Bulletin
First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. Read more.
Goblin Panda APT: Recent infrastructure and RAT analysis
Source: MeltXOR Security
Goblin Panda has historically had information theft and espionage related motives that align with Chinese interests. Their targets have primarily been defense, energy, and government organizations located in South/Southeast Asia. Read more.
South Korea sees rise in smishing with coronavirus misinformation
Source: ZDNet
The South Korean government has warned the public of a sharp rise in smishing attempts — scam text messages — that use misinformation about the novel coronavirus outbreak. Read more.
Lookout Phishing AI provides an inside look into a phishing campaign targeting mobile banking users
Source: Lookout
Consumers are increasingly using mobile banking apps as their primary means to manage their finances. It has not gone unnoticed by cybercriminals, who are starting to exploit it as a new attack vector. Read more.
Ransomware Impacting Pipeline Operations
Source: CISA
CISA encourages asset owners and operators across all critical infrastructure sectors to review the threat actor techniques described in the alert and ensure the corresponding mitigations are applied. Read more.
What DNS encryption means for enterprise threat hunters
Source: We Live Security
In one way, the proliferation of Domain Name System (DNS) attacks throughout the world has helped to raise awareness about a deep problem in the “plumbing” of the internet. Read more.
Hamas Android Malware On IDF Soldiers-This is How it Happened
Source: CheckPoint Research
Earlier, the IDF’s spokesperson revealed that the IDF (Israel Defense Forces) and ISA (Israel Security Agency, a.k.a. “Shin Bet”) conducted a joint operation to take down a Hamas operation targeting IDF soldiers, dubbed ‘Rebound’. Read more.
US Gas Pipeline Shut After Ransomware Attack
Source: Info Security
A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed. Read more.
DRBControl Espionage Operation Hits Gambling, Betting Companies
Source: Bleeping Computer
An advanced threat actor has been targeting gambling and betting companies in multiple regions of the globe with malware that links to two Chinese hacker groups. Read more.
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Source: Bleeping Computer
In 2019, Black Banshee (an alias for Kimsuky) launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations. Read more.
The challenges of cyber research and vulnerability disclosure for connected healthcare devices
Source: HelpNetSecurity
CyberMDX gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. Read more.
Malware Analysis Report (AR20-045G)
MAR-10135536-8.v4 – North Korean Trojan: HOPLIGHT
Source: CISA
Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. Read more.
WordPress botnet deploys anti-adblocker script to make sure its spammy ads are profitable
Source: ZDNet
The threat actor behind the internet’s largest WordPress botnet is using an anti-adblocker script to make sure the ads they inject on hacked sites are showing up in users’ browsers and generating a profit. Read more.
Uncovering New Magecart Implant Attacking eCommerce
Source: Marco Ramilli
Defending financial assets is always one of the top priorities in the cybersecurity community, and web skimming of the kind described here is one of the most “romantic” attacks cyber-criminals perform to steal money. Read more.
PHP’s Labyrinth – Weaponized WordPress Themes & Plugins
Source: Prevailion
Prevailion’s Tailored Intelligence team has followed an active supply chain attack that has been ongoing since late 2017, which they named “PHP’s Labyrinth.” Read more.
44% of Security Threats Start in the Cloud
Source: Dark Reading
Cloud-enabled cyberattacks are ramping up, as indicated in a new Netskope study that found 44% of security threats use cloud services in various stages of the kill chain. Read more.