November 29, 2016
-
Anomali Threat Research

Anomali Weekly Threat Briefing - November 28, 2016

<p><img alt="" src="https://wwwlegacy.anomali.com/images/uploads/wtb-2016-11-28.png" /></p><h2>Trending Threats</h2><p>This section provides summaries of, and links to, the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p>
<p><a href="http://blog.talosintel.com/2016/11/fareit-spam-mht.html" target="_blank"><b>Fareit Spam: Rocking Out to a New File Type</b></a> (<i>November 22, 2016</i>)<br /> During a recent lull in Locky activity, Talos noticed an interesting shift in the file types being used to distribute another well-known malware family, Fareit. The focus of the research is Fareit, and specifically a new way attackers are distributing it via email. File types such as .js, .wsf, and .hta have been used quite successfully for Locky, and Talos had already noted other threats adopting .js for distribution, largely because of Locky&#39;s success. They recently observed yet another uncommon attachment type arriving by email and dug further into the infection chain.<br /> <b>Recommendation:</b> Credential-theft malware (stealers, dumpers) has become increasingly popular of late. First and foremost, all endpoints on your network should have some form of anti-virus protection. A defense-in-depth approach (redundant, layered security controls) increases the chances of preventing and detecting threats. Since stealers must transmit the harvested credentials and other personal data back to the attacker one way or another, infections can often be detected by monitoring network traffic, or even netflow data, against threat intelligence to identify suspicious communications. In the case of a Fareit infection, all passwords must be changed immediately. The infected system must be wiped and restored, and all user data on it should be considered compromised.<br /> <b>Tags:</b> Fareit, malspam</p>
<p><a href="http://pwc.blogs.com/cyber_security_updates/2016/11/molerats-theres-more-to-the-naked-eye.html" target="_blank"><b>An update on the MoleRats (aka GazaHackersTeam)</b></a> (<i>November 21, 2016</i>)<br /> There has been recent news about the activities of a Middle Eastern threat group known as MoleRats (or Gaza Hackers Team). In the past few days, both Vectra Networks and Palo Alto Networks have released reports on new activity carried out by the group. PwC&#39;s investigation began by analyzing roughly 20 executable files associated with the attacks. Several of these files opened decoy documents and audio files, all of which were in Arabic.<br /> <b>Recommendation:</b> The MoleRats campaigns share similar attack vectors: phishing delivered via email, SMS, and other channels. Educate employees about the dangers that can lurk in their inboxes and social networks, and advise them to play it safe on the internet: do not click links to unfamiliar websites, nor links from untrusted sources. Keep all devices on your network updated with the latest patches, and keep users on the lookout for threats. In the case of a MoleRats infection, the infected devices must be wiped, and the entire network should be assessed for lateral movement by the attackers.<br /> <b>Tags:</b> MoleRats, GazaHackersTeam, MiddleEast</p>
<p><a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" target="_blank"><b>Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy</b></a> (<i>November 22, 2016</i>)<br /> In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack on the Secretary General of the Executive Yuan, the executive office of Taiwan&#39;s government. Given the important functions the Executive Yuan performs, it is no surprise that it was targeted. The second attack was against an energy-sector company, also located in Taiwan. Both attacks are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used the group&#39;s known Yahoyah malware, but the other deployed the widely available Poison Ivy RAT. This confirms that the actors use Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed there. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which had not previously been tied to the group.<br /> <b>Recommendation:</b> Though Poison Ivy is dated, this investigation is a testament to its continued effectiveness. Endpoint security solutions provide a good basis for keeping backdoors and other malware off your network, but it is imperative to have a layered, redundant, failsafe security posture (defense in depth) to give the highest probability of thwarting adversaries across the board. In the case of a Poison Ivy infection, all passwords and sensitive credentials present on the compromised machine should be changed immediately, and all associated accounts should be assessed for compromise. Additionally, the infected machine must be quarantined, wiped, and reformatted to ensure the backdoor has been removed permanently. One of the best ways to limit the impact of credential theft is to deploy multi-factor authentication (MFA), though MFA is not a silver bullet: sophisticated, highly motivated attackers can find ways around it.<br /> <b>Tags:</b> TropicTrooper, Taiwan, Government, CivilianGovernment, Energy, PoisonIvy</p>
<p><a href="https://www.zscaler.com/blogs/research/look-recent-stampado-ransomware-variant" target="_blank"><b>A look at Recent Stampado Ransomware</b></a> (<i>November 21, 2016</i>)<br /> In this report, Zscaler researchers analyze Stampado ransomware, first identified in June 2016 and notorious as one of the cheapest working ransomware variants on the market. It can encrypt files with more than 1,200 file extensions and contains self-propagating functionality. In addition to the typical ransom demand, this variant threatens to delete a randomly selected file every six hours until payment is made and, if no payment is received within 96 hours, to delete all files permanently.<br /> <b>Recommendation:</b> Ransomware is one of the most pervasive threats on the internet right now, and can be devastating. Report infections to your local CIRT, and avoid paying the ransom whenever possible. Researchers have defeated Stampado&#39;s encryption and a decryptor is available, so files can be recovered without paying. Machines infected with ransomware must still be quarantined, wiped, and reformatted, even if the files are recovered or the ransom is paid: there is no way to guarantee the malware did not leave behind other harmful artifacts.<br /> <b>Tags:</b> Stampado, ransomware</p>
<p><a href="https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf" target="_blank"><b>Akamai State of the Internet (Security Q3 2016 PDF Report)</b></a> (<i>November 22, 2016</i>)<br /> In its quarterly report, Akamai provides analysis and research based on data from its global infrastructure and routed DDoS mitigation service. Akamai observed a large increase in DDoS attacks this quarter compared with Q3 2015. Web application attacks, apart from SQL injection (SQLi), were down. Two DDoS attacks set records for size, at 623 Gbps and 555 Gbps.<br /> <b>Recommendation:</b> DDoS attacks can do lasting damage to brand reputation. The rise in DDoS attacks highlights the need for every organization to have a mitigation strategy in place in case its infrastructure is targeted. IT teams should rehearse realistic scenarios and be trained to investigate, triage, and mitigate active DDoS attacks.<br /> <b>Tags:</b> DDoS</p>
<p><a href="https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/" target="_blank"><b>FlokiBot: A Flock of Bots?</b></a> (<i>November 21, 2016</i>)<br /> In early October, Flashpoint released an analysis of an underground-forum advertisement for a new malware family known as FlokiBot. As the advertisement says, FlokiBot is another Zeus-based banking trojan, built on the leaked Zeus 2.0.8.9 source code. It took some time for a sample to surface in the wild, but the researcher known as hasherezade flagged one on VirusTotal in early November. This post presents Arbor Networks&#39; analysis of FlokiBot so far.<br /> <b>Recommendation:</b> FlokiBot is an example of how successful malware can be recycled and reused by less skilled attackers, doing substantial damage with little effort. Small tweaks to a malware family&#39;s delivery and persistence can be the difference between an easily prevented threat and a devastating compromise. FlokiBot is also a reminder that while antivirus is a critical component of corporate security, it is not sufficient on its own: all infrastructure and networks should be protected by multiple layers of security. In the case of a FlokiBot infection, the compromised device(s) must be taken off the network, wiped, and reformatted to their original state.<br /> <b>Tags:</b> Flokibot, Zeus</p>
<p><a href="https://bartblaze.blogspot.com/2016/11/nemucod-downloader-spreading-via.html" target="_blank"><b>Nemucod downloader spreading via Facebook</b></a> (<i>November 20, 2016</i>)<br /> In this post, independent security researcher Bart Blaze examines a Facebook Messenger content-type bypass and the scam it is used to run against Facebook users. The attack includes an interesting social-engineering trick involving a Google Chrome extension and leads to a very serious payload: Locky ransomware.<br /> <b>Recommendation:</b> Social media is seeing a rise in threats targeting users, and organizations that allow employees to use social media from their network should be aware of them. Defending against these threats is not strategically different from defending against other phishing; social media is simply one more channel attackers use to lure victims.<br /> <b>Tags:</b> SocialMedia, Locky, Nemucod, Facebook-Security-Bypass</p>
<p><a href="http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/" target="_blank"><b>ImageGate: A new method for distributing malware through images</b></a> (<i>November 24, 2016</i>)<br /> Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. The researchers also uncovered the attackers&#39; method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn. The attackers exploit a misconfiguration in the social media infrastructure to force their victims to download the image file; the user&#39;s device is infected as soon as the user opens the downloaded file.<br /> <b>Recommendation:</b> ImageGate is a novel attack vector and exemplifies the value that zero-day vulnerabilities hold for attackers. Short of blocking all images from loading in your web browser, the best way to stay ahead of threats like ImageGate is to keep all software up to date, including the operating system, the web browser, and every extension the browser uses. Flash and Java should be enabled on a per-site basis rather than for all websites.<br /> <b>Tags:</b> ImageGate, SocialMedia</p>
<p><a href="http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-25th-2016-locky-decryptors-cerber-open-source-ransomware-sucks-and-more/" target="_blank"><b>Ransomware Roundup</b></a> (<i>November 25, 2016</i>)<br /> This week brought two new decryptors, quite a few new ransomware infections, PadCrypt hidden inside a fake credit card generator, and a few new variants. The biggest news is two new variants of the Locky ransomware that append the .zzzzz and .aesir extensions to encrypted files.<br /> <b>Recommendation:</b> Ransomware can potentially be blocked by endpoint protection solutions (HIDS), but as this news shows, new variants constantly evolve to bypass those protections. In the case of a Locky or PadCrypt infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Keep important files backed up, with at least one copy stored where an infected host cannot reach it, to avoid the financial burden ransomware presents.<br /> <b>Tags:</b> Ransomware, PadCrypt, Locky</p>
<h2>Observed Threats</h2><p>This section includes the top threats observed across the Anomali Community user base as well as by sensors deployed by Anomali Labs.</p>
<p><a href="https://ui.threatstream.com/tip/6699" target="_blank"><b>NJRat Tool TIP</b></a><br /> NJRat is a widely available Remote Access Tool (RAT). It was originally developed in 2013 by a freelance coder using the alias `njq8`. NJRat is commonly used as general spyware and to facilitate computer intrusions, and is often delivered via drive-by downloads and phishing emails. It is most commonly used against organizations in the Middle East.<br /> <b>Tags:</b> njrat, Remote Access Tool, RAT</p>
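<p>The introduction says the attached IOCs can be matched against your logs, and the Fareit recommendation advises watching network traffic and netflow against threat intelligence and notes the risky attachment types (.js, .wsf, .hta) used in Locky and Fareit malspam. The following Python script is an added example of that workflow; it is not code from Anomali, Talos, or any of the vendors cited above. Every indicator value, hostname, hash, log format and field name in it is constructed for illustration and matches nothing real; .mht is included among the risky attachment types because the linked Talos post covers that file type.</p>

```python
"""Indicator matching over proxy, netflow and mail-gateway log lines.

Added example: all IOC values, log lines and field names below are
constructed. A real run would load the indicators attached to the
briefing and read the organisation's own logs.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed indicator set (hypothetical placeholders, not real IOCs).
IOCS: Dict[str, Set[str]] = {
    "domain": {"update-check.example", "cdn.badhost.example"},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "sha256": {"9d7e1a4c" * 8},
}

# Script/container attachment types named in the briefing for Locky and
# Fareit malspam, plus .mht, the type covered by the linked Talos post.
RISKY_ATTACHMENT_EXTS = {".js", ".wsf", ".hta", ".mht"}

# key=value pairs, value either "quoted" or a bare token (constructed format).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<timestamp> <source> key=value ...' into a dict; {} if malformed."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return {}
    fields = {"ts": parts[0], "source": parts[1]}
    for key, quoted, bare in KV_RE.findall(parts[2]):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def domain_hits(host: str, domains: Set[str]) -> List[str]:
    """Match a host against indicator domains, including parent domains,
    so a.cdn.badhost.example matches the indicator cdn.badhost.example.
    The bare TLD is never tested on its own."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)
            if ".".join(labels[i:]) in domains]


def match_iocs(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one parsed log line."""
    hits: List[Tuple[str, str]] = []
    host = fields.get("host")
    if host:
        hits += [("domain", d) for d in domain_hits(host, IOCS["domain"])]
    for key in ("dst", "src"):           # netflow and proxy both carry these
        ip = fields.get(key)
        if ip in IOCS["ipv4"]:
            hits.append(("ipv4", ip))
    digest = fields.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        hits.append(("sha256", digest))
    return hits


def risky_attachment(fields: Dict[str, str]) -> Optional[str]:
    """Return the attachment's final extension if it is a risky type.
    Only the last suffix counts, so 'Invoice.pdf.mht' is still caught."""
    name = fields.get("attach")
    if not name or "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext if ext in RISKY_ATTACHMENT_EXTS else None


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run indicator matching and attachment checks; one alert per hit line."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        hits = match_iocs(fields)
        ext = risky_attachment(fields)
        if hits or ext:
            alerts.append({"ts": fields["ts"], "source": fields["source"],
                           "ioc_hits": hits, "risky_attachment": ext,
                           "line": line})
    return alerts


# Constructed sample logs (not real traffic): proxy, netflow and mail gateway.
SAMPLE_LOGS = [
    "2016-11-22T10:14:03Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example url=/get.php status=200",
    "2016-11-22T10:15:11Z proxy src=10.0.0.31 dst=93.184.216.34 host=www.example.com url=/ status=200",
    "2016-11-22T10:16:40Z netflow src=10.0.0.44 dst=198.51.100.7 dport=443 bytes=18342",
    '2016-11-22T09:02:41Z mailgw from=billing@invoices.example to=user@corp.example attach="Invoice_4421.pdf.mht" sha256=' + "9d7e1a4c" * 8,
    '2016-11-22T09:05:02Z mailgw from=hr@corp.example to=user@corp.example attach="Handbook.pdf" sha256=' + "00" * 32,
    "2016-11-22T09:07:19Z proxy src=10.0.0.12 dst=203.0.113.99 host=a.cdn.badhost.example url=/img.png status=200",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert["ts"], alert["source"], alert["ioc_hits"], alert["risky_attachment"])
```

<p>Two details matter in practice: domain indicators are matched against every parent label of the observed host, because malware infrastructure is frequently reached through throwaway subdomains of a flagged domain, and attachment names are judged by their final extension only, because double extensions such as <code>Invoice.pdf.mht</code> are the usual way malspam disguises a script or container as a document. The netflow entry shows that the same indicator set works on flow data with no hostname at all, which is the point the Fareit recommendation makes.</p>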
