Anomali Weekly Threat Intelligence Briefing - December 12, 2016

December 12, 2016 | Anomali Labs

Trending Threats

This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Floki Bot Strikes (December 7, 2016)
Floki Bot is a new malware variant that Talos Intel discovered for sale on darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan "as-is", Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos latest post details the mechanics and delivery of the new variant.
Recommendation: The best defense against malware like Flokibot starts with an educated organization that empowers users to use the web safely. Policies should be in place to prevent malicious code from reaching devices, both at the network level as well as on the devices themselves. Multiple overlapping layers of security (defense in depth) should be practiced in order to prevent attacks at all levels. In the case of Flokibot infection, the affected system must be wiped and restored, and all information contained on that device should be considered publicly disclosed. Passwords should be reset, and all accounts should be monitored for fraud.
Tags: FlokiBot, Zeus, cybercrime, botnet

Popcorn Time Ransomware reaches a new low (December 8, 2016)
A new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key. To make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.
Recommendation: Always run antivirus and endpoint protection software in order to prevent ransomware before it's too late. Keep secure backups of all your important files, to avoid the need to pay ransomware authors. Never open email attachments or software obtained from untrusted sources. Always keep your systems patched with the latest security fixes. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: PopcornTime, ransomware

SamSa Ransomware Attacks: A Year in Review (December 9, 2016)
This year, Unit 42 investigated the SamSa actors that were attacking the healthcare industry with targeted ransomware. With this group being active for roughly one year, they decided to revisit this threat to determine what, if any, changes had been made to their toolset. In doing so, we discovered that it’s been a very profitable year for SamSa, with an estimated $450,000 in ransom payments from samples we have identified. This blog serves to discuss changes made by this group and the SamSa malware family since we last discussed them.
Recommendation: Ransomware can potentially be blocked by using specialized endpoint protection solutions (HIDS) but ransomware authors are constantly evolving to bypass these protections. Always keep your important files backed up in multiple locations. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs.
Tags: Ransomware, SamSa, Healthcare

Ostap Bender: 400 Ways to Make the Population Part With Their Money (December 8, 2016)
In late October, Proofpoint researchers identified and began tracking a financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale (POS) malware AbaddonPOS with its loader, TinyLoader. More significantly, the group also uses a previously undocumented JScript backdoor called “Ostap” and a Delphi dropper they named “MrWhite”. MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads. Adding this extra layer of filtering may help the group focus on targets of interest and evade detection due to use of known malware.
Recommendation: POS/IoT Security relies on the same type of preventative measures as all others, as they are a certain type of computer. In the case of a confirmed ostap infection, the infected device should be taken offline until it can be completely wiped and restored to it's original factory settings.
Tags: Ostap, PoS, MrClean

CNACOM - Open Source Exploitation via Strategic Web Compromise (December 5, 2016)
Since a full proof of concept for CVE-2016-0189 vulnerability was published on GitHub, Zscaler ThreatLabZ has been closely tracking its proliferation. The first copying of the exploit code we spotted was from the Sundown exploit kit (EK), followed closely by Magnitude and a resurgent KaiXin EK. In addition to the commoditized EKs, this exploit code has been leveraged in numerous one-shot and gated web-exploitation campaigns, delivered through a mix of the usual malvertising networks and compromised websites.
Recommendation: Exploitation tactics are constantly improving, and a robust network defense strategy is necessary for high-value target organiations. Defense in depth is the best strategy - implement robust, layered, failsafe security controls so that your organization is not relying upon a single solution to detect all types of threats. Network, and host based security monitoring and prevention tools should be tightly integrated, and IT teams must ensure their entire network is covered, not just the obvious parts. Bringing in penetration testing services can help identify gaps in your security infrastructure, and are a crucial part of locking down your organization. Unlike malware, exploit kits can't be detected by most Antivirus solutions, and rely upon real-time threat detection technologies. Always keep your systems up to date with the latest security patches, as outdated software is a common target for exploit kits. In the case of a confirmed compromise, a digital forensics investigation must take place and a post mortem assessment of the attack should be performed in order to improve organizational security.
Tags: CVE-2016-0189, CVE-2015-0116, CVE-2015-5122, CNACOM

New Flavor of Dirty COW Attack Discovered, Patched (December 6, 2016)
The Dirty COW attack received much attention a few weeks back when it was publicly disclosed as a novel and significant priviledge escalation bug affected Linux systems. Trend Micro has discovered a new variant of the dirty COW bug, and the developers of the Linux OS have released a patch.
Recommendation: Dirty COW is a very serious vulnerability that could lead to significant pain within your organization if exploited. Vulnerability scanning products offer an easy way to identify vulnerabilities, including dirty cow, and vulnerability management platforms can empower your IT organization to keep all bases covered. Of course, vulnerability scanners are not enough alone, but they are a critical piece of a mature network security monitoring (NSM) program.
Tags: DirtyCOW, Linux, CVE-2016-5195

Ransomware Weekly Roundup (December 9, 2016)
Notable updates include the newly discovered Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.
Recommendation: Ransomware is a constantly evolving threat landscape, and the best approach is to educate your organization on the risks posed by this type of malware, and ensuring they know how to get help in the case of an infection. All users should be discouraged from paying ransom, which is much easier if they have an easy to use backup solution in place. In the case of ransomware infection, the affected system must be wiped and reformatted. An incident response investigation should begin to identify the infection vector, followed up with educating the rest of the organization on exactly how the infection happened, and how to prevent int.
Tags: ransomware

ThyssenKrupp Attackers Stole Trade Secrets In Massive Hack (December 8, 2016)
ThyssenKrupp has confirmed that hackers targeted their Industrial Solutions division, specifically the unit that specializes in the construction of large industrial plants. Branches in the U.S., Europe, Asia, and Argentina were all impacted by the breach. The Stack reports that attackers were able to exfiltrate "data records from multiple business units before [their activity] was discovered and stopped." It's believed that the attackers were based in Southeast Asia. ThyssenKrupp has filed a criminal complaint and is working with German authorities to further investigate the attacks.
Recommendation: Breaches such as this are a good reminder that even the best of us can get hacked, and organizations must have a response policy in place to assure customers and avoid harm to business dealings. This means a thorough digital forensic investigation, damage assessment, and PR action in order to respond. Often it is better to disclose the breach to customers or the public as it is much more harmful for them to find out through other channels which you don't control. Put a Incident response policy in place so that it doesn't need to be created in an emergency.
Tags: breach, cybercrime

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

NJRat Tool TIP
NJrat is a widely available Remote Access Tool. The tool was originally developed in 2013 by a freelance coder with the alias of `njq8`. NJRat is commonly used as general spyware and to facilitate computer intrusions. NJRAT is often delivered via drive-by downloads and phishing emails. NJRat is most commonly used to target organizations in the middle east.
Tags: njrat, Remote Access Tool, RAT

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development with version 4 being released around the month of October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement.
Tags: cerber, ransomware

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware

Anomali Labs
About the Author

Anomali Labs

Get the latest threat intelligence news in your email.