This section provides summaries of and links to the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.
Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.
Alice: A Lightweight, Compact, No-Nonsense ATM Malware (December 20, 2016)
Trend Micro has discovered a new ATM malware family called Alice, a lightweight, stripped-down tool. Unlike other ATM malware families, Alice cannot be controlled via the ATM's numeric pad, nor does it have information-stealing features; it is built solely to dispense the cash held in the ATM's safe.
Recommendation: Organizations that operate Automated Teller Machines should have internal policies in place to safeguard these machines, and an incident response plan for the case of compromise. Contact the manufacturer for specific guidance on handling a compromised ATM.
Tags: Alice, ATM, Financial-Services, Retail
The Methbot Operation (December 20, 2016)
Methbot is an ad-fraud operation that generates hundreds of millions of fake premium video ad impressions in order to collect advertising revenue for the fraudsters.
Recommendation: Monitor hosts for unwanted programs via an endpoint agent.
Who is Really Behind the Ukrainian Brute Force Attacks? (December 17, 2016)
Wordfence, a security company focused on WordPress, traced a set of WordPress brute-force login attempts to a bulletproof hosting provider named SKS-Lugan.
Recommendation: Monitoring for traffic to known bulletproof hosting providers can allow organizations to identify malicious activity before it is publicly reported.
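The indicator matching that this briefing's IOC attachment and the recommendation above both call for, as an added example (not code from the briefing or from Wordfence): a small matcher that normalises an indicator set (CIDR blocks such as a hoster's announced prefixes, single IPs, domains, SHA-256 hashes) and runs it over key=value firewall or proxy log lines, reporting which indicator each line touched. The indicator values and log lines are constructed for the example (RFC 5737 documentation ranges, an invented domain, the SHA-256 of an empty input as a placeholder hash, and an assumed log format); replace them with the attached IOCs and your own log source.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed indicator set standing in for the IOCs attached to the briefing. The CIDR blocks
# and addresses are RFC 5737 documentation ranges, not a real hoster's prefixes; the domain is
# invented; the hash is the SHA-256 of an empty input, used only as a placeholder.
IOCS: Dict[str, List[str]] = {
    "cidrs": ["203.0.113.0/24", "198.51.100.0/25"],
    "ips": ["192.0.2.44"],
    "domains": ["bad-example.test"],
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
}

# Constructed key=value proxy/firewall log lines (assumed format, not from a real appliance).
LOG_LINES = [
    "2016-12-20T10:01:02Z src=10.0.0.5 dst=203.0.113.7 host=cdn.vendor.example action=allow",
    "2016-12-20T10:01:09Z src=10.0.0.8 dst=192.0.2.10 host=www.bad-example.test action=allow",
    "2016-12-20T10:02:15Z src=10.0.0.9 dst=198.51.100.200 host=mail.example.net action=allow",
    "2016-12-20T10:03:40Z src=10.0.0.5 dst=192.0.2.44 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 action=download",
    "2016-12-20T10:04:01Z src=10.0.0.6 dst=192.0.2.53 host=resolver.example action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def compile_iocs(iocs: Dict[str, List[str]]):
    """Normalise the indicator set once: networks (single IPs become /32 host routes),
    lowercase domains without trailing dots, lowercase hashes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in iocs.get("cidrs", [])]
    nets += [ipaddress.ip_network(ip) for ip in iocs.get("ips", [])]
    domains = [d.lower().rstrip(".") for d in iocs.get("domains", [])]
    hashes = {h.lower() for h in iocs.get("sha256", [])}
    return nets, domains, hashes


def domain_hits(host: str, domains: List[str]) -> List[str]:
    """Exact or subdomain match: www.bad-example.test hits bad-example.test,
    notbad-example.test does not."""
    host = host.lower().rstrip(".")
    return [d for d in domains if host == d or host.endswith("." + d)]


def match_line(line: str, nets, domains, hashes) -> List[str]:
    """Return one human-readable reason per indicator the line touches."""
    fields = dict(KV_RE.findall(line))
    reasons: List[str] = []
    for key in ("src", "dst"):
        value = fields.get(key)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP literal; skip the field rather than fail the line
        reasons += [f"{key}={value} in {net}" for net in nets if addr in net]
    host = fields.get("host")
    if host:
        reasons += [f"host={host} matches {d}" for d in domain_hits(host, domains)]
    digest = fields.get("sha256")
    if digest and digest.lower() in hashes:
        reasons.append(f"sha256={digest[:12].lower()}... on watchlist")
    return reasons


def match_logs(lines: List[str], iocs: Dict[str, List[str]] = IOCS) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every line that touches at least one indicator."""
    nets, domains, hashes = compile_iocs(iocs)
    hits = []
    for i, line in enumerate(lines):
        reasons = match_line(line, nets, domains, hashes)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in match_logs(LOG_LINES):
        print(f"line {idx}: {'; '.join(reasons)}")
```

On the constructed input, lines 0, 1 and 3 match (the third line's destination falls outside the /25, so it is correctly not reported), and line 3 is reported twice, once for the host route and once for the hash. Hashes are compared case-insensitively because different log sources emit them in different cases.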
Crowdstrike: Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units (December 22, 2016)
An Android variant of Fancy Bear's X-Agent malware was spread via trojanized software on Ukrainian military forums. The malicious app was a trojanized version of a legitimate app built to help artillery personnel compute targeting parameters. The X-Agent implant gives the operators remote access to the compromised device.
Recommendation: Distribute and verify cryptographic signatures and checksums for critical software so that trojanized applications are not installed.
Tags: Fancy Bear, X-Agent
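The checksum half of the recommendation above, as an added example (not code from the briefing or from CrowdStrike): a publisher emits a `sha256sum`-style manifest for its packages, and the installing side recomputes each download's digest and compares it to the manifest, reporting tampered, unlisted and missing files. The package names and contents are constructed stand-ins for real APKs; the manifest is generated in the block so the example runs offline. A checksum only helps if the manifest itself arrives over a channel the attacker cannot alter (for instance with the publisher's signature on it), which is why the recommendation pairs checksums with signatures; signature verification needs a key and a crypto library and is not shown here.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-ins for application packages; real APKs would be read from disk.
GENUINE_FILES: Dict[str, bytes] = {
    "artillery-calc.apk": b"PK\x03\x04 genuine build of the targeting app",
    "artillery-calc-update.apk": b"PK\x03\x04 genuine update package",
}

# sha256sum line: 64 hex digits, whitespace, optional '*' (binary mode marker), file name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Publisher side: emit `sha256sum`-style lines '<hex digest>  <name>'."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Consumer side: map file name -> expected hex digest; blank and '#' lines are ignored."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_files(manifest_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Status per file: 'ok', 'MISMATCH' (digest differs), 'UNLISTED' (not in manifest);
    files named in the manifest but absent from the download are 'MISSING'."""
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "UNLISTED"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids leaking how much of the digest matched through timing.
        report[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    for name in expected:
        if name not in files:
            report[name] = "MISSING"
    return report


# The manifest the publisher would ship alongside (or separately from) the packages.
PUBLISHED_MANIFEST = build_manifest(GENUINE_FILES)

# Constructed "downloaded" set: the update was swapped for a build with an implant appended,
# and an unexpected extra package appeared.
DOWNLOADED_FILES: Dict[str, bytes] = {
    "artillery-calc.apk": GENUINE_FILES["artillery-calc.apk"],
    "artillery-calc-update.apk": GENUINE_FILES["artillery-calc-update.apk"] + b" + implant",
    "helper.apk": b"PK\x03\x04 never published",
}


def check_download() -> Dict[str, str]:
    return verify_files(PUBLISHED_MANIFEST, DOWNLOADED_FILES)


if __name__ == "__main__":
    for name, status in check_download().items():
        print(f"{status:9} {name}")
```

Anything other than `ok` across the board should block installation: a `MISMATCH` is exactly what a trojanized replacement looks like, and an `UNLISTED` package is one the publisher never vouched for.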
OurMine takes over Netflix, Marvel, and Marvel characters Twitter accounts (December 21, 2016)
The mischief-motivated hacking group OurMine was able to brute-force the passwords of the Twitter accounts of Netflix, Marvel, and several Marvel characters. After taking control of the accounts, OurMine posted messages about account security to the profiles.
Recommendation: Use Two-Factor Authentication methods for corporate social media accounts.
Phishing Actors Take a Cue from the Malware Distribution Playbook (December 21, 2016)
Proofpoint researchers have observed phishing campaigns whose attachments are password-protected malicious documents, with the password included in the body of the email. The documents are primarily used to distribute malware, including Cerber ransomware and the Ursnif banking Trojan. Password protection makes the documents difficult to detonate in automated sandboxes, which circumvents a variety of anti-malware products; at the same time, putting the password in the email makes it easy for recipients to open the document, and the protection itself lends the lure a sense of legitimacy.
Recommendation: Treat email, and attachments and URLs in particular, as untrusted and potentially malicious. Educate employees about phishing and malicious documents. Configure antivirus scanning of all incoming email and attachments, bearing in mind that a scanner cannot inspect a password-protected document without the password.
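A gateway-side check for exactly the pattern described above, as an added example (not code from the briefing or from Proofpoint): parse the message, pull password-looking tokens out of the body, identify attachments that are encrypted containers from their bytes rather than their file name, and flag the combination. The message, its body text and the attachment are constructed inline (the "document" is just an OLE header plus filler, named like an OOXML file), and the body regex is a heuristic of this example. A plain `.docx` is a ZIP archive, so a `.docx` that is instead an OLE compound file is the encrypted OOXML wrapper; for ZIP attachments the per-entry encryption flag is checked directly. Actually opening an encrypted Office document with the recovered password needs a library such as msoffcrypto-tool and is not done here.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) header signature
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header signature
OOXML_EXT = (".docx", ".xlsx", ".pptx", ".docm", ".xlsm")

# Heuristic (this example's own) for "the password is X" / "Password: X" phrasing.
PASSWORD_RE = re.compile(r"(?i)\bpass(?:word|code)?\s*(?:is|:|=)\s*[\"']?([^\s\"']{3,})")


def extract_password_candidates(text: str) -> List[str]:
    """Unique password-looking tokens in order of appearance, trailing punctuation removed."""
    seen, out = set(), []
    for m in PASSWORD_RE.finditer(text):
        cand = m.group(1).rstrip(".,;:!?)")
        if len(cand) >= 3 and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def classify_attachment(name: str, data: bytes) -> str:
    """Label the container type from the bytes, using the extension only to interpret OLE."""
    lower = (name or "").lower()
    if data.startswith(OLE_MAGIC):
        # A plain OOXML file is a ZIP; an OLE container carrying an OOXML extension is the
        # encrypted wrapper (EncryptionInfo + EncryptedPackage streams). Legacy .doc/.xls
        # are OLE by design and would need a deeper parse to tell encrypted from plain.
        return "ooxml-encrypted" if lower.endswith(OOXML_EXT) else "ole-legacy"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # General-purpose flag bit 0 marks an encrypted entry.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "zip-encrypted"
                return "zip-plain"
        except zipfile.BadZipFile:
            return "zip-corrupt"
    return "other"


def triage(raw: bytes) -> Dict:
    """Parse one RFC 5322 message; flag encrypted attachments whose password sits in the body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    candidates = extract_password_candidates(text)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename(),
                            "kind": classify_attachment(part.get_filename(), data)})
    locked = [a for a in attachments if a["kind"] in ("ooxml-encrypted", "zip-encrypted")]
    return {"passwords": candidates, "attachments": attachments,
            "suspicious": bool(locked and candidates)}


def build_sample_email() -> bytes:
    """Constructed lure: invoice text with the password inline and a fake encrypted .docx."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Invoice 20161221"
    msg.set_content("Please see the attached invoice. The document password is 1234.\n")
    payload = OLE_MAGIC + b"\x00" * 64  # OLE header plus filler, not a real document
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="invoice.docx")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

The verdict is deliberately the conjunction of the two signals: an encrypted attachment on its own is common in legitimate business mail, and a stray "password" in a body is noise, but the two together are the lure structure the campaign relies on. A gateway that recovers the candidate can also feed it to the sandbox so the document is detonated rather than skipped.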
This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.
NJRat Tool TIP
NJRat is a widely available Remote Access Tool, originally developed in 2013 by a freelance coder using the alias `njq8`. It is commonly used as general-purpose spyware and to facilitate computer intrusions, is typically delivered via drive-by downloads and phishing emails, and is most often used against organizations in the Middle East.
Tags: njrat, Remote Access Tool, RAT