February 14, 2017
Anomali Threat Research

Anomali Weekly Threat Intelligence Briefing - February 14, 2017

<div id="weekly"><p id="intro"><img src="https://cdn.filestackcontent.com/6K7BzKASgqjUEdkJRwcz"/><br/> <b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p>This section provides summaries of and links to the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p><p><a href="http://www.malware-traffic-analysis.net/2017/02/06/index4.html" target="_blank"><b>Pseudo-Darkleech Exploit Kit Sends Cerber Ransomware</b></a> (<i>February 6, 2017</i>)<br/> Researchers have observed the pseudo-Darkleech campaign, known for delivering malware via Exploit Kits (EKs), distributing Cerber ransomware. The current campaign relies on malicious scripts injected into compromised websites. These scripts redirect visitors to a Rig EK landing page, which exploits the browser and then retrieves the Cerber payload from the attacker's server.<br/> <b>Recommendation:</b> Anti-virus and endpoint protection software should be kept up-to-date to help prevent a ransomware infection before it begins, and web browsers, browser plugins (Flash, Java) and operating systems should be patched, since EKs rely on known vulnerabilities in unpatched client software. Secure, offline backups of important files should be carefully maintained. Emails that refer to financial topics should be carefully examined to ensure they come from a legitimate source, and Word document attachments that claim macros are needed in order to view the document should be avoided. 
Any system infected with ransomware should be wiped and rebuilt, even if the ransom was paid, and other machines on the same network should be scanned for signs of the same infection.<br/> <b>Tags:</b> Darkleech, Cerber</p><p><a href="http://www.securityweek.com/new-york-man-admits-role-cybercrime-operation" target="_blank"><b>New York Man Admits to Role in Cybercrime Operation</b></a> (<i>February 6, 2017</i>)<br/> The Federal Bureau of Investigation (FBI) has arrested an individual operating under the alias "Samuel Gold" for his involvement in multiple cybercrimes. The man behind the alias is Vyacheslav Khaimov, a 55-year-old resident of Brooklyn, New York. Khaimov was charged with conspiracy to commit wire and bank fraud, bank fraud, money laundering conspiracy, money laundering, and wire fraud. According to the FBI, Khaimov owned and operated a business through which he received over $230,000 stolen from approximately eight compromised financial accounts, most of them located in the U.S. The accounts were drained by malware, after which the funds were transferred to Khaimov and others involved in the operation. Over $1.2 million in total is believed to have been stolen and transferred to co-conspirators through Khaimov, according to the FBI.<br/> <b>Recommendation:</b> The details of how the bank accounts were compromised, which financial institutions they belonged to, and what malware was used have not yet been reported. However, members of the financial industry should remain vigilant, because they are valuable targets for threat actors and their malware. 
Files from unverified sources, as well as other common attack vectors such as email attachments and malicious websites, should be avoided, and your employees should be informed of the risks they represent.<br/> <b>Tags:</b> New York, Cybercrime</p><p><a href="http://www.securityweek.com/darknet-marketplace-hansa-launches-bug-bounty-program" target="_blank"><b>Underground Market Hansa Announces Bug-bounty Program</b></a> (<i>February 6, 2017</i>)<br/> The underground market "Hansa" recently announced that it is launching a bug-bounty program, according to a post on the HansaDarknetMarket subreddit on Reddit[.]com. For individuals who discover serious flaws, such as those that could reveal a market user's IP address, the reward could be as high as 10 bitcoins ($10,429 at the time of writing), and the reward for less severe bugs could be up to one bitcoin ($1,042). Reddit[.]com users have already begun to post that they have submitted reports detailing issues that expose Hansa users' private messages.<br/> <b>Recommendation:</b> Hansa sells numerous forms of illegal products, ranging from drugs and drug paraphernalia to Personally Identifiable Information (PII) and banking information, and this program may make underground market customers feel more secure when buying illicit materials. This in turn may lead cybercriminals to increase their malicious activity to supply a more trusted marketplace with stolen data. Ensure that web browsers are up to date with the latest patches, and be suspicious of emails (even if they appear to come from an authentic source) requesting that sensitive information be updated.<br/> <b>Tags:</b> Hansa, Reddit</p><p><a href="http://www.malware-traffic-analysis.net/2017/02/07/index.html" target="_blank"><b>Hancitor/Pony Malspam - Subject: You Received a New E-Fax </b></a> (<i>February 7, 2017</i>)<br/> A malspam campaign spoofing the sender address "messaging@efax.com" is attempting to trick recipients into following a link that leads to a malicious Word document. 
If the link is followed and the Word document is opened, a prompt asks the recipient to enable editing and then to enable content, which turns on the document's macros. If these steps are followed, the macro installs the Hancitor downloader, which in turn installs the Pony downloader; Pony then downloads and installs additional malware from a C2 server.<br/> <b>Recommendation:</b> This story is a reminder of the threat that a simple email can represent. Links in emails should be vetted to determine their authenticity before they are followed. Always be on high alert while reading email, particularly when it carries attachments, claims to be urgent, or uses poor grammar. Use anti-spam and anti-virus protection, avoid opening email from unverified senders, and never click "Enable Content" on a document received by email unless its origin has been verified.<br/> <b>Tags:</b> Phishing, e-fax</p><p><a href="https://blog.sucuri.net/2017/02/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html" target="_blank"><b>WordPress REST API Vulnerability Abused in Defacement Campaigns</b></a> (<i>February 6, 2017</i>)<br/> Although WordPress fixed a severe flaw in its Representational State Transfer (REST) API, which allowed unauthenticated content injection into posts and pages, in version 4.7.2 released on January 26, 2017, researchers are still observing the vulnerability being exploited in the wild. In total, researchers have identified over 67,500 WordPress websites that have been compromised in four separate defacement campaigns. 
These defacements could have been avoided if the affected sites had applied the security patch; sites that have disabled WordPress's automatic background updates for minor releases must apply such fixes manually.<br/> <b>Recommendation:</b> Staying current and vigilant on security fixes and updates is important in order to maintain a website's integrity, because websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. Administrators should verify that their installed WordPress version is 4.7.2 or later rather than assuming automatic updates have run.<br/> <b>Tags:</b> WordPress, Defacement</p><p><a href="https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1" target="_blank"><b>76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data</b></a> (<i>February 6, 2017</i>)<br/> Seventy-six popular iOS applications have been confirmed vulnerable to man-in-the-middle (MITM) interception of their TLS-protected traffic because they do not properly validate the server certificate presented to them. Of these, 33 were rated low-risk, 24 medium-risk, and 19 high-risk by the researcher, who used download figures from the application analytics company Apptopia to gauge exposure. The names of the high-risk applications will be released publicly in approximately 60 to 90 days if the vulnerabilities are not fixed, according to the researcher.<br/> <b>Recommendation:</b> Mobile devices should always be fully patched with the latest security updates, and only official application stores (such as the Apple App Store and Google Play Store) should be used to install software. 
Additionally, mobile application users should follow the linked article to identify affected applications they may be using, and should avoid using sensitive applications over untrusted Wi-Fi networks, where an attacker positioned to intercept traffic can exploit this class of flaw.<br/> <b>Tags:</b> Mobile, iOS, MITM</p><p><a href="http://blog.talosintel.com/2017/02/athena-go.html" target="_blank"><b>AthenaGo RAT Targets Portugal</b></a> (<i>February 8, 2017</i>)<br/> A new Remote Access Trojan (RAT) written in the Go programming language, dubbed "AthenaGo," has been identified targeting individuals in Portugal, according to Talos researchers. AthenaGo communicates with its command-and-control infrastructure through Tor2Web proxies and can download and run additional software when instructed by the attacker. The malware is distributed via phishing emails that attempt to lure the user into opening a Word document attachment. The document asks the user to enable macros (if they are not already enabled) in order to view its content, but the macro actually downloads the malware.<br/> <b>Recommendation:</b> Once again this story reiterates the dangers of phishing emails. Ensure that Microsoft Word settings have macros disabled (typically macros are disabled by default), and educate your employees to be on the lookout for phishing attempts. Having employees share documents through other channels, such as Dropbox or Google Drive, can also reduce reliance on potentially malicious email attachments.<br/> <b>Tags:</b> Phishing, AthenaGo, Portugal</p><p><a href="https://iranthreats.github.io/resources/macdownloader-macos-malware/" target="_blank"><b>iKittens: Iranian Actor Resurfaces with Malware for Mac</b></a> (<i>February 6, 2017</i>)<br/> A malware agent dubbed "MacDownloader" by the researchers who discovered it is currently targeting the defense industry and an unnamed human rights community focused on Iran. MacDownloader masquerades as an Adobe Flash installer and as the Bitdefender Adware Removal Tool in its attempts to exfiltrate OS X keychain databases. 
The actor behind the malware also impersonated the aerospace firm United Technologies Corporation in order to launch spear phishing attacks against defense industry employees, claiming to offer courses and programs tailored to the industry. Visitors to the lure website are offered the fake Adobe Flash and Bitdefender Adware Removal Tool installers that deliver the malware.<br/> <b>Recommendation:</b> Malware authors are always devising new methods of communicating with their control servers and of disguising their payloads. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe), and only install software such as Flash from the vendor's own site, never from a prompt on a third-party page.<br/> <b>Tags:</b> iKittens, Malware agent</p><p><a href="https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/" target="_blank"><b>Fileless Attacks Against Enterprise Networks</b></a> (<i>February 8, 2017</i>)<br/> Kaspersky Lab's Global Research and Analysis Team identified malicious activity that appears to align with the Tactics, Techniques and Procedures (TTPs) of the Advanced Persistent Threat (APT) groups "Carbanak" and "GCMAN." An unnamed bank's security team discovered this campaign after Meterpreter code (the in-memory payload of the Metasploit framework, which writes nothing to disk but instead resides in memory and injects itself into a running process) was identified in the memory of a domain controller. At the time of this writing, this campaign has targeted approximately 140 entities around the globe, consisting of banks, telecommunication companies, and government organizations.<br/> <b>Recommendation:</b> Ensure that endpoints are secure with updated patches; make sure users work from standard user accounts rather than privileged ones; and use endpoint antimalware tools to protect the devices. Because fileless malware leaves nothing on disk for signature-based scanners to find, complement these steps with defense in depth: scan network connections and email for malware, and log and review PowerShell and in-memory activity on critical hosts such as domain controllers. 
This will help reduce the chance that the malware is able to reach the endpoint and execute.<br/> <b>Tags:</b> Carbanak, GCMAN, APT</p><p><a href="https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/" target="_blank"><b>Fast Food Chain Arby's Acknowledges Breach</b></a> (<i>February 9, 2017</i>)<br/> Approximately six financial institutions contacted security researcher Brian Krebs regarding rumors of a data breach at Arby's Restaurant Group locations. The banks' and credit unions' first indicator was an alert from PSCU (a credit union service organization) stating that a breach at an unnamed retailer had compromised approximately 355,000 PSCU credit and debit cards. After an inquiry, KrebsOnSecurity received a statement from Arby's in which the company confirmed that it was investigating its payment card systems with the assistance of security experts. The fast-food chain has not specified how many stores were affected, or for how long malware was stealing card data. The PSCU notice states that the breach took place between October 25, 2016, and January 19, 2017.<br/> <b>Recommendation:</b> Point of Sale (POS) terminals are computers and require the same preventative measures as any other endpoint: patching, restricted accounts, and antimalware controls. They should also be segmented from the corporate network and from the internet except for the connections payment processing requires, which limits what a memory-scraping infection can reach. In the case of a confirmed infection, the POS system should be taken offline until it can be completely wiped and restored from a known-good image.<br/> <b>Tags:</b> Arby's, POS</p><p><a href="http://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0" target="_blank"><b>Attackers Target Dozens of Global Banks with New Malware </b></a> (<i>February 12, 2017</i>)<br/> Symantec researchers have published new information about the security incident, first reported earlier this month, that affected approximately 20 unnamed Polish banks. 
That incident is now believed to be part of a campaign that has targeted approximately 104 entities (mostly banks, but also internet providers and telecommunications companies) in 31 countries since October 2016. The attacks were first identified when threat actors used a compromised Polish financial website to redirect users to a custom Exploit Kit (EK). The EK only attempts to install malware on visitors whose source IP address falls within ranges belonging to the targeted organizations. Analysis of the malware (which is still ongoing) has led researchers to believe that the Lazarus Group may be behind these attacks, because of similarities between the malicious code and malware previously used by the group.<br/> <b>Recommendation:</b> Defending against Advanced Persistent Threat (APT) groups requires an equally advanced and persistent strategy. Defense in depth (layering of security mechanisms, redundancy, fail-safe processes) is the best way to limit exposure to APTs, including a focus on both network- and host-based security and on having both prevention and detection capabilities in place. Watering-hole attacks of this kind also argue for keeping browsers and plugins patched and for restricting general web browsing from hosts that touch financial systems.<br/> <b>Tags:</b> Lazarus Group, APT</p></div><div id="observed-threats"><h1 id="observedthreats">Observed Threats</h1><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.</p><p><a href="https://ui.threatstream.com/tip/7064" target="_blank"><b>Locky Tool Tip</b></a><br/> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cybercriminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files containing JavaScript loaders that retrieve and then execute Locky. 
Hosts compromised by Locky display a ransom note with instructions on how to pay for decryption of the encrypted files. Encrypted files are renamed with a .locky or .zepto extension.<br/> <b>Tags:</b> Locky, Ransomware</p></div></div>
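Three of the entries in this briefing (Hancitor/Pony, AthenaGo, and the Locky tool tip) share one delivery step: a Word attachment whose macro only runs after the victim clicks "Enable Content". The script below is an added example, not code from Anomali or from the linked reports, showing how a mail gateway or triage script can spot an embedded VBA project in an Office Open XML attachment before Word ever shows that prompt. It inspects the zip package's part names and its [Content_Types].xml rather than trusting the file extension, so a .docm renamed to .docx is still caught. The two sample documents it builds in memory are constructed for the example, and the attachment_verdict policy and its "allow"/"block"/"review" labels are this example's own assumptions.

```python
import io
import re
import zipfile

# Package part names and content types that Office uses for an embedded VBA project.
# These markers are what a gateway or sandbox can check without opening the document.
VBA_PART_RE = re.compile(r"^(?:word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_MARKER = ".macroEnabled.main+xml"
# Extensions that are not supposed to carry macros; a VBA project behind one of
# these means the file was renamed to look harmless.
NON_MACRO_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def find_macro_indicators(data):
    """Return the reasons an OOXML file (docx/docm/xlsx/xlsm/pptm) appears to carry VBA.

    An empty list means no macro project was found. Legacy binary formats
    (.doc/.xls, OLE2 containers) are not zip files and raise ValueError so the
    caller can route them to a separate OLE check instead of silently passing them.
    """
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not an OOXML (zip) container")
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if VBA_PART_RE.match(name):
                reasons.append("VBA project part present: " + name)
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            reasons.append("[Content_Types].xml missing (malformed package)")
        else:
            if VBA_CONTENT_TYPE in content_types:
                reasons.append("content types declare a vbaProject part")
            if MACRO_MAIN_MARKER in content_types:
                reasons.append("main document part uses a macro-enabled content type")
    return reasons


def attachment_verdict(filename, data):
    """Hypothetical gateway policy (an assumption of this example): block any OOXML
    attachment that carries VBA whatever its extension, send containers this check
    cannot inspect to manual review, and allow everything else."""
    try:
        reasons = find_macro_indicators(data)
    except (ValueError, zipfile.BadZipFile):
        return "review", ["not a readable OOXML package; needs a separate OLE2 check"]
    if reasons and filename.lower().endswith(NON_MACRO_EXTENSIONS):
        reasons.append("macro-free extension hides a VBA project (renamed file)")
    return ("block" if reasons else "allow"), reasons


def build_sample_docx(with_macro):
    """Construct a minimal OOXML package in memory. This is constructed sample data
    for the example, not a real Hancitor, AthenaGo or Locky document."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE2 stream that holds the VBA code.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("report.docx", build_sample_docx(False)),
                       ("efax_message.docx", build_sample_docx(True))):
        verdict, why = attachment_verdict(label, doc)
        print(label, verdict, why)
```

The check deliberately keys on the package structure and not on the extension, because the extension is the only thing a phishing kit controls for free. It does not cover the legacy .doc/.xls OLE2 formats that Locky and Hancitor have also used; those need an OLE stream parser (for example the oletools project), which is why the policy above routes them to review rather than allowing them.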
