January 24, 2017
Anomali Threat Research

Anomali Weekly Threat Intelligence Briefing - January 23, 2017

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><h2>Trending Threats</h2><p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/" target="_blank"><b>Uncovering the Inner Workings of EyePyramid</b></a> (<i>January 18, 2017</i>)<br/> In a follow-up to their initial post the week before, the TrendLabs research team uncovered new details about EyePyramid, along with a story of evasion and deflection. The post describes the newly identified samples and the high-level TTPs used by the operators.<br/> <b>Recommendation:</b> Malware authors continually develop new methods of communicating with their control servers. Always practice defense in depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.<br/> <b>Tags:</b> Italy, Europe, EyePyramid, Spear-Phishing</p><p><a href="http://blog.talosintel.com/2017/01/locky-struggles.html" target="_blank"><b>Without Necurs, Locky struggles</b></a> (<i>January 18, 2017</i>)<br/> Locky has been a devastating force in the spam and ransomware landscape over the last year. The main driver behind its distribution is the Necurs botnet, which is responsible for the majority of Locky and Dridex activity. Necurs periodically goes offline, and during these periods Locky activity typically drops drastically. Since late December, Talos has not seen the usual volume of Locky. A few days ago, however, some spam campaigns began delivering Locky again. Where Talos typically sees hundreds of thousands of Locky spam messages, the current campaigns contain fewer than a thousand. 
Talos found a couple of low-volume campaigns delivering Locky through the usual script-file attachments, with a couple of new twists.<br/> <b>Recommendation:</b> Always run antivirus and endpoint protection software to stop ransomware before it is too late. Keep secure backups of all important files, with at least one copy offline, so that paying the ransom is never necessary. Never open email attachments or software obtained from untrusted sources. Keep systems patched with the latest security fixes. In the case of a ransomware infection, the affected systems should be wiped and rebuilt even if the ransom is paid, and other machines on the same network should be scanned for infection.<br/> <b>Tags:</b> Locky, Malspam, Necurs, Ransomware, Botnet</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-reveal-possible-new-tactic/" target="_blank"><b>Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic</b></a> (<i>January 16, 2017</i>)<br/> The second wave of Shamoon 2 attacks uses the Disttrack wiper malware, which is built to destroy systems by overwriting their hard drives and to spread as widely as possible throughout a network it has infiltrated. Once again, Disttrack was configured to operate without any command and control (C2) servers, essentially optimized for a one-way mission of data destruction. This second wave, however, shows evidence of a potential new tactic. Unit 42's analysis shows that the latest sample contains credentials for virtual desktop infrastructure (VDI) solutions, such as Huawei’s FusionCloud. VDI solutions can provide protection against destructive malware like Disttrack through the ability to load snapshots of wiped systems and recover from a wiper attack. 
The presence of these credentials in the sample suggests that the attackers intended to increase the impact of their attack by not only wiping systems but also carrying out destructive activity against the VDI deployment and its snapshots.<br/> <b>Recommendation:</b> To secure your infrastructure, first know what your assets are, which are publicly facing, and which are the most important to protect. To defend against these attacks, deploy host- and network-based intrusion detection systems (IDS) throughout the network and integrate them with a SIEM or other security manager. Given that this sample carries VDI credentials, keep VDI management accounts separate from ordinary domain administrator credentials and store snapshots and backups where a compromised administrator account cannot delete them. A compromised system must be wiped and restored before being reintroduced to the environment.<br/> <b>Tags:</b> Shamoon-2, Wiper, Disttrack</p><p><a href="https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme" target="_blank"><b>EITest Nabbing Google Chrome Users with a "Chrome Font" Social Engineering Attack</b></a> (<i>January 17, 2017</i>)<br/> In December, Proofpoint researchers discovered a compromised website dropping Chrome_Font.exe. On replay, they found that the website was EITest-compromised but could not trigger the binary drop even with the browser named in the original report. A more recent report led them to look more closely at EITest's filtering mechanisms to understand how the attack is triggered.<br/> <b>Recommendation:</b> Keep your browser and operating system up to date, including any browser add-ons you need (Flash, Java). Employ network- as well as host-based detection and prevention systems where possible. Remind users that a legitimate website will not ask them to download and run a "font" to display its text. 
In the case of an EITest infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.<br/> <b>Tags:</b> EITest, Exploit-Kit, Social-Engineering</p><p><a href="https://blog.fortinet.com/2017/01/20/linux-gafgyt-b-tr-exploits-netcore-vulnerability" target="_blank"><b>Linux Gafgyt.B!tr Exploits Netcore Vulnerability</b></a> (<i>January 20, 2017</i>)<br/> Researchers have discovered a version of the Linux Gafgyt malware targeting Netcore/Netis routers, which contain an easily exploitable backdoor. In their latest post, Fortinet takes a deep dive into the inner workings of this malware and how it exploits the Netcore vulnerability.<br/> <b>Recommendation:</b> Gafgyt takes advantage of internet-connected devices that have been carelessly configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability: default usernames and passwords must be changed, and management services must not be reachable from the internet. Organizations and defenders should know all of their internet-facing assets and keep them under strict monitoring.<br/> <b>Tags:</b> IoT, Netcore-backdoor, Botnet, Mirai, Linux-Gafgyt</p><p><a href="https://blog.fortinet.com/2017/01/16/android-locker-malware-uses-google-cloud-messaging-service" target="_blank"><b>Android Locker Malware uses Google Cloud Messaging Service</b></a> (<i>January 16, 2017</i>)<br/> Last month, Fortinet researchers found a new Android locker malware that displays a lock screen on the device and extorts the user into submitting their bank card details to unblock it. The interesting twist in this variant is that it leverages the Google Cloud Messaging (GCM) platform, a push notification service for sending messages to registered clients, as part of its C2 infrastructure. 
It also uses AES to encrypt the communication between the infected device and the C2 server.<br/> <b>Recommendation:</b> Android malware is on the rise. Protect your network by defining a Bring Your Own Device (BYOD) policy and segmenting the network so that unmanaged devices are kept far away from your most important assets and services. In the case of an Android locker infection, the device must be fully wiped and restored before returning to your network.<br/> <b>Tags:</b> Android-Malware, Ransomware</p><p><a href="https://www.bleepingcomputer.com/news/security/android-banking-trojan-source-code-leaked-online-leads-to-new-variation-right-away/" target="_blank"><b>Android Banking Trojan Source Code Leaked Online, Leads to New Variation Right Away</b></a> (<i>January 21, 2017</i>)<br/> The source code of an unnamed Android banking trojan was recently leaked online via an underground hacking forum, according to researchers from the Russian antivirus firm Dr.Web. Dr.Web says the leaked source code appears to be a high-quality product and expects it to attract the attention of many cyber-criminals looking for a base on which to develop and deploy their own mobile malware. Android banking trojans are usually sold for thousands of dollars, or rented for similarly high fees, so the easy availability of this code may lead to a surge in banking trojans targeting Android devices. One variant built on it has already been discovered and named Android.BankBot.<br/> <b>Recommendation:</b> As we saw with the release of the Mirai source code, less skilled attackers depend on such leaks to carry out their crimes. 
In the case of a confirmed BankBot infection, the infected device must be fully wiped and restored to its original factory settings.<br/> <b>Tags:</b> Android-Malware, Hackforums, BankBot</p><p><a href="https://blog.opendns.com/2017/01/18/finding-the-rats-nest/" target="_blank"><b>Finding the RATs Nest</b></a> (<i>January 18, 2017</i>)<br/> OpenDNS researchers spotted a novel Remote Access Trojan (RAT). In their blog post, they examine malicious infrastructure found by pivoting through the domains delivering and communicating with the RAT.<br/> <b>Recommendation:</b> Remote Access Trojans (RATs) are often easy to detect on the network. They rely on outbound communication to deliver keystrokes and other exfiltrated data, and they check in with their controllers on a regular schedule; network intrusion detection solutions can typically detect this traffic. As always, do not rely on a single security control; practice defense in depth with multiple overlapping controls.<br/> <b>Tags:</b> Backdoor.LuminosityLink, RAT, Keylogger</p><p><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Operation-Grand-Mars--a-comprehensive-profile-of-Carbanak-activity-in-2016/17/" target="_blank"><b>Operation Grand Mars: a comprehensive profile of Carbanak activity</b></a> (<i>January 18, 2017</i>)<br/> Trustwave tracked Carbanak activity in the latter half of 2016 and found the group targeting hospitality and retail victims in Europe and North America, specifically going after internal corporate secrets and protected payment card data. Trustwave recently released the complete campaign profile in a 45-page Advanced Threat Report.<br/> <b>Recommendation:</b> Attacks such as those used in Operation Grand Mars are among the most professional facing the modern organization. Zero-day based attacks can be detected by advanced solutions such as behavioral analysis, heuristics, and machine-learning based detection systems. 
These attacks originate with spear-phishing, which can be addressed effectively through employee education, stopping them before they can attempt exploitation. All users should be aware of the threats they face when doing something as simple as checking their email. In the case of compromise, the entire network must be assessed to identify the initial infection, and all affected systems must be fully wiped and reformatted to ensure the network is restored to a safe state. Note that attackers keep using exploits long after the vendor has patched the vulnerability; put policies in place to ensure patches are installed as soon as they are available.<br/> <b>Tags:</b> Grand-Mars-APT, Carbanak, Anunak</p><p><a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/" target="_blank"><b>Ransomware Roundup - Week of January 20</b></a> (<i>January 20, 2017</i>)<br/> This week we continue to see more ransomware being released, as well as changes in the distribution of the larger ransomware families. For example, Locky distribution has been very low since the holidays but is now starting to pick up again. Spora ransomware has also been thrown into the mix: malware distribution sites that typically pushed Cerber have started to push Locky and Spora.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by endpoint protection solutions, but as this news shows, new threats constantly evolve to bypass these protections. Always keep important files backed up, with at least one copy offline. In the case of a ransomware infection, the affected system must be wiped and reformatted, and other devices on the network checked for similar infections. Always check for a free decryptor before considering payment; avoid payment at all costs. 
Ransomware should be reported to law enforcement agencies, which are working to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>Tags:</b> Locky, Spora, Ransomware</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.</p><p><a href="https://ui.threatstream.com/tip/8281" target="_blank"><b>NetWire RAT (Windows) Tool Tip</b></a><br/> NetWire is a Remote Access Trojan primarily used for data theft, although its authors claim it is a legitimate remote administration tool. The analyzed sample in this case masquerades as a directory but is actually an executable (.exe) file.<br/> <b>Tags:</b> NetWire, RAT, Windows-Malware</p>
