Anomali Weekly Threat Intelligence Briefing - January 30, 2017

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><h2>Trending Threats</h2><p><a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-underground-part-3-rat-nest/" target="_blank"><b>Into The RATs Nest - Part 3</b></a> (<i>January 26, 2016</i>)<br/> In part 3 of their expansive RAT writeup, Unit 42 researchers began with data from a real attack in the wild, and use that evidence to make a connection back to underground forums and the actors who are using them.<br/> <b>Recommendation:</b> RATs are often detectable from host based artifacts the RAT leaves behind, as well as the network traffic necessary for the attacker to exfiltrate data. Both devices as well as networks should be secured with detection and prevention measures. In the case of HWorm infection, the affected device should be wiped and reformatted, and all devices across the network should be assessed for similar compromise.<br/> <b>Tags:</b> RAT-C2, DarkComet, DarkTrack, NJRat, NetWire</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-farming-malicious-documents-unravel-ransomware/" target="_blank"><b>Farming Malicious Documents to Unravel Ransomware</b></a> (<i>January 27, 2016</i>)<br/> While analyzing a recent malicious Microsoft Word document, Unit 42 noticed that it downloaded a ransomware variant, SAGE 2.0 (Sage Locker), which is a spin-off from CryLocker. This ransomware has been slowly making the rounds lately; most notably because a number of these campaigns have been seen delivering both Sage and Cerber ransomware families from the same download locations, sometimes changing between the two periodically throughout the day.<br/> <b>Recommendation:</b> The best defense against malware starts with an educated organization that empowers users to use the web safely. Policies should be in place to prevent malicious code from reaching devices, both at the network level as well as on the devices themselves. Multiple overlapping layers of security (defense in depth) should be practiced in order to prevent attacks at all levels.<br/> <b>Tags:</b> Ransomware, Sage-Ransomware, MSWord, NATO</p><p><a href="http://blog.talosintel.com/2017/01/matryoshka-doll.html" target="_blank"><b>Unraveling a Nested Microsoft Word Doc</b></a> (<i>January 27, 2016</i>)<br/> Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded Flash payload. This document targeted NATO members in a campaign during the Christmas and New Year holiday. Due to the file name, Talos researchers assume that the document targeted NATO members governments. This attack is also notable because the payload was swapped out with a large amount of junk data which was designed to create resource issues for some simplistic security devices.<br/> <b>Recommendation:</b> Always keep your operating system and important software up to date, including web browser, browser add-ons, and microsoft office. Employ network as well as host based detection and prevention systems where possible. In the case of infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.<br/> <b>Tags:</b> MSWord, Malicious-RTF</p><p><a href="http://blog.checkpoint.com/2017/01/24/charger-malware/" target="_blank"><b>Charger Malware Calls and Raises the Risk on Google Play</b></a> (<i>January 24, 2016</i>)<br/> Several weeks ago, Check Point detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “Charger.” This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks.<br/> <b>Recommendation:</b> Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and never install software from unverified sources.<br/> <b>Tags:</b> Android-Malware, Ransomware</p><p><a href="https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer" target="_blank"><b>Deep Analysis of Android Rootnik Malware</b></a> (<i>January 26, 2016</i>)<br/> Recently, Fortinet found a new Android rootnik malware which uses open-sourced Android root exploit tools to gain root access on an Android device. The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered. It also uses a multidex scheme to load a secondary dex file. After successfully gaining root privileges on the device, the rootnik malware can perform several malicious behaviors, including app and ad promotion, pushing porn, creating shortcuts on the home screen, silent app installation, pushing notification, etc. In this blog, I’ll provide a deep analysis of this malware.<br/> <b>Recommendation:</b> Compromised machines must be wiped and restored to factory settings. Complex attacks such as the rootnik malware can be targeted or spread generically, and a formal incident response process should be initiated to identify the root cause and how to prevent it from happening in the future.<br/> <b>Tags:</b> Android-Malware, Rootnik</p><p><a href="https://www.bleepingcomputer.com/news/security/russia-arrests-top-kaspersky-lab-security-researcher-on-charges-of-treason/" target="_blank"><b>Russia Arrests Top Kaspersky Researcher on Charges of Treason</b></a> (<i>January 25, 2016</i>)<br/> Russian authorities arrested Ruslan Stoyanov, one of Kaspersky Lab's top-ranked security researchers, under article 275 of the Russian criminal code, which refers to treason. According to Russian newspaper Kommersant, who broke the story today, Stoyanov was arrested in December, together with the head of the Russian Secret Service (FSB) information security department Sergei Mikhailov.<br/> <b>Recommendation:</b> Russia's Spy Agencies continue to make unpredictable moves, its wise to steer clear of interacting with such actors.<br/> <b>Tags:</b> Russia, Hacking, Treason</p><p><a href="https://www.bleepingcomputer.com/news/security/police-department-loses-years-worth-of-evidence-in-ransomware-incident/" target="_blank"><b>Police Department Loses a Year Worth of Evidence Due to Ransomware</b></a> (<i>January 26, 2016</i>)<br/> Police in Cockrell Hill, Texas admitted yesterday in a press release that they lost years worth of evidence after the department's server was infected with ransomware. Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>Tags:</b> Ransomware, Extortion</p><p><a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-27th-2017-potato-spora-goes-global-and-sage-2-0/" target="_blank"><b>Ransomware Roundup</b></a> (<i>January 27, 2016</i>)<br/> This week we continue to see lots of little ransomware being developed and new variants of existing ones. The big news is Spora and Sage 2.0 now being distributed by actors that normally distribute Locky and Cerber. This has caused a greater distribution of both of these ransomware infections. Furthermore, when Spora was first released it was initially only targeting Russian victims. This may have been a test run as we are now seeing world wide distribution of Spora. Last, but not least, it appears that ransomware developers are running out of names to call their ransomware. To illustrate this, we have a ransomware this week called Potato. I wonder if next week we will have one named Broccoli?<br/> <b>Recommendation:</b> Always run antivirus and endpoint protection software in order to prevent ransomware before it's too late. Keep secure backups of all your important files, to avoid the need to pay ransomware authors. Never open email attachments or software obtained from untrusted sources. Always keep your systems patched with the latest security fixes. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br/> <b>Tags:</b> Ransomware, Sage2.0, Spora</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.</p><p><a href="https://ui.threatstream.com/tip/8281" target="_blank"><b>NetWire RAT (Windows) Tool Tip</b></a><br/> Netwire is a Remote Access Trojan primarily used for data theft. However, the authors behind NetWire claim it's legitimacy as an espionage tool. The analyzed sample in this case masquerades as a directory, but is actually an executable (.exe) file.<br/> <b>Tags:</b> NetWire, RAT, Windows-Malware</p>