Anomali Weekly Threat Intelligence Briefing - March 14, 2017

March 14, 2017 | Anomali Labs

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Hancitor Malspam - Fake Delta Airlines Emails (March 6, 2017)
A new malicious spam (malspam) campaign has been discovered impersonating several different companies, including Delta Airlines, USPS, and ADP. The malspam emails often claim that the recipient's credit card has been changed, and the recipient is instructed to follow a link to download various attachments. If the link is followed, a Word document is downloaded that infects the Windows user with Hancitor malware. Hancitor then reaches out to a C2 server to download an additional malware payload as instructed, such as the information stealer called "Pony."
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Hancitor

Eitest Hoeflertext Chrome Popup Leads to Spora Ransomware (March 6, 2017)
Threat actors are once again compromising legitimate websites and altering them in order to display malicious pop-ups to Google Chrome users. The pop-ups are using previously observed techniques to trick Google Chrome users into downloading malware by claiming that the "Hoeflertext" font is missing. The pop-up states that Chrome requires an update in order to view it. If the download is completed the user will be infected with Spora ransomware.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: EITest, Spora, Ransomware

Chinese Technology Firm Dahua is Patching Backdoors in DVRs, IP Cameras (March 7, 2017)
Proof-of-concept code has been released by an independent researcher known as Bashis for what he believes is a backdoor in Dahua Technology DVRs, CCTVs, and IP cameras. Dahua then contacted Bashis and requested that the proof of concept be removed, and the researcher complied. The vulnerability, classified as a backdoor, allows a remote attacker to manipulate administrator credentials and download a configuration file. Dahua has since released firmware updates for three DVRs and eight IP cameras.
Recommendation: Your company should maintain alerts on organizations whose products are in use to assist in ensuring that the latest and most secure versions are implemented.
Tags: Backdoor, Zero day

Payments Giant Verifone Investigating Breach (March 7, 2017)
According to researchers, Verifone, the largest credit card terminal manufacturer in the U.S., had its corporate network breached. On January 23, 2017, the company sent out an internal email telling its employees and contractors that they had 24 hours to change their passwords. Verifone stated that "the cyber attempt limited to controllers at approximately two dozen gas stations, and occurred over a short time frame."
Recommendation: POS networks should be carefully monitored for unusual activity, so keeping logs of what typical network activity looks like is very important. In the case of strange activity, taking POS systems offline and repopulating them is a safe remediation step. This can help avoid loss of reputation, or lawsuits by individuals who had their credit card information stolen and possibly used by cybercriminals.
Tags: POS, Malware, Breach

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings (March 7, 2017)
FireEye researchers have discovered a spear phishing campaign that is targeting employees of the United States Securities and Exchange Commission (SEC). FireEye identifies the group responsible for this campaign as "FIN7," and the group is spoofing SEC email addresses to distribute malicious document attachments. The documents will drop a malicious Visual Basic script that installs a PowerShell backdoor, which is believed to be a newly identified malware family that has been dubbed "Powersource." At the time of this writing, FIN7's objective in this campaign is unknown, however the group has been known to steal financial information.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: APT, Spear Phishing

RawPOS Malware Rides Again (March 8, 2017)
Cylance researchers have discovered a new variant of the RawPOS malware, which was first identified in 2008, that scrapes memory to steal financial data. Interestingly, three previously observed functions in RawPOS were found to be missing, and two new functions were added. Other functions were also moved to different locations. These actions taken by threat actors appear to be attempts to avoid antivirus detection.
Recommendation: While the specific target countries and entities have not been mentioned, this story does serve as a reminder that actors are consistently looking for new ways for their malware to avoid detection. Therefore, it is crucial that all POS networks be closely monitored for unusual activity. In the case of a RawPOS infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage.
Tags: POS, Malware

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks (March 8, 2017)
The threat actors behind the Cryptolocker ransomware have updated their malware with new features, according to Cisco researchers. Cryptolocker is now using Tor2Web gateways to make it easier for its victims to pay the ransom in Bitcoins, and it now relies on Tor servers as backups in case the SSL servers are unreachable. Additionally, this new campaign has increased its efforts to display its ransom notes and payment instructions in a more "user friendly" format. The ransomware requests 0.976023 Bitcoins ($1,188) to decrypt files that have been encrypted with the AES-CBC algorithm.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: CryptoLocker, Ransomware

Samas RansomWorm: The Next-Gen Ransomware That Stole $450,000 (March 9, 2017)
The Samas ransomware has been upgraded by its creators, according to researchers. This new variant acts like a worm and moves laterally across a network to target all connected machines for encryption. The attackers first target front-facing servers with known vulnerabilities such as CVE-2010-0739. Next, Samas compromises one machine and then attempts to steal administrator credentials using the Mimikatz tool as well as the Bladabindi and Derusbi trojans. Once administrator credentials have been stolen, Samas queries Active Directory to further propagate itself on the network.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Samas, Ransomware

Preinstalled Malware Targeting Mobile Users (March 10, 2017)
Approximately 38 Android devices belonging to an unnamed telecommunications and technology company were identified to have malware installed on them, according to Check Point researchers. Interestingly, it was discovered that the malware was not downloaded onto the mobile devices; rather, the malware had always been present. In some instances, researchers found the information-stealing Loki malware and Slocker ransomware on the affected devices.
Recommendation: Pre-installed malware can hide from even the most cautious of users; if the devices listed here are being used by your company, they should be properly wiped and restored. Additionally, it is important that mobile devices connecting to corporate and personal networks have trusted antivirus software installed that is always kept up to date.
Tags: Malware, Android

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cyber criminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware
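The file-renaming behaviour noted in the tool tip above is something a SOC can detect from file-activity telemetry. The following is an added example, not Anomali's code or a ThreatStream feature: it parses constructed file-event log lines (the hosts, users and paths are invented) and flags a host that renames several files to .locky or .zepto within a short window, so that one stray encrypted file does not alert but an encryption burst does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions Locky appends to encrypted files, as noted in the tool tip.
LOCKY_EXTENSIONS = (".locky", ".zepto")

# Constructed sample file-activity log (not real telemetry); hosts, users and
# paths are invented for this example.
SAMPLE_LOG = r"""
2017-03-10T09:00:01 host=WS12 user=alice op=rename dst=C:\Users\alice\Docs\D56F0A12.locky
2017-03-10T09:00:02 host=WS12 user=alice op=rename dst=C:\Users\alice\Docs\D56F0A13.locky
2017-03-10T09:00:02 host=WS12 user=alice op=rename dst=C:\Users\alice\Docs\D56F0A14.locky
2017-03-10T09:00:03 host=WS12 user=alice op=create dst=C:\Users\alice\Docs\_HELP_instructions.html
2017-03-10T09:00:04 host=WS12 user=alice op=rename dst=C:\Users\alice\Docs\D56F0A15.zepto
2017-03-10T09:30:00 host=WS07 user=bob op=rename dst=C:\Users\bob\old\notes.locky
2017-03-10T11:15:00 host=WS07 user=bob op=rename dst=C:\Users\bob\old\report.zepto
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) dst=(?P<dst>.+)$"
)

def parse_event(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev

def detect_locky_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Map host -> number of Locky-extension renames seen inside one sliding window,
    reported only for hosts that reach `threshold` renames within `window`."""
    renames = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["op"] == "rename" and ev["dst"].lower().endswith(LOCKY_EXTENSIONS):
            renames[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = end - start + 1
    return alerts
```

Running `detect_locky_bursts(SAMPLE_LOG.splitlines())` on the constructed log flags WS12 (four renames in three seconds) and ignores WS07, whose two renames are hours apart.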

About the Author

Anomali Labs