Anomali Weekly Threat Intelligence Briefing - March 7, 2017

March 7, 2017 | Gage Mele

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

RATANKBA: Delving into Large-scale Watering Holes against Enterprises (February 27, 2017)
In early February, a new strain of malware named "Ratankba" was observed targeting Polish banks, as well as financial institutions in Mexico and the U.K. Trend Micro researchers have now identified that the campaign is not limited to financial entities: the malware has also been seen targeting organizations involved in aviation, education, information technology, insurance, management consulting, and telecommunications in Asia-Pacific countries (China, Hong Kong, and Taiwan). The attacks are conducted via watering holes, compromising websites most visited by the intended targets and redirecting visitors to exploit kits that deliver the malware.
Recommendation: Security and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security and hijack them to deliver malware to their visitors. Malicious web injections, for instance, leverage exploits that enable attackers to gain footholds in the system. An organization's best defense is to regularly apply the latest patches, and to routinely scan and examine traffic that traverses the enterprise network, which enables prompt incident response and remediation.
Tags: malware, watering hole, phishing

Google Discloses Another "High Severity" Microsoft Bug (February 27, 2017)
Researchers at Google have discovered another high-severity Microsoft Windows bug, this time in Microsoft's flagship Edge and Internet Explorer browsers. The vulnerability was identified by Ivan Fratric of Google Project Zero, who disclosed it to Microsoft on Nov. 25. Potentially allowing remote code execution, this bug adds to the growing list of high-profile issues Microsoft has yet to address, having notably skipped last month's usual patch release.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network-based as well as host-based detection and prevention systems where possible. Apply patches in as timely a manner as possible.
Tags: zero day, microsoft, edge, internet explorer

ESET Antivirus Opens Macs to Remote Code Execution (February 27, 2017)
The Google Security Team has discovered two vulnerabilities in ESET antivirus for macOS, one of which could allow attackers to remotely execute code via malformed XML content. The first, "CVE-2016-9892", stems from the "esets_daemon" being statically linked with an outdated version of the POCO XML parser library. The POCO version in use (2.0.1) contains the publicly known XML parsing vulnerability "CVE-2016-0718", which allows the aforementioned remote code execution via malformed XML content.
Recommendation: Always keep your software up-to-date with the latest versions because all software has the potential to be exploited by attackers and therefore must be maintained as well as possible.
Tags: antivirus, macOS

The Gamaredon Group Toolset Evolution (February 27, 2017)
A new threat group dubbed the "Gamaredon Group" is distributing new, custom malware and is also believed to be behind "Operation Armageddon", a campaign targeting the Ukrainian military and national security sector, according to Unit 42 researchers. The detection of new tools and malware indicates growing sophistication in the group, which has been active since at least 2013. The new campaign targets individuals with phishing attacks that use fake documents on Ukrainian topics such as the Anti-Terrorist Zone, national security and defense, patriotism, and the presidential administration.
Recommendation: Organizations should ensure all employees are trained to identify phishing attacks and should consistently monitor for malicious activity on their networks. Keeping antivirus software up-to-date and utilizing the latest threat intelligence will assist in making threats easier to remediate, and therefore less likely to cause harm, by being able to identify new Tactics, Techniques, and Procedures (TTPs) used by threat actors.
Tags: threat group, malware, exploit kit

Severe SQL Injection Flaw Discovered in WordPress Plugin with Over 1 Million Installs (February 28, 2017)
There is a vulnerability in the popular WordPress plugin "NextGEN Gallery" that could allow an attacker to steal data from a website, according to researchers. The SQL injection vulnerability is reachable in two different configurations: first, if the NextGEN Basic TagCloud Gallery is activated, and second, if the website is open for blog post submissions. WordPress does offer a patch to fix these issues, but the patch was not described as security-relevant and was labeled simply as "Changed: Tag display adjustment" in V2 - 02.20.2017.
Recommendation: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: WordPress, SQL injection, defacement

Dridex's Cold War: Enter AtomBombing (February 28, 2017)
The notorious Dridex banking trojan has undergone a significant upgrade and is currently targeting banks in Europe, according to IBM researchers. The new version, dubbed Dridex V4, is mostly targeting banks in the U.K. Dridex now uses the AtomBombing injection technique, which abuses the Windows atom table and the native API NTQueueAPCThread to copy a payload into a read-write memory region of the target process. A return-oriented programming chain then allocates memory, after which the payload is copied there and executed.
Recommendation: The best defense against malware like Dridex starts with an educated organization that empowers users to use the web safely. Policies should be in place to prevent malicious code from reaching devices, both at the network level as well as on the devices themselves. Multiple overlapping layers of security (defense in depth) should be practiced in order to prevent attacks at all levels. In the case of Dridex infection, the affected system must be wiped and restored, and all information contained on that device should be considered publicly disclosed. Passwords should be reset, and all accounts should be monitored for fraud.
Tags: malware, dridex, atombombing

Google Play Apps Infected with Malicious Iframes (March 1, 2017)
According to researchers, approximately 132 applications in the Google Play store have been found to be malicious. The applications, which Google has since removed, contained hidden iframes in their HTML pages that linked to malicious domains. One of the most popular of these applications had been downloaded more than 10,000 times. Researchers contend that the malicious components may not have been created by the application developers themselves; rather, the development platforms used by the developers were infected.
Recommendation: Organizations sometimes overlook mobile devices as a potential attack vector that can be exploited by cybercriminals. With mobile malware continually evolving, it is important that your employees are educated on the risks associated with mobile devices on corporate networks. Education and up-to-date anti-virus software are necessary steps in securing the internet of things.
Tags: Mobile, malware, Android
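The finding above (hidden iframes in an app's bundled HTML pointing at external domains) is the kind of thing a build pipeline or app-vetting step can check for mechanically. The scanner below is an added example, not code from the briefing or from the researchers' analysis: it parses HTML with the Python standard library, collects every iframe, marks it hidden if it is zero-sized, CSS-hidden, or nested inside a CSS-hidden element, and reports the hidden ones whose src host is outside the app's own domain. The sample page and the domains in it are constructed for the demonstration.

```python
"""Flag hidden iframes that point off-site in packaged HTML assets (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one visible, same-domain iframe and one hidden off-site iframe.
SAMPLE_HTML = """
<html><body>
<h1>Help page</h1>
<iframe src="https://example-app.invalid/help" width="600" height="400"></iframe>
<div style="display:none">
  <iframe src="http://malicious.invalid/track" width="0" height="0"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never get a closing tag, so they must not take part in the nesting stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class IframeCollector(HTMLParser):
    """Collect (src, hidden) for every iframe, tracking CSS-hidden ancestors."""

    def __init__(self):
        super().__init__()
        self.stack = []     # one bool per open element: is it styled as hidden?
        self.iframes = []   # list of (src, hidden)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style_hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            zero_size = any(a.get(dim, "").strip().lower().rstrip("px") == "0"
                            for dim in ("width", "height"))
            hidden = style_hidden or zero_size or any(self.stack)
            self.iframes.append((a.get("src", ""), hidden))
        if tag not in VOID_TAGS:
            self.stack.append(style_hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_suspicious_iframes(html, own_domain):
    """Return (src, reason) for iframes that are hidden AND load from a foreign host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for src, hidden in parser.iframes:
        host = (urlparse(src).hostname or "").lower()
        same_site = host == own_domain or host.endswith("." + own_domain)
        if hidden and host and not same_site:
            findings.append((src, f"hidden iframe loading from external host {host}"))
    return findings


if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_HTML, "example-app.invalid"):
        print(f"{reason}: {src}")
```

Run against the sample it reports only the zero-sized iframe inside the display:none div; the visible help frame on the app's own domain is ignored. In a real pipeline you would feed it every HTML file in the app's assets and treat any hit as a blocker, since a legitimate app rarely needs an invisible frame to a third-party host.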

CryptoLocker Ransomware is Back with Campaigns Targeting Europe (March 1, 2017)
The CryptoLocker malware has made a resurgence after having been relatively quiet since the middle of 2015. The ransomware is now largely targeting European countries, with a specific focus on Italy. CryptoLocker is distributed via spam/phishing emails that use Italy's Posta Elettronica Certificata, which has the same legal value as a registered letter, and masquerades as an invoice with a .js file attachment.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, and how to identify such attempts and inform the appropriate personnel when they are identified. In the case of CryptoLocker infection, the affected system should be wiped and reformatted; avoiding paying the cyber criminals is paramount. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: CryptoLocker, ransomware, malware

Online Shops Plundered by Bank Card-Stealing Malware After Backend Aptos Hacked (March 1, 2017)
Customers of the commerce cloud platform provided by Aptos, a company based in Atlanta, GA, began reaching out to researchers after they identified that their websites were infected with malware. The incident began when Aptos' retail services servers were infected with malware from February to December of 2016. The malware was capable of stealing credit card data such as card numbers and card expiration dates, along with home addresses, email addresses, full names, and phone numbers. Aptos claims that the delay in informing its customers of the breach was at the request of federal law enforcement.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users take their money elsewhere.
Tags: ecommerce, card fraud

Dot Ransomware: Yet Another Commission-Based Ransomware-as-a-Service (March 2, 2017)
A new ransomware service called "Dot" is being advertised on underground markets, according to Fortinet researchers. The Ransomware-as-a-Service (RaaS) can be downloaded for free, with the caveat that all ransoms are split 50/50 with the developers. The actors even provide instructions on how to set up and build the ransomware, as well as how to create a Bitcoin wallet for the illicitly gained funds.
Recommendation: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
Tags: Ransomware, malware

DDoS Attack Pummels Luxembourg State Servers (March 2, 2017)
The government of Luxembourg has been targeted with a significant distributed denial-of-service (DDoS) attack beginning on February 27, 2017. Over 100 government servers were affected by the attack that lasted over 24 hours. At the time of this writing, it is unknown who is behind the attack, or what the attackers' possible motivations could be.
Recommendation: Denial of service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time. Since the leak of the Mirai botnet source code in October, the ability of threat actors to compromise vulnerable devices and to purchase DDoS-for-hire services has made this a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: DDoS, government

Bye Empire, Hello Nebula Exploit Kit (March 2, 2017)
Researchers have discovered cyber criminals advertising a new exploit kit called "Nebula" on underground marketplaces. The exploit kit is advertised as having multiple features such as automatic domain scanning and generation, multiple payload file types, and remote file support, among others. The exploit kit is subscription-based, with three tiers available: 24 hours for $100, seven days for $600, and 31 days for $2,000.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network-based as well as host-based detection and prevention systems where possible. In the case of Nebula infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.
Tags: Nebula, exploit kit, malware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages and first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files containing JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with a .locky or .zepto extension.
Tags: Locky, Ransomware
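Both the CryptoLocker story above (an "invoice" carrying a .js attachment) and the Locky tool tip (Zip files that extract JavaScript loaders) come down to the same mail-gateway check: script files arriving as attachments, either directly or inside an archive. The inspector below is an added example and not code from the briefing or from any vendor product. It parses a MIME message with the Python standard library, lists its attachments, flags filenames with a Windows script extension (noting double extensions such as .pdf.js), and opens any zip attachment in memory to look for script members. The message, filenames and attachment contents are constructed here for the demonstration; nothing is fetched or executed.

```python
"""Flag script attachments, including scripts nested in zip archives (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions that Windows will run as a script when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTS = {".zip"}


def build_sample_message() -> bytes:
    """Construct a phishing-style message (Italian 'invoice' lure) with two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example-sender.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Fattura n. 1234"
    msg.set_content("In allegato la fattura.")
    # Direct .js attachment hiding behind a .pdf double extension (constructed, inert text).
    msg.add_attachment(b"// constructed placeholder, not a real loader\n",
                       maintype="application", subtype="javascript",
                       filename="Fattura_1234.pdf.js")
    # Zip attachment whose member list contains a .js file (constructed, inert text).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/Invoice_5678.js", "// constructed placeholder\n")
        zf.writestr("invoice/readme.txt", "nothing to see\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_5678.zip")
    return msg.as_bytes()


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, e.g. 'A.pdf.JS' -> '.js'."""
    return PurePosixPath(name.lower()).suffix


def inspect_attachments(raw: bytes):
    """Return a list of (attachment_name, finding) for attachments a gateway should hold."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTS:
            detail = f"script attachment ({ext})"
            if len(PurePosixPath(name).suffixes) > 1:
                detail += ", double extension"
            findings.append((name, detail))
        elif ext in ARCHIVE_EXTS:
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in SCRIPT_EXTS:
                            findings.append((name, f"archive contains script {member}"))
            except zipfile.BadZipFile:
                # A corrupt or disguised archive is itself worth a look.
                findings.append((name, "unreadable zip archive"))
    return findings


if __name__ == "__main__":
    for name, finding in inspect_attachments(build_sample_message()):
        print(f"{name}: {finding}")
```

On the constructed message this yields two findings: the .pdf.js attachment (flagged as a script with a double extension) and the zip whose member list contains a .js file. The check deliberately looks only at names and archive listings, which is cheap and safe at a gateway; password-protected or nested archives, and Word documents with macros, need separate handling.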

About the Author

Gage Mele

Threat Intelligence Analyst
