Anomali Weekly Threat Intelligence Briefing - May 2, 2017

May 2, 2017 | Gage Mele

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries of and links to the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Online Pet Retailer Leaked 110k+ Credit Card Details Months After Being Notified by Security Researchers (April 28, 2017)
Kromtech security researchers have published their findings regarding publicly available data belonging to customers of FuturePets. The exposed database contains sensitive information on over 190,000 customers: credit and debit card data (approximately 110,000 customers), email addresses, full names, home addresses, phone numbers, and plaintext passwords. Kromtech informed the company in November 2016; as of this writing, the insecure database has still not been fixed. The leak was caused by an rsync service configured to serve the data without any password protection.
Recommendation: Bank account and credit card numbers should be protected with the utmost care and used only with vendors you trust to keep your information in compliance with the relevant standards. Regular monitoring of financial accounts, together with identity protection and fraud prevention services, can help identify potential theft of data. Additionally, always use two-factor authentication when the feature is available.
Tags: Data leak, Insecure database
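The misconfiguration behind this leak can be caught before exposure by reading the rsync daemon's own configuration. The audit script below is an added example, not Kromtech's or FuturePets' code: it parses a constructed rsyncd.conf and flags modules that lack the `auth users`, `secrets file` or `hosts allow` parameters (all real rsyncd.conf options); the module and path names are invented.

```python
"""Audit an rsync daemon config for modules a remote client can pull with no password."""
import configparser
from typing import Dict, List

# Constructed sample (not FuturePets' real config): [customers] is exposed the way the
# story describes (no auth users, secrets file or hosts allow); [backup] is hardened.
SAMPLE_RSYNCD_CONF = """
uid = nobody
use chroot = yes

[customers]
path = /srv/db-exports
comment = nightly database dumps

[backup]
path = /srv/backup
auth users = backupbot
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.5.0/24
hosts deny = *
"""


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {option: value}} (option names lower-cased).

    Parameters before the first [module] are rsync globals that act as defaults for
    every module, which is exactly how configparser's default section behaves.
    """
    cp = configparser.ConfigParser(interpolation=None, default_section="__global__")
    cp.read_string("[__global__]\n" + text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit_modules(modules: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {module: [problems]}; modules with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, opts in modules.items():
        problems = []
        if "auth users" not in opts:
            problems.append("no 'auth users': anyone who reaches the daemon can pull this module")
        elif "secrets file" not in opts:
            problems.append("'auth users' set without 'secrets file': no password can be checked")
        if "hosts allow" not in opts:
            problems.append("no 'hosts allow': not restricted to known source networks")
        if opts.get("read only", "yes").strip().lower() in ("no", "false", "0"):
            problems.append("'read only = no': remote clients may also write to the path")
        if problems:
            findings[name] = problems
    return findings
```

Running `audit_modules(parse_rsyncd_conf(open("/etc/rsyncd.conf").read()))` on a real host gives the same per-module findings for its actual configuration.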

Banking Trojan Malspam – Subject: UPS Tracking Number for Shipment H6902644376 (April 28, 2017)
A malspam campaign has been identified that masquerades as an email from the United Parcel Service (UPS). The message claims that a package could not be delivered because nobody was present at the shipping address, and that further information about the delivery can be found in the attached .rar archive. The archive contains a .js downloader that installs a banking trojan.
Recommendation: Malspam is a constant threat used by malicious actors who continually change the themes of their messages to trick unsuspecting recipients. Anti-spam and antivirus applications provided by trusted vendors should always be used, in addition to caution while reading emails.
Tags: Malspam

TrickBot Is Hand-Picking Private Banks for Targets – With Redirection Attacks in Tow (April 27, 2017)
Actors behind the TrickBot banking trojan, which was first identified in the summer of 2016, have updated their malicious activity to include new redirection attacks, according to X-Force researchers. TrickBot is currently targeting private banks, private investment banking and private wealth management firms, as well as a retirement insurance and annuity company, located mostly in Australia and the U.K. The redirection attacks target the customers of specific institutions, sending them to a fake web page in order to steal their financial information.
Recommendation: Malware authors are constantly implementing new methods of communicating with their control servers and of stealing information. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Tags: Malware, Trojan

OS X Malware is Catching Up, and It Wants to Read Your HTTPS Traffic (April 27, 2017)
A new strain of Mac OS X malware capable of conducting Man-in-the-Middle (MiTM) attacks has been identified, according to Check Point researchers. The malware, dubbed "OSX/Dok," is being distributed via a phishing campaign that primarily targets Mac users in European countries. The phishing messages have been observed in English and German, and attempt to trick recipients by claiming that there are issues with their tax returns. The message directs the recipient to a zip file attachment which, if opened, begins executing the malware.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient open a file attachment should also be avoided.
Tags: Mac OS X, Malware

Over 85,000 Hacked RDP Servers Still Available for Sale on xDedic Marketplace (April 27, 2017)
The underground market called "xDedic," first uncovered by Kaspersky researchers in June 2016, has been observed to be selling access to approximately 85,000 compromised servers. Most of the servers were compromised via Remote Desktop Protocol (RDP) connections and are primarily located in Germany, Ukraine, and the United States, according to Flashpoint researchers.
Recommendation: Ensure that your servers are always running the most current software version. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Underground markets, Server Vulnerability

USPS-Themed Malspam Pushes Mole Ransomware and Kovter (April 26, 2017)
A malspam campaign has been identified impersonating the United States Postal Service via spoofed email addresses. The body of the message claims that the recipient's package has been delayed and provides a link to view the package's status and location. The link leads to a Word document that requests a plugin be downloaded to view the document properly; the malicious plugin then downloads malware onto the recipient's machine.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Ransomware

Former Expedia IT Support Worker Gets Prison Time for Hacking Exec's Emails, Insider Trading (April 26, 2017)
Jonathan Ty, a former Senior IT Technician at Expedia, has been sentenced to 15 months in prison and three years of supervised release for securities fraud. Ty used the network privileges that came with his position to read Expedia executives' emails and trade Expedia stock on what he learned. Ty continued his illegal activity even after leaving the company in 2015 by keeping an Expedia-issued laptop and making it appear that current employees were the ones accessing company devices.
Recommendation: Policies should be in place to monitor privileged accounts within your company's network, and only trusted individuals should have access to them. This story also serves as a reminder that any company-issued computer or device must be returned at the end of employment, or its access rights must be revoked immediately.
Tags: Insider threat

Auto Lender Exposes Loan Data for Up to 1 Million Applicants (April 26, 2017)
Researchers have discovered that misconfigured Amazon AWS S3 buckets left Personally Identifiable Information (PII) of automobile dealership customers around the U.S. publicly accessible. The files apparently belong to the automobile financing company "Alliance Direct Lending Corporation" and consist of credit scores, full names, home addresses, and purchase information such as the make, model, and year of the automobile. Researchers also found that some of the leaked files were audio confirmations in which loan applicants confirmed their date of birth, name, phone number, and social security number. Overall, the leaked data comprises 124 files, each containing five to ten thousand records; the estimated number of affected individuals is between 550,000 and one million.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place regarding the configurations your servers need in order to conduct your business safely. Furthermore, always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Data leak, Misconfigured server
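Both the bucket ACL and the bucket policy can make S3 objects public, so a configuration review has to check both. The checker below is an added example, not code from the researchers or from Alliance Direct Lending: it runs offline on constructed ACL and policy documents in the shape returned by the AWS GetBucketAcl and GetBucketPolicy calls, with placeholder bucket names, account ids and function names.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that expose objects publicly."""
import json
from typing import Any, Dict, List

# The two predefined S3 groups; any ACL grant to either of them is public.
GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP + "AllUsers": "anyone on the internet",
                 GROUP + "AuthenticatedUsers": "any AWS account holder"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
# Constructed sample in the shape of GetBucketAcl / GetBucketPolicy responses; bucket name
# and account id are placeholders, not Alliance Direct Lending's real configuration.
SAMPLE_ACL: Dict[str, Any] = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": GROUP + "AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-loan-files/*"},
    {"Sid": "OpsRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-loan-files/*"},
]})

def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Describe each ACL grant made to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            out.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return out

def wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, including "*" inside an AWS list."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy_json: str) -> List[str]:
    """Describe Allow statements granting read-type actions to any principal; ones with a Condition are flagged for review."""
    out = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        risky = [a for a in ([actions] if isinstance(actions, str) else actions) if a.lower() in READ_ACTIONS]
        if risky:
            note = " (has Condition: review whether it really limits readers)" if "Condition" in st else ""
            out.append(f"statement {st.get('Sid', '<no Sid>')} allows {', '.join(risky)} to everyone{note}")
    return out
```

Feed the functions the `Grants` list from a real GetBucketAcl response and the `Policy` string from GetBucketPolicy to review live buckets the same way.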

"Good Man" Campaign Rig EK Sends Latenbot (April 25, 2017)
Researchers have identified a malspam campaign called "Good Man" that is distributing Latenbot malware. Latenbot uses several layers of obfuscation such as hiding applications on a different desktop, and removing decrypted strings after use. Its primary objective is to steal information from an affected host.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided from trusted vendors should also be employed.
Tags: Malspam

New IoT Botnet Rises Feeding on Vulnerable Security Cameras (April 25, 2017)
Qihoo 360 researchers have discovered a new Internet of Things (IoT) botnet that is actively adding exposed webcams and IP cameras to its growing number of compromised devices. The scans used by this botnet were first identified by SANS researchers on April 16, but at the time they had not discovered the cause of the scans. The scans began soon after researcher Pierre Kim disclosed a vulnerability affecting approximately 1,250 camera models. The actors behind this botnet first used their compromised devices to launch a Distributed Denial-of-Service attack against the Russian bank RRDB on April 23.
Recommendation: This botnet takes advantage of internet-connected devices that have been misconfigured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring.
Tags: IoT, Vulnerabilities, Botnet

FalseGuide Misleads Users on Google Play (April 24, 2017)
A new strain of malware has been identified that spread through numerous applications in the Google Play Store, according to Check Point researchers. The researchers dubbed the malware "FalseGuide"; it appears to be attempting to build a mobile botnet. It is believed that the malicious applications were downloaded from the Google Play Store approximately two million times (Google has since removed them). The malware masquerades as guides for other mobile applications.
Recommendation: The list of affected applications is available online, and if any of them have been downloaded since November 2016 they should be removed as soon as possible.
Tags: Mobile, Malicious applications

Hancitor Malspam – Subject: RE: RE: Wrong Amount for Invoice (April 24, 2017)
A new malspam campaign has been identified that uses Rich Text Format (RTF) file attachments exploiting the Windows vulnerability CVE-2017-0199. The exploit infects email recipients with Hancitor as soon as they open the document, without macros needing to be enabled. After infection, Hancitor is capable of downloading additional malware of the actors' choosing.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam

Atlassian's HipChat Hacked, User Data and Private Messages Compromised (April 24, 2017)
The chat platform "HipChat" stated in a security notice that a "popular third-party" software library used by the service was breached by unknown actors. The actors were able to breach a HipChat server and steal customer account information. The stolen data consists of customer names, email addresses, and hashed passwords. It may have also been possible for actors to have stolen metadata associated with group chat rooms. At the time of this writing, it does not appear that any financial information has been stolen. Atlassian developers are currently working on an update for HipChat Server, as well as working with law enforcement to further investigate this incident.
Recommendation: Atlassian has reached out and informed users of accounts that may have been affected by this incident. It is advised for all HipChat users to change their passwords as soon as possible.
Tags: Breach

Blowout Card Notifies Customer After Card Fraud Reports Roll In (April 24, 2017)
On April 19, users began posting threads on a Blowout Cards forum regarding fraudulent charges that were occurring on their credit and debit cards. On April 24, Blowout Cards issued a statement that acknowledged that customers who used their shopping cart with credit and debit cards between January and April 20, 2017 are at risk of having their card data and Personally Identifiable Information (PII) stolen. The stolen information consists of credit and debit card numbers, card expiration dates, card verification codes, email addresses, and home addresses.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: Credit card theft

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

DIAMONDFOX Tool Tip
The DIAMONDFOX [aka GORYNYCH] Backdoor is a fully-featured and highly modular botnet client. It possesses a wide array of capabilities in addition to those common to most botnets and notably includes the capability to perform credit card harvesting from Point-of-Sale (POS) devices. DIAMONDFOX is readily available commodity crimeware and is sold on many underground forums. It was introduced in April 2015 and continues to be used in both targeted and opportunistic fashions.
Tags: DIAMONDFOX, Gorynych

About the Author

Gage Mele

Threat Intelligence Analyst
