Anomali Weekly Threat Intelligence Briefing - May 9, 2017

May 9, 2017 | Gage Mele

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Malware Warning for Mac Users, after HandBrake Mirror Download Server Hacked (May 8, 2017)
Researchers have discovered that the video transcoder application for macOS called "HandBrake" has been compromised. Users may be infected with the "Proton" malware if the application was downloaded between May 2 and May 6, 2017. Proton is capable of keylogging, stealing files, and taking screenshots. The compromised HandBrake application requests additional access via dialog boxes that prompt the user to authenticate by entering a password.
Recommendation: HandBrake is advising its users to check the SHA checksum of new versions downloaded from its mirror website to determine whether the compromised version was installed. As this story shows, it is important to understand which permissions an application will request from its users, because unusual requests can indicate malicious activity.
Tags: Compromise
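The checksum check recommended above, as an added example that is not part of the Anomali briefing or the HandBrake project: the script classifies a downloaded disk image by its SHA-256 digest. The two digest values are placeholders that must be replaced with the good and compromised hashes published by HandBrake; the filename is an assumption.

```shell
#!/bin/sh
# Added example: classify a downloaded HandBrake .dmg by SHA-256.
# Both digests are PLACEHOLDERS. Replace them with the values from
# HandBrake's own advisory before relying on the result.
KNOWN_GOOD_SHA256="<sha256 of the official HandBrake dmg from the vendor>"
KNOWN_BAD_SHA256="<sha256 of the trojanised dmg named in the HandBrake advisory>"

# Portable SHA-256: macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Prints good / compromised / unknown and returns 0 / 2 / 1 respectively,
# so the function can drive a script as well as a human reading the output.
classify_download() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    digest=$(sha256_of "$file" | tr 'A-F' 'a-f')
    case "$digest" in
        "$KNOWN_GOOD_SHA256") echo good;        return 0 ;;
        "$KNOWN_BAD_SHA256")  echo compromised; return 2 ;;
        *)                    echo unknown;     return 1 ;;
    esac
}

# Usage (assumed filename): classify_download ~/Downloads/HandBrake.dmg
```

A result of "unknown" means the file matches neither published digest and should not be installed until its origin is verified.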

Hackers Use Flaws in Telephony Core Protocol to Bypass 2FA on Bank Accounts (May 5, 2017)
The German newspaper "Süddeutsche Zeitung" published an article discussing how threat actors exploited vulnerabilities in the mobile network protocol Signaling System No. 7 (SS7). SS7 was first developed in 1975 and is used to route phone calls between different mobile providers. Cybercriminals were identified exploiting the protocol by using an SS7 hacking rig to interact with other telephony providers in order to intercept SMS messages. The intercepted messages were used to steal money from individuals' bank accounts.
Recommendation: Accounts protected by SMS-based authentication, even as a second factor, are at risk of interception by actors using this method. Therefore, organizations should take the necessary steps to implement authentication policies that do not rely on text messages, such as an authenticator mobile application provided by a trusted vendor, to avoid this vulnerability.
Tags: Vulnerability, Mobile

New Fatboy Ransomware-as-a-Service Advertised on Russian Hacking Forum (May 5, 2017)
A ransomware called "Fatboy" has been identified being advertised on Russian-speaking forums as a Ransomware-as-a-Service (RaaS). Interestingly, the RaaS calculates the payment for the decryption key by using the Big Mac Index (McDonald's Index) combined with the victim's IP address and country of origin. Fatboy uses AES-256 to encrypt all files on a Windows machine with individual keys, and then encrypts each key with RSA-2048.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware, RaaS

Dridex and Locky Return Via PDF Attachments in Latest Campaigns (May 4, 2017)
The Dridex banking trojan and Locky ransomware have resumed their large-scale spam distribution campaigns after declining in late 2016, according to FireEye researchers. Both malware families are being distributed via malspam emails that contain a PDF file purporting to be a payment receipt and are primarily targeting the insurance sector in the U.S. A second malspam campaign was also identified to be distributing Dridex and Locky using PDF attachments claiming to be a printer alert for a scanned document. This campaign primarily targets government entities in Japan, the Middle East, and the U.S.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient open a file attachment should be treated with suspicion.
Tags: Malspam, Malware

WordPress Admins Take Note: RCE and Password Reset Vulnerabilities Revealed (May 4, 2017)
Security researcher Dawid Golunski has published his findings regarding two vulnerabilities that affect WordPress websites. One, CVE-2016-10033, can be exploited to achieve remote code execution. The second, CVE-2017-8295, can be exploited to reset the passwords of WordPress accounts. At the time of this writing, WordPress has not confirmed that CVE-2017-8295 has been patched.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Vulnerability, Website

Positive Technologies Discovers Vulnerability in ATM Security Software (May 3, 2017)
A vulnerability has been identified in the technology company GMV's Check ATM security software, according to Positive Technologies researchers. The vulnerability can be exploited by actors posing as the ATM's control server, which could be accomplished via ARP packet poisoning. Then, during the ATM's process of generating a public key for traffic encryption, an attacker can cause a buffer overflow that could allow full remote control over the ATM.
Recommendation: ATMs are a specialized type of computer, and their security relies on the same kind of preventative measures as any other. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation. Additionally, the latest security patches should be applied as soon as they become available.
Tags: Vulnerability, ATM

All Your Googles are Belong to Us: Look Out for the Google Docs Phishing Worm (May 3, 2017)
A widely circulated email claiming to invite the recipient to share access to a Google Docs document has been identified distributing a worm. The phishing attack directs the recipient to a fake web page impersonating the Google sign-in page. If a user enters their credentials, the worm steals all of the user's contacts and sends phishing emails to them as well. Google has since shut down the domains associated with this phishing campaign.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks, specifically how to identify such attacks and whom to contact if a phishing email is identified.
Tags: Phishing

SuperCMD RAT (May 3, 2017)
RSA researchers have discovered a new Remote Access Trojan (RAT) dubbed "SuperCMD" that is capable of installing legitimate Novell Client drivers into the Windows kernel. The RAT does so by first installing said drivers in the "C:\Windows\System32\" directory, and then using a privilege escalation vulnerability in those drivers, CVE-2013-3956, to gain more control over the infected machine. The drivers act as a rootkit that filters TCP/IP connection data in order to remain hidden, and they download additional information-stealing malware selected according to the affected machine's operating system version.
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. A baseline of normal traffic makes it easier to spot unusual connections to and from your network and thereby identify potentially malicious activity.
Tags: Malware, RAT

WhatsApp Malspam – Subject Missed Voice Message (May 3, 2017)
A new malspam campaign has been discovered to be impersonating alerts from the message application "WhatsApp." The email purports that a voicemail has been missed and provides a link to a zip file to play the message. If the zip file is downloaded, malware will be installed on to the recipient's machine.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient open a file attachment should be treated with suspicion.
Tags: Malspam

Konni: A Malware Under the Radar for Years (May 3, 2017)
Talos researchers have discovered a previously unknown Remote Administration Tool (RAT) that is believed to have been in use for over three years. During those years, the actors have continually updated the malware. Konni's capabilities consist of arbitrary code execution, keylogging, information stealing, and taking screenshots. Konni has been observed being distributed primarily via phishing emails that trick recipients into opening a .scr file, which displays a decoy document while the malware executes in the background.
Recommendation: All employees should be educated on the risks of phishing and how to identify such attempts. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware

Breach at Sabre Corp.'s Hospitality Unit (May 2, 2017)
The travel technology company Sabre Corporation has stated that it identified unauthorized access to payment and customer data associated with lodging establishments. The breached system is reported to be Sabre's Hospitality Solutions SynXis Reservation system, advertised as Software-as-a-Service, which is used by approximately 32,000 companies. Sabre stated that it engaged the security firm Mandiant to assist in the investigation and that the unauthorized access has been shut off. A significant number of individuals may be at risk of credit card and identity theft because of the large number of potentially affected companies. As of this writing, it is unknown how many companies and individuals may be affected.
Recommendation: POS networks should be carefully monitored for unusual activity, so keeping logs of what typical network activity looks like is very important. In the case of strange activity, taking POS systems offline and rebuilding them is a safe remediation step that helps avoid possible loss of reputation, or lawsuits by individuals who had their credit card information stolen and possibly used by cybercriminals.
Tags: Breach

Hancitor Malspam – Subject: Your Online Bill is Available (May 2, 2017)
Researchers have identified that actors behind Hancitor malspam campaigns have begun to impersonate Verizon Wireless. The email purports that a bill is now available to be paid and provides a link for the recipient to follow to make the payment. The link directs a recipient to a Word document that requests macros be enabled to properly view the document but will instead execute a process to download malware.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam

DDoS Attacks: $100,00 per Hour is at Risk During Peak Revenue Generation Periods (May 2, 2017)
Neustar security researchers and the market research company Harris Interactive have conducted a study on Distributed Denial-of-Service (DDoS) attacks. They concluded that, overall, the scale of DDoS attacks is increasing, with 45% of the attacks being more than 10 gigabits per second (Gbps) and 15% at approximately 50 Gbps in 2016. Additionally, it was discovered that 43% of companies that stated they had been targeted with DDoS attacks reported an hourly revenue loss of approximately $250,000. Furthermore, 51% of the companies average a three-hour response time to such attacks.
Recommendation: Denial of service attacks can cost your company revenue because severe attacks can shut down online services for extended periods of time. Since the leak of the Mirai botnet source code in October 2016, the ease with which threat actors can compromise vulnerable devices and purchase DDoS-for-hire services has made this a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: DDoS

New Version of the CryptoMix Ransomware Using the Wallet Extension (May 1, 2017)
Security researcher Robert Rosenborg has discovered a new variant of the CryptoMix ransomware dubbed "Wallet." At the time of this writing, it is unknown how the malware is being distributed; however, researchers did identify that this variant appends the ".WALLET" extension to the files it encrypts. CryptoMix will also search unmapped network shares for additional files to encrypt with AES. The ransomware launches its encryption process if a user clicks the "OK" button on a fake alert box that claims memory could not be read.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications that are not offered from the website of the official provider/developer.
Tags: Ransomware

Malware Author Inflates Backdoor Trojan with Junk Data Hoping to Avoid Detection (May 1, 2017)
An actor called "123," believed to have been active since 2015, has been identified injecting megabytes of junk data into malicious payloads in an attempt to avoid detection. Researchers believe that this actor has created three malware families called "XXMM," "ShadowWali," and "Wali." This actor and the associated malware have primarily targeted Japanese companies.
Recommendation: Threat actors are always innovating new methods of distributing their malware and communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Tags: Malware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cybercriminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware

About the Author

Gage Mele

Threat Intelligence Analyst