Weekly Threat Briefing: Google Researchers Discover Malicious Websites Hacking iPhones for Years

The intelligence in this week’s iteration discusses the following threats: CamScanner, Data Breaches, FIN6, iPhone Hacking, Quasar RAT, Retadup Botnet, REvil Ransomware, TA505, and TrickBot. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

The financially motivated threat group “TA505” was first reported on by Proofpoint researchers in December 2017. Malicious activity attributed to the Russian-speaking group dates back to at least 2014, and the campaigns conducted by TA505 have targeted entities and individuals around the world. The group distributes a variety of malware: well-known strains (Dridex banking trojan, Locky ransomware), custom-created malware (Jaff ransomware, tRAT), and variants of legitimate remote access tools (Remote Manipulator System). The group primarily distributes its malware and tools via large-scale, indiscriminately distributed malspam campaigns, often through the “Necurs” botnet, using malicious attachments or links. The incorporation of new malware, the creation of custom malware, and the use of advanced tactics, such as the removal of malware artifacts, indicate that this group is a sophisticated and likely well-funded threat. The group is innovative and shows the flexibility to pivot to other techniques and malware trends on a global scale.
FIN6 is a financially motivated threat actor observed active as early as 2014. Public information on this group is limited, but reports from FireEye contend that FIN6 is focused on the theft of credit card data that is then offered for sale on underground marketplaces. Researchers report that the group has successfully stolen payment data from more than 10 million credit cards. Public visibility of FIN6 intrusions is limited, so the group’s initial attack vectors are largely unknown. FireEye researchers believe that the group purchases previously stolen account credentials and access to compromised victim systems on underground forums. Otherwise, like many other threat actors, the group may employ typical phishing schemes to harvest credentials and deploy malware.
