Weekly Threat Briefing: IRS Alerts Taxpayers to New Email Scam

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>Adware, Data theft, Impersonation Phishing, Ransomware, Targeted attacks, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.darkreading.com/risk/irs-alerts-taxpayers-to-new-email-scam/d/d-id/1335642" target="_blank"><b>IRS Alerts Taxpayers to New Email Scam</b></a> (<i>August 26, 2019</i>)<br/> The US Internal Revenue Service (IRS) has issued an alert regarding an active phishing campaign from unknown threat actors. The actors are impersonating the IRS in emails that utilize subject lines such as “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder.” The emails contain attachments that have temporary or one-time passwords to “access the files to submit the refund.” The objective of this campaign appears to be to infect users with keylogger malware.<br/> <a href="https://forum.anomali.com/t/irs-alerts-taxpayers-to-new-email-scam/4121" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/" target="_blank"><b>Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities</b></a> (<i>August 23, 2019</i>)<br/> Exploiting old vulnerabilities in Microsoft Office, and Adobe, threat actors are utilizing a variant of the “Asruex” malware as an infector. The vulnerabilities, CVE-2012-0158 and CVE-2010-2883, allow for remote execution of arbitrary code via a Word document, and PDF document. Asruex, a malware with backdoor capabilities, infects through a shortcut file with a PowerShell download script, spreading through phishing emails. Once executed the malware performs checks to determine whether a sandbox is being used. If the system passes the checks, it will exploit the vulnerabilities and enable remote attackers to execute arbitrary code.<br/> <a href="https://forum.anomali.com/t/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnearbilities/4122" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p><p><a href="https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/" target="_blank"><b>First-of-Its-Kind Spyware Sneaks Into Google Play</b></a> (<i>August 22, 2019</i>)<br/> ESET researchers have identified a malicious Android application that was able to get into the Google Play store two times. The application, called “Radio Balouch,” has fully functioning music-streaming capabilities for Balochi music fans, however, the primary objective of the application is to steal Personally Identifiable Information (PII). The actors behind Radio Balouch utilized the open-source Remote Access Tool (RAT) code of “AhMyth” for their app’s data-stealing functionalities. At the time of this writing, Radio Balouch has been removed from Google Play, for the second time, but is still available on an associated Instagram account, third-party stores, and a website. The malicious application is capable of stealing contacts and device-stored information, as well as sending SMS messages from the infected device.<br/> <a href="https://forum.anomali.com/t/first-of-its-kind-spyware-sneaks-into-google-play/4123" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260117">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a> | <a href="https://ui.threatstream.com/ttp/1260053">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data in Device Logs - T1413</a> | <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a></p><p><a href="https://www.zdnet.com/article/uk-cybersecurity-agency-warns-devs-to-drop-python-2-due-to-looming-eol-security-risks/" target="_blank"><b>UK Cybersecurity Agency Warns Devs to Drop Python 2 Due to Looming EOL Security Risks</b></a> (<i>August 22, 2019</i>)<br/> The UK National Cyber Security Center (NCSC) has issued a warning to developers to migrate to Python 3 if they are still using Python 2. As one of the most popular programming languages, Python 2 still remains popular among developers and therefore it is important that companies and individuals update if they have not already. With support for Python 2 ending January 1, 2020, vulnerabilities will remain unpatched and could leave an organization open to potential attacks.<br/> <a href="https://forum.anomali.com/t/uk-cybersecurity-agency-warns-devs-to-drop-python-2-due-to-looming-eol-security-risks/4124" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/2402693">[MITRE PRE-ATT&amp;CK] Identify vulnerabilities in third-party software libraries - T1389</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a></p><p><a href="https://www.bleepingcomputer.com/news/security/pokertrackercom-hacked-to-inject-payment-card-stealing-script/" target="_blank"><b>PokerTracker.com Hacked to Inject Payment Card Stealing Script</b></a> (<i>August 21, 2019</i>)<br/> An attack by the financially-motivated threat groups referred to by the umbrella term “Magecart,” was identified and subsequently blocked, according to a user on Malwarebytes’ forum. Malwarebytes researchers analyzed the the submitted log file and found the blocked domain was hosting a credit card skimmer believed to be associated Magecart. The poker software, which users use to improve their odds, connects to a subdomain of PokerTracker, where the Magecart injected their script, into and users’ payment details copied. Due to PokerTracker using an outdated version of Drupal, the compromise was able to occur.<br/> <a href="https://forum.anomali.com/t/pokertracker-com-hacked-to-inject-payment-card-stealing-script/4125" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/phishing-attacks-scrape-branded-microsoft-365-login-pages/" target="_blank"><b>Phishing Attacks Scrape Branded Microsoft 365 Login Pages</b></a> (<i>August 21, 2019</i>)<br/> A new phishing campaign is targeting victims using their company-branded Microsoft 365 login pages. To further increase the appearance of legitimacy, the actors use Microsoft Azure Blob Storage and Azure Web Sites cloud storage, as they will sign the user in with an SSL certificate from Microsoft. The threat actors check their email addresses against lists of validated email addresses scraping the targets’ into the phishing landing page to get the target’s company-branded login form. The campaign, apparently still active, is targeting users from multiple sectors including finance, energy, insurance, medical, and telecommunications.<br/> <a href="https://forum.anomali.com/t/phishing-attacks-scrape-branded-microsoft-365-login-pages/4126" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a></p><p><a href="https://www.bleepingcomputer.com/news/security/second-steam-zero-day-impacts-over-96-million-windows-users/" target="_blank"><b>Second Steam Zero-Day Impacts Over 96 Million Windows Users</b></a> (<i>August 21, 2019</i>)<br/> Russian security researcher, Vasily Kravets, has identified a second zero-day vulnerability in the Steam Windows client. The vulnerability is a privilege escalation that could allow an attacker to use Bait-and-Switch, a technique for attackers to run executables with limited rights, compromising the system and running a malicious payload. With a user-base of over 100 million, approximately 96 million users are affected by this vulnerability. Kravets reported the vulnerability to Valve, who banned him from their HackerOne bug bounty program. In responding to the vulnerability, Valve recognized they had made a mistake in turning away Kravets.<br/> <a href="https://forum.anomali.com/t/second-steam-zero-day-impacts-over-96-million-windows-users/4127" target="_blank">Click here for Anomali recommendation</a>.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a></p><p><a href="https://www.infosecurity-magazine.com/news/adware-google-apps-downloaded/" target="_blank"><b>Adware-Laden Google Play Apps Downloaded Eight Million Times</b></a> (<i>August 20, 2019</i>)<br/> Google has removed 85 apps that were distributing adware on the Google Play Store. The apps, which had over either million downloads contained adware that evades detection using Java reflection, enabling the runtime behaviours to be modified and encoding the API strings in base64. The applications had regular functionalities of the applications portrayed, but with advertisements being forced upon the user before the app could be closed. Apps that were infected with the adware include: Beautiful House, Blur Photo Editor, Magic Camera, One Stroke Line Puzzle, and Toy Smash.<br/> <a href="https://forum.anomali.com/t/adware-laden-google-play-apps-downloaded-eight-million-times/4128" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a></p><p><a href="https://www.cyren.com/blog/articles/open-source-ransomware-targets-fortnite-users" target="_blank"><b>Open Source Ransomware Targets Fortnite Users</b></a> (<i>August 20, 2019</i>)<br/> A new ransomware targeting Fortnite users has been discovered on the gaming forums. Named “Syrk”, the ransomware masquerading as a Fortnite cheat to allow players to increase accuracy and know the location of other users. Once the user downloads the file, the ransomware begins encrypting their files, deleting files every two hours in an attempt to create an urgency for the victim. An alert appears on the infected machine informing them that the only way the retrieve their encrypted files is to pay the ransom, however, the files can be decrypted without paying the ransom. The Syrk ransomware is the same as the Hidden-Cry ransomware, an older ransomware which has already been analyzed, with methods for recovery and decryption of files already existing.<br/> <a href="https://forum.anomali.com/t/open-source-ransomware-targets-fortnite-users/4129" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&amp;CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a></p><p><a href="https://www.nytimes.com/2019/08/20/us/texas-ransomware.html" target="_blank"><b>Ransomware Attack Hits 22 Texas Towns, Authorities Say</b></a> (<i>August 20, 2019</i>)<br/> On August 16, systems of 22 Texas towns were hit by a ransomware attack. The threat actors were able to block access to the data on the town’s systems until a ransom is paid. Without stating whether the ransom was paid, the systems were recovered with the Governor designating the attack as a Level 2 Escalated Response. Little has been released about the attack, however officials state it was one single threat actor. In the days following the attack, the attackers demanded $2.5 million to provide the keys needed to decrypt the files. Other states are taking precautions in the event they are targeted to.<br/> <a href="https://forum.anomali.com/t/ransomware-attack-hits-22-texas-towns-authorities-say/4130" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a></p><p><a href="https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/" target="_blank"><b>Backdoor found in Webmin, a popular web-based utility for managing Unix servers</b></a> (<i>August 20, 2019</i>)<br/> A backdoor with the potential to allow remote code execution with root privileges on machines running Webmin, a remote Unix management application. The vulnerability, “CVE-2019-15107,” discovered by researcher Özkan Mustafa Akku? was thought to allow unauthenticated code execution, however after DEF CON, the cyber security conference, further research indicates a serious security flaw. Using a password expiration policy, an attacker can add shell commands inside an HTTP request to send the Webmin server, taking over a Webmin install. Webmin claims the vulnerability was malicious code injected into the infrastructure and that only packages downloaded from SourceForge are affected, with GitHub downloads unaffected.<br/> <a href="https://forum.anomali.com/t/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/4131" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a></p><p><a href="https://cofense.com/new-phishing-campaign-bypasses-microsoft-atp-deliver-adwind-utilities-industry/" target="_blank"><b>New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry</b></a> (<i>August 19, 2019</i>)<br/> A new phishing campaign has been identified by Cofense that delivers the Adwind malware, a cross-platform malware program. Using an attachment, the phishing campaign has been targeting national grid utilities infrastructure with and email informing the user they need to sign and return a copy of the remittance advice. While the file appears as a PDF, it is a jpeg file with an embedded hyperlink that leads the victim to the infection URL and the payload is downloaded. In an attempt to avoid detection, the malware disables analysis tools and antivirus software. The malware has the ability to access the webcam, capture audio, capture system data, harvest credentials, key log and take screen shots.<br/> <a href="https://forum.anomali.com/t/new-phishing-campaign-bypasses-microsoft-atp-to-deliver-adwind-to-utilities-industry/4132" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p></div><div id="observed-threats"><h2>Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a></p><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/21764" target="_blank">MageCart</a><p>The term, “MageCart,” first emerged in 2015, according to RiskIQ and Flashpoint researchers. The umbrella term, MageCart, refers to groups that target online commercial websites and injects payment skimming scripts to illicitly obtain credit card credentials. The group is suspected to be several groups under the umbrella of MageCart, the name given to keep track of these financially-motivated groups and their malicious activity. RiskIQ and Flashpoint suggest that there are approximately six to seven groups with each group acting slightly different in their targeting, skimmer functionality, and infrastructure.</p></div></div></div></div>