August 6, 2019 - Anomali Threat Research

Weekly Threat Briefing: No Summer Break for Magecart as Web Skimming Intensifies

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>Android Ransomware, Hexane Group, LookBack Malware, Magecart, </strong>and<strong> TrickBot</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/" target="_blank"><b>Latest TrickBot Campaign Delivered via Highly Obfuscated JS File</b></a> (<i>August 5, 2019</i>)<br/> Another TrickBot variant, spread through spam, has been identified by Trend Micro. TrickBot can delete files located on removable and network drives, and it steals information on the CPU, installed programs and services, IP configuration, memory, network configuration, operating system, and user accounts. The trojan arrives in a spam email that prompts the user to open an attached Word document; the document contains a JavaScript script hidden by using the same font colour as the background. Once running, the JavaScript file checks the number of running processes and continues only if enough processes are running, which it uses as an evasion check.<br/> <a href="https://forum.anomali.com/t/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/4041" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&amp;CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://blog.malwarebytes.com/web-threats/2019/08/no-summer-break-for-magecart-as-web-skimming-intensifies/" target="_blank"><b>No Summer Break for Magecart as Web Skimming Intensifies</b></a> (<i>August 1, 2019</i>)<br/> Research published by Malwarebytes shows an increase in attacks attributed to the financially motivated threat actors referred to by the umbrella term “Magecart.” The approximately 12 groups that make up Magecart have continued their attacks throughout the summer with the objective of stealing financial data and Personally Identifiable Information (PII); they target online commerce websites and plant skimmers to obtain credit card details. Over 65,000 attempts to steal credit card numbers were identified by Malwarebytes in July. As Magecart attacks have spread, more of the groups are using obfuscation techniques, such as encrypting their traffic, to make the skimmers harder to detect.<br/> <a href="https://forum.anomali.com/t/no-summer-break-for-magecart-as-web-skimming-intensifies/4042" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p>
<p><a href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank"><b>LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards</b></a> (<i>August 1, 2019</i>)<br/> Researchers at Proofpoint have identified a phishing campaign targeting utility companies. Between July 19 and July 25, 2019, emails impersonating the US National Council of Examiners for Engineering and Surveying were sent to the utility companies. The emails contained a malicious Word document that uses macros to run malware named “LookBack,” a Remote Access Trojan (RAT). LookBack can delete files, delete itself, execute commands, move and click the mouse, reboot the system, capture the screen, and view processes and system data. Proofpoint researchers contend that this campaign is likely being conducted by a state-sponsored Advanced Persistent Threat (APT) actor.<br/> <a href="https://forum.anomali.com/t/lookback-malware-targets-the-united-states-utilities-sector-with-phishing-attacks-impersonating-engineering-licensing-boards/4043" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/new-hexane-group-targets-oil-and-gas-telco-providers/" target="_blank"><b>New Hexane Group Targets Oil and Gas, Telco Providers</b></a> (<i>August 1, 2019</i>)<br/> Researchers at Dragos Inc have identified a new threat group targeting the oil and gas industry and telecommunications providers. Named “Hexane,” the group has been active since at least 2018 and has increased its activity thus far in 2019. The group is reported to primarily target Middle Eastern countries, specifically Kuwait, and the attacks coincide with increased tension in the Middle East. While Dragos is not releasing specifics, it has assessed that Hexane does not possess the capability to carry out an attack on critical infrastructure. Attacking telecommunications providers is a tactic observed as a means to breach the ultimate target’s network. Hexane’s initial infection vector includes malicious documents that drop malware into targeted environments.<br/> <a href="https://forum.anomali.com/t/new-hexane-group-targets-oil-and-gas-telco-providers/4044" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p>
<p><a href="https://www.cabarruscounty.us/news/cabarrus-county-targeted-in-social-engineering-scam" target="_blank"><b>Cabarrus County Government Targeted in Social Engineering Scam</b></a> (<i>July 29, 2019</i>)<br/> The Cabarrus County government in North Carolina, US, has announced that it was caught in a social engineering scam. Pretending to be representatives of Branch and Associates, a contractor for the County, the actors sent emails to employees requesting changes to banking details. The scammers sent documents and contracts that appeared to come from the legitimate company, requesting $2.5 million, which Cabarrus County paid. After the legitimate Branch and Associates contacted Cabarrus County about missed payments, the County was alerted to the issue and contacted Bank of America, which froze $776,518 of the payment. However, the remaining $1.7 million has not been recovered as of this writing.<br/> <a href="https://forum.anomali.com/t/cabarrus-county-government-targeted-in-social-engineering-scam/4045" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/unsecured-database-exposes-security-risks-in-hondas-network/" target="_blank"><b>Unsecured Database Exposes Security Risks in Honda's Network</b></a> (<i>July 31, 2019</i>)<br/> A database containing 40 GB of information associated with approximately 300,000 Honda employees was left publicly accessible. The information included 134 million documents covering hostname, IP address, MAC address, operating system, which patches had been applied, and the status of Honda’s endpoint security software, along with Honda employee information including email addresses, endpoint security vendor information, hostnames, last login, name, operating systems, and patch status. The database even included information on Honda’s CEO, such as account name, email, IP, MAC address, patch status, and security status. Hosted on Elasticsearch, the misconfigured database was left open for six days between June 25 and July 1, before Honda secured the database and thanked the researcher who identified the misconfiguration.<br/> <a href="https://forum.anomali.com/t/unsecured-database-exposes-security-risks-in-hondas-network/4046" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p>
<p><a href="https://www.zdnet.com/article/iot-home-security-camera-allows-hackers-to-listen-in-over-http/" target="_blank"><b>IoT Home Security Camera Allows Hackers to Listen In Over HTTP</b></a> (<i>July 31, 2019</i>)<br/> Researchers at Tenable have identified a vulnerability in the Amcrest IP2M-841B camera, a camera used for home security. The vulnerability, assigned “CVE-2019-3948,” can allow unauthenticated remote listening to the camera’s feed: using a script, a threat actor can extract the audio from the camera feed. The camera, currently for sale on Amazon, has around 12,000 customer reviews and can be used with a smartphone, with the footage being sent to the cloud.<br/> <a href="https://forum.anomali.com/t/iot-home-security-camera-allows-hackers-to-listen-in-over-http/4047" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/" target="_blank"><b>New TrickBot Version Focuses on Microsoft's Windows Defender</b></a> (<i>July 30, 2019</i>)<br/> A new TrickBot version has been identified by researchers at MalwareHunterTeam, targeting Windows Defender. TrickBot is a trojan that steals browser information, credentials, cryptocurrency, and online banking credentials. The new version specifically targets Microsoft’s Windows Defender for removal in order to go undetected. The loader disables processes utilized by Windows Defender, along with disabling Windows Security notifications and the program itself. This new version of TrickBot has added more methods to further disable processes related to Windows Defender.<br/> <a href="https://forum.anomali.com/t/new-trickbot-version-focuses-on-microsofts-windows-defender/4048" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/apple-imessage-flaw-lets-remote-attackers-read-files-on-iphones/" target="_blank"><b>Apple iMessage Flaw Lets Remote Attackers Read Files on iPhone</b></a> (<i>July 29, 2019</i>)<br/> A vulnerability affecting Apple iMessage has been identified by Google’s Project Zero researchers. The vulnerability, registered as “CVE-2019-8646,” could allow attackers to remotely read the contents of files stored on iOS devices. A security update was issued on July 22, along with patches for the memory vulnerabilities “CVE-2019-8660” and “CVE-2019-8647,” which could allow remote code execution on various iOS devices.<br/> <a href="https://forum.anomali.com/t/apple-imessage-flaw-lets-remote-attackers-read-files-on-iphone/4049" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a></p>
<p><a href="https://www.welivesecurity.com/2019/07/29/android-ransomware-back/" target="_blank"><b>Android Ransomware is Back</b></a> (<i>July 29, 2019</i>)<br/> A new type of Android ransomware has been identified by ESET Mobile Security as “Android/Filecoder.C”. The ransomware has been active since at least July 12, 2019, and is distributed via Reddit and XDA Developers, typically using posts with adult-related content as bait. The ransomware sends SMS messages containing malicious links to the victim’s contacts, encrypts the user’s files, and demands a ransom. The links sent by SMS point potential victims to the malicious application, a sex simulator game that is also used for Command and Control (C2) communications. After encrypting the user’s files, the ransomware demands a payment in bitcoin; if the payment is made, the user is sent the private key to decrypt the files.<br/> <a href="https://forum.anomali.com/t/android-ransomware-is-back/4050" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p>
<p><a href="https://www.bloomberg.com/news/articles/2019-07-29/capital-one-data-systems-breached-by-seattle-woman-u-s-says" target="_blank"><b>Capital One Says Breach Hit 100 Million Individuals in U.S</b></a> (<i>July 29, 2019</i>)<br/> The Personally Identifiable Information (PII) of approximately 100 million people was breached, according to Capital One Financial Corp. The information was stored in an Amazon S3 system, with the theft occurring between March 12 and July 17. Appearing in federal court on Monday, July 29, a former Amazon employee was accused of breaking into Capital One’s server and stealing data. The stolen information included credit scores, dates of birth, home addresses, names, phone numbers, and transaction history, along with 140,000 Social Security numbers and 80,000 bank account numbers. The employee accused of accessing the data faces a federal charge of computer fraud, which carries a maximum sentence of five years and a $250,000 fine.<br/> <a href="https://forum.anomali.com/t/capitol-one-says-breach-hit-100-million-individuals-in-u-s/4051" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p></div></div>
