November 6, 2018 - Anomali Threat Research

Weekly Threat Briefing: Scammers Ride on Popular Vote411 Voter Info Site to Push Scareware Alerts

<div id="weekly"><p id="intro">The intelligence in this week's iteration discusses the following threats:<b> Backdoors, CommonRansomware, Data breaches, Magecart, Malware, Phishing, Ransomware, Stuxnet, Trickbot, Typosquatting, </b>and<b> Vulnerabilities. </b>The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/scammers-ride-on-popular-vote411-voter-info-site-to-push-scareware-alerts/" target="_blank"><b>Scammers Ride on Popular Vote411 Voter Info Site to Push Scareware Alerts</b></a> (<i>November 5, 2018</i>)<br/> Following the public promotion of the site "VOTE411[.]org" by comedian John Oliver in the lead-up to the US midterm elections, threat actors have exploited the site's increase in visits by typosquatting its Top-Level Domain (TLD) to conduct a technical support scam. The threat actors used the same domain name ending in "[.]com" instead of the official "[.]org", and victims who went to the typosquatted site were shown a pop-up image. The pop-up stated that their iOS device was infected with "Pegasus" spyware and that they needed to phone a particular number to pay for a removal process. 
The typosquatted domain sends the user through multiple redirects and ultimately does not attempt to deliver a malicious binary; instead it leads users either to a text-message subscription or to a page that asks for credit card information to remediate the purported Pegasus infection.<br/> <a href="https://forum.anomali.com/t/scammers-ride-on-popular-vote411-voter-info-site-to-push-scareware-alerts/3152" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://labsblog.f-secure.com/2018/11/02/spam-campaign-targets-exodus-mac-users/" target="_blank"><b>Spam Campaign Targets Exodus Mac Users </b></a> (<i>November 2, 2018</i>)<br/> F-Secure researchers have observed a phishing email campaign targeting Mac users of Exodus, a multi-cryptocurrency wallet. The phishing email appears to be an update for Exodus and carries an "Exodus-MacOS-1.64.1-update.zip" attachment. This fake update claims to update the user's version to 1.64.1 (the most recent legitimate version of Exodus is 1.63.1). If the user extracts the attached .zip file and runs the extracted application, it installs spyware onto the machine. The spyware appears to originate from "realtime-spy-mac[.]com", a cloud-based surveillance and remote spy tool that allows the threat actor to view images and data uploaded from the infected machine and also provides keylogging capabilities. 
The scale of this campaign, and whether it was targeted in any way, is unclear.<br/> <a href="https://forum.anomali.com/t/spam-campaign-targets-exodus-mac-users/3153" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-ransomware-using-diskcryptor-with-custom-ransom-message/" target="_blank"><b>New Ransomware Using DiskCryptor with Custom Ransom Message </b></a> (<i>November 2, 2018</i>)<br/> Independent researchers known by the Twitter handle "MalwareHunterTeam" discovered a new ransomware campaign that installs the "DiskCryptor" encryption service onto the infected machine and restarts the computer. A ransom note is then shown following the reboot, giving the victim instructions on how to retrieve their files. The threat actors behind this new campaign are suspected of compromising a target machine's Remote Desktop Services (RDS) to install the ransomware manually. During the ransomware's installation process, a log in the machine's Public folder shows the current stage of the encryption process. Once the machine has been fully encrypted, the ransomware initiates a reboot, after which the ransom note with the payment instructions is shown. The instructions direct the victim to contact the email address "mcrypt2018@yandex[.]com" to receive the decryption password, find out the cost of the ransom, and make the payment. 
The initial attack vector of the ransomware is unclear.<br/> <a href="https://forum.anomali.com/t/new-ransomware-using-diskcryptor-with-custom-ransom-message/3154" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&amp;CK] Remote Desktop Protocol (T1076)</a></p><p><a href="https://www.zdnet.com/article/magecart-claims-fresh-victim-in-kitronik/" target="_blank"><b>Magecart Claims Fresh Victim in Electronics Kit Seller Kitronik </b></a> (<i>November 2, 2018</i>)<br/> Electronics kit seller Kitronik disclosed that it is the most recent victim of the payment-skimming threat group "Magecart." The company released a statement that it suffered a data breach affecting online customers who used its site to purchase items between August 2018 and September 2018. Magecart's payment-skimming malware was detected on the online checkout page following an investigation triggered by a notification from Kitronik's payment gateway provider about a higher-than-normal amount of fraud on the site. According to Kitronik, the data stolen by Magecart includes bank card numbers, CVV numbers, email addresses, names, and postal addresses. Customers who created accounts before August 2018 are believed not to have had their addresses compromised, because only details entered at the checkout stage between those dates might have been stolen. 
How Magecart compromised the website is currently unclear.<br/> <a href="https://forum.anomali.com/t/magecart-claims-fresh-victim-in-electronics-kit-seller-kitronik/3155" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2018/11/02/systemd-vulnerability-in-linux-could-trigger-remote-attacks-and-system-crashes/" target="_blank"><b>Systemd Vulnerability in Linux Could Trigger Remote Attacks and System Crashes</b></a> (<i>November 2, 2018</i>)<br/> A flaw in "Systemd" on Linux operating systems that could allow remote code execution has been discovered by a researcher from Google. The flaw is located in the Systemd suite's written-from-scratch DHCPv6 client. The client can be started automatically when IPv6 router advertisements are received, if IPv6 support is enabled. The vulnerability is registered as "CVE-2018-15688" and is an out-of-bounds write (a heap-based buffer overflow) that can allow a threat actor to execute arbitrary code or cause a Denial-of-Service (DoS). The caveat is that exploitation requires the threat actor to control a rogue DHCPv6 server on the same network as the target. 
The Systemd maintainers have released a patch for all Linux distributions that use it.<br/> <a href="https://forum.anomali.com/t/systemd-vulnerability-in-linux-could-trigger-remote-attacks-and-system-crashes/3156" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/cisco-zero-day-exploited-in-the-wild-to-crash-and-reload-devices/" target="_blank"><b>Cisco Zero-day Exploited in the Wild to Crash and Reload Devices </b></a> (<i>November 1, 2018</i>)<br/> Cisco Talos researchers have reported that a zero-day vulnerability in the Session Initiation Protocol (SIP) inspection engine affects Cisco products running "Adaptive Security Appliance" (ASA) and "Firepower Threat Defence" (FTD) software. This vulnerability, registered as "CVE-2018-15454," allows an unauthenticated user to remotely force a device to reload or trigger high CPU usage, resulting in a Denial-of-Service (DoS) condition. Several Cisco devices are affected, mainly products running ASA 9.4 and later or FTD 6.0 and later. This vulnerability has already been exploited in the wild in a limited number of attacks. 
At the time of this writing, no security patch has been released.<br/> <a href="https://forum.anomali.com/t/cisco-zero-day-exploited-in-the-wild-to-crash-and-reload-devices/3157" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/" target="_blank"><b>Perl-Based Shellbot Looks to Target Organizations via C&amp;C </b></a> (<i>November 1, 2018</i>)<br/> Trend Micro researchers have discovered a new campaign targeting various organisations through a command injection vulnerability in Internet-of-Things (IoT) devices and Linux servers. The threat group behind the attacks has been dubbed "Outlaw" and uses a variant of "Perl Shellbot" for various malicious purposes. The group has so far been observed targeting organisations in Japan and Bangladesh through compromised File Transfer Protocol (FTP) servers. The botnet first runs a command on a target IoT device to verify that the host accepts commands from the command-line interface (CLI); if the command runs successfully, a payload (an "n3" file) is downloaded onto the machine and run with a Perl interpreter. Interestingly, this n3 file is removed in the final stages of the attack so that no traceable activity is left on the infected system. Once the bot is installed, it connects to the threat actor's Command and Control (C2) server. Following the initial infection, the bot modifies the Domain Name System (DNS) settings to confirm that the target is not a honeypot and has internet connectivity. 
The network communication appears to send out the output of an "XMR rig" Monero mining monitoring tool.<br/> <a href="https://forum.anomali.com/t/perl-based-shellbot-looks-to-target-organizations-via-c-c/3158" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface (T1059)</a></p><p><a href="https://armis.com/bleedingbit/" target="_blank"><b>BleedingBit Exposes Enterprise Access Points and Unmanaged Devices to Undetectable Chip Level Attack</b></a> (<i>November 1, 2018</i>)<br/> Two Bluetooth Low Energy (BLE) vulnerabilities, dubbed "BLEEDINGBIT," have been discovered that affect the access points delivering Wi-Fi to enterprise networks manufactured by Cisco, Meraki, and Aruba, according to researchers at Armis. The vulnerabilities are registered as "CVE-2018-16986" and "CVE-2018-7080." They allow an unauthenticated threat actor remote access to enterprise networks without detection by granting initial access via the unsecured access points. A threat actor would then be able to move laterally between network segments and could bridge them together. 
BLE chips are increasingly used by a variety of industries to help create close-knit networks and to enable the use of Internet-of-Things (IoT) devices by enterprises.<br/> <a href="https://forum.anomali.com/t/bleedingbit-exposes-enterprise-access-points-and-unmanaged-devices-to-undetectable-chip-level-attack/3159" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/" target="_blank"><b>Trickbot Shows Off New Trick: Password Grabber Module </b></a> (<i>November 1, 2018</i>)<br/> Trend Micro researchers have identified that threat actors using the "Trickbot" banking trojan have added a password-stealing module to the malware. The new module is capable of stealing passwords from multiple applications such as Microsoft Outlook, FileZilla, and WinSCP, as well as from web browsers including Chrome, Edge, Firefox, and Internet Explorer. The data that can be stolen includes autofill entries, browsing history, HTTP POST data, internet cookies, and usernames and passwords. The Trickbot version containing this new module primarily targets individuals in Canada, the Philippines, and the US. Furthermore, this variant has also been observed to contain an auto-start service that allows the malware to run every time an infected machine is started, as well as a "shareDll32" module to propagate itself throughout a network. 
As of this writing, the distribution method for this Trickbot variant has not been reported.<br/> <a href="https://forum.anomali.com/t/trickbot-shows-off-new-trick-password-grabber-module/3160" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947098">[MITRE ATT&amp;CK] Email Collection (T1114)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture (T1056)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-stuxnet-variant-allegedly-struck-iran/" target="_blank"><b>New Stuxnet Variant Allegedly Struck Iran</b></a> (<i>October 31, 2018</i>)<br/> A more aggressive and sophisticated variant of Stuxnet has recently been observed targeting infrastructure and strategic networks in Iran. There was little information available at the time the article was published; however, General Gholamreza Jalali, head of Iran's Passive Defence Organisation, stated that they had discovered and neutralised a new generation of Stuxnet that contained several parts attempting to breach various Iranian systems. 
A variant of Stuxnet is likely to emerge in a non-recognisable form, given the amount of news attention and cyber security research devoted to that specific malware.<br/> <a href="https://forum.anomali.com/t/new-stuxnet-variant-allegedly-struck-iran/3161" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/" target="_blank"><b>CommonRansom Ransomware Demands RDP Access to Decrypt Files </b></a> (<i>October 30, 2018</i>)<br/> Researcher Michael Gillespie has identified a new ransomware dubbed "CommonRansomware" that stands out from other malware with similar functionality in that it makes an unusual request of the victim in order to decrypt their files. The initial infection vector for CommonRansomware had not been reported at the time of this writing. Once a machine has been infected, a ransom note appears that requests 0.1 bitcoin (approximately $633.42 USD). 
The unusual aspect of this malware is a further request in which the note asks the victim to send an email to "old@nuke[.]africa" containing: the machine's IP address and RDP port number, the username and password of an administrator account, the time the Bitcoin payment was made, and the victim ID number.<br/> <a href="https://forum.anomali.com/t/commonransom-ransomware-demands-rdp-access-to-decrypt-files/3162" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/girl-scouts-issues-data-breach-warning-to-2800-members/138640/" target="_blank"><b>Girl Scout Issues Data Breach Warning to 2,800 Members </b></a> (<i>October 29, 2018</i>)<br/> The Girl Scouts of America branch in Orange County, California issued a statement on October 22, 2018 confirming that it had suffered a data breach. The breach was conducted by an unknown threat actor(s) who gained illicit access to an email account used by the Girl Scouts of Orange County (GSOC). The compromised email address was likely then used by the threat actors to distribute phishing emails; however, GSOC did not specify what kind of emails were sent from it. The compromised email account was used by GSOC to organise travel for its members, so it is possible that Personally Identifiable Information (PII) associated with approximately 2,800 girls and their families was compromised. 
Information contained in the email account consists of dates of birth, full names, health history, home addresses, and insurance policy numbers.<br/> <a href="https://forum.anomali.com/t/girl-scout-issues-data-breach-warning-to-2-800-members/3163" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.talosintelligence.com/2018/10/gplayerbanker.html" target="_blank"><b>GPlayed's Younger Brother is a Banker - and It's After Russian Banks</b></a> (<i>October 29, 2018</i>)<br/> A new version of the "GPlayed" Android banking trojan, first reported in early October 2018, has been identified impersonating the Google Play Store application, according to Cisco Talos researchers. This variant, dubbed "GPlayed Banking," specifically targets "SherBank AutoPay" users, whereas the previous version targeted banking information in general. SherBank AutoPay is a service offered by SherBank, a Russian state-owned bank. GPlayed Banking is distributed by posing as the Google Play Store application, labelled "Play Google Market", and, once downloaded, asks the user to change settings to grant the application administrator privileges. Interestingly, the application does not need administrator privileges to conduct its malicious activity, which consists of stealing SMS messages and sending SMS messages to SherBank to determine an account balance. 
If the balance is lower than $3,000, the trojan stops; if it is larger than 68,000, the malware requests 66,000; otherwise, the total amount minus 1,000 is requested.<br/> <a href="https://forum.anomali.com/t/gplayeds-younger-brother-is-a-banker-and-its-after-russian-banks/3164" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&amp;CK] Trusted Relationship (T1199)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/mac-cryptocurrency-price-tracker-caught-installing-backdoors/" target="_blank"><b>Mac CryptoCurrency Ticker App Installs Backdoors</b></a> (<i>October 29, 2018</i>)<br/> A Malwarebytes forum user informed the researchers of a malicious macOS application they discovered that masquerades as a cryptocurrency price checker. The application, called "CoinTicker," does function by showing the current prices of various cryptocurrencies, but it also attempts to install two different backdoors onto the machine running it. Upon launch on the machine it was downloaded to, CoinTicker downloads and installs two publicly available backdoors called "EggShell" and "EvilOSX." 
Both backdoors are relatively flexible in their capabilities because they are open source and could therefore be modified by threat actors.<br/> <a href="https://forum.anomali.com/t/mac-cryptocurrency-ticker-app-installs-backdoors/3165" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&amp;CK] Trusted Relationship (T1199)</a></p></div></div>
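As an added defensive example that is not part of the original briefing, the Python script below flags the kind of TLD-swap look-alike described in the Vote411 item above (vote411.org visited as vote411.com) and, going one step further than that item, any domain whose label is within one character edit of a protected domain, over proxy-log lines. The log format, the protected-domain list and all helper names are assumptions for illustration, and the log lines are constructed.

```python
"""Flag look-alike domains of a protected site in proxy-log lines.

Covers the TLD swap in the Vote411 item (vote411.org -> vote411.com) and,
more generally, labels within one character edit of the protected label.
Helper names are assumptions for illustration; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s"\']+')


def split_domain(domain):
    """Split 'label.tld' into (label, tld); naive, no public-suffix list."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def registrable_domain(host):
    """Keep the last two labels: 'www.vote411.com' -> 'vote411.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_kind(domain, protected):
    """Return 'tld-swap', 'near-miss' or None for domain vs protected."""
    if domain == protected:
        return None            # the genuine site
    label, tld = split_domain(domain)
    p_label, p_tld = split_domain(protected)
    if label == p_label and tld != p_tld:
        return "tld-swap"      # vote411.com vs vote411.org
    if edit_distance(label, p_label) == 1:
        return "near-miss"     # vote41l.org, vote411s.org, ...
    return None


def scan_log(lines, protected_domains):
    """Return (host, protected, kind) for each log line hitting a look-alike."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname
        if not host:
            continue
        dom = registrable_domain(host)
        for p in protected_domains:
            kind = lookalike_kind(dom, p)
            if kind:
                hits.append((host, p, kind))
    return hits


# Constructed proxy-log sample (timestamp client method url status).
SAMPLE_LOG = """\
1541462400.123 10.0.0.5 GET https://www.vote411.org/ 200
1541462401.456 10.0.0.7 GET http://vote411.com/ 302
1541462402.789 10.0.0.7 GET http://support-alert.example/ios-warning 200
1541462403.000 10.0.0.9 GET https://vote41l.org/ 200
""".splitlines()

if __name__ == "__main__":
    for host, p, kind in scan_log(SAMPLE_LOG, ["vote411.org"]):
        print(f"{kind:9} {host} (looks like {p})")
```

The 302 on the look-alike host in the sample mirrors the redirect chain the item describes, so a follow-up rule could pivot on the same client's next few requests.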
