Weekly Threat Briefing: Spam Campaign Uses Recent Boeing 737 Max Crashes to Push Malware

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: APT, Data breach, Malspam, Malware, Phishing, Point-of-Sale, Ransomware, RAT, Supply chain, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats </h2><a href="https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/spam-campaign-uses-recent-boeing-737-max-crashes-to-push-malware/" target="_blank">Spam Campaign Uses Recent Boeing 737 Max Crashes to Push Malware</a> (March 18, 2019) 360 Threat Intelligence Center researchers have observed a spam campaign that is attempting to take advantage of the two crashes of the Boeing 737 Max aircraft. The threat actors behind this campaign are distributing emails with the account “info@isgec[.]com” with the subject line “Fwd: Airlines plane crash Boeing 737 Max 8.” The emails purport to have been written by a private investigator named “Joshua Berlinger” and attempt to convince the recipient into opening an attached JAR file. Researchers identified that the objective of this campaign is to drop the “H-WORM” Remote Access Trojan (RAT” onto the recipient’s machine via the malicious JAR file attachment. <a href="https://forum.anomali.com/t/spam-campaign-uses-recent-boeing-737-max-crashes-to-push-malware/3643" target="_blank">Click here for Anomali recommendation</a><a href="https://www.us-cert.gov/ncas/current-activity/2019/03/15/Intel-Releases-Security-Advisories-Multiple-Products" target="_blank">Intel Releases Security Advisories on Multiple Products</a> (March 15, 2019) The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory regarding vulnerabilities in multiple products created by the semiconductor manufacturing company, “Intel.” Intel has released security advisories to address vulnerabilities in multiple products including: Accelerated Storage manager in RSTE, USB 3.0 Creator Utility, Software Guard Extensions SDK, and Matrix Storage Manager. Some of the vulnerabilities could be exploited by a threat actor to take control of an affected system, according to the US-CERT. <a href="https://forum.anomali.com/t/intel-releases-security-advisories-on-multiple-products/3644" target="_blank">Click here for Anomali recommendation</a><a href="https://www.helpnetsecurity.com/2019/03/15/gearbest-data-exposure/" target="_blank">Unsecured Gearbest Server Exposes Millions of Shoppers and Their Orders</a> (March 15, 2019) “Gearbest,” a Chinese e-commerce company, exposed over 1.5 million customers’ information and orders due to an unsecured Elasticsearch server. According to researcher Noam Rotem, the server was not password-protected and was publicly accessible. Information that was publicly visible include Personally Identifiable Information (PII): account passwords, address, date of birth, email addresses, IP address, name, national ID and passport information, order number, payment information, payment type, phone number, postcode, and products purchased. <a href="https://forum.anomali.com/t/unsecured-gearbest-server-exposes-millions-of-shoppers-and-their-orders/3645" target="_blank">Click here for Anomali recommendation</a><a href="https://www.infosecurity-magazine.com/news/kathmandu-investigates-card-1/" target="_blank">Kathmandu Probes Possible Card Skimming Breach</a> (March 15, 2019) New Zealand-based outdoor clothing store, “Kathmandu,” is investigating a possible data breach where customer’s credit card credentials were harvested from their website. Between January 8, 2019 and February 12, 2019, an unauthorised third-party gained access to the retailer’s website and stole customers’ personal information and payment details. An investigation is ongoing to determine what happened fully, but it is hypothesised it could be a recent MageCart attack, though that is unconfirmed. <a href="https://forum.anomali.com/t/kathmandu-probes-possible-card-skimming-breach/3646" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html" target="_blank">GlitchPOS: New PoS Malware for Sale</a> (March 13, 2019) Cisco Talos researchers discovered a new malware, dubbed “GlitchPOS,” that is being sold on crimeware sites by actors suspected to be behind the “DiamondFox L!NK” botnet. The Point-of-Sale (POS) malware is disguised as a fake game and displays a variety of pictures of cats upon deployment, whilst the malware payload is decoded in the background. The GlitchPOS malware only has a small number of functions including: clean itself off the system, exfiltrate credit card numbers from the memory of the infected system, receive tasks from the Command and Control (C2) server, register the infected systems, update the "encryption" key, update the exclusion list of scanned processes, and update the User Agent. The objective of the malware is to steal credit card numbers from the memory of an infected system. <a href="https://forum.anomali.com/t/glitchpos-new-pos-malware-for-sale/3647" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/" target="_blank">‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses</a> (March 13, 2019) Researchers from Flashpoint reported on a Point-of-Sale (POS) malware called “DMSniff” that utilises Domain Generation Algorithms (DGA) to create lists of Command and Control (C2) on an ad hoc basis to avoid C2 domains being removed by ISPs or law authorities. This malware has reportedly been active since at least 2016, and is targeting small to medium-sized businesses such as restaurants and theaters. It is believed that threat actors are able to gain initial access to devices by brute-forcing SSH connections or using known vulnerabilities in the devices. To steal data, the bot will loop to find credit card numbers and packages that information and sends it to the C2. The data will then be exfiltrated somewhere else to either store or sell onwards. <a href="https://forum.anomali.com/t/dmsniff-pos-malware-actively-leveraged-to-target-small-medium-sized-businesses/3648" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&CK] Custom Command and Control Protocol (T1094)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a><a href="https://krebsonsecurity.com/2019/03/patch-tuesday-march-2019-edition/" target="_blank">Patch Tuesday, March 2019 Edition</a> (March 13, 2019) Microsoft’s March “Patch Tuesday” addressed over five dozen security vulnerabilities were fixed in Windows OS, Internet Explorer, Edge, Office, and Sharepoint. Two major vulnerabilities patched were “CVE-2019-0797” and “CVE-2019-0808.” CVE-2019-0797 is a zero-day vulnerability that can allow for privilege escalation and deploy arbitrary code in kernel mode that has been observed to be exploited in the wild. CVE-2019-0808 is another zero-day privilege escalation vulnerability in Windows 7 and Windows Server 2008 that has been seen to be exploited in the wild in conjunction with the Google Chrome browser vulnerability “CVE-2019-5786.” <a href="https://forum.anomali.com/t/patch-tuesday-march-2019-edition/3649" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/yatron-ransomware-plans-to-spread-using-eternalblue-nsa-exploits/" target="_blank">Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits </a> (March 13, 2019) “Yatron,” a new Ransomware-as-a-Service (RaaS), is being promoted for sale on Twitter by the actor behind the malware. The ransomware reportedly uses the “EternalBlue” and ”DoublePulsar” exploits to propagate within a network, and the ransomware will attempt to delete encrypted files if a user does not pay the ransom after 72 hours. Yatron is based off another ransomware, “HiddenTear,” but is modified so it cannot be decrypted for free using current methods available. According to Bleeping Computer, the “exploits are incomplete and the ransomware does not currently include the Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executables that it relies on” so it is not fully effective in utilising those vulnerabilities. Yatron can also spread within a network via Peer-to-Peer (P2P), USB, and LAN. <a href="https://forum.anomali.com/t/yatron-ransomware-plans-to-spread-using-eternalblue-nsa-exploits/3650" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947238">[MITRE ATT&CK] Forced Authentication (T1187)</a><a href="https://www.zdnet.com/article/wordpress-shopping-sites-under-attack/" target="_blank">WordPress Shopping Sites Under Attack </a> (March 12, 2019) WordPress-based shopping sites have been found to be vulnerable to threat actors exploiting a cross-site scripting (XSS) vulnerability in a shopping cart plug-in to drop backdoors and compromise sites. Threat actors appear to be exploiting sites that use “Abandoned Cart Lite for WooCommerce," which is on over 20,000 WordPress sites. According to “Defiant,” the company who created WordFence, this benign XSS flaw is weaponised by “automating operations against WordPress WooCommerce-based stores to generate shopping carts that contain products with malformed names. They add exploit code in one of the shopping cart's fields, then leave the site, an action that ensures the exploit code gets stored in the shop's database. When an admin accesses the shop's backend to view a list of abandoned carts, the hackers' exploit code is executed as soon as a particular backend page is loaded on the user's screen.” It is unclear what the end-goal of the threat actors is by installing these backdoors into the sites. <a href="https://forum.anomali.com/t/wordpress-shopping-sites-under-attack/3651" target="_blank">Click here for Anomali recommendation</a><a href="https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features" target="_blank">New Ursnif Variant Targets Japan Packed with New Features</a> (March 12, 2019) Japan has been observed to be one of the top countries affected in recent years by the information-stealing malware, “Ursnif,” in conjunction with the “Bebloh” malware, according to Cybereason. Bebloh acts as a downloader that runs tests to find out if it is running in a sandbox or Virtual Machine (VM), and if it determines neither is the case, it then downloads Ursnif onto the infected machine. The malware is initially sent via phishing emails containing a malicious attachment that requests macros to be enabled. If macros are enabled, the malware will determine whether the machine is located in Japan, and if it is, it will download a PowerShell payload that appears as an image. Embedded in the image is another PowerShell code that, once decrypted, will install Bebloh, which subsequently downloads Ursnif. This variant of Ursnif has new features such as a new persistence mechanism, revamped and new stealer modules, cryptocurrency and disk encryption software module, and an Anti-PhishWall module to counteract “PhishWall,” a Japanese security product. <a href="https://forum.anomali.com/t/new-ursnif-variant-targets-japan-packed-with-new-features/3652" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/" target="_blank">Gaming Industry Still in the Scope of Attackers in Asia</a> (March 11, 2019) Researchers from ESET discovered a supply-chain attack that has been compromising game developers to drop a backdoor into video games’ build environment and have the malware distributed as legitimate software. The attacks appear to be highly targeted at the Asia gaming industry, specifically (ordered by highest amount of infections to least) Thailand, Philippines, Taiwan, Hong Kong, Indonesia, and Vietnam. The same backdoor was found on three different software products. The backdoor is launched in-memory before normal execution of the video game, and connects to a Command and Control (C2) server that is hosted at a domain that masquerades as a legitimate site related to the game or developer. The malware will stop running if it detects the system language is Chinese or Russian. The backdoor only has four commands that can be used by the threat actors: “DownUrlFile,” “DownRunUrlFile,” “RunUrlBinInMem,” and “UnInstall.” <a href="https://forum.anomali.com/t/gaming-industry-still-in-the-scope-of-attackers-in-asia/3653" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947155">[MITRE ATT&CK] Binary Padding (T1009)</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&CK] Commonly Used Port (T1043)</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&CK] Standard Cryptographic Protocol (T1032)</a> | <a href="https://ui.threatstream.com/ttp/947140">[MITRE ATT&CK] Multilayer Encryption (T1079)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a> | <a href="https://ui.threatstream.com/ttp/947148">[MITRE ATT&CK] New Service (T1050)</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a><a href="https://www.adversis.io/research/pandorasbox" target="_blank">Pandora's Box: Another New Way to Leak All Your Sensitive Data</a> (March 11, 2019) The cloud-based content management platform, “Box,” was discovered to be publicly accessible and thus leaking companies share files and folders if a user guessed an organisation’s unique subdomain URL, according to Adversis. Accessible data included: archives of years of internal meetings, customer lists, Employees lists, Financial data, High profile technology prototype and design files, internal issue trackers, invoices, IT data, network diagrams, passport photos, Social Security and bank account numbers, and VPN configurations. According to security researchers, this feature in Box has been reported on before since June 2017, though no changes have been made on Box’s side. <a href="https://forum.anomali.com/t/pandoras-box-another-new-way-to-leak-all-your-sensitive-data/3654" target="_blank">Click here for Anomali recommendation</a></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial</a>.<a href="https://ui.threatstream.com/actor/827" target="_blank">Lazarus Group</a> The Chinese APT group called “Winnti” (also known as Threat Group-3279) has been active since at least 2009, and is known to attack gaming companies to steal digital certificates and source code. Winnti was discovered in 2011 when researchers put together clues as to why an unspecified amount of computers had been infected with a new trojan. The clue led researchers to identify that all the infect machines shared on similarity in that they all played a well-known online game. It was then determined that the game users had been infected by receiving updates from a compromised server that belonged to the company.</div>