Anomali Weekly Threat Intelligence Briefing - March 28, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<h2>Trending Threats</h2>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="http://thehackernews.com/2017/03/GiftGhostBot-gift-cards.html" target="_blank">Fraudsters Using GiftGhostBot Botnet to Steal Gift Card Balances</a> (March 25, 2017) Researchers have identified a new botnet named GiftGhostBot, that has been targeting ecommerce gift card systems since at least late February 2017. Retail company websites around the globe are actively being attacked by this sophisticated botnet. Actors are using automation to check various account numbers against retail websites to discern if they exist. If the account number exists, the attacker can use it to purchase goods, or sell the account information on underground markets. Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users search for alternative. Tags: Botnet, GiftGhostBot, eCommerce<a href="https://blog.malwarebytes.com/cybercrime/2017/03/advanis-tech-support-screenlocker/" target="_blank">Advanis Tech Support Screenlocker</a> (March 24, 2017) A new tech support scam, and possibly the actor behind the scam, has been identified to be targeting Windows machines. The scam is distributed when a user visits a malicious domain. First an installer will attempt lock the screen with an executable called MT. The screen will then display an image which purports that the PC/Device needs to be repaired because a component of the operating system has expired. A number is provided to contact a cybercriminal that assists the caller in installing malicious programs on their machine. Recommendation: Technical support scams are common threats facing individuals and companies alike. Any image that appears that requests a phone number be called in order to receive assistance in repairing a machine is likely fake. Often times there are research blogs that provide instructions to remove malware related to these type of scams from an infected machine. Policies should also be in place to educate your employees on the proper steps to avoid these scams, and who to inform if such an instance occurs. Tags: Tech support scam<a href="https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" target="_blank">New Targeted Attack Against Saudi Arabia Government</a> (March 23, 2017) A new spear phishing campaign has been identified to be targeting Saudi Arabia governmental organizations. This campaign requires macros in Word document attachments to execute malicious code. The unique characteristic of this campaign is that after infection, the malware will distribute itself to every contact located in an Outbox inbox. Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. Tags: Spear phishing<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/third-party-app-stores-delivered-via-ios-app-store/" target="_blank">Third-Party App Stores Delivered via the iOS App Store</a> (March 23, 2017) Malicious applications have again made it into the Apple App Store, one of which leads users to a third-party application store, according to Trend Micro researchers. The application appears to be Japanese and translates to "Household Accounts App." The third-party application store is contained inside the Household Accounts applications. The third-party store contains several malicious applications that were identified to be harvesting AppleID credentials and other information stored on the device. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store/Apple App Store to obtain your software, and never install software from unverified sources. Furthermore, it is important to research an application before downloading and do not trust the software based on ratings alone. Tags: Mobile, Apps<a href="http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows" target="_blank">Microsoft Word File Spreads Malware Targeting Both Apple Mac OS X and Microsoft Windows </a> (March 22, 2017) Fortinet researchers have discovered a malicious Word document in the wild that targets both Windows and macOS systems. The Word document spreads malware by executing Visual Basic for Applications (VBA) code after macros have been enabled by a user. Researchers believe that malware affecting macOS and Windows operating systems may be a new trend among threat actors. Recommendation: At the time of this writing, the distribution method for the malicious Word document has not been reported, however, it does serve as a reminder to avoid documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security. Tags: Malicious Word, Malware, macOS, Windows<a href="https://www.theguardian.com/technology/2017/mar/22/phishing-scam-us-tech-companies-tricked-100-million-lithuanian-man" target="_blank">Lithuanian Man's Phishing Tricked US tech Companies Into Wiring Over $100m</a> (March 22, 2017) A man named Evaldas Rimasuaskas has been arrested in Lithuania by authorities for charges related to a fraudulent email compromise campaign. Rimasuaskas and his accomplices impersonated a computer manufacturing company, and used phishing emails to trick two major U.S. companies into wiring them approximately $100 million over two years. The FBI was able to work with the unnamed affected companies and Lithuanian law enforcement to recover "much of the stolen funds." Recommendation: It is important to educate your employees on the risk that phishing attacks represent because these kind of schemes are a constant threat. One employee who falls victim to a phishing attack could potentially infect an entire company's network, or result in employee credentials being stolen that could lead to further theft of sensitive information. Additionally, policies should be in place for employees regarding who to notify when phishing attempts are identified. Tags: Phishing, Fraud<a href="https://www.helpnetsecurity.com/2017/03/22/lastpass-extensions-flaw/" target="_blank">LastPass Extensions Can Be Made to Cough Up Passwords, Deliver Malware</a> (March 22, 2017) Google researcher Tavis Ormandy has discovered that the password manager "LastPass" has vulnerable extensions for Chrome and Firefox web browsers. A malicious website is potentially able to exploit a flaw in the LastPass Remote Procedure Call (RPC) that could grant full control of the extension to an attacker. Additionally, if the binary component is installed in Chrome, a malicious website would be capable of executing a script to download malware onto the machine visiting the website. Recommendation: Web browser extensions are useful applications in everyday activities, however, using them should be done so with caution and updates should always be applied as soon as they are offered. While LastPass has offered a small fix addressing one of the vulnerabilities, this story serves as a reminder that it may be best for your company to turn off extensions until all of the flaws have been addressed. Additionally, policies should be in place regarding the proper use and downloading of extensions that have been vetted by the appropriate personnel. Tags: Vulnerable extensions<a href="http://thehackernews.com/2017/03/hacking-apple-icloud-account.html" target="_blank">Hackers Threaten to Remotely Wipe 300 Million iPhones Unless Apple Pays Ransom</a> (March 21, 2017) A threat group calling themselves the "Turkish Crime Family" has claimed to have access to over 300 million iCloud accounts. The group is demanding that Apple pay them $75,000 in Bitcoin or Ethereum, or $100,000 in iTunes gift cards. The group has been unclear in the amount of accounts they purport to have access to; the amount has ranged from 200 to 559 million. The group claims that they will erase the data on the accounts on April 7 if they have not received payment by that time. At the time of this writing, it is unclear if the Turkish Crime Family actually has access to any iCloud accounts. Recommendation: Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication, and frequent password changes can help protect trade secrets and other forms of sensitive data. Tags: Threat group, iCloud<a href="https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2017/03/canada-u-k-hit-ramnit-trojan-new-malvertising-campaign/" target="_blank">Canada and the U.K. Hit by Ramnit Trojan in New Malvertising Campaign</a> (March 21, 2017) Researchers at Malwarebytes Labs have discovered a new malicious advertising (malvertising) campaign targeting users via pop-under advertisements. The pop-under advertisements appear in a new web browser and are primarily targeting users in Canada and the U.K. If the malvertisement is followed, a user will be infected with the information stealing malware "Ramnit." Ramnit is capable of stealing banking and file transfer protocol credentials. Recommendation: Malvertising techniques are constantly being improved by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Tags: Malvertising, Ramnit trojan, Malware<a href="https://nakedsecurity.sophos.com/2017/03/21/global-spam-volume-goes-back-up-to-deliver-huge-pump-and-dump-scam/" target="_blank">Global Spam Volume Goes Back Up to Deliver Huge Pump-and-Dump Scam</a> (March 21, 2017) The actors behind the notorious Necurs botnet have begun to increase their infected machines' activity, according to researchers. The activity is in the form of malicious spam (malspam) advertising a supposed opportunity to purchase shares that are purported to increase in value 10 times its current price. This tactic is a stark change from typical Necurs activity, which usually conducts its spam attempts to direct recipients to malicious links that aim to distribute ransomware. Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Tags: Malspam, Necurs<a href="http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/" target="_blank">Swearing Trojan Continues to Rage, Even After Authors' Arrest</a> (March 21, 2017) Tencent Security researchers have disclosed information on a new Android malware dubbed "Swearing Trojan." The trojan received its name due to Chinese curses identified within its source code. The malware targets banking credentials and is capable of bypassing two-factor authentication. The trojan is distributed by hiding in infected applications that infect a user after download, and phishing conducted via SMS messages. Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software is needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided from trusted vendors are recommended. Tags: Mobile, Swearing trojan, Malware, Phishing<a href="https://www.bleepingcomputer.com/news/security/big-surprise-chinese-pups-deliver-backdoored-drivers/" target="_blank">Big Surprise: Chinese PUPs Deliver Backdoored Drivers</a> (March 20, 2017) Researchers have discovered that multiple Potentially Unwanted Programs (PUPs) secretly install drivers that contain backdoors. The drivers contain malicious code that is capable of bypassing Windows security features and escalating privileges by running code with kernel-level access. The backdoored driver has been distributed since at least 2013, and is located in the following Chinese applications: Android rooting toolkit, Calendar application, driver updater, USB drive helper utility, and a WiFi hotspot location. Recommendation: The threat of preinstalled malware has the possibility of hiding from even the most cautious of users; if the devices listed here are being used by your company they should be properly wiped and restored. Additionally, it is important that mobile devices connecting to corporate and personal networks have trusted antivirus software installed that it always kept up-to-date. Tags: Mobile, PUP, Backdoor, Malware<a href="http://www.securityweek.com/serious-flaws-found-moodle-learning-platform" target="_blank">Serious Flaws Found in Moodle Learning Platform</a> (March 20, 2017) The open source Moodle learning platform, which is used by teachers and professors around the globe, has been identified to contain a vulnerability registered as "CVE-2017-2641." The vulnerability can be exploited by an authenticated Moodle user via an SQL injection attack to add a new administrator on the system. With an administrator account, an attacker can execute malicious PHP code by "uploading a new plugin or a template to the server." Recommendation: Maintaining policies that require software and applications are always running the latest version is paramount. Threat actors will often use vulnerabilities that have been discussed in open sources after patches have been released because sometimes proof-of-concept is also provided. Thus giving less sophisticated actors an opportunity to use the instructions that are provided. Tags: CVE<a href="https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/" target="_blank">Tax-themed Phishing and Malware Attacks Proliferate During the Tax Filing Season </a> (March 20, 2017) As tax season progresses, threat actors continue to use tax-themed attacks in attempts to steal sensitive information. Researchers have identified a phishing attack that claims that email recipients are eligible for a tax refund from senders pretending to be HM Revenue and Customs, the tax collection body in the U.K. Other phishing methods include actors sending a fake receipt for taxes that have already been filed. Other phishing attempts include subject lines claiming that taxes are overdue, a subpoena from IRS, or titled "I need a CPA." Malicious attachments in the emails have been identified to contain information stealing Trojans. Recommendation: Education is the best defense against phishing attacks. Poor grammar and urgent subject lines are often signs of phishing attempts. Employees should be aware of whom to contact when they suspect they are the target of a possible phishing attack. Tags: Phishing<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click <a href="https://www.anomali.com/products/threatstream">here</a> to request a trial.<a href="https://ui.threatstream.com/tip/7453" target="_blank">EITest Tool Tip</a> The EITest gate or Traffic Direction System (TDS) is a service used by criminals to direct web traffic to Exploit Kits (EKs) to install malware on victim’s computers. In the past EITest has been observed directing traffic to Angler, Neutrino, and the Rig EK. Tags: EITest-gate, EITest