SPECIAL HOLIDAY OFFER: Custom Recon Report with free Anomali Enterprise Trial   Sign Up Now

WTB: Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks

November 21, 2017 | Gage Mele

This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: APT, Brute force attacks, Holiday scams, Malspam, Phishing, Preinstalled features, Ransomware, Targeted attacks, Threat group, and Vulnerabilites. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks (November 20, 2017)
The financially motivated Advanced Persistent Threat (APT) group “Cobalt,” is behind a new spear phishing campaign targeting European financial organizations, according to Trend Micro researchers. The group tailors their spear phishing emails for different target banks. Researchers note that Cobalt previously used spam emails to target banking customers and these new spear phishing emails represents a change in tactics. The emails were observed to exploit a code injection/remote code execution vulnerability, registered as “CVE-2017-8759,” located in Microsoft’s .NET Framework. The RTF file attachment requires a user to enable macros to run a PowerShell command that will eventually download and execute a backdoor from a remote server.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Threat group, Cobalt, Spear phishing, Targeted attacks, Financial institutions

0000 Cryptomix Ransomware Variant Released (November 17, 2017)
The Security researcher, known as “MalwareHunterTeam,” has discovered a new variant of the “Cryptomix” ransomware. The new variant is dubbed “0000” because of the extension added to encrypted files. As of this writing, researchers have not published the distribution method used by the actors behind this ransomware, however, they do note that users should be cautious when opening attachments from unverified senders.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Ransomware, Cryptomix variant, 0000

Holiday Scams and Malware Campaigns (November 16, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert to remind user to be vigilant while shopping online this holiday season. The US-CERT warns that threats will come in various forms such as emails and ecards that may contain malicious links, and fake advertisements or shipping notifications that may have attachments infected with malware. In addition, spoofed emails addresses and fake social media posts are also expected to be present during the upcoming holiday season.
Recommendation: Users should be aware that the holiday season represents the potential for threat actors to generate illicit revenue because of the significant increase in online shopping. The threats mentioned by the US-CERT can result in sensitive data theft, such as Personally Identifiable Information (PII) and credit card information, as well as identity theft and security breaches. Users should avoid following links or downloading attachments from unknown sources and make note of known email addresses if they begin sending messages or attachments that does not align with typical behavior.
Tags: Alert, Holiday scams, Malware, US-CERT

Ransomware-Spreading Hackers Sneak in Through RDP (November 15, 2017)
Sophos researchers have discovered that threat actors are exploiting weak passwords for Microsoft Windows machine’s Remote Desktop Protocol (RDP) feature to install ransomware. RDP is often used by IT staff because they are often an outsourced part of a company. Threat actors are using a tool called “NLBrute” to try numerous passwords against an RDP account in a brute-force attack. Actors could also use social media to find out common password combinations such as a birthday or a pet’s name.
Recommendation: Compromised RDP accounts is by no means a new tactic used by threat actors. Therefore, it is crucial that RDP accounts have strong passwords and use of the accounts should be restricted via firewalls and network level authentication.
Tags: Ransomware, Brute force attacks, Microsoft RDP

New Emotet Hijacks a Windows API, Evades Sandbox and Analysis (November 15, 2017)
A new variant of the banking trojan “Emotet” is being distributed by threat actors via phishing emails, according to Trend Micro researchers. The phishing emails attempt to trick the recipient into following a provided link which leads to a document with a malicious macro. If macros are enabled, a user will begin the infection process for Emotet. Researchers note that this Emotet variant also includes an anti-analysis technique includes checking when an analysis platform scans for malicious activity to avoid detection.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link that then asks for credentials to be entered is often an indicator of a phishing attack.
Tags: Phishing, Trojan, Emotet

Muddying the Water: Targeted Attacks in the Middle East (November 14, 2017)
A new campaign has been found to be targeting Middle Eastern countries, according to Unit 42 researchers. The malicious activity is attributed to a new threat group dubbed “MuddyWater.” While researchers found that Middle Eastern nations were primarily targeted, other countries such as India and the U.S. were also identified to be targeted. Researchers discovered that the group’s initial infection vector is a Powershell-based first stage backdoor dubbed “PowerStats” that is delivered via malicious documents. The documents vary depending on which country is being targeted to include images that would be familiar to the recipient such as government branches which may entice a recipient to be more willing to enable macros.
Recommendation: The impersonation of government agencies continues to be an effective malware distribution tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Targeted Attacks, Threat group, MuddyWater

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction (November 14, 2017)
Researchers are warning Microsoft Office users to be extra cautious when opening Office file attachments because of a 17-year-old vulnerability. Specifically, the vulnerability is a memory corruption flaw, registered as “CVE-2017-11882,” that resides in ”EQNEDT32.exe” located in all versions of Windows Office and the Windows operating system released in the past 17 years. EQNEDT32.exe is a Microsoft component responsible for the insertion of equations (OLE objects) in documents. Threat actors can exploit this vulnerability to remotely install malware on target machines without any user interaction required, such as enabling macros.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Vulnerability, Microsoft office

Microsoft November Patch Tuesday Fixes 53 Security Issues (November 14, 2017)
Microsoft has issued security updates as part of its November Patch Tuesday that affects the following products: ASP.NET Core, ChakraCore, Internet Explorer, Microsoft Edge, .NET Core, several Office offerings, and the Windows operating system. Researchers note two vulnerabilities, registered as “CVE-2017-11830” and “CVE-2017-11887,” that stand out in this month’s Patch Tuesday. CVE-2017-11830 can be exploited to allow an actor to bypass Windows Device Guard, and CVE-2017-11887 can be exploited to bypass macro execution protection in Microsoft Excel. The latter is expected to be exploited by actors in the near future because of the frequency of malicious macro documents used in phishing attacks.
Recommendation: Your company should have policies in place to prepare for Patch Tuesday every month because as this iteration portrays, sometimes the patched vulnerabilities will be used in common attack vectors.
Tags: Vulnerabilities, Patch Tuesday, Microsoft

Adobe Patches Security Bugs in Flash Player and Eight Other Products (November 14, 2017)
Adobe has released its monthly security updates for November that affect nine products. Overall, Adobe issued patches for 85 vulnerabilities, multiple of which could be exploited to allow remote code execution. The affected products are Adobe Acrobat and Reader, Adobe Connect, Adobe DNG Converter, Adobe Digital Editions, Adobe Experience Manager, Adobe Flash Player, Adobe InDesign, Adobe Photoshop CC, and Adobe Shockwave Player.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe's case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mediation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Patch Tuesday, Adobe

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (November 14, 2017)
A mobile security researcher, known by the alias “Elliot Alderson,” discovered an application located on some, if not all, “OnePlus” devices. The application, called “EngineerMode,” is reported to be vulnerable to exploitation by threat actors in a way that could result in the application to function as a backdoor. Researchers believe that the features located in EngineerMode are the same features one would find in a diagnosis application engineers use to test phones prior to shipping them out. An actor with physical access to a OnePlus device could run a command to take full control of the device. In addition, researchers say that this is the first batch of information regarding OnePlus devices and more information will be released in the near future.
Recommendation: The threat of preinstalled features has the ability to hide from even the most cautious of users. If the devices affected by this feature are being used by your company, they should be properly inspected and the unwanted feature removed.
Tags: Mobile, Presinstalled threat, OnePlus

XZZX Cryptomix Ransomware Variant Released (November 13, 2017)
A new variant of the “XZZX Cryptomix,” dubbed so because of the file appending to encrypted files, has been identified in the wild, according to Bleeping Computer researchers. In addition to the change in file extensions added to encrypted files, this variant has also been updated in regards to actor email addresses used to contact for payment information. The ransomware is able to function with no network communication because it contains 11 public RSA-1024 encryption keys that are used to then encrypt the AES key used to encrypt a user’s files.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Furthermore, your company should have a business continuity policy in place in the case of a ransomware infection.
Tags: Ransomware, Cryptomix variant, XZZX

Gage Mele
About the Author

Gage Mele

Threat Intelligence Analyst

Get the latest threat intelligence news in your email.