July 2, 2018
Anomali Threat Research

WTB: MacOS Malware Targets Crypto Community On Slack, Discord

<p>The intelligence in this week’s iteration discusses the following threats: <b>Breaches</b>, <b>Kardon Loader</b>, <b>OSX.Dummy</b>, <b>PBot Phishing</b>, <b>PROPagate</b>, <b>RANCOR</b>, <b>RAMpage</b> and <b>Spamdexing</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p>

<h2>Trending Threats</h2>

<p><a href="https://threatpost.com/macos-malware-targets-crypto-community-on-slack-discord/133254/" target="_blank"><b>MacOS Malware Targets Crypto Community On Slack, Discord</b></a> (<i>July 1, 2018</i>)<br /> Threat actors are using macOS malware, "OSX.Dummy," to target cryptocurrency investors who use the communication applications Slack and Discord. The actors impersonate administrators or key individuals and send small code snippets which, if run, download and execute a malicious binary. The malware bypasses the macOS Gatekeeper security software because it is launched directly via terminal commands. If the malware connects to the threat actor&#39;s command and control server, the actor gains control of the targeted system. Patrick Wardle, the researcher who discovered the malware, named it "OSX.Dummy" because the attack vector is unsophisticated.<br /> <a href="https://forum.anomali.com/t/macos-malware-targets-crypto-community-on-slack-discord/2639" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced" target="_blank"><b>Phishing Alert: Fake Trezor Wallet website</b></a> (<i>July 1, 2018</i>)<br /> "TREZOR" is a hardware wallet sold by "SatoshiLabs" intended for the secure storage of cryptocurrency such as Bitcoin. On June 30, the Czech Republic-based vendor&#39;s subdomain (wallet.trezor.io) was hit by a phishing scam that was the result of suspected DNS poisoning or BGP hijacking.
Customers were first alerted to the attack when their web browsers displayed an error about an invalid TLS certificate while authenticating the secure connection to the vendor&#39;s website. The second warning sign was a message from the fake site claiming that the hardware wallet was damaged and requiring the user to enter their recovery seed, something SatoshiLabs would never request.<br /> <a href="https://forum.anomali.com/t/phishing-alert-fake-trezor-wallet-website/2640" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.bleepingcomputer.com/news/security/adidas-announces-data-breach/" target="_blank"><b>Adidas Announces Data Breach</b></a> (<i>June 29, 2018</i>)<br /> The sportswear brand "Adidas" announced a data breach on June 28 affecting customers who used the United States version of its website. The breach compromised contact information, usernames, and encrypted passwords of shoppers. Adidas claims that no credit card or fitness information of consumers was taken. As of this writing, the number of customers affected by the breach is unknown, but other news outlets estimate that "a few million" customers may have been affected.<br /> <a href="https://forum.anomali.com/t/adidas-announces-data-breach/2641" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://cyware.com/news/rampage-nearly-every-android-device-released-since-2012-likely-impacted-by-new-vulnerability-b9a2abbb" target="_blank"><b>RAMpage: Nearly Every Android Device Released Since 2012 Likely Impacted By New Vulnerability</b></a> (<i>June 29, 2018</i>)<br /> A new Android vulnerability has been uncovered that is believed to affect nearly every Android device manufactured since 2012. The vulnerability is exploited via a Rowhammer attack called RAMpage, which targets an Android memory subsystem called ION.
RAMpage gives threat actors complete administrative control over a device, and with it access to passwords, emails, photos, messages, and business documents. ION manages communication between apps and the OS, so subverting it lets an attacker gain full control over the device. The technique can also be used to target Apple devices and personal computers. Researchers stated that any device with LPDDR2, LPDDR3, or LPDDR4 memory is vulnerable. It is unclear whether RAMpage has been used in the wild yet, and so far no patches have been deployed to counteract it. However, the researchers who uncovered RAMpage have developed a tool called GuardION, which is intended to protect vulnerable systems against the attack.<br /> <a href="https://forum.anomali.com/t/rampage-nearly-every-android-device-released-since-2012-likely-impacted-by-new-vulnerability/2642" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://thehackernews.com/2018/06/gentoo-linux-github.html" target="_blank"><b>Github Account Of Gentoo Linux Hacked, Code Replaced With Malware</b></a> (<i>June 28, 2018</i>)<br /> Gentoo&#39;s GitHub organization was taken over by threat actors on June 28, 2018, at 20:20 UTC. The actors modified the content of the repositories and pages hosted there, replacing the "portage" and "musl-dev" trees with malicious versions intended to delete all of a user&#39;s files.
This incident reportedly affected only the code accessed from the mirror hosted at GitHub, not the code from the official Gentoo site.<br /> <a href="https://forum.anomali.com/t/github-account-of-gentoo-linux-hacked-code-replaced-with-malware/2643" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors/" target="_blank"><b>The New Face Of Necurs: Noteworthy Changes To Necurs&#39; Behaviors</b></a> (<i>June 28, 2018</i>)<br /> Researchers at Trend Micro have discovered that the Necurs malware has changed how it uses its infected hosts (bots). Recently, Necurs has begun installing XMRig, a Monero miner, on its infected machines, earning at least $1,200 USD in 24 hours. It has also started pushing the Remote Access Trojan (RAT) FlawedAmmyy to its bots; FlawedAmmyy reuses the functionality of the legitimate remote access tool Ammyy Admin, giving the botmaster remote access to the machine, file system management, proxy support, and audio chat. Depending on whether particular criteria are met, Necurs pushes different modules via command and control (C2) commands, which then install the FlawedAmmyy RAT. Necurs has also begun pushing modules that extract emails, specifically from Outlook, and that drop the RAT. Its spamming tactics have changed as well: Necurs now uses a .NET module that can send emails and steal credentials from Internet Explorer, Chrome, and Firefox. Researchers have pieced together that the threat actors are interested in government, financial institutions, the tourism and food industries, and real estate companies.
It is possible that this evolution of Necurs&#39; Tactics, Techniques, and Procedures (TTPs) is leading up to future campaigns.<br /> <a href="https://forum.anomali.com/t/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors/2644" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html" target="_blank"><b>RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique</b></a> (<i>June 28, 2018</i>)<br /> FireEye researchers have observed the RIG Exploit Kit (EK) delivering a dropper that leverages the recently discovered "PROPagate" injection technique. The injected code downloads and executes a Monero cryptominer. The infection begins when a user visits a compromised website containing an injected iframe. The iframe loads the RIG EK landing page, which attempts to exploit three vulnerabilities (CVE-2015-2419, CVE-2016-0189, CVE-2018-4878) in order to drop a Nullsoft Scriptable Install System (NSIS) loader. The loader uses the PROPagate technique to inject shellcode into "explorer.exe," and the shellcode downloads and installs a Monero miner.<br /> <a href="https://forum.anomali.com/t/rig-exploit-kit-delivering-monero-miner-via-propagate-injection-technique/2645" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.bleepingcomputer.com/news/security/ticketmaster-announces-data-breach-affecting-5-percent-of-all-users/" target="_blank"><b>Ticketmaster Announces Data Breach Affecting 5% of All Users</b></a> (<i>June 27, 2018</i>)<br /> The ticketing provider "Ticketmaster" announced on June 27 that a data breach had occurred affecting approximately 5% of its customer base. The breach resulted in the theft of customer data, login information, and payment details.
The breach did not occur at Ticketmaster itself but at "Inbenta," an AI-powered live chat widget provider whose product Ticketmaster was deploying. According to Ticketmaster, it discovered the breach on June 23 when the widget was found to be delivering malicious software to Ticketmaster users that logged and exfiltrated customer details. Ticketmaster disabled the widget on all of its sites the day it was discovered.<br /> <a href="https://forum.anomali.com/t/ticketmaster-announces-data-breach-affecting-5-of-all-users/2646" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://blog.malwarebytes.com/cybercrime/2018/06/red-hen-website-suffers-seo-spam-compromise/" target="_blank"><b>Red Hen website suffers SEO spam compromise</b></a> (<i>June 27, 2018</i>)<br /> The website of the Red Hen restaurant in Lexington has fallen victim to the old technique of Search Engine Optimisation (SEO) spam compromise. On visiting the homepage everything appears normal, but with JavaScript turned off, spam text becomes visible at the top of the page. The text is intended to give an SEO boost to the links it contains, raising the search ranking of spam sites in order to drive more traffic to them. The technique is also known as "Spamdexing."<br /> <a href="https://forum.anomali.com/t/red-hen-website-suffers-seo-spam-compromise/2647" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html" target="_blank"><b>Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor</b></a> (<i>June 26, 2018</i>)<br /> Researchers from Cisco Talos have released a new decryption tool for the "Thanatos" ransomware. Thanatos has been distributed via multiple malware campaigns over recent months and remains an active threat that is being deployed by multiple actors.
Instead of demanding payment in Bitcoin, as most other ransomware families do, Thanatos has been observed demanding payment in Bitcoin Cash (BCH), Zcash (ZEC), and Ethereum (ETH). Because of flaws in the malware&#39;s encryption process, its authors are unable to restore encrypted files even if the ransom is paid; Talos researchers believe this may be intentional on the part of the distributor in some cases.<br /> <a href="https://forum.anomali.com/t/files-cannot-be-decrypted-challenge-accepted-talos-releases-thanatosdecryptor/2648" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/" target="_blank"><b>WARNING: WordPress File Delete to Code Execution</b></a> (<i>June 26, 2018</i>)<br /> A new vulnerability in the "WordPress" Content Management System (CMS) has been discovered by researchers at RIPS Technologies. The arbitrary file deletion vulnerability allows an account with privileges as low as the "Author" role to potentially gain elevated privileges; the actor must compromise such an account beforehand. The vulnerability occurs when unsanitized user input is passed into the file deletion function, giving control over the parameter that represents the file to be deleted. An attacker can thus delete critical files that enforce security constraints, which can lead to arbitrary code execution and the creation of an administrator account.<br /> <a href="https://forum.anomali.com/t/warning-wordpress-file-delete-to-code-execution/2649" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://securelist.com/pbot-evolving-adware/86242/" target="_blank"><b>PBot: evolving adware</b></a> (<i>June 26, 2018</i>)<br /> Kaspersky Lab researchers have released information on the constantly evolving advertising malware (adware) dubbed "PBot" (PythonBot). The number of PBot infections is increasing, with the majority of targets located in Kazakhstan, Russia, and Ukraine.
PBot is distributed through partner sites that use scripts to redirect users to sponsored links. Once the target visits a PBot download page, an HTML Application (HTA) file is downloaded which, when run, downloads the PBot installer. The malware maintains persistence via scheduled tasks. The bot redirects users to advertising sites while they browse the internet and downloads extensions.<br /> <a href="https://forum.anomali.com/t/pbot-evolving-adware/2650" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.bleepingcomputer.com/news/security/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/" target="_blank"><b>Hundreds of Hotels Affected by Data Breach at Hotel Booking Software Provider</b></a> (<i>June 26, 2018</i>)<br /> A data breach at the hotel booking software company "FastBooking" has resulted in the theft of Personally Identifiable Information (PII) of guests from hundreds of hotels. The exact number of affected hotels is not currently known. FastBooking sent an email to affected hotels explaining that a vulnerability in an application hosted on its server was leveraged to install information-stealing malware. The stolen data, depending on the hotel, included guests&#39; names, addresses, email addresses, and hotel booking information. In some cases payment card data was also stolen. FastBooking is providing hotels with templates to email their affected customers.
The first hotel chain to inform its customers was "Prince Hotels &amp; Resorts" in Japan, where 124,963 guests who stayed at 82 of its hotels were affected.<br /> <a href="https://forum.anomali.com/t/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/2651" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PaloAltoNetworks+%28Palo+Alto+Networks+Research+Center%29" target="_blank"><b>RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families</b></a> (<i>June 26, 2018</i>)<br /> Palo Alto Networks researchers have been observing a series of highly targeted attacks in South East Asia conducted by a previously unidentified group now dubbed "RANCOR." The group uses two primary malware families, "DDKONG" and "PLAINTEE." The malware is delivered in multiple ways, including malicious macros in decoy documents, HTML Application (HTA) loaders, and DLL loaders. The decoy documents include public news articles focused primarily on political news and events, leading the researchers to conclude that political entities are being targeted. The PLAINTEE malware appears to be used exclusively by RANCOR, and very few samples have been observed.
This supports the assessment that the malware is highly targeted, since detection signatures are less likely to exist for uncommon malware.<br /> <a href="https://forum.anomali.com/t/rancor-targeted-attacks-in-south-east-asia-using-plaintee-and-ddkong-malware-families/2652" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.theregister.co.uk/2018/06/25/java_web_server_jolokia_insecure/" target="_blank"><b>Misconfiguration of Java web server component Jolokia puts orgs at risk</b></a> (<i>June 25, 2018</i>)<br /> According to security researcher Mat Mannion, a misconfiguration of a commonly used Java web server component leaves websites vulnerable to attack. The weakness lies in Jolokia&#39;s exposure of "Java Management Extensions" (JMX), which can lead to information disclosure or Denial-of-Service (DoS). Mannion says the distribution is insecure by default, but notes that this is not a bug.<br /> <a href="https://forum.anomali.com/t/misconfiguration-of-java-web-server-component-jolokia-puts-orgs-at-risk/2653" target="_blank">Click here for Anomali recommendation</a></p>

<p><a href="https://www.scmagazine.com/50-kardon-beta-malware-allows-customers-to-build-own-botnets/article/776002/" target="_blank"><b>$50 Kardon beta malware allows customers to build own botnets</b></a> (<i>June 25, 2018</i>)<br /> A new downloader malware, dubbed "Kardon Loader," is being sold on underground forums for $50 USD, according to NetScout Arbor ASERT researchers. The malware appears to be a rebrand of the "ZeroCool" botnet malware. The malware authors are looking for beta testers to infect victims and report back to a Command and Control (C2) server. The malware advertises a large range of features, but some of the claimed capabilities appear to be exaggerated.
The authors claim the malware has Tor integration and rootkit functionality, but researchers found no evidence of these capabilities in the samples analysed.<br /> <a href="https://forum.anomali.com/t/50-kardon-beta-malware-allows-customers-to-build-own-botnets/2654" target="_blank">Click here for Anomali recommendation</a></p>
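<p>The Red Hen item above describes SEO spam that a browser with JavaScript hides but a crawler still indexes. As an added example (not part of this briefing; the <code>redhen.example</code> host and the spam hosts are made up), the following Python check scores the raw HTML a site owner can fetch with a non-JavaScript client by measuring how much of the opening visible text is link text pointing at foreign hosts:</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SKIP_TAGS = {"head", "title", "script", "style", "noscript"}  # text in these is never rendered

class LeadingTextScanner(HTMLParser):
    """Count the first `max_words` visible words and those that are off-site link text."""
    def __init__(self, site_host, max_words=150):
        super().__init__()
        self.site_host, self.max_words = site_host.lower(), max_words
        self.words, self.offsite_words, self.offsite_hosts = 0, 0, set()
        self._skip_depth, self._link_host = 0, None  # in non-rendered tag; enclosing off-site <a> host

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self._skip_depth += 1
        elif tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host and host.lower() != self.site_host:
                self._link_host = host.lower()

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a":
            self._link_host = None

    def handle_data(self, data):
        # Text inside non-rendered tags, or past the word budget, contributes nothing.
        n = 0 if self._skip_depth else min(len(data.split()), self.max_words - self.words)
        self.words += n
        if n and self._link_host:
            self.offsite_words += n
            self.offsite_hosts.add(self._link_host)

def spamdexing_score(html, site_host, max_words=150):
    """Return (share of the leading words that are off-site link text, sorted off-site hosts)."""
    s = LeadingTextScanner(site_host, max_words)
    s.feed(html)
    s.close()
    return (s.offsite_words / s.words if s.words else 0.0), sorted(s.offsite_hosts)

def looks_spamdexed(html, site_host, threshold=0.4, min_hosts=3):
    """Flag a page whose opening text is dominated by links to several foreign hosts."""
    ratio, hosts = spamdexing_score(html, site_host)
    return ratio >= threshold and len(hosts) >= min_hosts

# Constructed samples (hosts made up): a clean page, and the same page with a top-of-body link block a script hides.
CLEAN_HTML = ('<html><head><title>Red Hen</title></head><body>\n<h1>Welcome to our restaurant</h1>\n'
              '<p>We serve seasonal dishes from local farms. <a href="/menu">See the menu</a>.</p></body></html>')
SPAM_BLOCK = ('<div class="seo-inject"><a href="http://cheap-pills.example/">cheap pills online today</a> '
              '<a href="http://replica-watches.example/">replica watches discount</a> '
              '<a href="http://loan-fast.example/">fast loans no credit check</a></div>\n'
              '<script>document.querySelector(".seo-inject").style.display = "none";</script>\n')
INJECTED_HTML = CLEAN_HTML.replace("<body>\n", "<body>\n" + SPAM_BLOCK)
```

The same scan run over a browser-rendered DOM (with JavaScript executed) would miss the block, which is exactly the gap the technique exploits; compare the two views to confirm a compromise.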
