Weekly Threat Briefing: Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain

The intelligence in this week’s iteration discuss the following threats: 419 Scams, Cobalt Gang, GhostMiner, Guccifer 2.0, Orbitz Breach and TeleRat. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" target="_blank">Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested In Spain</a> (March 26, 2018) The leader of the group behind the "Carbanak" and "Cobalt" malware attacks has been arrested in Alicante, Spain. The arrest took place after a joint investigation was carried out by the Spanish National Police in conjunction with Europol, the United States FBI, authorities from Romanian, Belarus, and Taiwan, as well as private security companies. The group has been conducting operations since 2013, striking banks in more than 40 countries, resulting in cumulative losses of over one billion Euro for the financial industry. The group would typically target banking employees with spear phishing emails in attempts to gain access to the network. <a href="https://forum.anomali.com/t/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain/2217" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.malwarebytes.com/cybercrime/2018/03/celebrating-stephen-hawking-with-a-419-scam/" target="_blank">"Celebrating Stephen Hawking" with a 419 scam</a> (March 23, 2018) A new "419" scam is using the subject line "Celebrating Stephen Hawking," in an attempt to make some quick money. 419 scams, which refers to the section of Nigerian criminal code dealing with fraud, promise the target a large sum of money in return for a small advance fee, in this case, the fraudster was promising an $8 million USD prize for answering three questions about Stephen Hawking. When you send an email with the correct answers, the scammer asks for personal details including cell phone number, date of birth, and pictures of government-issued ID cards. <a href="https://forum.anomali.com/t/celebrating-stephen-hawking-with-a-419-scam/2218" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" target="_blank">GhostMiner: Cryptomining Malware Goes Fileless</a> (March 22, 2018) Minerva Labs researchers have conducted an analysis on "GhostMiner;" a cryptocurrency miner that is using fileless techniques in order to increase it's stealth capabilities. The miner spreads by exploiting vulnerable servers running Oracle WebLogic, MSSQL, and phpMyAdmin. The mining component, a modified "XMRig" miner, is launched directly from memory after stopping other miners running on the system by using PowerShell's "Stop-Process -force" command on blacklisted miners from a hardcoded list. <a href="https://forum.anomali.com/t/ghostminer-cryptomining-malware-goes-fileless/2219" target="_blank">Click here for Anomali recommendation</a><a href="https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer?ref=home" target="_blank">Lone DNC Hacker' Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer</a> (March 22, 2018) The "lone hacker" who took credit for passing stolen emails from the Democratic National Committee (DNC) to WikiLeaks has been exposed as an officer for the GRU, Russia's military intelligence directorate. The "Guccifer 2.0" persona was first reported on by Crowdstrike in 2016. Guccifer 2.0 built up an image as an independent Romanian hacktivist. On one occasion Guccifer 2.0 forgot to activate his VPN client which left the real Moscow-based IP address in the logs of a social media company. Which was identified as a particular GRU officer. <a href="https://forum.anomali.com/t/lone-dnc-hacker-guccifer-2-0-slipped-up-and-revealed-he-was-a-russian-intelligence-officer/2220" target="_blank">Click here for Anomali recommendation</a><a href="https://arstechnica.com/information-technology/2018/03/thousands-of-servers-found-leaking-750-mb-worth-of-passwords-and-keys/" target="_blank">Thousands of servers found leaking 750MB worth of passwords and keys</a> (March 22, 2018) The security researcher "Giovanni Collazo" has discovered almost 2,300 internet exposed servers running "etcd." etcd is a distributed key-value store database that is able to store data across a cluster. Using a simple script, Collazo was able to query the servers to return all the stored credentials. The queries fetched 8,781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys. <a href="https://forum.anomali.com/t/thousands-of-servers-found-leaking-750mb-worth-of-passwords-and-keys/2221" target="_blank">Click here for Anomali recommendation</a><a href="https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp" target="_blank">Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app</a> (March 21, 2018) Security researcher Sarah Edwards has discovered that plaintext passwords for APFS encrypted external volumes are visible in unified logs in High Sierra via the Disk Utility application. Starting from a "clean" flash drive, using the Disk Utility application to create an encrypted APFS volume on the drive. Monitoring the unified logs during this will reveal the plaintext password. <a href="https://forum.anomali.com/t/uh-oh-unified-logs-in-high-sierra-10-13-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utility-app/2222" target="_blank">Click here for Anomali recommendation</a><a href="https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/" target="_blank">TrickBot Banking Trojan Adapts with New Module</a> (March 21, 2018) The TrickBot banking trojan has incorporated multiple new modules according to Webroot researchers. One module, named "Spreader_x86.dll," is used by TrickBot to spread laterally through an infected network by leveraging "EternalRomance" (MS17-010:CVE-2017-0145). Another module still in development appears to be a "screenlocker." It appears that the developers are trying to adapt TrickBot to also target corporate networks, as evidenced by the fact that the screenlocking is only called after lateral movement. Prior to this new activity, Trickbot typically targeted individuals using their personal banking websites. In this context, this appears to be an attempt by Trickbot actors to generate more revenue in a corporate setting because users are less likely to be visiting targeted personal banking URLs from corporate networks. <a href="https://forum.anomali.com/t/trickbot-banking-trojan-adapts-with-new-module/2223" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/" target="_blank">Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers</a> (March 21, 2018) Trend Micro researchers have discovered a new cryptocurrency-mining campaign that is targeting Linux servers. The campaign delivers the miners by exploiting the vulnerability registered as "CVE-2013-2618." The vulnerability lies in Cacti's "Network Weathermap" plugin, which is used by network administrators to visualize network activity. A patch for this vulnerability has existed for five years. The delivered cryptominer is a modified "XMRig" miner that mines the "Monero" cryptocurrency. <a href="https://forum.anomali.com/t/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/2224" target="_blank">Click here for Anomali recommendation</a><a href="https://thehackernews.com/2018/03/expedia-data-breach.html" target="_blank">Expedia's Orbitz Says 880,000 Payment Cards Compromised in Security Breach</a> (March 20, 2018) An online travel booking subsidiary of Expedia, Orbitz, has revealed that one of its deprecated websites has been hacked, exposing the card payment numbers of approximately 880,000 customers. The breach likely took place between October 2016 and December 2017. Along with card numbers, other personal data of customers that were exposed included the following: name, address, date of birth, phone number, email address, and gender. Orbitz is working to notify the affected customers and is planning to offer one year of free credit monitoring and identity protection service. <a href="https://forum.anomali.com/t/expedias-orbitz-says-880-000-payment-cards-compromised-in-security-breach/2225" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/windows-remote-assistance-tool-can-be-used-for-targeted-attacks/" target="_blank">Windows Remote Assistance Tool Can Be Used for Targeted Attacks</a> (March 20, 2018) A utility that ships with all Windows distributions, called "Windows Remote Assistance Tool," is able to be used in targeted attacks. The vulnerability was discovered by a Belgian security researcher "Nabeel Ahmed." The vulnerability exists because Microsoft failed to sanitize an invitation file used by Windows Remote Assistance Tool. The invitation file, which is an XML file with configuration data, is able to embed an XML External Entity (XEE) exploit that can be sent to a target to take a local file and exfiltrate it to a remote server. <a href="https://forum.anomali.com/t/windows-remote-assistance-tool-can-be-used-for-targeted-attacks/2226" target="_blank">Click here for Anomali recommendation</a><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" target="_blank">TeleRAT: Another Android Trojan Leveraging Telegram's Bot API to Target Iranian Users</a> (March 20, 2018) Palo Alto Unit 42 researchers have discovered a new Android Trojan that is using Telegram's Bot API, targeting Iranian users. The malware, dubbed "TeleRat," uses the bot API for both Command and Control (C2) and data exfiltration. When first executed, the trojan steals contact information, details of Google accounts on the phone, SMS history, and pictures taken using both front and rear camera. TeleRat uses the API every 4.6 seconds to receive further commands from the Telegram Bot and can perform actions such as calling a number, getting GPS location, getting app list, recording audio, and taking pictures. It is believed that the trojan is being distributed via third party application stores. <a href="https://forum.anomali.com/t/telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/2227" target="_blank">Click here for Anomali recommendation</a><h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com/tip/18477" target="_blank">TrickBot Tool Tip</a> TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family. Tags: TrickBot, Family-Trickbot, victim-Financial-Services