Weekly Threat Briefing: New Banking Trojan IcedID Discovered

The intelligence in this week’s iteration discuss the following threats: Business Email Compromise, Financial theft, Malspam, Phishing, Ransomware, Threat group, Trojan, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank">New Banking Trojan IcedID Discovered</a> (November 13, 2017) IBM X-Force researchers have published information regarding a newly identified banking trojan, dubbed “IcedID,” that was first found in September 2017. Researchers note that the malware has similar banking trojan capabilities as the notorious “Zeus Trojan.” At the time of this writing, the malware is targeting banks, mobile services providers, payment card providers, payroll, in addition to ecommerce and webmail websites. IcedID has been observed being distributed via the “Emotet” trojan, which is distributed via malspam emails that typically contain files with malicious macros. Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these type of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided. Tags: Malspam, Malware, Emotet, Banking trojan, IcedID<a href="https://blog.eset.ie/2017/11/13/windows-movie-maker-scam-spreads-massively-due-to-high-google-ranking/" target="_blank">Windows Movie Maker Scam Spreads Massively due to High Google Ranking</a> (November 13, 2017) Threat actors are distributing malicious versions of the “Windows Movie Maker,” Windows free video editing software, with the objective of stealing money, according to ESET researchers. The actors are distributing the malicious Movie Maker, which was discontinued in January 2017, via search engine optimization of the actor’s website in Google search results. As of this writing, the website responsible for distributing the malicious Movie Maker version appears on the first page of a Google search for “movie maker,” and is also located on the first page of results from the “Bing” search engine. If the fake Movie Maker is downloaded, users receive a functioning product, however, this version claims that the user needs to upgrade to the full version for $29.95 USD. Recommendation: Any free product should be researcher carefully prior to installation, thus features that should not be in the product, such as a paid version of Movie Maker, will be easier to identify. Furthermore, search engine results should not be taken at face value because as this story portrays, search engine results can sometimes display malicious locations. User should navigate to the official website of the creator/owner of the product for download and installation. Tags: Impersonation, Microsoft Movie Maker, Financial theft<a href="https://www.bleepingcomputer.com/news/security/new-cobra-crysis-ransomware-variant-released/" target="_blank">New Cobra Crysis Ransomware Variant Released</a> (November 10, 2017) Researchers have found what appears to be a new variant of the “Crysis/Dharma” ransomware. As of this writing, it is unknown how the actors are distributing this malware. However, researchers note that previous Crysis variants were distributed by compromising Remote Desktop Services and a subsequent manual installation of the ransomware. Encrypted files have an extension appended in the format “.id-[unique_id].[cranbery@colorendgrace[.]com].cobra”. It will also encrypt mapped network drives and unmapped network shares. Recommendation: As shown in this story, it is important to make sure corporate network shares are locked down and only those who need files have access. Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be created to assist in dealing with ransomware infections. Tags: Ransomware, Cobra Crysis, Remote Desktop Services<a href="https://www.appthority.com/mobile-threat-center/blog/eavesdropper-mobile-vulnerability-exposing-millions-conversations/" target="_blank">Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations</a> (November 9, 2017) Appthority researchers have identified a vulnerability, dubbed “Eavesdropper,” that affects approximately 700 applications. The vulnerability resides in developers hard coding credentials in applications that use the “Twilio Rest API” or “Twilio SDK.” Researchers state that “the developers have effectively given global access to the text/SMS messages, call metadata, and voice recording from every app they’ve developed with the exposed credentials.” The applications affected by this vulnerability consist of 44% Android, and 56% iOS and are associated with 85 Twilio developer accounts. The credentials in vulnerable apps were found by using YARA to find the string “twilio” which was listed beside the plaintext account ID and token. Recommendation: This vulnerability is worrying because it has the potential to expose sensitive information that could be stolen and subsequently sold by threat actors, or potentially lead to an information ransom scenario. This vulnerability arose because of developers failing to follow the documented guidelines set out by Twilio. Developers should always follow secure guidelines and avoid hard coding any form of credentials in an application. This vulnerability affects many applications, of which 33% are business related. Companies should identify applications that are used internally, and cease the use of the applications until the vulnerability has been addressed. Furthermore, companies should have policies that disallow employees from using applications for company-related work that have not been approved by the company. Tags: Vulnerability, Mobile, Data leak<a href="https://www.alienvault.com/blogs/labs-research/lockcrypt-ransomware-spreading-via-rdp-brute-force-attacks" target="_blank">LockCrypt Ransomware Spreading via RDP Brute-Force Attacks</a> (November 9, 2017) The threat actors behind the ransomware “LockCrypt,” which was first discovered in June 2017, have increased their malicious activity to target business-owned servers, according to Alien Vault researchers. At the time of this writing, LockCrypt has infected businesses in India, South Africa, the U.K., and the U.S. One business reported that it was infected via a Remote Desktop Protocol (RDP) brute-force attack from a compromised mail/VPN server. The actors are demanding anywhere from 0.5 (approximately $3,443 USD) to 1 (approximately $6,887 USD) Bitcoin for the decryption key per server. Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection. Tags: Brute-force attacks, RDP, Ransomware, LockCrypt<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/toast-overlay-weaponized-install-android-malware-single-attack-chain/" target="_blank">Toast Overlay Weaponized to Install Several Android Malware</a> (November 9, 2017) Trend Micro researchers have discovered a new Android malware family, dubbed “TOASTAMIGO,” that is capable of installing other malware via the “Toast Overlay” attack. Toast is a feature in Android used to display notifications over other applications. The Toast Overlay vulnerability, registered as “CVE-2017-0752,” was issued a patch in September 2017 and affects all Android versions except “Oreo.” The malware that exploits the vulnerability was discovered inside applications impersonating legitimate application lockers that protect apps with a PIN code, one of which was found to have been downloaded approximately 500,000 times, as of this writing. The malicious applications request Accessibility permissions upon installation which will allow it to download additional malware. Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. The two malicious applications on the app store had a high number of positive, fake reviews. When choosing an application to download, check the reviews with substantive wording in it, as it is common for the fake positive reviews to have little context in support of a positive rating. Also check the application description for correct grammar and spelling, the malicious applications in this case had many errors in their descriptions. Tags: Android, Vulnerability, Toast Overlay<a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" target="_blank">OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan</a> (November 8, 2017) The threat group “OilRig” is using a new version of their malicious “Clayside” delivery document to distribute a new custom trojan dubbed “ALMA Communicator,” according to Unit 42 researchers. The Clayside document was also observed to drop the credential stealing tool “Mimikatz.” This Clayside version is similar to past iterations in that if opened, it will display a worksheet that states that the file was created with a newer version of Excel. The document requests that the user clicks “Enable Content” to properly view the document. If Enable Content is clicked, a malicious macro will run to display the content of the decoy document, while also creating an HTML Application (.HTA) file in which HTML will run a VBScript to download ALMA Communicator. Recommendation: Files that request content to be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown sender should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Tags: Threat group, OilRig<a href="https://nakedsecurity.sophos.com/2017/11/08/hijackers-deface-800-school-websites-with-pro-islamic-state-messages/" target="_blank">Hijackers Deface 800 School Websites with Pro-Islamic State Messages</a> (November 8, 2017) Jim Brogan, the director of technology services for school in Gloucester County, Virginia, has confirmed that approximately 800 school websites were directing users to an iFramed YouTube page depicting an Islamic State recruitment video. The attack was accomplished by injecting a file into one of the web hosting company’s, SchoolDesk, websites. The redirection caused the user to see a picture of Saddam Hussein, and an audible message in Arabic. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: Compromised websites, Defacement<a href="https://www.bleepingcomputer.com/news/security/linux-has-a-usb-driver-security-problem/" target="_blank">Linux Has a USB Driver Security Problem</a> (November 7, 2017) Google security researcher, Andrew Konovalov, has discovered 79 Linux USB-related vulnerabilities. The vulnerabilities can be exploited via a maliciously crafted USB device. Some of the vulnerabilities can be exploited for Denial-of-Service (DoS) attacks, and others can be exploited to allow an actor to elevate privileges and execute arbitrary code. Researchers note that not all of the 79 vulnerabilities have been reported or patched. Recommendation: Vulnerabilities that can be exploited via a USB drive are in a state of increasing demand because of the corresponding increase the use of air-gapped systems. Therefore, the use of USB drives is a security risk, and the use of such devices should be limited to only the appropriate personnel who may need to use such equipment. Tags: Vulnerability, Linux, USB<a href="https://www.helpnetsecurity.com/2017/11/07/real-estate-scams/" target="_blank">BEC Scammer Stealing Millions From Home Buyers</a> (November 7, 2017) In early May 2017, the U.S. Federal Bureau of Investigation (FBI) warned homebuyers that threat actors were targeting their email accounts, and now the agency reports that throughout 2017 threat actors have diverted or attempt to divert approximately $1 billion USD. This malicious activity was accomplished by compromising real estate email accounts, monitor them until a transaction was underway, and then send a fraudulent request to change the payment type. The payment type was typically changed from check to wire transfer, or change the account to one controlled by the actors. Recommendation: It is important that your employees use different password for business-related accounts because actors will often test other accounts with previously stolen passwords. In addition, it is crucial that business accounts use a form of two-factor, or multi-factor authentication to make it difficult for actors to compromise accounts. Tags: Business Email Compromise, Theft<a href="http://www.theregister.co.uk/2017/11/07/android_november_security_update/" target="_blank">KRACK Whacked, Media Playback Holes Packed, Other Bugs Go Splat in Android Patch Pact</a> (November 7, 2017) Google has released it security update for November that addresses multiple vulnerabilities in the Android operating system. Among the vulnerabilities addressed is the critical “KRACK” Wi-Fi key reinstallation flaw that could allow actors to monitor nearby wireless traffic. Overall, 31 vulnerabilities were patched by Google. Nine of said vulnerabilities could be exploited to allow an actor to execute code remotely. Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow, or can be exploited by malicious actors. Tags: Vulnerabilities, Android, Security updates<a href="https://latesthackingnews.com/2017/11/06/phishing-emails-sent-users-netflix-hackers/" target="_blank">Phishing Emails Are Being Sent to The Users of Netflix by Hackers</a> (November 6, 2017) Researchers have found that threat actors are targeting Netflix users with phishing emails. The objective of the campaign is to steal billing data by claiming that the recipient needs to update said information. If the recipient follows a link provided in the phishing email, they will be directed to a fake Netflix page that asks the user to log in and enter their information such as credit card data. Recommendation: Netflix has stated that it will never contact ask its customer for personal information in an email. Therefore, if an email purporting to be Netflix requests personal data needs to changed or updated, it is likely a sign of a scam. If a user is curious, they should visit Netflix’s official website to check their account status. Tags: Phishing, Netflix, Data theft<a href="http://www.zdnet.com/article/watch-out-gibon-enters-the-ransomware-space/" target="_blank">Watch Out: GIBON Enters The Ransomware Space</a> (November 6, 2017) Proofpoint researcher, Matthew Mesa, has discovered a new strain of ransomware, dubbed “GIBON.” Threat actors are distributing this ransomware via phishing campaigns. The malicious attachments contain macros that will download and execute the ransomware if they are enabled. GIBON targets every file that is not located in the Windows folder. At the time of this writing, there are minimal details discussing the technical features of this new malware, in addition to the ransom demanded for the encryption key. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. In addition, as shown in this story, employees should also be cautious of opening suspicious attachments in emails even if they appear to have been sent from within the company as the Necurs botnet is easily able to spoof email addresses. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection. Tags: Phishing, Ransomware, GIBON<a href="https://www.us-cert.gov/ncas/current-activity/2017/11/06/Google-Releases-Security-Update-Chrome" target="_blank">Google Releases Security Update for Chrome</a> (November 6, 2017) The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning Google Chrome users to update their web browser as soon as possible. A vulnerability resided in Chrome for Linux, Mac, and Windows operating systems that has been addressed in Chrome version 62.0.3202.89. The vulnerability could be exploited by threat actors to take control of an affected system, according to the US-CERT. Recommendation: The US-CERT recommends that users and administrators review the Chrome releases page located at “https://chromereleases.googleblog.com/search/label/Stable%20updates” and apply the necessary update. Tags: Alert, Vulnerability, Google Chrome<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com/tip/18477" target="_blank">TrickBot Tool Tip</a> TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family. Tags: TrickBot, Family-Trickbot, victim-Financial-Services