January 17, 2018 - Anomali Threat Research

Weekly Threat Briefing: New Mirai Variant Targets Billions of ARC-Based Endpoints

<p>The intelligence in this week’s iteration discusses the following threats: <b>APT</b>, <b>Disk-wiper</b>, <b>DNS hijacking</b>, <b>Malicious extensions</b>, <b>Malicious application</b>, <b>Malvertising</b>, <b>Targeted attacks</b>, and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p>
<h2>Trending Threats</h2>
<p><a href="https://www.infosecurity-magazine.com/news/mirai-variant-targets-billions-arc/" target="_blank"><b>New Mirai Variant Targets Billions of ARC-Based Endpoints</b></a> (<i>January 16, 2018</i>)<br/> Security researchers are discussing a new variant of the Internet-of-Things (IoT) malware “Mirai” dubbed “Okiru.” The new malware was first observed by MalwareMustDie researcher “@unixfreaxjp.” Researchers now believe that Okiru is the first malware designed to target “Argonaut RISC Core” (ARC) processors. Researchers also estimate that over 1.5 billion devices, including cameras, cars, cell phones, and televisions, contain ARC processors. At the time of this writing, it is unknown how many devices have been infected with Okiru; however, researchers state that the malware specifically targets ARC Linux devices.<br/> <a href="https://forum.anomali.com/t/new-mirai-variant-targets-billions-of-arc-based-endpoints/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" target="_blank"><b>New KillDisk Variant Hits Financial Organizations in Latin America</b></a> (<i>January 15, 2018</i>)<br/> A new variant of the disk-wiping malware “KillDisk” is targeting financial organizations in Latin America, according to Trend Micro researchers. The malware appears to be dropped by another process rather than being directly installed. This KillDisk variant changes its file name to “c:windows 3456789” while it is running. In addition, KillDisk walks every logical drive and randomly renames each file before deleting it. It is capable of reading the Master Boot Record (MBR) as well as overwriting the Extended Boot Record (EBR).<br/> <a href="https://forum.anomali.com/t/new-killdisk-variant-hits-financial-organizations-in-latin-america/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses" target="_blank"><b>Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses</b></a> (<i>January 15, 2018</i>)<br/> Researchers from U.S.-based cyber security firm “ICEBRG” have discovered four malicious Chrome browser extensions which were available for download on the official Chrome Web Store. The four extensions were titled “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “Lite Bookmarks,” and “Stickies – Chrome’s Post-it Notes,” and were found to have been downloaded approximately 500,000 times. The extensions were designed in a way that could allow a threat actor to send commands to an affected user’s browser via JavaScript code. Researchers discovered that the actors behind this campaign are using the extensions to conduct click fraud by loading a website in the background and clicking on advertisements.<br/> <a href="https://forum.anomali.com/t/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://thehackernews.com/2018/01/macos-dns-hijacker.html" target="_blank"><b>Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users</b></a> (<i>January 12, 2018</i>)<br/> A security researcher has published information regarding what may be the first reported macOS-specific malware of 2018. The malware was first identified via a post on a Malwarebytes forum. The malware, dubbed “OSX/MaMi,” is an unsigned Mach-O 64-bit executable that is reported to be similar to another malware family called “DNSChanger.” In 2012, DNSChanger infected millions of machines around the globe. DNSChanger would change Domain Name System (DNS) server settings to route traffic through actor-controlled servers, which allowed the actors to intercept potentially sensitive data. OSX/MaMi appears to do the same thing, and additionally installs a new root certificate in an attempt to intercept encrypted communications.<br/> <a href="https://forum.anomali.com/t/warning-new-undetectable-dns-hijacking-malware-taregting-apple-macos-users/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/" target="_blank"><b>Update on Pawn Storm: New Targets and Politically Motivated Campaigns</b></a> (<i>January 12, 2018</i>)<br/> The Advanced Persistent Threat (APT) group “APT28” has added new targets in its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. Researchers note that the group’s tactics in this campaign have remained the same. APT28 uses well-prepared, politically-themed spear phishing emails to target political organizations around the world. The group has been conducting this campaign since 2015. Researchers have now observed the group distributing phishing emails that attempt to steal user credentials. In October and November, APT28 distributed emails that purported to be a message from the recipient’s Microsoft Exchange server regarding an expired password, and another that claimed a new file was available on the recipient company’s OneDrive system.<br/> <a href="https://forum.anomali.com/t/update-on-pawn-storm-new-targets-and-politically-motivated-campaigns/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/hackers-make-whopping-226k-installing-monero-miners-on-oracle-weblogic-servers/" target="_blank"><b>Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Server</b></a> (<i>January 11, 2018</i>)<br/> Researchers Johannes B. Ullrich (SANS) and Renato Marinho (Morphus Labs) have discovered that threat actors are actively exploiting a vulnerability in Oracle WebLogic servers. The vulnerability, registered as “CVE-2017-10271,” was patched by Oracle in October 2017. However, the proof-of-concept code released for the vulnerability is likely a driving force behind the current malicious activity. Actors have been able to compromise enterprise-owned WebLogic servers and gain access to corporate networks. Interestingly, instead of stealing information, the actors installed a “Monero” cryptocurrency miner. As of this writing, the actors have been able to mine approximately 611 Monero, valued at approximately $226,000 USD.<br/> <a href="https://forum.anomali.com/t/hackers-make-whopping-226k-installing-monero-miners-on-oracle-weblogic-server/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="http://www.zdnet.com/article/adobe-patches-information-leak-vulnerabilities/" target="_blank"><b>Adobe Patches Information Leak Vulnerability</b></a> (<i>January 10, 2018</i>)<br/> As part of Patch Tuesday, Adobe has issued a security patch to address a vulnerability registered as “CVE-2018-4871.” The vulnerability could be exploited by threat actors to leak sensitive data. This vulnerability affects Adobe Flash Player on Mac, Linux, and Windows machines. In addition, Adobe Flash Player for the Chrome, Edge, and Internet Explorer web browsers, versions 28.0.0.126 and earlier, is also affected.<br/> <a href="https://forum.anomali.com/t/adobe-patches-information-leak-vulnerability/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://thehackernews.com/2018/01/microsoft-security-patch.html" target="_blank"><b>Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-day</b></a> (<i>January 9, 2018</i>)<br/> In Microsoft’s first Patch Tuesday of 2018, the company addressed 56 CVE-registered vulnerabilities that affect multiple products including ASP.NET, ChakraCore, Edge, Internet Explorer, and the .NET framework. Microsoft issued a patch for a zero-day vulnerability in Office, registered as “CVE-2018-0802,” that was observed to have been exploited by threat actors in the wild.<br/> <a href="https://forum.anomali.com/t/microsoft-releases-patches-for-16-critical-flaws-including-a-zero-day/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"><b>Diplomats in Eastern Europe Bitten by a Turla Mosquito</b></a> (<i>January 9, 2018</i>)<br/> Researchers from the IT security company ESET have released a report discussing new malicious activity attributed to the Advanced Persistent Threat (APT) group “Turla.” Researchers discovered that a custom backdoor used by the group, called “Mosquito,” was packaged with the legitimate Flash installer and appeared to have been downloaded from adobe[.]com. Turla has been observed using a fake Adobe Flash installer in previous campaigns. The group was also observed using its “Gazer” malware to primarily target consulates and embassies in Eastern Europe, although some private companies were also infected.<br/> <a href="https://forum.anomali.com/t/diplomats-in-eastern-europe-bitten-by-a-turla-mosquito/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/" target="_blank"><b>RIG Exploit Kit Campaign Gets Deep Into Crypto Craze</b></a> (<i>January 9, 2018</i>)<br/> As cryptocurrencies continue to grow in popularity, due in part to the significant rise in the value of Bitcoin, so too do malicious campaigns designed to mine cryptocurrency. Researchers have discovered that one such campaign, dubbed “Ngay,” is distributing the RIG exploit kit via malicious advertisements (malvertising). If a malvertisement is followed, the user is infected with RIG, which then downloads a “Monero” or “Electroneum” cryptocurrency miner onto the affected machine.<br/> <a href="https://forum.anomali.com/t/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/first-kotlin-developed-malicious-app-signs-users-premium-sms-services/" target="_blank"><b>First Kotlin-Developed Malicious App Signs User Up for Premium SMS Services</b></a> (<i>January 9, 2018</i>)<br/> Trend Micro researchers have identified a malicious application on the Google Play store that impersonated the Android utility cleaning tool “Swift Cleaner.” The application was written in the “Kotlin” programming language, which Google announced in May 2017 as a language for creating Android applications. The fake application was observed to have been downloaded between 1,000 and 5,000 times. The malicious application is capable of click advertisement fraud, data theft, remote code execution, URL forwarding, and signing up for paid SMS subscription services without user permission.<br/> <a href="https://forum.anomali.com/t/first-kotlin-developed-malicious-app-signs-user-up-for-premium-sms-services/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.us-cert.gov/ncas/current-activity/2018/01/08/Apple-Releases-Multiple-Security-Updates" target="_blank"><b>Apple Releases Multiple Security Updates</b></a> (<i>January 8, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The affected Operating Systems (OS) are macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6. The affected devices are iPhone 5s and later, iPad Air and later, and iPod 6th generation. A threat actor could exploit these vulnerabilities to gain access to sensitive information.<br/> <a href="https://forum.anomali.com/t/apple-releases-multiple-security-updates/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner" target="_blank"><b>A North Korean Monero Cryptocurrency Miner</b></a> (<i>January 8, 2018</i>)<br/> A new application, compiled on December 24, 2017, is being used to mine “Monero” cryptocurrency, according to AlienVault Labs researchers. The mined currency is then sent to “Kim Il Sung University” in Pyongyang, North Korea. Researchers believe that the installer is likely associated with the open source Monero mining software “XMRig.” Interestingly, the actors behind this campaign used a hostname that no longer resolves, which means XMRig cannot send the mined currency to the actors on most networks. Researchers believe that this fact, in addition to the use of a North Korean server, may indicate that this is a testing phase of a potential malicious campaign, or that this may be a genuine Monero mining operation. However, the use of a North Korean server may indicate that actors within the country are mining cryptocurrencies as a way to bypass United Nations sanctions. Lastly, the observation of Monero being sent to Kim Il Sung University does not necessarily attribute this activity to a North Korean citizen, because the university is “unusually open” and analysis of the code samples reveals French text.<br/> <a href="https://forum.anomali.com/t/a-north-korean-monero-cryptocurrency-miner/" target="_blank">Click here for Anomali recommendation</a></p>
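The Okiru story in this briefing turns on the target architecture: a defender triaging IoT malware samples wants to know quickly whether a binary was built for ARC, for ARM or MIPS like earlier Mirai builds, or is not an ELF at all. The following Python is an added example, not code from Anomali or from any of the cited reports. It parses the ELF header's e_ident and e_machine fields to report bitness, endianness and architecture, using the e_machine constants from &lt;elf.h&gt; (EM_ARC, EM_ARC_COMPACT and EM_ARC_COMPACT2 for the ARC family). The sample headers, their file names and the make_elf32_header helper are constructed here for illustration and are assumptions, not real samples or IoCs.

```python
import struct

# ELF e_machine values from <elf.h>. The three ARC entries cover the Argonaut
# RISC Core family that the Okiru variant is reported to target.
EM_NAMES = {
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    45: "ARC",              # EM_ARC: original Argonaut RISC Core
    62: "x86-64",
    93: "ARC (ARCompact)",  # EM_ARC_COMPACT
    183: "AArch64",
    195: "ARC (ARCv2)",     # EM_ARC_COMPACT2
}
ARC_MACHINES = {45, 93, 195}


def parse_elf_header(data: bytes) -> dict:
    """Parse the fixed part of an ELF header, honouring the file's own endianness.

    Returns the fields a triage script cares about, or raises ValueError when
    the bytes are not an ELF file (a truncated header counts as not ELF).
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):
        raise ValueError("bad EI_CLASS")
    if ei_data not in (1, 2):
        raise ValueError("bad EI_DATA")
    # EI_DATA decides how every later multi-byte field is read; getting this
    # wrong would mislabel a big-endian MIPS or ARC build.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": e_type,
        "machine": e_machine,
        "machine_name": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "is_arc": e_machine in ARC_MACHINES,
    }


def make_elf32_header(e_machine: int, little_endian: bool = True) -> bytes:
    """Construct a minimal 52-byte ELF32 executable header (test data, not a real sample)."""
    endian = "<" if little_endian else ">"
    e_ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    rest = struct.pack(
        endian + "HHIIIIIHHHHHH",
        2,          # e_type = ET_EXEC
        e_machine,  # e_machine
        1,          # e_version
        0x10000,    # e_entry
        52,         # e_phoff
        0,          # e_shoff
        0,          # e_flags
        52,         # e_ehsize
        32,         # e_phentsize
        1,          # e_phnum
        40,         # e_shentsize
        0,          # e_shnum
        0,          # e_shstrndx
    )
    return e_ident + rest


# Constructed samples standing in for files pulled from a honeypot or quarantine.
SAMPLES = {
    "okiru_like.arc": make_elf32_header(195),                      # ARCv2, little-endian
    "legacy.arc": make_elf32_header(93, little_endian=False),      # ARCompact, big-endian
    "camera_bin.arm": make_elf32_header(40),
    "router_bin.mips": make_elf32_header(8, little_endian=False),
    "not_elf.txt": b"#!/bin/sh\necho hi\n",
}


def triage(samples: dict) -> dict:
    """Map each sample name to its architecture label; non-ELF inputs are marked skipped."""
    result = {}
    for name, data in samples.items():
        try:
            result[name] = parse_elf_header(data)["machine_name"]
        except ValueError as exc:
            result[name] = f"skipped ({exc})"
    return result


def arc_samples(samples: dict) -> list:
    """Return the sorted names of samples built for any ARC variant."""
    found = []
    for name, data in samples.items():
        try:
            if parse_elf_header(data)["is_arc"]:
                found.append(name)
        except ValueError:
            continue
    return sorted(found)


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:18s} {label}")
    print("ARC builds:", arc_samples(SAMPLES))
```

Reading e_machine rather than trusting a file extension or a string in the binary is the point: a sample's own header states the CPU it was linked for, and the same parser extends to the ARM and MIPS builds that earlier Mirai variants shipped for, so one pass over a quarantine directory gives the architecture split a hunt team needs.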
