July 18, 2017
Anomali Threat Research

Weekly Threat Briefing: New 'WPSetup' Attack Targets Fresh WordPress Installs

<p>The intelligence in this week’s iteration discuss the following threats: <b>Adobe Patches</b>, <b>Android Malware</b>, <b>Cloud Leaks</b>, <b>Point-of-Sale</b>, <b>Ransomware</b>, <b>Remote Access Trojan</b>, and <b>Windows Protocol Vulnerabilities</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" target="_blank"><b>GhostCtrl Is an Android RAT That Also Doubles as Ransomware </b></a> (<i>July 17, 2017</i>)<br/> A new Android Remote Access Trojan (RAT) called "GhostCtrl RAT," has been used in a wave of attacks against Israeli healthcare organizations. GhostCtrl RAT is a variant of OmniRAT, which targets four operating systems: Android, Linux, macOS and Windows. GhostCtrl tries to hide itself by masquerading as popular applications. It has a large amount of functions such as data exfiltration, audio and video recording, ransomware, controlling bluetooth, and more.<br/> <b>Recommendation:</b> Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.<br/> <b>Tags:</b> RAT, Android, Malware</p><p><a href="http://www.securityweek.com/new-wpsetup-attack-targets-fresh-wordpress-installs" target="_blank"><b>New "WPSetup" Attack Targets Fresh WordPress Installs</b></a> (<i>July 14, 2017</i>)<br/> A campaign was discovered that took place in May and June that targeted fresh installations of WordPress which allowed an attacker to take over the hosting account. The attackers scanned for a URL used by new installations of WordPress, "/wp-admin/setup-config.php." The URL, if present, indicates that the user did not complete the installation steps. An attacker is able to go through the first steps of the installation and enter their own database server information. This allows an attacker to create an admin-level account on the victim's server, which gives the attacker the ability to run any PHP code on the hosting account.<br/> <b>Recommendation:</b> Website administrators should always make sure that their WordPress installation is complete as soon as possible. Additionally, website administrators should also use a web application firewall to block unwanted access. One can also use a ".htaccess" file to limit access by IP address.<br/> <b>Tags:</b> WordPress, Vulnerability</p><p><a href="https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" target="_blank"><b>A .NET malware abusing legitimate ffmpeg</b></a> (<i>July 13, 2017</i>)<br/> A new wave of malware that records videos and spies on user activities is being distributed in a new campaign, according to researchers. First discovered in 2015, the malware's objective is to spy on a user's banking activities. The malware contacts a Command and Control (C2) server over TCP. The C2 server requests information on the infected machine, and then sends the infected machine a list of targeted banks which are saved in the registry. The legitimate program "FFmpeg" is downloaded and used to record videos of the victim. The recording event is triggered when the victim opens a website associated with banking. The video is then sent to the C2 server encoded in Base64.<br/> <b>Recommendation:</b> Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Also take a look at processes running in your computer in the background that should not be running. If there are unexpected processes running, you should terminate them and run a virus scan immediately.<br/> <b>Tags:</b> Malware, FFmpeg, Banking</p><p><a href="https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" target="_blank"><b>Meet Ovidiy Stealer: Bringing Credentials Theft to the Masses </b></a> (<i>July 13, 2017</i>)<br/> A new credential-stealing malware called "Ovidiy Stealer" has been found being advertised for sale on Russian-speaking marketplaces, according to Proofpoint researchers. The malware is offered for purchase for 450-750 Rubles (approximately $7-13 USD). Ovidiy Stealer is being distributed via emails with compressed executable attachments or links to an executable download. The malware can steal information from multiple web browsers and credentials from targeted applications on a Windows OS machine.<br/> <b>Recommendation:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> Crenditla theft, Ovidiy</p><p><a href="http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html" target="_blank"><b>New Ransomware Threatens to Send Your Internet History and Private Pics to All Your Friends </b></a> (<i>July 13, 2017</i>)<br/> Two malicious applications were discovered in the Google Play Store to contain malware called "LeakerLocker," according to McAfee researchers. Researchers call the malware a form of ransomware except that it does not encrypt files. Instead the malware gathers information from the infected device and then displays a screen that threatens to share the data unless a payment is made. LeakerLocker can read various forms of data including Chrome history, device information, email address, pictures, as well as random text messages and call information.<br/> <b>Recommendation:</b> Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.<br/> <b>Tags:</b> Ransomware, LeakerLocker, Mobile</p><p><a href="https://www.helpnetsecurity.com/2017/07/12/katyusha-sql-injection-scanner/" target="_blank"><b>Telegram-based Katyusha SQL injection scanner sold on hacker forums</b></a> (<i>July 12, 2017</i>)<br/> A Russian-speaking hacker is offering an automated SQL injection vulnerability scanner tool, called "Katyusha," for sale on an underground forum. The tool is based on the open source Arachni web app security scanner. Katyusha is controlled via a web app and it can be monitored using the Telegram messenger. In addition to identifying SQL injection flaws within websites, the tool is able to perform actions such as brute-forcing logins, dumping databases, and uploading web shells.<br/> <b>Recommendation:</b> Properly sanitize user provided data to prevent injection attacks. Using prepared statements and stored procedures, implementing escape schemes, properly limiting privileged accounts, and using input validation are also different steps you can take to better protect your company from SQL injections attacks.<br/> <b>Tags:</b> Telegram, SQL, Vulnerability</p><p><a href=" https://www.upguard.com/breaches/verizon-cloud-leak" target="_blank"><b>Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts </b></a> (<i>July 12, 2017</i>)<br/> UpGuard researchers discovered in late June that the Israeli technology company, "Nice Systems," controlled an Amazon S3 storage bucket that was misconfigured. The bucket was configured to be publicly accessible, and the data was downloadable by anyone who was able to guess the correct web address. The data was available for download for approximately one week, according to researchers. The files stored consisted of 14 million Verizon customer records with each record containing cell phone number, full name, and their account PIN.<br/> <b>Recommendation:</b> Always make sure your cloud storage is properly configured. Experts have been warning companies that Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.<br/> <b>Tags:</b> Verizon, Breach</p><p><a href="https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/" target="_blank"><b>LockPOS Joins the Flock </b></a> (<i>July 12, 2017</i>)<br/> Arbor Networks researchers have discovered that an inactive C2 server for the "FlokiBot" Point of Sale (POS) malware has recently become active. Interestingly, the C2 is not distributing FlokiBot but was instead identified to be distributing a new strain of POS malware dubbed "LockPOS." Additionally, researchers believe that the same actors behind FlokiBot are responsible for LockPOS because both are distributed by the same botnet have a mutual C2 host.<br/> <b>Recommendation:</b> Customer facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these type of threats. In the case of FastPoS infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputation.<br/> <b>Tags:</b> POS, LockPOS</p><p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat/" target="_blank"><b>Spam Campaign Delivers Cross-Platform Remote Access Trojan Adwind</b></a> (<i>July 11, 2017</i>)<br/> The "Adwind" Remote Access Trojan (RAT) has reappeared in a spam-distribution campaign, according to Trend Micro researchers. The spam emails attempt to trick recipients into following a malicious URL to download a PDF file. This download will install the Adwind RAT that is capable of filming and retrieving videos, exfiltrating data, keylogging, stealing credentials, and taking pictures or screenshots.<br/> <b>Recommendation:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> RAT, Adwind</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.