November 7, 2017
Anomali Threat Research

Weekly Threat Briefing: Over A Million Android Users Fooled by Fake WhatsApp App in Official Google Play Store

<p>The intelligence in this week’s iteration discuss the following threats: <strong>Botnet</strong>, <strong>Data leak</strong>, <strong>Email account compromise</strong>, <strong>Malicious application</strong>, <strong>Malspam</strong>, <strong>Phishing</strong>, <strong>Ransomware</strong>, <strong>RAT</strong>, <strong>Spear phishing</strong>, <strong>Trojan</strong>, <strong>Targeted attacks</strong>, and <strong>Vulnerabilities</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="" target="_blank"><b>Tor Browser Flaw Leaks Users' Real IP Address</b></a> (<i>November 6, 2017</i>)<br/> "We Are Segment" CEO, Filippo Cavallarin, has discovered a vulnerability in the Tor Browser that can reveal a user's real IP address. The vulnerability, dubbed "TorMoil," is only present in macOS and Linux versions of the Tor Browser.<br/> <b>Recommendation:</b> Tor Project personnel advise its macOS and Linux users to update to version 7.0.9 or 7.5a7 as soon as possible. The security fix limits some of the browser's functionality, but it also includes a temporary fix to the vulnerability which will likely be addressed further in another security update.<br/> <b>Tags:</b> Vulnerability, Data leak, Tor Browser</p><p><a href="" target="_blank"><b>Over A Million Android Users Fooled by Fake WhatsApp App in Official Google Play Store</b></a> (<i>November 4, 2017</i>)<br/> Researchers have found that a fake version of the "WhatsApp" messaging application was present in the Google Play store. The application was observed to have been downloaded approximately one million times. If the application is opened, it appears just like the legitimate WhatsApp application, however, it shows the user advertisements. The showing of advertisements generates revenue for the threat actor(s) behind this malicious application.<br/> <b>Recommendation:</b> Google has since removed the malicious application from the Google Play store. If WhatsApp was downloaded recently, showing of advertisements is a sign that the fake version was downloaded; the application should be removed as soon as possible. Users should be wary of downloading applications because as this story portrays, even legitimate stores can sometimes contain malicious applications. Therefore a user should review the permissions an application will request upon download, and looking through user comments can sometimes reveal problems with the application. Users should also check the name of the organization in the Google Play Store when downloading an application, to see if there are any irregularities. For example, recent "WhatsApp" fakes were make by company names "WhatsApp Inc,,;" and "WhatsApp Inc….".<br/> <b>Tags:</b> Android, Google Play store, Fake application, WhatsApp</p><p><a href="" target="_blank"><b>Art Galleries Targeted by Cyber-Thieves</b></a> (<i>November 2, 2017</i>)<br/> Threat actors are conducting email scams that target art galleries and dealers, and several galleries in the U.S. and U.K. were affected, according to The Art Newspaper. The actors were found to have monitored outgoing email messages from art gallery accounts by compromising them, and then intercepted the invoices and altered them. The scam was discovered when the "Rosenfeld Porcini" gallery in London received an invoice from a buyer that said that the original invoice was in the wrong currency and to make the payment to a different account. At the time of this writing, the gallery is working with the bank to attempt to recover the funds.<br/> <b>Recommendation:</b> All business email accounts should have security features to help protect sensitive information and communications. At minimum, two-factor authentication should be applied to email accounts to better protect them against threat actors.<br/> <b>Tags:</b> Email account compromise, Scam, Theft</p><p><a href="" target="_blank"><b>Cisco Releases Security Updates</b></a> (<i>November 1, 2017</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in Cisco products. The affected products are: Aironet 1560, 2800, and 3800 Series Access Point Platforms Extensible Authentication Protocol, Application Policy Infrastructure Controller Enterprise Module, Application Collaboration Provisioning, Firepower 4100 Series NGFW and Firepower 9300 Security Appliance, Identity Services Engine, Prime Collaboration Provisioning, Wireless LAN Controller Simple Network Management Protocol, and Wireless LAN Controller 802.11v.<br/> <b>Recommendation:</b> The US-CERT and Cisco recommend that users of the products listed in this alert apply the corresponding security updates as soon as possible. Some of these vulnerabilities can be exploited to take control of an affected system, while others can result in Denial-of-Service (DoS) attacks.<br/> <b>Tags:</b> Alert, Vulnerabilites, Cisco</p><p><a href="" target="_blank"><b>Everybody Gets One: QtBot Used to Distribute Trickbot and Locky</b></a> (<i>November 1, 2017</i>)<br/> Unit 42 researchers have discovered that the "Necurs" botnet is being used by threat actors to distribute malspam that can lead to "Locky" ransomware and the "Trickbot" banking trojan. The emails contain malicious Microsoft Office Dynamic Data Exchange (DDE) files. If a user allows DDE to take place after opening the attachment, which the email purports is related to financial services, a new downloader dubbed "QtBot" will download the malware payload. Researchers note that the amalgamation of two separate campaigns in Locky and Trickbot is an interesting tactic, however, the reasons behind the combination are not yet clear.<br/> <b>Recommendation:</b> Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.<br/> <b>Tags:</b> Malspam, Trojan, Trickbot, Ransomware, Locky, Downloader, QtBot</p><p><a href="" target="_blank"><b>Adwind Remote Access Trojan Still Going Strong</b></a> (<i>November 1, 2017</i>)<br/> The threat actors behind the "Adwind Remote Access Trojan (RAT)" are continuing to distribute the malware via spam emails, according to Phish Labs researchers. The spam emails were observed to have numerous attachment titles such as "DHL Delivery Notice," "Proforma Invoice," "Request for Information," "Transfer Import," and "Swift Copy," among others. The attachments are malicious JAR files. The objective of Adwind is to steal information from an infected machine, and due to the ease of availability of the tools on underground forums, it can be modified to fit both less sophisticated and advanced threat actors.<br/> <b>Recommendation:</b> Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Educate your employees on the risks of opening attachments from unknown senders. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided by trusted vendors should also be employed.<br/> <b>Tags:</b> Malspam, RAT, Adwind</p><p><a href="" target="_blank"><b>Silence – A New Trojan Attacking Financial Organizations</b></a> (<i>November 1, 2017</i>)<br/> A campaign has been actively targeting financial institutions since September 2017 with a new trojan called "Silence," according to Kaspersky Lab researchers. This campaign primarily targets Russian banks, however, infected financial institutions were also found in Armenia and Malaysia. The actors behind this campaign send spear phishing emails from a sending address of a financial institution that has already been infected to add "credibility" to the phishing email. The emails come with a malicious .chm attachment, specifically, a "Microsoft Compiled HTML Help" file that is compressed and deployed in a binary format with the .chm (compiled HTML) extension. The file can automatically use JavaScript to download and execute malware from a hardcoded URL.<br/> <b>Recommendation:</b> Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; as this story portrays, another organization is compromised to be used to send out the phishing emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware what sort of requests to expect from business partners to better identify phishing attempts, and whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>Tags:</b> Targeted attacks, Spear phishing, Trojan, Silence</p><p><a href="" target="_blank"><b>If Your Websites Use WordPress, Put Down That Coffee and Upgrade to 4.8.3 Thank Us Later</b></a> (<i>October 31, 2017</i>)<br/> Engineer, Anthony Ferrara, discovered an SQL injection vulnerability in "WordPress" powered websites. Specifically, WordPress version 4.8.2 and earlier. The vulnerability does not affect the WordPress default core, but rather it resides in a security function provided to the core by plugins and themes. The function lies in the WordPress Database Access Abstraction (wpdb) class called "prepare". The prepare function prepares a SQL query for "safe" execution. This function uses "vsprintf" to replace placeholders with values in the function. This can be abused with an array argument to perform SQL injection.<br/> <b>Recommendation:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Site owners should upgrade to version 4.8.3 immediately and update all plugins that override wpdb. If you are a plugin developer for WordPress, ensure that all user input is removed from the string query part of the prepare function and instead build queries and arguments separately.<br/> <b>Tags:</b> Vulnerability, SQL Injection, WordPress</p><p><a href="" target="_blank"><b>Night of the Devil: Ransomware or Wiper? A Look Into Targeted Attacks in Japan</b></a> (<i>October 31, 2017</i>)<br/> Cybereason researchers have published information regarding a family of ransomware, dubbed "ONI," and bootkit ransomware, dubbed "MBR-ONI," used in targeted attacks against Japanese companies. Researchers speculate that the ransomware was used to cover up evidence of a more sophisticated attack. Researchers found that the targeted attacks took place between three to nine months and note that the actors took significant attempts to hide their operation. The infections vector for these targeted attacks goes in the following order: spear phishing email, trojanized "Ammyy Admin RAT," reconnaissance and credential theft, lateral movement and DC takeover, log wipers, and ONI distributed via GPO (rogue group policy). The objective of the threat actors appears to be theft of sensitive information.<br/> <b>Recommendation:</b> Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. The use of a malicious version of a legitimate tool, Ammyy Admin, depicts the dangers of using Remote Access Tools in the workplace. In addition, legitimate tools are often used by threat actors, particularly advanced threat actors, because it assists in concealing malicious activity in the traffic of a legitimate tool. Therefore, only a select few individuals who need to use such tools should have access to them.<br/> <b>Tags:</b> Targeted attacks, Spear phishing, Ransomware, Data theft</p><p><a href="" target="_blank"><b>Necurs Botnet Malspam Uses DDE Attack to Push Locky</b></a> (<i>October 30, 2017</i>)<br/> The "Locky" ransomware is continuing to be pushed via malspam campaigns via the "Necurs" botnet, according to security researchers. One of the emails used in this campaign was identified to have the subject line "Scanned document from HP ePrint user" and purports to be from the "HP Team" with a spoofed sending address "" If the Microsoft Word document is opened, it requests permission to load another Office application, this attack method is called Microsoft "Dynamic Data Exchange" (DDE). If this process is allowed, a user will be infected with the ".asasin" variant of the Locky ransomware. The actors behind this campaign are requesting .025 bitcoins (approximately $158.25 USD) for the decryption key.<br/> <b>Recommendation:</b> Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>Tags:</b> Malspam, Botnet, Necurs, Ransomware, Locky</p><p><a href="" target="_blank"><b>Coin Miner Mobile Malware Returns, Hits Google Play</b></a> (<i>October 30, 2017</i>)<br/> Trend Micro researchers have discovered three malicious applications that made it into the Google Play store. The applications, "Recitiamo Santo Rosario," "Safety Wireless App," and "Car Wallpaper HD: mercedes, ferrari, bmw and audi," were found to contain malicious cryptocurrency mining capabilities. When started, these applications will load crypto mining JavaScript from "Coinhive" and begin mining with the actor's own Coinhive key.<br/> <b>Recommendation:</b> Google has since removed the malicious applications from Google Play. Users should be cautious when downloading applications because as this story portrays, malicious applications sometimes make it into official stores. Therefore, users should carefully review the permissions an application will request prior to installation. While these versions of cryptocurrency malware are not inherently malicious, some have additional functions such as stealing user credentials. Slow response and run time on a device may be an indication of cryptocurrency malware, and installed applications should be reviewed.<br/> <b>Tags:</b> Android, Mobile, Cryptocurrency malware</p><p><a href="" target="_blank"><b>Oracle Security Alert Advisory – CVE-2017-10151</b></a> (<i>October 30, 2017</i>)<br/> Oracle Technology network has released a security update that addresses a vulnerability, registered as "CVE-2017-10151," that affects "Oracle Identity Manager." Exploitation of the vulnerability can lead to compromise of Oracle Identity Manager and remote control of the affected system via a network attack. This vulnerability is critical, and Oracle requests that its customers apply the patch as soon as possible. The affected Oracle Identity Manager versions are,,,, and<br/> <b>Recommendation:</b> The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.<br/> <b>Tags:</b> Vulnerability, Alert, Oracle Identity Manager</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="">Click here to request a trial.</a></p><p><a href="" target="_blank"><b>TrickBot Tool Tip</b></a><br/> TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint]( recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin]( detailing the unpacking of this malware family.<br/> <b>Tags:</b> TrickBot, Family-Trickbot, victim-Financial-Services</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.