April 18, 2017
Anomali Threat Research

Anomali Weekly Threat Intelligence Briefing - April 18, 2017

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><h2>Trending Threats</h2><p>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p><p><a href="https://krebsonsecurity.com/2017/04/shoneys-hit-by-apparent-credit-card-breach/" target="_blank"><b>Shoney's Hit by Apparent Credit Card Breach </b></a> (<i>April 14, 2017</i>)<br/> Multiple sources in the financial industry have reported patterns of fraud on their customers' credit cards that were used at Shoney's restaurant locations, according to researcher Brian Krebs. The restaurant chain consists of approximately 150 locations that are mostly located in southern states throughout the U.S. Best American Hospitality Corp. released a statement confirming that malware was identified on some of its Point of Sale (POS) terminals. The company believes that an unknown number of terminals were compromised from December 27 to March 6, 2017, which resulted in the theft of cardholder names, card numbers, expiration dates, and internal verification codes.<br/> <b>Recommendation:</b> Customer-facing companies that store credit card data must actively defend against POS threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. 
In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.<br/> <b>Tags:</b> POS, Credit card theft</p><p><a href="https://www.f-secure.com/documents/996508/1030745/callisto-group" target="_blank"><b>"Callisto Group" Advanced Threat Actor Identified </b></a> (<i>April 13, 2017</i>)<br/> F-Secure researchers have published a new report detailing the activity of an advanced threat actor called "Callisto Group," which they believe has not previously been identified. The group is believed to have been active since at least 2015. Callisto uses phishing emails that are designed to steal user credentials as well as emails that contain malicious attachments. Researchers claim the malware is associated with the Italian software company "HackingTeam."<br/> <b>Recommendation:</b> Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense; inform your employees about what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>Tags:</b> Spear phishing</p><p><a href="https://www.cyphort.com/new-breed-of-cerber-ransomware-employs-anti-sandbox-armoring/" target="_blank"><b>New Breed of Cerber Ransomware Employs Anti-Sandbox Armoring</b></a> (<i>April 12, 2017</i>)<br/> Researchers have discovered a new strain of the Cerber ransomware that has sandbox detection abilities. 
The malware behaves differently when its APIs are hooked in a sandboxed environment, for example by crashing the hooking module, calling useless window APIs in a long loop, and stealing API addresses from the main executable.<br/> <b>Recommendation:</b> If you run your own malware sandbox you may want to open MS Word (and other Office applications) and open and close several documents in order to populate the Recent Documents list. Also, consider running your sandbox from a consumer grade cable or DSL line instead of using Amazon or other SaaS providers. Lastly, if you are a security company, you probably should not be sandboxing malware from systems whose IPs are easily associated with your company.<br/> <b>Tags:</b> Ransomware</p><p><a href="https://www.bleepingcomputer.com/news/security/mole-ransomware-distributed-through-fake-online-word-docs/" target="_blank"><b>Mole Ransomware Distributed Through Fake Online Word Docs </b></a> (<i>April 12, 2017</i>)<br/> A new spam email campaign has been discovered distributing a new strain of the CryptoMix ransomware family dubbed "Mole." The emails masquerade as shipment notifications that imply that an item could not be delivered and offer a link for additional information, according to researcher Brad Duncan. The link directs the recipient to a Word document that claims a new plugin version is needed to properly read the document, but will actually begin to execute the ransomware.<br/> <b>Recommendation:</b> Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. 
Additionally, educate your employees on the dangers of spam emails and have policies in place regarding who to contact when a malicious email has been identified.<br/> <b>Tags:</b> Ransomware, Phishing, Malspam</p><p><a href="http://www.securityweek.com/hackers-targeting-amazon-third-party-sellers-password-reuse-attacks" target="_blank"><b>Cybercriminals Target Amazon Third-Party Sellers with Password Reuse Attacks </b></a> (<i>April 11, 2017</i>)<br/> Cybercriminals have been able to gain access to active third-party seller accounts on Amazon by testing previously stolen passwords against them. Actors are then changing the bank account details in order to transfer the revenue from online purchases to their own accounts. Actors are also identifying old and unused third-party accounts and promoting offers with substantial discounts, and again diverting the funds to their own accounts.<br/> <b>Recommendation:</b> It is important that your company and employees use a different password for each account. As this story shows, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis.<br/> <b>Tags:</b> Breached accounts</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-ewind-adware-applications-clothing/" target="_blank"><b>Ewind – Adware in Applications' Clothing </b></a> (<i>April 11, 2017</i>)<br/> Unit 42 researchers have been observing a mobile adware campaign since mid-2016 targeting Android users, and have released information regarding how the actors behind the adware "Ewind" are operating. The actors download a legitimate application, decompile it, add their malicious features, then repackage the Android Application Package (APK). 
When users download the application they are infected with Ewind, which displays advertisements to accumulate revenue for the actors. However, researchers have also discovered that the malware is capable of stealing information and remotely controlling an infected device.<br/> <b>Recommendation:</b> Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.<br/> <b>Tags:</b> Adware, Malware</p><p><a href="https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day" target="_blank"><b>Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day </b></a> (<i>April 10, 2017</i>)<br/> A new spam campaign has been identified sending millions of emails in attempts to distribute malware for the Dridex botnet. According to Proofpoint researchers, the campaign is primarily targeting organizations located in Australia. The actors behind the campaign are exploiting a new zero-day that affects Microsoft Word. The emails in this campaign carry Word Rich Text Format (RTF) documents which, if opened, are capable of executing processes to install the Dridex banking trojan.<br/> <b>Recommendation:</b> Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> Dridex, Malspam, Zero-day</p><p><a href="https://krebsonsecurity.com/2017/04/alleged-spam-king-pyotr-levashov-arrested/" target="_blank"><b>Alleged Spam King Pyotr Levashov Arrested </b></a> (<i>April 10, 2017</i>)<br/> Pyotr Levashov, believed to be behind the alias "Severa," has been arrested while vacationing in Spain with his family. 
Severa was a well-known figure on Russian cybercrime websites where he was the moderator of several spam-related forums. The U.S. Justice Department believes that Levashov is the partner of American spammer Alan Ralsky, who ran schemes to inflate the value of penny stocks. Researcher Brian Krebs contends that Severa was also behind multiple operations in which he paid virus writers and spammers to install fake anti-virus software onto victims' machines.<br/> <b>Recommendation:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> Spam, Botnet</p><p><a href="http://www.securityweek.com/british-payday-loan-firm-wonga-suffers-data-breach" target="_blank"><b>British Payday Loan Firm Wonga Suffers Data Breach </b></a> (<i>April 10, 2017</i>)<br/> Threat actors have managed to breach the payday loan firm "Wonga," located in the U.K., according to a statement from the company. Actors have gained access to information consisting of bank account numbers, full names, email addresses, home addresses, partial payment card numbers, phone numbers, and sort codes. This breach is believed to affect approximately 270,000 current and previous customers in Poland and the U.K.<br/> <b>Recommendation:</b> Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. 
Regular monitoring of financial accounts in addition to identity protection and fraud prevention services can assist in identifying potential theft of data.<br/> <b>Tags:</b> Data breach</p><p><a href="http://www.securityweek.com/hackers-steal-customer-card-data-gamestop" target="_blank"><b>Hackers Steal Customer Card Data From GameStop </b></a> (<i>April 10, 2017</i>)<br/> The video game retail company "GameStop" has acknowledged that a breach has taken place that resulted in credit card information being stolen from gamestop[.]com. Two sources in the financial industry informed researcher Brian Krebs that reports from a credit card processor made it appear that GameStop had been compromised since at least September 2016. Researchers believe that due to the length of the breach, it is possible that other sensitive information was also stolen from GameStop customers.<br/> <b>Recommendation:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.<br/> <b>Tags:</b> Website, Compromise</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click <a href="https://www.anomali.com/products/threatstream">here</a> to request a trial.</p><p><a href="https://ui.threatstream.com/tip/7453" target="_blank"><b>Cerber Ransomware Tool Tip</b></a><br/> Cerber is ransomware that surfaced in January of 2016. 
Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development, with version 4 being released around October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement.<br/> <b>Tags:</b> cerber, ransomware</p>
