Anomali Weekly Threat Intelligence Briefing - April 25, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<h2>Trending Threats</h2>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="http://www.malware-traffic-analysis.net/2017/04/21/index3.html" target="_blank">Dridex Style Malspam Pushed Locky Ransomware Instead </a> (April 21, 2017) Researchers have discovered that malspam messages that follow known Dridex formats are instead sending Locky ransomware to recipients. Actors behind this campaign are sending malicious attachments impersonating payment receipts, and PDFs. Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders. Tags: Malspam, Malware<a href="https://www.bleepingcomputer.com/news/security/milkydoor-android-malware-uses-ssh-tunnels-to-access-secure-corporate-networks/" target="_blank">MilkyDoor Android Malware uses SSH Tunnels to Access Secure Corporate Networks </a> (April 21, 2017) An Android malware called "Milkydoor" has been discovered to have been present in approximately 200 applications in the Google Play Store (Google has since removed the malicious applications). Researchers estimate that the malicious applications have been downloaded between 500,000 and one million times. Milkydoor uses SSH tunnels to allow the actors access to internal company networks. Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software is needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided from trusted vendors are recommended. Tags: Mobile, Malicious Applications<a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank">Cardinal RAT Active for Over Two Years </a> (April 20, 2017) A new Remote Access Trojan (RAT) called "Cardinal," has been discovered by Unit 42 researchers. Cardinal has been active for at least two years and is being distributed via malicious macros in Microsoft Excel documents that compile C Sharp source into an executable. Researchers believe that the small amount of samples discovered in the wild is because the malware has remained undetected for an extended period of time. Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Tags: Malware, RAT<a href="https://www.welivesecurity.com/2017/04/19/turn-light-give-passwords/" target="_blank">Turn The Light On and Give Me Your Passwords </a> (April 19, 2017) Android users are being targeted with a banking trojan masquerading as a Flashlight application in the Google Play Store (Google has since removed the application). Researchers discovered that the malicious application called "Flashlight LED Widget" has been downloaded approximately 5,000 times. The trojan contained inside the application is capable of using overlays to target certain applications in order to steal banking information or credit card information. Recommendation: If this application has been downloaded, a user can find in the Settings, Application Manager, and then Flashlight Widget. The application can be uninstalled by booting your device in Safe mode. Even though this application was in the Google Play Store, that is still the safest location to download applications. Additionally, anti-virus applications provided by trusted vendors should be employed. Tags: Mobile, Malicious Applications<a href="https://www.helpnetsecurity.com/2017/04/19/intercontinental-data-breach/" target="_blank">InterContinental Confirms Card Data Breach at Over 1,000 Locations </a> (April 19, 2017) InterContinental Hotels Group (IHG) has issued a statement confirming that approximately 1,000 of its locations in Puerto Rico and the U.S. have been compromised with information stealing malware. The malware searched for cardholder name, card number, expiration date, and internal verification code. They believe that malware was first present in some IHG payment systems on September 29, 2016 and lasted until December 29, 2016. However, IHG did not identify the unauthorized access until their systems were "investigated in February and March 2017" so it is possible that card data was stolen up until that time. Recommendation: Customer facing companies that store credit card data must actively defend against Point-of-sales (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these type of threats. In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputation. Tags: Breach, POS<a href="http://www.securityweek.com/flaw-drupal-module-exposes-120000-sites-attacks" target="_blank">Flaw in Drupal Exposes 120,000 Sites to Attacks </a> (April 19, 2017) The security team for the open source Drupal platform have discovered a vulnerability in third-party module called “References.” Drupal did not release additional information about the vulnerability to assist in preventing exploitation, however, the team did release a security patch to fix the problem. Additionally, Drupal stated that they will be releasing more information about this vulnerability in the next few weeks. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: Compromised websites<a href="https://www.helpnetsecurity.com/2017/04/18/bankbot-trojan-google-play/" target="_blank">BankBot Trojan Found Lurking on Google Play </a> (April 18, 2017) An Android banking trojan called "BankBot," which is based off of leaked source code of a different Android trojan, has been identified to have expanded its target list. Initially the malware was primarily targeting Russian users, but now BankBot is targeting users all over the world in attempts to steal financial data. Researchers discovered a target list that consists of over 400 applications associated with financial institutions around the globe. The malware is being distributed by masquerading as legitimate applications in the Google Play Store, and third-party application stores (Google has since removed the malicious applications). Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Additionally, do not rely on ratings alone for applications in the Google Play Store, further research into the applications is a good mitigation step because sometimes malicious applications make it into legitimate stores. Tags: Mobile, Malicious Applications<a href="https://www.helpnetsecurity.com/2017/04/18/fake-linkedin-phishing-job-seekers/" target="_blank">Fake LinkedIn Emails Phishing Job Seekers </a> (April 18, 2017) A new phishing campaign has been identified to be targeting LinkedIn users. The actors behind the campaign are attempting to trick recipients into sending their curriculum vitae (CV). With the plethora of personal information contained in a CV, cybercriminals would be able to sell the information on underground forums or use it to further target individuals with additional phishing attacks. Recommendation: Phishing continues to be one of the easiest ways for cybercriminals to make money quickly with a low level of technical expertise. Educate your employees on the dangers of phishing, how the attacks work, and how to avoid them. This includes the safe and proper use of email as well as web browsing activities. Tags: Phishing<a href="https://www.bleepingcomputer.com/news/security/new-karmen-ransomware-as-a-service-advertised-on-hacking-forums/" target="_blank">New Karmen Ransomware-as-a-Service Advertised on Hacking Forums </a> (April 18, 2017) Malware researchers have discovered a new Ransomware-as-a-Service (RaaS) called Karmen that is being advertised on a Russian cybercrime forum. The ransomware creators advertise multiple features, such as sandbox and virtual machine detection capabilities, undetected by anti-virus vendors, and access to a web-based control panel all available for purchase for $175. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer. Tags: Ransomware, RaaS<a href="http://www.securityweek.com/cradlecore-ransomware-sold-source-code" target="_blank">CradleCore Ransomware Sold as Source Code </a> (April 17, 2017) Forcepoint researchers have discovered threat actors engaging in an interesting tactic while selling a new ransomware dubbed "CradleCore." The cybercriminals behind the malware are offering the source for purchase for a negotiable price starting at 0.35 Bitcoins ($419). This tactic will likely cause new variants to be observed in the wild in the near future because the available source code will allow actors to customize the ransomware. Recommendation: The ransomware landscape continues to evolve and become a larger cause for concern and potential risk. The use of endpoint prevention systems can make all the difference between infection or not. In the case of any ransomware infection, the victim should avoid paying the ransom, and the infected system should be wiped and reformatted. Tags: Ransomware<a href="http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html" target="_blank">This Phishing Attack is Almost Impossible to Detect on Chrome, Firefox, and Opera </a> (April 17, 2017) Researcher Xudong Zheng has discovered a new phishing attack that affects multiple web browsers. Zheng cautioned that actors can use vulnerabilities in Chrome, Firefox, and Opera web browsers to display fake domains to steal financial and login credentials. The style of attack that affects said web browsers is a "Homograph" attack which uses Unicode characters in the domain name to make a malicious website appear legitimate. Recommendation: Your company should have appropriate anti-virus, anti-spam, and policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can assist your company in awareness of the risks posed by visiting less reputable online locations. Additionally, always ensure that your web browser kept up-to-date with latest versions as soon as possible. Tags: Phishing, Homograph<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click <a href="https://www.anomali.com/products/threatstream">here</a> to request a trial.<a href="https://ui.threatstream.com/tip/7064" target="_blank">Locky Tool Tip</a> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto. Tags: Locky, Ransomware