April 11, 2017
Anomali Threat Research

Anomali Weekly Threat Intelligence Briefing - April 11, 2017

<div id="weekly"><p id="intro"><b>Figure 1: IOC Summary Charts.  These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p><p><a href="https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html" target="_blank"><b>Acknowledgement of Attacks Leveraging Microsoft Zero-Day </b></a> (<i>April 8, 2017</i>)<br/> Threat actors have been observed to be leveraging a Microsoft Office vulnerability via Rich Text Format (RTF) documents delivered with phishing emails. If the attachment is opened, the document will issue a HTTP request to a remote server and retrieve a malicious .hta file disguised as a RTF file. The HTA application will load and execute malicious scripts while displaying the fake document to the user.<br/> <b>Recommendation:</b> It is paramount that employees are taught to identify phishing attempts targeting them and your company. Additionally, all software and applications need to be properly maintained and updated with the latest security patches as soon as they become available.<br/> <b>Tags:</b> Microsoft, Vulnerability</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" target="_blank"><b>The Blockbuster Sequel</b></a> (<i>April 7, 2017</i>)<br/> A new spear phishing campaign has been discovered that is believed to be related to the campaign called "Operation Blockbuster," according to Unit 42 researchers. Operation Blockbuster is the name given to research conducted into the cyberattacks against the Sony Corporation. The new activity has been identified to be targeting Korean speaking users with spear phishing emails that have attachments impersonating a request form from the Korean security company "Atsoft."<br/> <b>Recommendation:</b> Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>Tags:</b> Spear phishing</p><p><a href="https://blog.eset.ie/2017/04/06/sathurbot-distributed-wordpress-password-attack/" target="_blank"><b>Sathurbot: Distributed WordPress Password Attack </b></a> (<i>April 6, 2017</i>)<br/> Malware has been found being distributed by threat actors via BitTorrent downloads, and directing users to compromised WordPress websites. If these torrents which are advertising themselves as movies are downloaded, users may be infected with the Sathurbot backdoor trojan, according to ESET researchers. Sathurbot is capable of reaching out to a C2 to download additional malware onto an affected machine, in addition to web crawling capabilities that search for WordPress administrator accounts to breach.<br/> <b>Recommendation:</b> This story shows the potential dangers of downloading free entertainment media from online locations. The appeal of free access to movies and other forms of entertainment has resulted in many users being infected with malware. These kind of downloads bring with it inherent risk, and policies should be in place that prevent these type downloads from occurring on company networks.<br/> <b>Tags:</b> BitTorrent, Sathurbot</p><p><a href="http://www.hoax-slayer.net/apple-customers-being-targeted-in-icloud-mail-phishing-scam/" target="_blank"><b>Apple Customers Being Targeted in "iCloud Mail" Phishing Scam </b></a> (<i>April 6, 2017</i>)<br/> A new phishing campaign has been identified to be targeting Apple customers. The phishing emails claim that the recipients must confirm their account information, and provides a link to a fake Apple page that will steal user credentials. After Apple credentials are provided, the scam goes a step further and requests billing and credit card information.<br/> <b>Recommendation:</b> The impersonation of legitimate companies in phishing attacks is a frequent tactic used by threat actors. Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> Phishing, Apple</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" target="_blank"><b>Targeted Attacks in the Middle East Using Kasperagent and Micropsia </b></a> (<i>April 5, 2017</i>)<br/> Two new Windows malware families dubbed "Kasperagent" and "Micropsia" have been identified to be primarily targeting organizations located in the Middle East. Additionally, Unit 42 and ClearSky researchers have discovered connections between said malware with two strains of Android malware called "Secureupdate" and "Vamp." The group behind this campaign are attacking targets with shortened URLs that direct users to malicious websites, masquerading their malware as fake products and mobile applications, and spear phishing emails that advertise fake news.<br/> <b>Recommendation:</b> Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Additionally, mobile devices should always be kept up-to-date with the latest security patches and applications should only be downloaded from official application stores.<br/> <b>Tags:</b> Windows, Android, Malware</p><p><a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf" target="_blank"><b>Operation Cloud Hopper </b></a> (<i>April 4, 2017</i>)<br/> PwC UK and BAE Systems have released information regarding a cyberespionage campaign that has been targeting Managed IT Service Providers (MSPs) since at least 2016. Researchers have dubbed the campaign "Operation Cloud Hopper." They believe that a Chinese threat group called "APT10" is responsible and that the group has been active since at least 2009. APT10's objective appears to be to gather information from MSP networks and their customers from around the world.<br/> <b>Recommendation:</b> Defending against APT threats requires an equally advanced and persistent strategy. Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place.<br/> <b>Tags:</b> APT10, Cyberespionage</p><p><a href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf" target="_blank"><b>Pegasus for Android: Technical Analysis and Findings of Chrysaor </b></a> (<i>April 4, 2017</i>)<br/> A mobile malware dubbed "Chrysaor" has been identified to be targeting Android users, according to Lookout researchers. Researchers believe that Chrysaor is a continuation of the mobile cyberespionage campaign conducted by the actors behind the iOS malware "Pegasus." Chrysaor conceals itself in applications located in the Google Play Store and third-party application stores (Google has since removed the malicious applications). The malware is capable of keylogger functions, remotely controlling an infected device via SMS, stealing information from various applications, and taking screen shots, among others.<br/> <b>Recommendation:</b> Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software is needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided from trusted vendors are recommended.<br/> <b>Tags:</b> Mobile malware, Android</p><p><a href="https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" target="_blank"><b>ATMitch: Remote Administration of ATMs </b></a> (<i>April 4, 2017</i>)<br/> Kaspersky Lab researchers have added new information to their initial report regarding cyberattacks targeting ATMs located in 40 countries around the world. The threat group behind these attacks has been active since at least 2016. They target bank networks with PowerShell malware and legitimate Windows tools to escalate privileges until they reach the systems that control ATMs. Actors then install their malware, dubbed "ATMitch" and execute it via Remote Desktop Protocol (RDP).<br/> <b>Recommendation:</b> ATM Security relies on the same type of preventative measures as all others, as they are a certain type of computer. In the case of a confirmed ATMitch infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.<br/> <b>Tags:</b> ATM, Malware</p><p><a href="https://threatpost.com/russian-speaking-turla-joins-apt-elite/124695/" target="_blank"><b>Russian-Speaking Turla Joins APT Elite</b></a> (<i>April 3, 2017</i>)<br/> Kaspersky researchers have published additional information to support their claim that the "Moonlight Maze" cyberespionage campaign from the 1990s, and the current Advanced Persistent Threat (APT) group "Turla" may be the same group. Moonlight Maze was one of the first identified cyberespionage campaigns, and one of the first known APT groups. Researchers discovered the connection between the two groups in further examination of "Penguin Turla" attacks that targeted Linux machines with the open source LOKI2 backdoor. It was discovered that Moonlight Maze binaries were based upon the LOKI2 backdoor, which potentially links the two groups together because it does not appear any other group uses that tool.<br/> <b>Recommendation:</b> Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts.<br/> <b>Tags:</b> APT, Turla, Moonlight Maze</p><p><a href="https://threatpost.com/fake-seo-plugin-used-in-wordpress-malware-attacks/124725/" target="_blank"><b>Fake SEO Plugin In WordPress Malware Attacks </b></a> (<i>April 3, 2017</i>)<br/> A malicious plugin has been identified to be infecting WordPress websites with malware over the past several weeks. Researchers estimate that approximately 4,000 WordPress websites have been infected affected by a backdoor masquerading as a legitimate plugin called "WP-Base-SEO." Actors are likely installing the malicious plugin by conducting a mass scanning of to detect outdated WordPress sites.<br/> <b>Recommendation:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.<br/> <b>Tags:</b> Malicious plugin, WordPress</p><p><a href="http://www.securityweek.com/social-media-passwords-provide-easy-route-corporate-networks" target="_blank"><b>Social Media Password Provide Easy Route into Corporate Networks </b></a> (<i>April 3, 2017</i>)<br/> Thycotic researchers have published a report that discusses social media passwords and how they pose a significant risk to company accounts and networks. Thycotic conducted a survey at the RSA conference in February 2017 in which approximately 250 security professionals were involved. Researchers discovered that 50% of those interviewed had not changed their social media passwords for more than a year. The vulnerability exists because many different accounts can be logged in through social media accounts, such as LinkedIn. Thycotic contends that weak password habits for social media accounts, even among security professionals, can be taken advantage of by cybercriminals because many passwords include birthdays, and pet name references. This information can be gathered from social media accounts, and used in attempts to compromise company accounts and networks.<br/> <b>Recommendation:</b> Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication, and frequent password changes can help protect trade secrets and other forms of sensitive data.<br/> <b>Tags:</b> Password, Vulnerability</p><p><a href="https://www.theregister.co.uk/2017/04/03/that_sound_you_hear_is_splunk_leaking_data/" target="_blank"><b>That Sound You Hear is Splunk Leaking Data</b></a> (<i>April 3, 2017</i>)<br/> Researchers have discovered a vulnerability registered as "CVE-2017-5607" that affects Splunk's JavaScript implementation. The vulnerability can only be exploited if a malicious actor is able to direct a user to a malicious webpage. If a Splunk user visits a malicious webpage, her/his username can be stolen by an attacker, which can then be used to target with phishing attacks.<br/> <b>Recommendation:</b> Your company should have appropriate anti-virus, anti-spam, and policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can assist your company in awareness of the risks posed by visiting less reputable online locations<br/> <b>Tags:</b> Vulnerability</p><p><a href="https://www.helpnetsecurity.com/2017/04/03/eu-companies-customizable-ransomware/" target="_blank"><b>European Companies Hit with Highly Customizable Ransomware </b></a> (<i>April 3, 2017</i>)<br/> A new ransomware campaign has been identified to be targeting European-based companies, according to Panda Security researchers. The actors behind the campaign are brute-force attacking companies forward facing Remote Desktop Protocol (RDP) servers. Once a RDP server has been compromised, the attackers can target specific machines on a company's network. Researchers note that the graphical interface of the ransomware indicates that this campaign is being conducted with a Ransomware-as-a-Service (RaaS).<br/> <b>Recommendation:</b> Ensuring that your server is always running the most current software version is crucial. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br/> <b>Tags:</b> Ransomware</p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click <a href="https://www.anomali.com/products/threatstream">here</a> to request a trial.</p><p><a href="https://ui.threatstream.com/tip/10516" target="_blank"><b>REMCOS Backdoor Tool Tip</b></a><br/> The REMCOS Backdoor is a publicly available Remote Access Tool. It has been available since 2016 and is under active development. The author, who goes by _Viotto_, offers both free and paid versions at their website `www.breaking-security.net`. REMCOS is currently being used in the wild with malicious intent despite the author's claims that the tool is for legitimate use only.<br/> <b>Tags:</b> REMCOS, RAT</p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.