Trending Threats

This section provides summaries of and links to the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.
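Indicator lists are usually distributed defanged (hxxp://, [.]) and mixed across types, so matching them against logs takes a little normalisation. The following matcher is an added example for this briefing, not code from the original page: the indicators and log lines are constructed placeholders (documentation address ranges, example domains, and the EICAR test-file MD5 standing in for a malware hash), not IOCs from the stories below.

```python
"""Match a defanged IOC list against log lines (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed indicators in the defanged style that threat feeds use.
SAMPLE_IOCS = [
    "hxxp://update-check[.]example/gate.php",
    "203[.]0[.]113[.]45",
    "payload[.]example",
    "44d88612fea8a8f36de82e1278abb02f",  # EICAR test file MD5, stands in for a malware hash
]

# Constructed proxy, DNS and AV log lines to scan.
SAMPLE_LOGS = [
    '2016-11-28T10:02:11Z proxy src=10.1.2.3 url="http://update-check.example/gate.php" status=200',
    "2016-11-28T10:02:12Z dns query=www.payload.example type=A answer=203.0.113.45",
    "2016-11-28T10:05:00Z av host=POS-07 file=C:\\temp\\x.exe md5=44D88612FEA8A8F36DE82E1278ABB02F",
    "2016-11-28T10:06:00Z dns query=example.org type=A answer=93.184.216.34",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the indicator compares literally."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(ioc: str) -> Tuple[str, str]:
    """Return (kind, normalized value) where kind is url, ip, hash or domain."""
    s = refang(ioc)
    if re.match(r"^https?://", s, re.IGNORECASE):
        return "url", s.lower()
    try:
        ipaddress.ip_address(s)
        return "ip", s
    except ValueError:
        pass
    if HASH_RE.fullmatch(s):
        return "hash", s.lower()
    return "domain", s.lower().rstrip(".")


def build_index(iocs: List[str]) -> Dict[str, Set[str]]:
    """Bucket indicators by kind so each log line is checked only against the right set."""
    index: Dict[str, Set[str]] = {"url": set(), "ip": set(), "hash": set(), "domain": set()}
    for ioc in iocs:
        kind, value = classify(ioc)
        index[kind].add(value)
    return index


def match_line(line: str, index: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    lowered = line.lower()
    hits.extend(("url", u) for u in sorted(index["url"]) if u in lowered)
    hits.extend(("ip", ip) for ip in IPV4_RE.findall(line) if ip in index["ip"])
    hits.extend(("hash", h.lower()) for h in HASH_RE.findall(line) if h.lower() in index["hash"])
    for host in HOST_RE.findall(line):
        labels = host.lower().split(".")
        # Walk up the name so a subdomain (www.payload.example) matches its parent indicator.
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in index["domain"]:
                hits.append(("domain", parent))
                break
    return hits


def scan(lines: List[str], iocs: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line number, hits) for every line with at least one indicator match."""
    index = build_index(iocs)
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line, index)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS, SAMPLE_IOCS):
        print(n, hits)
```

Hash and IP matches are exact; domain matches walk up the name so a subdomain of a listed domain still fires, and URL indicators are matched as substrings of the lowercased line. For a production feed, replace the constructed lists with the indicators attached to this briefing.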

NetWire RAT Steals Payment Card Data (November 28, 2016)

During an incident response engagement in September 2016, Dell SecureWorks incident response analysts observed payment card data being collected by a generic remote access trojan (RAT), NetWire, rather than by typical memory-scraping malware. In many payment card data breaches, a point-of-sale (POS) system is infected with malware that searches memory for specific processes known to hold card data in plain text. The malware copies card data from the running processes, a technique known as memory scraping, into encoded files on disk. These files are then transmitted to a threat actor, often over ports 80 and 443 (HTTP and HTTPS), which are commonly left open. The threat actor sells the card data or uses it for fraudulent purchases.

Recommendation: Point-of-sale (POS) security relies on the same preventative measures as any other endpoint, since a POS terminal is a special-purpose computer. In the case of a confirmed NetWire infection, the POS device should be taken offline until it can be completely wiped and restored to its original factory settings. Organizations with payment systems must ensure that no default passwords remain on these devices, that POS networks are segmented from general-purpose and internet-facing systems, and that defensive controls are embedded throughout the entire network so that threats can be prevented, or at least detected. Because card data is typically exfiltrated over ports that are normally open (80 and 443), egress filtering and monitoring of outbound connections from POS systems deserve particular attention. All companies holding customer data must have an incident response (IR) procedure in place in the event of compromise.

Tags: RAT, POS, NetWire

Exciting announcement from Shadowserver: Operation Avalanche Takedown (December 1, 2016)

For the past 18 months, The Shadowserver Foundation has been quietly working to support international law enforcement agencies in the coordinated takedown of the criminally operated Avalanche malware delivery platform. Avalanche is a double fast-flux content delivery and management platform designed for the delivery and so-called bullet-proof management of botnets. More than 20 different malware families using multiple Domain Generation Algorithms (DGAs), operating criminal infrastructure in 30 countries and US states and impacting over 60 registries worldwide, required unprecedented levels of effective international partnership.

Recommendation: Operation Avalanche is a good case study in the complexity and depth some malware campaigns can reach, and in how organizations must work together to survive threats like this. Collaboration makes all participants stronger. Organizations in certain sectors can participate in an ISAC or other threat-sharing program, which improves every member's security posture by letting them protect each other against threats targeting similar organizations. Because Avalanche relied on DGAs and fast flux, static domain and IP blocklists for this infrastructure go stale quickly; detection of DGA-like lookups and sinkholed domains in DNS logs is more durable. Leverage threat intelligence within your security controls in order to stay ahead of the curve.

Tags: Avalanche, Takedown, Botnet

PluginPhantom: New Android Trojan Abuses DroidPlugin Framework (November 30, 2016)

PluginPhantom is a new class of Google Android Trojan: it is the first to use Android plugin technology to update itself and to evade static detection. It abuses the legitimate and popular open source framework DroidPlugin, which allows an app to dynamically launch other apps as plugins without installing them on the system. PluginPhantom implements each element of its malicious functionality as a plugin and uses a host app to control the plugins. With this architecture, PluginPhantom can update its modules without reinstalling the app, and it evades static detection because the malicious behaviour lives in the plugins rather than in the host app a scanner examines. Since the plugin development pattern is generic and the plugin SDK can be easily embedded, the plugin architecture could become a trend among Android malware.

Recommendation: Android devices continue to be a high-value target for attackers, and as the workforce becomes more reliant on mobile devices, it is more important than ever to have a robust Bring Your Own Device (BYOD) strategy to keep your employees and your infrastructure safe. All companies should segment their networks so that any malware that makes its way onto an employee's mobile phone cannot propagate into the organization's network. All devices on your network should have

Tags: Android-Malware, PluginPhantom, DroidPlugin, China, Mobile

Shamoon is back (November 30, 2016)

In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged. Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. The purpose of the new Disttrack samples appears to have been solely destruction: the samples were configured with a non-operational C2 server to report to and were set to begin wiping data at exactly 20:45 on 2016/11/17.

Recommendation: Companies in specific sectors such as energy must be aware of the heightened threats they face due to the nature of their business, and must take additional security measures accordingly. Always practice defense in depth: layered, redundant, fail-safe security controls that leave your organization with no single point of failure and no entirely unprotected attack surface through which an attack could slip. Because Disttrack spreads with stolen administrator credentials, limit and monitor the use of privileged accounts across workstations, and keep backups offline where a wiper cannot reach them.

Tags: shamoon, wiper, middle east, iran, Disttrack, Energy

Malware Actors using NIC Cyber Themed Spear Phishing to Target Indian Government Organizations (November 30, 2016)

Cysinfo's latest blog post describes an attack campaign in which NIC (National Informatics Centre) cyber security themed spear phishing emails were used to target Indian government organizations. To infect victims, the attackers distributed spear phishing emails purporting to come from NIC's incident response team, spoofing a sender address associated with the Indian Ministry of Defence. The attackers also used the name of a top NIC official in the email signature so that the message appeared to come from a high-ranking government official at NIC. The emails carried malicious MS Word documents that ultimately dropped a backdoor, established command and control, and allowed the attackers to install additional payloads.

Recommendation: The campaign described in this report is notable for its use of spoofed-sender spear phishing emails, something all organizations must do their best to filter out of employee inboxes and that all employees should be aware of. Publish SPF, DKIM and DMARC records for your own domains, and have your mail gateway evaluate them on inbound mail, so that a message claiming to come from a domain whose policy it fails can be rejected or quarantined before it reaches a user. Email should not be considered a trusted source; users should treat every link and attachment as potentially unsafe. Email should be provided by a specialized provider (such as Google) whenever possible, and all systems should run anti-virus along with other endpoint detection solutions.

Tags: NGO, India, Spearphishing
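The spoofing traits described in this story (a From header claiming one domain, an envelope sender elsewhere, and a legacy Word attachment) can be triaged mechanically from the raw message. The script below is an added example for this briefing, not code from Cysinfo or from the original page; the sample message is constructed, and its domains, addresses and attachment are placeholders rather than indicators from the campaign.

```python
"""Triage an inbound message for sender spoofing and risky Office attachments (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed sample: From claims a ministry domain, the envelope sender and
# Reply-To point elsewhere, the receiving MTA recorded SPF and DMARC failures,
# and a legacy Word document is attached (body is a placeholder OLE header).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.ministry.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=mod.example
From: "NIC Incident Response Team" <cert@mod.example>
Reply-To: <nic.helpdesk@webmail.example>
To: <officer@ministry.example>
Subject: NIC Cyber Security Advisory
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached advisory and acknowledge.
--b1
Content-Type: application/msword; name="Advisory.doc"
Content-Disposition: attachment; filename="Advisory.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--b1--
"""

# Office formats that can carry macros or exploit-prone OLE content.
RISKY_ATTACHMENT_EXT = (".doc", ".docm", ".dotm", ".xls", ".xlsm", ".rtf", ".ppt", ".pptm")
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
AUTH_BAD = {"fail", "softfail", "permerror", "temperror"}


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_dom = domain_of(str(msg.get("From", "")))
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    # Header From is what the user sees; the envelope sender is what SPF checks.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    # A Reply-To elsewhere steers the victim's answer away from the spoofed sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving MTA; trust only your own.
    for ar in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(str(ar)):
            if result.lower() in AUTH_BAD:
                findings.append(f"{mech.lower()}={result.lower()}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment {name}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("-", finding)
```

The check reads the Authentication-Results header only because the receiving gateway wrote it; an attacker-supplied copy of that header must be stripped at the perimeter or this logic will trust it.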

Cerber Spam: Tor All the Things! (November 28, 2016)

Criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection. Researchers with Cisco Talos spotted the shifting tactic last week when it began tracking the latest Cerber (5.0.1) ransomware variant. The technique defies Cerber’s typical attack strategy of spam campaigns, malicious attachments and well written, professional looking emails, according to Talos researchers.

Recommendation: Cerber is one of the most common and capable ransomware families in the wild today and, as this report shows, its operators stay ahead of the curve. In the case of a Cerber infection, the infected system must be quarantined, wiped, and reformatted. The entire network should be assessed for additional infections, and an incident response process should begin to identify how the initial infection occurred. Because this campaign hides its payload behind Google redirects and Tor2Web proxies, web proxies should log full URLs so that links resolving to Tor2Web gateways can be spotted and blocked.

Tags: Cerber, ransomware, malspam, tor
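A link that passes through a Google redirect to a Tor2Web gateway looks legitimate to a reputation filter that only inspects the first hop. The following detector is an added example for this briefing, not code from Cisco Talos or the original page: it unwraps the google.com/url redirect and checks whether the destination host is an onion address served through a web gateway. The gateway suffix list and the sample links are assumptions constructed for illustration, and the 16-character onion label is made up.

```python
"""Flag links that bounce through a Google redirect to a Tor2Web gateway (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Assumed list of Tor2Web-style gateways that serve .onion content over the open web.
TOR2WEB_SUFFIXES = ("onion.to", "onion.link", "onion.cab", "onion.nu", "tor2web.org")
# v2 (16 char) and v3 (56 char) onion addresses are base32: a-z and 2-7.
ONION_LABEL_RE = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Constructed sample links in the style of a spam campaign.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=http%3A%2F%2Fabcdefghijk23456.onion.to%2Fget.php%3Fid%3D7&sa=D",
    "https://www.google.com/url?q=https://docs.example/invoice.pdf",
    "http://abcdefghijk23456.onion.link/get.php",
    "https://example.org/onion.to/readme",
]


def unwrap_google_redirect(url: str) -> str:
    """Return the target of a google.com/url?q=... redirect, or the URL itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        params = parse_qs(p.query)  # percent-decodes the values
        target = params.get("q") or params.get("url")
        if target:
            return target[0]
    return url


def tor2web_target(url: str) -> bool:
    """True when the host is <onion-address>.<gateway> or a bare .onion host."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] == "onion":
        return bool(ONION_LABEL_RE.fullmatch(labels[-2]))
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith("." + suffix):
            # The label immediately before the gateway suffix must be an onion address;
            # a path component such as /onion.to/ on an ordinary site does not count.
            onion_part = host[: -len(suffix) - 1].split(".")[-1]
            if ONION_LABEL_RE.fullmatch(onion_part):
                return True
    return False


def classify_url(url: str) -> Dict[str, object]:
    """Describe a link: was it a Google redirect, where does it end up, is that Tor2Web?"""
    final = unwrap_google_redirect(url)
    return {"redirect": final != url, "final": final, "tor2web": tor2web_target(final)}


def suspicious_links(links: List[str]) -> List[str]:
    """Return only links that resolve (after any redirect) to a Tor2Web gateway."""
    return [u for u in links if classify_url(u)["tor2web"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_url(link))
```

Run over proxy logs, the redirect unwrapping is what matters: blocking google.com is not an option, so the control has to evaluate the final destination rather than the first hop.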

Gooligan Android Malware Responsible for 1 Million Compromised Google Accounts (December 1, 2016)

Android malware called Gooligan is being blamed for 1 million breached Google accounts. The malware is still active, according to Check Point Software Technologies, and is responsible for an additional 13,000 new breaches of Android devices daily.

Recommendation: Android malware most often arrives through applications downloaded from sources other than the official app store, but abiding by the rule "only install software from the Google Play store" is not by itself sufficient to prevent all threats. Gooligan roots devices using long-patched kernel vulnerabilities (the VROOT and Towelroot exploits tagged below), so devices kept on current, patched Android builds are far less exposed. Network administrators should monitor network traffic with an Intrusion Detection/Prevention System (IDS/IPS) in order to detect infections passively.

Tags: Towelroot, VROOT, CVE-2013-6282, CVE-2014-3153, Gooligan, Android-Malware

SFMTA Hit with Ransomware, Attacker Uncovered and Hacked (November 29, 2016)

In an exciting series of events, the San Francisco Municipal Transportation Agency (SFMTA) was hit with a ransomware attack on Friday, causing fare station terminals to carry the message, “You are Hacked. ALL Data Encrypted.”, and forcing them to offer rides free of charge throughout the day. Turns out, the miscreant behind this extortion attempt got hacked himself this past weekend, revealing details about other victims as well as tantalizing clues about his identity and location.

Recommendation: The SFMTA breach is a reminder of how important it is to have an educated workforce that knows how to avoid being tricked by malspam, which is the likely way the SFMTA was initially infected. The use of ransomware in the enterprise environment means that organizations must take additional care to back up all intellectual property, and must have an incident response process to follow in the event of compromise. In the case of a Mamba (also known as HDDCryptor) infection, the system must be quarantined, wiped, and reformatted, and the entire network must be scanned for similar infections.

Tags: Ransomware, Mamba

Weekly Ransomware Roundup (December 2, 2016)

Lots of small ransomware infections and screenlockers appeared this week, but no major new families were discovered. Thankfully, security researchers were able to create a number of decryptors and make them available for victims to recover their files. Of particular note was the San Francisco MTA getting hit hard by the HDDCryptor (Mamba) ransomware, which caused it to provide rail service for free for a day or so.

Recommendation: Ransomware can potentially be blocked by endpoint protection solutions (host-based intrusion detection, HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up, and keep at least one copy offline or otherwise unreachable from the machines it protects. In the case of a ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs.

Tags: Ransomware, Scareware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

NJRat Tool TIP

NJRat is a widely available Remote Access Tool (RAT). The tool was originally developed in 2013 by a freelance coder using the alias `njq8`. NJRat is commonly used as general-purpose spyware and to facilitate computer intrusions. It is often delivered via drive-by downloads and phishing emails, and is most commonly used to target organizations in the Middle East.

Tags: njrat, Remote Access Tool, RAT