Trending Threats

This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Hacking Team is Back for your Androids (November 14, 2016)

Researchers from RedNaga Security recently obtained an interesting Android malware sample found in the wild. It appears to be an updated Hacking Team product, the Italian Spyware / Commercial Espionage company that suffered a highly publicized breach in 2015. Though they've been quiet as of late, their business seems to still be operational. In their post, they pull the sample apart and discuss the inner workings of how it works.

Recommendation: Targeted threats such as espionage malware by and large rely upon the same infection vectors as other threats: phishing emails and social engineering attacks. However, detection of targeted malware is typically more difficult due to lack of existing samples to use for signature matching. For such threats, it is prudent to employ less traditional defenses such as host and network behavioral monitoring, netflow and anomaly detection. But most importantly, educating everyone within your organization on how to spot the warning signs of a phishing attack, restricting the ability to install non-official app store apps, can help stop these threats from entering your environment in the first place.

Tags: HackingTeam, Android-Malware, Espionage

New Carbanak / Anunak Attack Methodology (November 14, 2016)

Trustwave Labs researchers released a post documenting their recent adventures with the Carbanak / Anunak actors, who have resurfaced targeting the hospitality industry. Carbanak is a prolific crime group, well known for stealing over one billion dollars from banks in 2015 (*Kaspersky estimated loss) and more recently orchestrating an attack on the Oracle Micros POS support site that put over one million Point of Sale systems at risk.

Recommendation: Groups such as Carbanak often struggle to change their TTPs, and high quality threat intel can be one of the easiest ways to prevent and detect the presence of threat actors on your networks. All vendors with Point of Sales (POS) technology deployed must be aware of the threats posed to these devices, and have a strategy in place in the event of a breach. All retailiers should be on extra high alert during the holiday season.

Tags: Carbanak, Anunak, Hospitality, MicrosoftWord, VBScript

ScanPOS, New POS Malware Being Distributed By Kronos (November 15, 2016)

Just in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered. Morphick responded to a Kronos phishing campaign that involved a document with a malicious macro that downloaded the Kronos banking malware. When running, the Kronos payload will download several other pieces of malware, but the one that caught our eye is a new credit card dumper with very low detection. Morphick is tracking this malware under the name ScanPOS due to the build string present in the malware. In their report, Morphick researchers document the infection chain, and internal workings of the malware samples.

Recommendation: With the holiday season quickly approaching, the number of threats targeting POS is on the rise. Retailers are on the hook now more than ever to keep their customers payment information safe. In addition to meeting compliance regulation standards, visibility into the security of all POS endpoints is critically important. These devices must be protected and monitored year round, but on extra high alert over the holiday shopping season.

Tags: POS-Malware, ScanPOS, Kronos, Financial-Services, Hospitality

CryptoLuck Ransomware being used in Malvertising by Rig Exploit Kit (November 15, 2016)

A new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit. While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits. Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger amount of victims.

Recommendation: Always run antivirus and endpoint protection software in order to prevent ransomware before it's too late. Keep secure backups of all your important files, to avoid the need to pay ransomware authors. Never open email attachments or software obtained from untrusted sources. Always keep your systems patched with the latest security fixes. In the case of CryptoLuck infection, the affected systems should be wiped and reformatted, even if the ransom is already paid. Other machines on the same network should be scanned for other similar infections, and an incident response process should be initiated to identify the original infection vector.

Tags: Ransomware, CryptoLuck, RigEK, malvertising

Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware (November 15, 2016)

Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, Proofpoint researchers observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload.

Recommendation: ATM/POS/IoT Security relies on the same type of preventative measures as all others, as they are a certain type of computer. In the case of a confirmed infection, the POS machine must be taken offline and quarantined until it can be completely wiped and restored to it's original factory settings. An incident response process should also be initiated.

Tags: POS-Malware, ScanPOS, Kronos, SmokeLoader, RigEK, Financial-Services, Hospitality

PC Locker - A New Survey Locker in the Wild (November 14, 2016)

The researchers of the ART team at Fortinet have recently discovered a new malware. While it still locks the user's computer and demands they follow instructions to have it unlocked, this time it doesn’t require them to pull out their wallets to pay a ransom. Instead, it forces them to take a tedious survey in order to unlock their computers. So, of course, a survey of this malware is in order.

Recommendation: The ever expanding market for ransomware style threats can be excruciating. The best path includes both prevention measures as well as detection. Host based file integrity, antivirus, and other host based intrusion detection systems (HIDS) can prevent attacks targeting your organization in this way. Always keep your employees educated on the latest trends in malware, social engineering, and safe usage of internet and email.

Tags: PCLocker, ransomware

KeyBoy and the targeting of the Tibetan Community (November 17, 2016)

This report by Citizen Labs analyzes an operation targeting members of the Tibetan Parliament. The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data.

Recommendation: Members of NGOs and groups targeted on a regular basis must be on high alert. Network monitoring software is of critical importance to such groups, but so are the other conventional defensive controls like antivirus. Practice defense in depth - the use of layered, redundant, failsafe security controls to give your organization the best chances of avoiding compromise.

Tags: KeyBoy, Tibet, China, NGO, CitizenLab

Wrap-up: US Campaign-themed Malware and Trolls (November 15, 2016)

The US political season is over and a new President has been elected. This election has arguably been one of the most colorful (some might say entertaining) and controversial presidential election cycles in the country’s history. For cyber crooks, this has been just the right environment to target victims with their attacks and trolls. In this post Fortinet researchers take a look at some of the more notable US campaign-themed malware and scams. While some may induce false fears and a few laughs, others represent serious threats.

Recommendation: Malware authors have learned over the years that distracting users while you attempt to compromise them can raise the chances of successful compromise. Employees should be educated on the use of current events and appeals to emotion (social engineering) from a security perspective. Keep your employees well trained on the latest threats and encourage them to be proactive when it comes to security.

Tags: ransomware, trumplocker

Android Banking Malware Masquerading as Email App Targets German Banks (November 18, 2016)

Researchers at Fortinet recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching.

Recommendation: Android malware often relies upon users installing applications from untrusted sources. The safest policy is to obtain all software from the app store. Antivirus software should always be used, and software updates should be treated as a matter of safety.

Tags: Android-Malware, Germany, Stealer

Android Malware Masquerades as Banking App, Part II (November 18, 2016)

In the second part to this expose on Android banking malware, Fortinet researchers follow up with subsequent expansions they observed watching this malware family in the wild. Notably, they found several new variants of this growing malware.

Recommendation: This post is a good example of how successful malware is often repurposed, copied, and otherwise expanded upon. Typically these variants are delivered using the same tactics as their predecessors, and good user education can be the difference between a thwarted attack and a full compromise. Always keep your users educated on how to safely use their devices, and the importance of keeping them patched with the latest security updates.

Tags: Android-Malware, Germany, Stealer

Ransomware Roundup - Week of Nov 18 (November 18, 2016)

This week's highlights include: Master decryption keys and decryptor for CrySiS ransomware released, new monetization methods for Karma ransomware, a new version of PadCrypt (3.0), an Angela Merkel themed ransomware, Ransoc ransomware turning to scare tactics threatening legal action, and much more. Stay safe out there!

Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of Locky infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. As noted in this week's roundup, decryptors may be available, and should be considered in the event of a compromise.

Tags: ransomware, CrySiS, KarmaRansomware, PadCrypt, Ransoc

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

NJRat Tool TIP

NJrat is a widely available Remote Access Tool. The tool was originally developed in 2013 by a freelance coder with the alias of `njq8`. NJRat is commonly used as general spyware and to facilitate computer intrusions. NJRAT is often delivered via drive-by downloads and phishing emails. NJRat is most commonly used to target organizations in the middle east.

Tags: njrat, Remote Access Tool, RAT