Updated: May 6
On March 31, the Cyber Threat Alert Level was evaluated and is being lowered to Blue (Guarded). The MS-ISAC is still observing exploitation attempts against critical vulnerabilities in versions of Microsoft Exchange Server. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network. On March 25, the MS-ISAC released an advisory for multiple vulnerabilities in Cisco Jabber, the most severe of which could allow for arbitrary code execution. On March 30, the MS-ISAC released two advisories. The first was an advisory for multiple vulnerabilities in ArubaNetworks Instant Access that could allow for arbitrary code execution. The second advisory was for multiple vulnerabilities in VMware vRealize Operations Manager, the most severe of which could allow for remote code execution. Organizations and users are advised to update and apply all appropriate vendor security patches to vulnerable systems and to continue to update their antivirus signatures daily. Another line of defense is user awareness training regarding the threats posed by attachments and hypertext links contained in emails, especially from untrusted sources.
1. SHLAYER TROJAN ATTACKS macOS USERS IN THE USA
We noticed several file-partner (pay-per-install) programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for its relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).
In most cases, it was advertising landing pages that brought users to the next stage of the distribution chain: nicely crafted fake pages prompting the user to install the malware under the guise of a Flash Player update. This is primarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.
For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains, according to antivirus company Kaspersky Lab.
The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much: the number of detections remains at the same level as in the first months after the malware was uncovered.
2. AGENT TESLA ATTACK
The AgentTesla malware has been around since 2014. It is sold on a subscription model that provides customers with time-limited licenses for the malware, including a web panel for monitoring and configuration, a converter for Word documents, and technical support. According to investigators, more than 6,300 purchases have been made of this spyware product. Its main purpose is to steal stored login information and send it to the attacker. Additionally, the software takes screenshots and monitors keystrokes.
Many users tend to store login information in their browsers and other software they use on a daily basis. These credentials can be valid for services of the compromised company, but also for services hosted by business partners. AgentTesla exploits exactly this user behavior.
According to MITRE, the malware is capable of capturing webcam video feeds, bypassing antivirus products, and communicating with the attacker over HTTP or SMTP.
The complete execution chain has been documented after extensive reverse engineering of the malware sample. Some aspects of this analysis will be described throughout this section, structured by the different execution stages.
3. SNUGY MALWARE ATTACK
In September 2020, we were notified that threat actors breached an organization in Kuwait. The organization's Exchange server had suspicious commands being executed via the Internet Information Services (IIS). Actors issued these commands via a web shell we call BumbleBee that had been installed on the Exchange server, which we will discuss in detail in a future blog. We investigated how the actors installed the web shell on the system, and we did not find any evidence of exploitation of the Exchange server within the logs that we were able to collect. However, we did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.
The xHunt campaign has been active since at least July 2018 and we have seen this group target Kuwait government and shipping and transportation organizations. Recently, we observed evidence that the threat actors compromised a Microsoft Exchange Server at an organization in Kuwait. We do not have visibility into how the actors gained access to this Exchange server. However, based on the creation timestamps of scheduled tasks associated with the breach, we believe the threat actors had gained access to the Exchange server on or before Aug. 22, 2019. The activity we observed involved two backdoors – one of which we call TriFive and a variant of that we call Snugy – as well as a web shell that we call BumbleBee.
The TriFive and Snugy backdoors are PowerShell scripts that provide backdoor access to the compromised Exchange server, using different command and control (C2) channels to communicate with the actors. The TriFive backdoor uses an email-based channel that uses Exchange Web Services (EWS) to create drafts within the Deleted Items folder of a compromised email account. The Snugy backdoor uses a DNS tunneling channel to run commands on the compromised server. We will provide an overview of these two backdoors since they differ from tools previously used in the campaign.
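The Snugy DNS tunneling channel described above is the kind of C2 that shows up in DNS query logs rather than in proxy logs. As an added example (not code from the original article, and not tied to any real xHunt domain), here is a small Python heuristic a defender can run over DNS query records: per registered domain, it counts unique subdomains and measures the length and Shannon entropy of the leftmost label, then flags domains whose subdomains look like encoded payloads. The sample log records and the domain `c2-placeholder.test` are constructed for the example; the thresholds are assumptions to be tuned against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log records (client_ip, queried_name).
# Made-up names; "c2-placeholder.test" stands in for an unknown C2 domain.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "3a9f1c7e2b8d4e6f0a1b2c3d.c2-placeholder.test"),
    ("10.0.0.7", "7e2b8d4e6f0a1b2c3d3a9f1c.c2-placeholder.test"),
    ("10.0.0.7", "b8d4e6f0a1b2c3d3a9f1c7e2.c2-placeholder.test"),
    ("10.0.0.7", "d4e6f0a1b2c3d3a9f1c7e2b8.c2-placeholder.test"),
]

# Assumed thresholds; tune them against your own DNS baseline.
MIN_UNIQUE_SUBDOMAINS = 3   # tunnels generate many never-repeated names
MIN_AVG_LABEL_LEN = 20      # encoded payload makes the leftmost label long
MIN_AVG_ENTROPY = 3.0       # bits per character; hex/base32 payloads score high


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Approximation: the last two labels. A real deployment should use the
    # Public Suffix List so that names like example.co.uk are grouped correctly.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_stats(queries):
    """Group queries by registered domain and compute per-domain features."""
    per_domain = defaultdict(set)
    for _client, name in queries:
        per_domain[registered_domain(name)].add(name.rstrip(".").lower())
    stats = {}
    for dom, names in per_domain.items():
        leftmost = [n.split(".")[0] for n in names]
        stats[dom] = {
            "unique": len(names),
            "avg_label_len": sum(map(len, leftmost)) / len(leftmost),
            "avg_entropy": sum(map(shannon_entropy, leftmost)) / len(leftmost),
        }
    return stats


def flag_tunneling_domains(queries):
    """Return the sorted list of domains whose subdomain pattern looks like tunneling."""
    flagged = []
    for dom, st in domain_stats(queries).items():
        if (st["unique"] >= MIN_UNIQUE_SUBDOMAINS
                and st["avg_label_len"] >= MIN_AVG_LABEL_LEN
                and st["avg_entropy"] >= MIN_AVG_ENTROPY):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, st in domain_stats(SAMPLE_QUERIES).items():
        print(f"{dom:25s} unique={st['unique']} avg_len={st['avg_label_len']:.1f} "
              f"avg_entropy={st['avg_entropy']:.2f}")
    print("suspected tunneling:", flag_tunneling_domains(SAMPLE_QUERIES))
```

The three features are deliberately combined with "and": a CDN or anti-spam service also produces many unique subdomains, but its labels are short and low-entropy, so requiring all three keeps the false-positive rate manageable. Query volume per client and a high ratio of TXT or NULL record types are further signals worth adding from your own logs.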
4. GAMEOVER ZEUS ATTACK
More than 15,000 machines in the United Kingdom are believed to have been infected with the virus, known as GameOver Zeus, which has been tailored by a criminal gang based in Russia and Ukraine to search for files that will allow access to banking or financial information. The FBI believes that GameOver Zeus has been responsible for $100m (£60m) in losses.
According to FBI estimates, nearly 250,000 computers worldwide have been infected with CryptoLocker since it emerged in April and it has so far been used to extort payments of more than $27m (£16m). Up to a million machines worldwide are thought to have been infected with GameOver Zeus.
Internet service providers will now contact thousands of customers believed to have been affected by GameOver Zeus, which is distributed via links or attachments in unsolicited emails, offering advice on how to update antivirus software to disable the virus. A website set up to provide this information appeared to be offline last night.
Alerts have been issued by the National Crime Agency in the UK, the FBI and other law enforcement agencies as far away as Australia, and have been carried in the media, including on Sky News today. Computer users worldwide, in particular those doing their banking online, have been warned to ensure that their computer security protection is up to date.
5. DRIDEX MALWARE ATTACK
Dridex is credential-stealing malware that targets Windows clients like desktops and laptops. Dridex is designed to steal credentials and obtain money from victims' bank accounts. The malware is generally distributed through email. Dridex-related email has often been labeled as phishing; however, it is more accurately described as malspam.
The criminal organizations behind this malware rely on Microsoft Office documents containing malicious macros to download Dridex onto an unsuspecting user's Windows computer.
First spotted around November 2014, Dridex is considered the direct successor of the Cridex banking malware. Dridex malspam has been fairly consistent since then, usually appearing on a near-daily basis. Dridex disappeared for about a month in September 2015 after the arrest of an administrator of a botnet delivering the malware. By October 2015, Dridex malspam was back, and it has been appearing on a near-daily basis up through the present day.
According to IBM security intelligence, Dridex released a new malware build earlier this month on 2016-01-06. This new build was followed by a malspam campaign using the Andromeda botnet to deliver malware to would-be victims. Campaigns have mainly focused on users in the UK.
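Because the Dridex lure is an Office document carrying a VBA macro, a useful first triage step at the mail gateway is to ask whether an attachment contains a VBA project at all, and whether that fact matches its extension. As an added example (not code from the original article), here is a Python triage routine for modern OOXML (zip-based) documents: it looks for a `vbaProject.bin` part and for a macro-enabled content type in `[Content_Types].xml`, and treats a macro inside a `.docx`/`.xlsx`/`.pptx` as an extension mismatch. The sample documents are constructed in memory by `build_sample_document`, which is my helper and produces only a minimal stand-in container, not a real Office file; the verdict strings are my own naming.

```python
import io
import zipfile

# Content types that Office assigns to macro-enabled OOXML main parts.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
NON_MACRO_WORD_TYPE = ("application/vnd.openxmlformats-officedocument."
                       "wordprocessingml.document.main+xml")


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = MACRO_CONTENT_TYPES[0] if with_macro else NON_MACRO_WORD_TYPE
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file; only its magic is mimicked.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def inspect_document(data: bytes) -> dict:
    """Report whether data is OOXML and whether it carries VBA indicators."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"ooxml": False, "vba_part": False, "macro_content_type": False}
    return {
        "ooxml": True,
        # Word, Excel and PowerPoint store the project under different folders,
        # so match on the file name rather than the full path.
        "vba_part": any(n.lower().endswith("vbaproject.bin") for n in names),
        "macro_content_type": any(ct in ctypes for ct in MACRO_CONTENT_TYPES),
    }


def triage(filename: str, data: bytes) -> str:
    """Return a verdict string for a mail attachment (names are this example's own)."""
    info = inspect_document(data)
    if not info["ooxml"]:
        # Legacy .doc/.xls binaries need an OLE parser (e.g. olefile), not handled here.
        return "not-ooxml"
    if info["vba_part"] or info["macro_content_type"]:
        ext = filename.lower().rsplit(".", 1)[-1]
        if ext in ("docx", "xlsx", "pptx"):
            return "macro-with-non-macro-extension"
        return "macro-enabled"
    return "no-macro"


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_sample_document(True)),
                      ("invoice.docx", build_sample_document(True)),
                      ("report.docx", build_sample_document(False))]:
        print(f"{name:14s} -> {triage(name, doc)}")
```

This only answers "is there a macro?", which is a policy question (many organizations block or quarantine all macro-bearing attachments from external senders); deciding whether the macro is malicious requires extracting and deobfuscating the VBA, for which purpose-built tools such as oletools are the usual next step.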
6. NANOCORE TROJAN ATTACK
Attacks by malicious programs from the infamous Trojan horse family can be devastating for any computer. Not only are such infections very difficult to detect, because they use various camouflaging techniques, but the harmful effects they can initiate inside the system can cause serious damage. One freshly detected Trojan threat we need to warn you about is NanoCore. This malware has recently been reported by a number of online users and security researchers, and on this page we are going to elaborate on its possible abilities. If you have been infected with this virus, stay with us: here you will find a detailed Removal Guide and a trusted malware removal tool, which could help you get rid of NanoCore and all of its traces.
NanoCore is a very sophisticated infection that can sneak inside any computer without visible symptoms. Once inside, the malware can initiate various harmful activities, most of which may not be spotted in time, or at least not before major damage or malfunction has been caused. This method of operation makes NanoCore a particularly harmful Trojan horse, one that uses stealth and disguise to carry out the criminal deeds it has been programmed for.
Like the wooden Trojan horse from the Greek myth of the Trojan War, the computer threat we are describing pretends to be a harmless file or some interesting offer, the aim being to trigger the victim's curiosity and make them click on the malware. It is typical for Trojans like NanoCore to be camouflaged so as to mislead online users and get them infected. Normally, such threats are distributed via spam emails and infected attachments, malicious ads and fake pop-ups, misleading links, torrents or infected web pages. Oftentimes you may find Trojans bundled inside software installers, which can also transmit other threats such as ransomware.
The criminals behind NanoCore have many ways of using their Trojan and can program it to perform a number of malicious activities. According to the information we have, such an infection could be effectively employed for criminal purposes such as fraud and theft.
7. GHOSTCTRL MALWARE ATTACK
Android is the most widely used smartphone operating system today, and it is also the OS most attacked by malware. Today we look at a new one: GhostCtrl, a remote access Trojan that has already caused damage in a series of computer attacks in Israel.
Apparently this malware was initially created for Windows operating systems, although it is now attacking Android devices. It was first detected earlier this year in various attacks against Windows, but now it operates on Android devices and is arguably one of the most potent threats detected in quite some time.
It carries out a series of malicious actions that put users' security at risk. Here is the complete list of actions that GhostCtrl performs:
· Records audio and video from infected devices
· Has full control over calls and SMS
· Installs and opens applications (possibly also malicious ones)
· Roots the infected device
· Receives commands from a remote C&C server
· Uploads files to and downloads files from its C&C server
· Has full control over Bluetooth and Wi-Fi services
This makes it one of the most powerful pieces of malware seen on Android devices in a long time. But apparently it also acts as ransomware and can hijack the phone, with a ransom of up to $75 requested in some cases.
8. COINMINER TROJAN ATTACK
Coinminer belongs to one of the worst types of malware you can come across, what is known as a Trojan horse. Coinminer is currently on the rise and many users have become victims of it, which is why we decided it is important that our readers are well informed about this noxious malware threat.
Now, we know that you have most likely heard about this highly dangerous category of PC viruses, but are you aware of their actual characteristics: what they can do, how they are distributed and how one could handle such a threat? If you want to learn more about any of those aspects, we advise you to read the paragraphs below, which offer some important information about Trojans. The main reason we have written this article is one recently reported Trojan called Coinminer.
You all know that Trojan Horses are very dangerous and have the potential to cause some pretty nasty problems to the computers they infect. However, what makes a Trojan like Coinminer so devastating?
For starters, you need to understand that malicious programs in this malware group are very, very stealthy. Most users do not even realize that their computers have been compromised. In most cases, the best chance of detecting a Trojan is a good antivirus that can spot the infection in time. However, even with a reliable antivirus, there is still no guarantee that the threat will be detected.
9. DANABOT BANKING MALWARE ATTACK
A new banking malware called "DanaBot" is actively attacking organizations in various countries. It uses sophisticated evasion techniques, acts as a stealer, and is able to gain remote access to targeted victims' machines.
DanaBot includes evasion techniques such as extensive anti-analysis features and targets various countries, including Poland, Italy, Germany, Austria and Australia, with organizations in the U.S. as its main target.
DanaBot is a banking malware written in the Delphi programming language; it also contains junk code with extra instructions, conditional statements and loops.
To make the code difficult for analysts and automated tools to analyze, it uses Windows API function hashing and encrypted strings.
The malware is also under active development, and its operators keep adding new features, expanding geographically, and adding other new malicious activities.
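Windows API function hashing, as mentioned above, means the sample carries 32-bit hash values instead of readable import names and resolves them at runtime by walking a DLL's export table. The analyst's counter is to build a lookup table in the other direction: hash every exported name of the relevant DLLs with the same algorithm and look up the constants found in the sample. As an added example (not code from the original article, and not a description of DanaBot's real routine), the Python below does this with a ROR13 hash, a commonly documented scheme chosen here purely as an illustration; the actual hash function of any given sample must be recovered from its disassembly and substituted for `ror13_hash`. The list of API names is a constructed shortlist standing in for a real export table.

```python
# Constructed shortlist of export names; in practice you would load every
# export of the DLLs the sample is known to use (e.g. via pefile).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessW", "WriteProcessMemory", "CreateRemoteThread",
    "InternetOpenA", "HttpSendRequestA", "RegSetValueExW",
]


def ror13_hash(name: str) -> int:
    """ROR13 string hash: rotate the accumulator right by 13 bits, add each byte.
    Assumed for illustration only; it is not claimed to be DanaBot's algorithm."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names, hash_fn=ror13_hash):
    """Map hash value -> API name so that constants from a sample can be resolved."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            # Collisions are rare for 32-bit hashes over a few thousand names,
            # but an analyst should know when one happens rather than guess.
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve_hash(table, value: int):
    """Return the API name for a 32-bit constant, or None if it is not in the table."""
    return table.get(value & 0xFFFFFFFF)


def annotate_constants(table, constants):
    """Annotate a list of constants pulled from a sample; unresolved ones stay None."""
    return {c: resolve_hash(table, c) for c in constants}


if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    # Constructed "constants from a sample": three real hashes plus one unknown.
    found = [ror13_hash("VirtualAlloc"), ror13_hash("CreateRemoteThread"),
             ror13_hash("InternetOpenA"), 0x12345678]
    for const, name in annotate_constants(table, found).items():
        print(f"0x{const:08x} -> {name}")
```

Once the table is built, the hash function can usually be pinned down quickly: pick one constant from the sample, run a handful of candidate algorithms over the export list, and see which one produces a hit. Many samples also hash the module name or fold in a per-sample key, so the routine in `ror13_hash` is the part most likely to need adapting.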
10. MIRAI BOTNET MALWARE ATTACK
If you don’t remember, in 2016 the Mirai botnet seemed to be everywhere. It targeted routers, DVR systems, IP Cameras, and more. These are often called Internet of Things (IoT) devices and include simple devices like thermostats that connect to the internet. Botnets work by infecting groups of computers and other Internet-connected devices and then forcing those infected machines to attack systems or work on other goals in a coordinated fashion.
Mirai went after devices with default admin credentials, either because no one had changed them or because the manufacturer had hardcoded them. The botnet took over a massive number of devices. Even if most of the systems weren't very powerful, their sheer numbers, working together, could achieve more than a single powerful zombie computer could on its own.
Mirai took over nearly 500,000 devices. Using this botnet of IoT devices, Mirai crippled services like Xbox Live and Spotify and websites like the BBC and GitHub by targeting DNS providers directly. With so many infected machines, Dyn (a DNS provider) was taken down by a DDoS attack that saw 1.1 terabytes of traffic. A DDoS attack works by flooding a target with a massive amount of internet traffic, more than the target can handle. This brings the victim's website or service to a crawl or forces it off the internet entirely.
The original creators of the Mirai botnet software were arrested, pleaded guilty and were given terms of probation. For a time, Mirai was shut down. But enough of the code survived for other bad actors to take over Mirai and alter it to fit their needs. Now there is another variant of Mirai.