During the last couple weeks of the year the infosec industry was abuzz about methods for both building and using malicious Microsoft Office documents. Utilizing another staple of the office world, a phishing campaign stores its RAT payloads on a Google Cloud Storage domain. Also noteworthy is some interesting research that connects the TTPs of cryptominers and malware families.

Analysis of the latest Emotet propagation campaign
Source: ESET
In November, we issued warnings about a huge new spam campaign which was being used to propagate Emotet. On this occasion though, the implementation is a little unusual, consisting of a downloader incorporated into an Office file.

Ransomware suspected in cyberattack that crippled major US newspapers
Source: ZDNet
The Ryuk ransomware strain is the primary suspect in a cyberattack that caused printing and delivery disruptions for several major US newspapers over the weekend. All Tribune Publishing newspapers were impacted to some degree by the cyber-attack.

Cybercriminals Use Malicious Memes that Communicate with Malware
Source: Trend Micro
The malware authors have posted two tweets featuring malicious memes on October 25 and 26 via a Twitter account created in 2017. Twitter has already taken the account offline as of December 13, 2018.

What are Deep Neural Networks Learning About Malware?
Source: FireEye
An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering?

Connecting the dots between recently active cryptominers
Source: Cisco Talos
Through Cisco Talos’ investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs.

LCG Kit: Sophisticated builder for Malicious Microsoft Office Documents
Source: Proofpoint
Proofpoint researchers discovered “LCG Kit,” a weaponized document builder service, in March 2018. Since we began tracking LCG Kit, we have observed it using the Microsoft Equation Editor CVE-2017-11882 [1] exploit in various forms.

URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Source: Trend Micro
We discovered a connection between EMOTET, URSNIF, DRIDEX and BitPaymer from open source information and the loaders of the samples we had, functioning as if tasks were divided among different developers and operators.

Phishing campaign targets finance employees with RATs downloaded from Google Cloud Storage
Source: SC Media
A recently discovered phishing campaign has been targeting financial sector employees in the U.S. and UK with remote access trojan payloads stored on a Google Cloud Storage domain.