The industry saw lot of phishing and smishing in the second month of 2020. Most of this was related to the coronavirus epidemic. Read some of the most interesting and useful infosec articles from early February.

For more articles, check out our #onpatrol4malware blog.

emotet trojan

CamuBot Banking Trojan Returns In Targeted Attacks

Source: Threat Post

The malware is back in targeted attacks against Brazilian banking customers, this time using a new technique that involves mobile app authorization. Read more.

emotet trojan

Fake Interview: The New Activity of Charming Kitten

Source: Certfa

Certfa Lab has identified a new series of phishing attacks from the Charming Kitten1, the Iranian hacking group who has a close relationship with Iran’s state and Intelligence services. Read more.

emotet trojan

Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications

Source: Cofense

The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device. Read more.

emotet trojan

Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign

Source: Risk IQ

A recent blog post highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020. Read more.

emotet trojan

Living off another land: Ransomware borrows vulnerable driver to remove security software

Source: Sophos

Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers. Read more.

emotet trojan

RATs in the Library

Source: Reversing Labs

It was reported that a malicious file was being hosted on archive.org in an encoded format called Base64. The sample was identified as njRAT. This is a known technique used by adversaries to hide payloads on public sites. Read more.

emotet trojan

InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime

Source: CSIS

Traffic exchange is probably one of the oldest types of grey-hat business on the internet. Different companies compete to buy or sell real traffic for your projects. Read more.

emotet trojan

Winnti Group targeting universities in Hong Kong

Source: Secodify

Secodify found a new variant of the ShadowPad backdoor deployed using a new launcher and embedding numerous modules. The Winnti malware was also found at these universities a few weeks prior to ShadowPad. Read more.

emotet trojan

Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed

Source: Secodify

Researchers periodically scanned and collected metadata from Docker hosts exposed to the internet and this research reveals some of the tactics and techniques used by attackers in the compromised Docker engines. Read more.

emotet trojan

Forging SWIFT MT Payment Messages for fun and pr… research!

Source: F-Secure Labs

F-Secure Labs were able to demonstrate a proof of concept for introducing a fraudulent payment message to move £0.5M from one account to another, by manually forging a raw SWIFT MT103 message. Read more.

smishing

Suspected Sapphire Mushroom (APT-C-12) malicious LNK files

Source: bit_of_hex

In July 2018, the Chinese-based research group 360 TIC produced a report Sapphire Mushroom (APT-C-12) Technical Details Revealed. This report analysed a malicious LNK file allegedly used by the APT group “Sapphire Mushroom”. Read more.

emotet trojan

Watching you watch: the tracking system of over-the-top TV streaming devices

Source: The Morning Paper

The results from this paper are all too predictable: channels on Over-The-Top (OTT) streaming devices are insecure and riddled with privacy leaks. Read more.

emotet trojan

APT review: what the world’s threat actors got up to in 2019

Source: Secure List

Researchers have only partial visibility and it´s impossible to fully understand the motivation for some attacks or the developments behind them. Read more.

emotet trojan

“Distinguished Impersonator” Information Operation Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests

Source: Fire Eye

FireEye published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that was organized in support of Iranian political interests. Read more.

emotet trojan

Loda RAT Grows Up

Source: Talos

Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT. Read more.

emotet trojan

Threat Research Report: The State of Cryptomining

Source: Threat Vector

In this blog, we’ll discuss how cryptomining started, what targets are being mined, and exactly how threat actors are doing this. Read more.

emotet trojan

Enterprise Mobile Threat Landscape

Source: Pradeo

Today, employees leverage mobile services to enhance their performance and cybercriminals are well aware of it. To reach companies’ data, hackers have shifted to a data centric approach that extensively targets the mobile workforce. Read more.

emotet trojan

LokiBot: dissecting the C&C panel deployments

Source: Virus Bulletin

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. Read more.

smishing

Goblin Panda APT: Recent infrastructure and RAT analysis

Source: MeltXOR Security

Goblin Panda has historically had information theft and espionage related motives that align with Chinese interests. Their targets have primarily been defense, energy, and government organizations located in South/Southeast Asia. Read more.

emotet trojan

South Korea sees rise in smishing with coronavirus misinformation

Source: ZDNet

The South Korean government has warned the public of a sharp rise in smishing attempts — scam text messages — that use misinformation about the novel coronavirus outbreak. Read more.

emotet trojan

Lookout Phishing AI provides an inside look into a phishing campaign targeting mobile banking users

Source: Lookout

Consumers are increasingly using mobile banking apps as their primary means to manage their finances. It has not gone unnoticed by cybercriminals who are starting to exploit it as a new attack vector. Read more.

emotet trojan

Ransomware Impacting Pipeline Operations

Source: CISA

The CISA encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied. Read more.

emotet trojan

What DNS encryption means for enterprise threat hunters

Source: We Live Security

In one way, the proliferation of domain name service (DNS) attacks throughout the world has helped to raise awareness about a deep problem in the “plumbing” of the internet. Read more.

smishing

Hamas Android Malware On IDF Soldiers-This is How it Happened

Source: CheckPoint Research

Earlier, IDF’s spokesperson revealed that IDF (Israel Defense Force) and ISA (Israel Security Agency AKA “Shin Bet”) conducted a joint operation to take down a Hamas operation targeting IDF soldiers, dubbed ‘Rebound’. Read more.

emotet trojan

US Gas Pipeline Shut After Ransomware Attack

Source: Info Security

A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed. Read more.

emotet trojan

DRBControl Espionage Operation Hits Gambling, Betting Companies

Source: Bleeping Computer

An advanced threat actor has been targeting gambling and betting companies in multiple regions of the globe with malware that links to two Chinese hacker groups. Read more.

smishing

Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1

Source: Bleeping Computer

In 2019, Black Banshee launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations. Read more.

smishing

The challenges of cyber research and vulnerability disclosure for connected healthcare devices

Source: HelpNetSecurity

CyberMDX gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. Read more.

smishing

Malware Analysis Report (AR20-045G)
MAR-10135536-8.v4 – North Korean Trojan: HOPLIGHT

Source: CISA

Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. Read more.

emotet trojan

WordPress botnet deploys anti-adblocker script to make sure its spammy ads are profitable

Source: ZDNet

The threat actor behind the internet’s largest WordPress botnet is using an anti-adblocker script to make sure the ads they inject on hacked sites are showing up in users’ browsers and generating a profit. Read more.

smishing

Uncovering New Magecart Implant Attacking eCommerce

Source: Marco Ramilli

Defending our financial assets is always one of the top priorities in the cybersecurity community but it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Read more.

smishing

PHP’s Labyrinth – Weaponized WordPress Themes & Plugins

Source: Prevailion

Prevailion’s Tailored Intelligence team has followed an active supply chain attack that has been ongoing since late 2017, we named this campaign “PHPs Labyrinth.” Read more.

smishing

44% of Security Threats Start in the Cloud

Source: Dark Reading

Cloud-enabled cyberattacks are ramping up, as indicated in a new Netskope study that found 44% of security threats use cloud services in various stages of the kill chain. Read more.