September 11, 2018 - Anomali Threat Research

Weekly Threat Briefing: Apple Removes Top Security Tool for Secretly Stealing Data

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT, Data theft, Banking trojan, Malicious applications, Phishing, Social engineering, Targeted attacks, Threat group, </strong>and<strong> Vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://securelist.com/luckymouse-ndisproxy-driver/87914/" target="_blank"><b>LuckyMouse Signs Malicious NDISProxy Driver with Certificate of Chinese IT Company</b></a> (<i>September 10, 2018</i>)<br/> The Advanced Persistent Threat (APT) group “LuckyMouse” (APT27, EmissaryPanda) has been found distributing a previously unknown, in-memory trojan, according to Kaspersky Lab researchers. The malware consists of three modules: a custom C++ installer, a network filtering driver (NDISProxy), and a last-stage C++ trojan functioning as an HTTPS server. The NDISProxy driver was signed with a digital certificate belonging to the Chinese information security software developer “LeagSoft.” The campaign is believed to be distributed via previously compromised networks.<br/> <a href="https://forum.anomali.com/t/luckymouse-signs-malicious-ndisproxy-driver-with-certificate-of-chinese-it-company/2905" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/apple-removes-security-tool/" target="_blank"><b>Apple Removes Top Security Tool for Secretly Stealing Data</b></a> (<i>September 10, 2018</i>)<br/> The top-rated paid utility application on the Mac App Store, “Adware Doctor,” has been removed by Apple after security researchers found that the application was surreptitiously stealing browser data.
The stolen data was observed being sent to AWS servers administered by an individual in China. This discovery is troubling because, prior to its removal from the App Store, Adware Doctor topped the paid utility list with a 4.8-star rating and over 7,000 user reviews.<br/> <a href="https://forum.anomali.com/t/apple-removes-top-security-tool-for-secretly-stealing-data/2906" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2018/09/06/exposed-git-repositories-could-make-around-400000-websites-vulnerable/" target="_blank"><b>Exposed .git Repositories Could Make Around 400,000 Websites Vulnerable</b></a> (<i>September 6, 2018</i>)<br/> Researcher Vladimír Smitka discovered that over 400,000 websites had publicly accessible “.git” folders containing sensitive information. The .git directory should never be publicly reachable. According to Smitka, a site can be tested by opening “&lt;web-site&gt;/.git/” and checking whether the server returns a 403 error; however, Smitka noted that this check produces false positives for some websites (a 403 on the directory listing does not mean the individual files inside it are blocked), and that the correct test is to request the “HEAD” file inside the .git directory. These folders tend to contain information such as database passwords, API keys, and development IDE settings.
Smitka analysed Czech websites first and, in less than two days, found 1,925 Czech websites with accessible .git repositories that exposed both database passwords and unauthenticated uploaders; the global scan found over 400,000 such websites.<br/> <a href="https://forum.anomali.com/t/exposed-git-repositories-could-make-around-400-000-websites-vulnerable/2907" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/" target="_blank"><b>Slicing And Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware</b></a> (<i>September 6, 2018</i>)<br/> Researchers from Palo Alto Networks have discovered a new attack campaign that uses a recently uncovered Adobe Flash Player zero-day exploit, registered as “CVE-2018-5002,” to install a new malware called “CHAINSHOT.” The campaign targets victims in the Middle East, for reasons unknown at the time of this writing. The initial attack vector appears to be a malicious Microsoft Excel spreadsheet that, if opened, triggers the malware installation. The exploit and the shellcode payloads are obfuscated, which makes analysis more difficult. The exploit attempts to gain read-write-execute (RWX) permissions and, if successful, passes execution to the shellcode payload. The shellcode loads a Dynamic Link Library (DLL) called “FirstStageDropper” into the memory of the infected machine and runs two resources: “SecondStageDropper” and an x64 kernel-mode shellcode.
CHAINSHOT collects user system and process information, encrypts it, and sends it to the attacker’s server for future use. The SecondStageDropper.dll acts as a downloader for the final payload, which collects various information from the victim’s system, encrypts it, and sends it to the attacker.<br/> <a href="https://forum.anomali.com/t/slicing-and-dicing-cve-2018-5002-payloads-new-chainshot-malware/2908" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/09/06/small-businesses-targeted-by-highly-localized-ursnif-campaign/" target="_blank"><b>Small Businesses Targeted By Highly Localized Ursnif Campaign</b></a> (<i>September 6, 2018</i>)<br/> Unknown threat actors have begun targeting home users and small businesses in the United States in a newly identified spear phishing campaign that distributes the information-stealing malware “Ursnif.” Ursnif is capable of stealing passwords, sensitive files, and other data. The campaign was found to be very specific, aiming at only 200 targets within particular city areas such as Omaha, NE; St. Louis, MO; Knoxville, TN; Johnson City, TN; and the Virginia area.
The phishing emails pretended to be from a legitimate, well-known business and carried a malicious macro-enabled document that appeared to be a business statement. If the target opens the attachment and enables macros, the document de-obfuscates a PowerShell command that delivers the Ursnif payload.<br/> <a href="https://forum.anomali.com/t/small-businesses-targeted-by-highly-localized-ursnif-campaign/2909" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/83814">PowerShell</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a></p><p><a href="https://www.securityweek.com/british-airways-hacked-details-380000-cards-stolen" target="_blank"><b>British Airways Hacked With Details of 380,000 Cards Stolen</b></a> (<i>August 6, 2018</i>)<br/> The airline British Airways announced that it had suffered a data breach that compromised approximately 380,000 bank cards. The breach affected the personal and financial details of customers who used either the company’s website or its mobile application between August 21 and September 5, 2018. The airline stated that it will contact affected customers and will manage any claims on an individual basis.
The company stated that it had fixed the source of the breach as of this writing.<br/> <a href="https://forum.anomali.com/t/british-airways-hacked-with-details-of-380-000-cards-stolen/2910" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.securityweek.com/goblin-panda-targets-vietnam-again" target="_blank"><b>GOBLIN PANDA Targets Vietnam Again</b></a> (<i>September 5, 2018</i>)<br/> Researchers from CrowdStrike have observed the China-linked Advanced Persistent Threat (APT) group GOBLIN PANDA actively targeting Vietnamese entities again. The campaign uses malicious Microsoft Word documents attached to phishing emails written in Vietnamese. The emails are themed around training materials oriented towards the defense, energy, and government sectors, though there is no explicit reference to Vietnamese government projects or departments. The malicious attachments exploit a Microsoft Office vulnerability, registered as “CVE-2012-0158,” that drops a malware CrowdStrike Falcon Intelligence calls “QCRat” onto the infected machine. The documents use a legitimate executable and a side-loaded Dynamic Link Library (DLL) implant. Configuration files for the malware are stored on the infected machine in “.tlb” files.
The APT group is also believed to be targeting Laos, which it has targeted in the past, though there is no evidence to corroborate this for the new campaign.<br/> <a href="https://forum.anomali.com/t/goblin-panda-targets-vietnam-again/2911" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.group-ib.com/media/silence/" target="_blank"><b>Group-IB Detects APT-attacks on Banks: The Sound of Silence</b></a> (<i>September 5, 2018</i>)<br/> Researchers at Group-IB have uncovered a new threat group, dubbed “Silence,” that is believed to have been active since autumn 2017. This cyber-criminal duo has been seen targeting Russian banks, though it has recently expanded its attacks to other countries, including Azerbaijan, Belarus, Kazakhstan, Poland, and Ukraine. The group is suspected to consist of two members who are new to the cybercriminal arena; based on their capabilities, researchers suspect they once worked in development operations (DevOps) and penetration testing, most likely for a cybersecurity company. They use phishing emails written in Russian to target banks and employ their own self-signed certificates on phishing domains they have registered. They rent servers in the Netherlands and Russia for use as Command and Control (C2) servers. At the time of this writing, the group has made approximately $800,000 USD in illicit profit. The group borrowed a backdoor called “Kikothac” for its first few attacks, but it has since developed its own tools to attack ATMs and card processors: 1.
“Silence,” a framework for infrastructure attacks; 2. “Atmosphere,” a set of software tools for attacks on ATMs; 3. “Farse,” a tool to obtain passwords from a compromised computer; 4. “Cleaner,” a tool to remove logs.<br/> <a href="https://forum.anomali.com/t/group-ib-detects-apt-attacks-on-banks-the-sound-of-silence/2912" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://nakedsecurity.sophos.com/2018/09/05/knock-knock-digital-key-flaw-unlocks-door-control-systems/" target="_blank"><b>Knock, Knock: Digital Key Flaw Unlocks Door Control Systems</b></a> (<i>September 5, 2018</i>)<br/> David Tomaschik from Google discovered a major flaw in products from a popular Radio-Frequency Identification (RFID) door lock provider, Software House. Two of the vulnerable devices are iStar Ultra, a Linux-based controller that supports hardwired and wireless locks, and the IP-ACM Ethernet Door Module, a door controller that communicates with iStar. The devices use encryption to protect their network communications, but Software House rolled its own cryptography rather than using available, tested encryption. The devices send a hard-coded encryption key over the network and use a fixed initialization vector (IV), the cryptographic input that is supposed to make each encrypted message unique. Messages are not digitally signed, so a threat actor could send their own message to the controller under the guise of a legitimate device and open the door. A threat actor needs only access to the IP network used by the devices to send the fake messages and get through the doors.
Once Software House was made aware of the issue, it patched the flaw and released a software update for the devices; however, the update is not a complete fix, because the original IP-ACM units do not have enough memory for the new firmware and so remain vulnerable. Many version 1 devices are still deployed, so this remains a persistent threat to organizations that use them.<br/> <a href="https://forum.anomali.com/t/knock-knock-digital-key-flaw-unlocks-door-control-systems/2913" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2018/09/04/magentocore-malware-has-infected-thousands-of-e-commerce-websites/" target="_blank"><b>MagentoCore Malware Has Infected Thousands Of E-Commerce Websites</b></a> (<i>September 4, 2018</i>)<br/> Dutch security researcher Willem de Groot discovered that e-commerce websites running Magento software have been infected with payment-skimming malware that has already stolen thousands from users. The malware, dubbed “MagentoCore,” has been installed on more than 7,339 online stores in the last six months and is reaching more than 50 new websites per day. The threat actors brute-force the administrative password for the Magento Admin panel and, once access is obtained, inject malicious code into the site’s HTML that logs the keystrokes of all users who visit that website, capturing data such as usernames, passwords, credit card information, and personal details.
Approximately 4.2% of the infected websites have already been seen leaking customer information to the unknown threat actors, and this figure is expected to grow.<br/> <a href="https://forum.anomali.com/t/magentocore-malware-has-infected-thousands-of-e-commerce-websites/2914" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a></p><p><a href="https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" target="_blank"><b>CamuBot: New Financial Malware Targets Brazilian Banking Customers</b></a> (<i>September 4, 2018</i>)<br/> Researchers at IBM X-Force have discovered a new financial malware, dubbed “CamuBot,” that targets Brazilian banks by socially engineering their business banking customers. The malware disguises itself as a security module required by the targeted bank. Unlike other malware, CamuBot does not attempt to hide itself; instead it uses the bank’s logos and brand images to appear legitimate. The threat actors first use social engineering, mainly phishing phone calls, to reach people at businesses who are likely to hold the credentials to the organisation’s bank account. The callers claim to be from the bank and direct the victim to a specific URL to check whether their security module is up to date. Seeing that it is not, the threat actor advises the target to install the updated security module. The malicious application loads CamuBot onto the victim’s machine, which establishes a Secure Shell (SSH)-based SOCKS proxy on the machine.
This allows the threat actors to tunnel traffic through the infected machine to access the bank accounts. Once the fake application finishes installing, the victim is taken to a phishing site that imitates the bank’s online banking portal, where the threat actor logs the username and password. Even for accounts that use multi-factor authentication, the threat actors can ask the victim on the phone to enable remote access sharing, so the actor can intercept the one-time authentication code. Given the time-consuming reconnaissance and social engineering involved, this campaign is believed to be highly targeted at business account holders in Brazil.<br/> <a href="https://forum.anomali.com/t/camubot-new-financial-malware-targets-brazilian-banking-customers/2915" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&amp;CK] Trusted Relationship (T1199)</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts (T1078)</a> | <a href="https://ui.threatstream.com/ttp/947271">[MITRE ATT&amp;CK] Two-Factor Authentication Interception (T1111)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/" target="_blank"><b>Thousands Of Compromised MikroTik Routers Send Traffic To Attackers</b></a> (<i>September 4, 2018</i>)<br/> Threat actors have started targeting thousands of MikroTik routers in a cryptojacking campaign that exploits a vulnerability registered as “CVE-2018-14847,” for which a patch has been available since April 2018.
This vulnerability affects the Winbox management component of the router and allows a threat actor to bypass authentication and read files on the device. The threat actors modify the compromised routers’ packet sniffing settings so that the devices forward their TaZmen Sniffer Protocol (TZSP) traffic to nine different external IP addresses. The vulnerable devices are infected with “Coinhive,” a browser-based cryptomining script. The compromised devices are located in Brazil, India, Iran, Russia, and Ukraine.<br/> <a href="https://forum.anomali.com/t/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/2916" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/new-hakai-iot-botnet-takes-aim-at-d-link-huawei-and-realtek-routers/" target="_blank"><b>New Hakai IoT Botnet Takes Aim At D-Link, Huawei, And Realtek Routers</b></a> (<i>September 3, 2018</i>)<br/> A new Internet of Things (IoT) botnet has been discovered by security researchers from NewSky Security. The botnet uses a malware dubbed “Hakai” that is based on the Qbot IoT malware. It initially exploited Huawei HG352 routers via a remote code execution vulnerability registered as “CVE-2017-17215.” The Hakai botnet has also been observed targeting D-Link routers that support the Home Network Administration Protocol (HNAP) and Realtek devices running an unpatched version of the Realtek SDK. The Hakai malware also exploits users who keep the default password on their IoT device or use simple passwords that are easily brute-forced.
Since its discovery in June 2018, the botnet has evolved rapidly, exploiting several additional vulnerabilities and many different types of devices. It has been extremely active in Latin America.<br/> <a href="https://forum.anomali.com/t/new-hakai-iot-botnet-takes-aim-at-d-link-huawei-and-realtek-routers/2917" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/banking-trojans-and-shady-apps-galore-in-google-play/" target="_blank"><b>Banking Trojans and Shady Apps Galore In Google Play</b></a> (<i>September 3, 2018</i>)<br/> Security researcher Lukas Stefanko from ESET discovered several malicious applications in Google Play containing banking trojans. Several were disguised as astrology horoscope applications. The trojans inside the applications were capable of stealing the user’s text and call logs, sending text messages in the user’s name, downloading and installing applications without the user’s consent, and stealing banking credentials. This is not the first recent instance of seemingly benign applications acting as banking trojans. Security researcher Nikolaos Chrysaidos discovered five banking trojans in the official Google Play store that were posing as device performance improvement applications. Malicious applications have also taken the guise of VPN services, memory extensions, and other utilities while actually tracking a user’s location, installing adware, spyware, or malware, and stealing credentials.
Many of these applications had thousands of downloads each before Google Play removed them.<br/> <a href="https://forum.anomali.com/t/banking-trojans-and-shady-apps-galore-in-google-play/2918" target="_blank">Click here for Anomali recommendation</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a> Additional information regarding the threats discussed in this week’s Community Threat Briefing can be found below:</p></div><div id="threat_model"><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/46" target="_blank">Emissary Panda</a><br/> EMISSARY PANDA is an adversary with a suspected nexus to the People’s Republic of China (PRC). This adversary frequently leverages strategic web compromises (SWC) as well as spear phishing campaigns to infect targets. EMISSARY PANDA uses the well-known remote access tool (RAT) PlugX as well as a number of post-exploitation tools in operations. Based on the SWC sites chosen and the themes of the spear phishing emails, organizations in the government, diplomatic, defense, aerospace, and manufacturing sectors appear to be of particular interest to this adversary.</div><div><a href="https://ui.threatstream.com/actor/48" target="_blank">Goblin Panda</a><br/> CrowdStrike first observed GOBLIN PANDA activity in September 2013, when indicators of its activity were discovered on the network of a technology company operating in multiple sectors.
Malware variants primarily used by this actor include PlugX and HttpTunnel. This actor focuses a significant amount of its targeting on entities in Southeast Asia, particularly Vietnam. Heavy activity was observed in the late spring and early summer of 2014, when tensions between China and other Southeast Asian nations were high due to conflict over territory in the South China Sea. GOBLIN PANDA targets have been primarily observed in the defense, energy, and government sectors.</div></div></div></div>
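The exposed-.git check described in the Trending Threats item above, written out as an added example for verifying your own deployments (this is not code from the briefing or from Smitka's research). It encodes the point the item makes: a 403 on the `/.git/` directory is not proof that the repository is blocked, so the verdict is based only on whether `/.git/HEAD` comes back with a body that parses as a real git HEAD file. The User-Agent string and the "verdict" labels are this example's own choices.

```python
"""Check whether a web site you operate exposes its .git metadata.

Added example (not from the original briefing). Implements the test the
.git item describes: request "<web-site>/.git/HEAD" and decide by the body,
not by the status of the "/.git/" directory listing.
"""
import re
import urllib.error
import urllib.request

# A genuine HEAD file is either a symbolic ref ("ref: refs/heads/main")
# or, for a detached HEAD, a bare 40-hex-character SHA-1.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")


def naive_directory_check(status):
    """The shortcut the article warns about: reading a 403 on "/.git/" as safe.

    Many servers forbid directory listings while still serving the files
    inside, so "blocked" here is exactly the false positive Smitka noted.
    """
    return "blocked" if status == 403 else "exposed"


def classify_git_head(status, body):
    """Classify a response to GET /.git/HEAD.

    Returns 'exposed', 'blocked', 'not_found' or 'inconclusive'. A 200 whose
    body is not a HEAD file (e.g. a catch-all index page served for every
    path) is 'inconclusive' rather than 'exposed'.
    """
    if status == 200:
        return "exposed" if HEAD_RE.match(body.strip()) else "inconclusive"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not_found"
    return "inconclusive"  # 5xx, redirects we did not follow, network errors


def fetch(url, timeout=5):
    """GET url and return (status, first 1 KB of body); never raises on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(1024).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def check_site(base_url):
    """Run the HEAD-file test against one site and return the verdict."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/.git/HEAD")
    return {"site": base, "status": status, "verdict": classify_git_head(status, body)}


if __name__ == "__main__":
    import sys

    for site in sys.argv[1:]:
        print(check_site(site))
```

Run it with the base URLs of your own sites as arguments; any "exposed" verdict means the web server is serving the repository and the `.git` directory should be removed from the document root or denied in the server configuration.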
