Weekly Threat Briefing: Hackers Target Payment Transfer System at Chile's Biggest Bank

The intelligence in this week’s iteration discuss the following threats: Adobe Flash Vulnerabilities, InvisiMole, Operation Prowli, PatchWork APT, Ransomware, Sofacy and Zip Slip Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.theregister.co.uk/2018/06/11/chile_bank_wiper_prelude_cyberheaist/" target="_blank">Hackers Target Payment Transfer System at Chile's Biggest Bank</a> (June 11, 2018) Banco de Chile General Manager, Eduardo Ebensperger Orrego, has confirmed that threat actors stole $10 million USD from the country's largest bank. Bank employees identified "unusual transaction" in the bank's Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. Further details discussing how actors manipulated SWIFT transaction have not yet been reported. The financial institution also suffered a breach on May 24, 2018, in which actors infected the bank with ransomware. Researchers believe that the ransomware is likely a variant of the wiper malware"KillDisk." The attack resulted in the bank disabling 9,000 workstations as a mitigation. <a href="https://forum.anomali.com/t/hackers-target-payment-transfer-system-at-chiles-biggest-bank/2561" target="_blank">Click here for Anomali recommendation</a><a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank">Patchwork APT Group Targets US Think Tanks</a> (June 7, 2018) The India based "Patchwork" Advanced Persistent Threat (APT) group, also known as "Dropping Elephant," has been observed targeting United States-based think tanks. The group conducted spear phishing attacks leveraging related themes and typosquatted domains mimicking those of well known U.S. think tank organizations. Patchwork was found to use Rich Text Format (RTF) documents to beacon back to Patchwork controlled command and control servers and to drop the embedded "QuasarRAT" backdoor. The malware is executed using the vulnerability registered as "CVE-2017-8570," using "Packager.dll" to drop an ".sct" file into the "%temp%" directory and using embedded code to execute the backdoor binary. <a href="https://forum.anomali.com/t/patchwork-apt-group-targets-us-think-tanks/2562" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.barkly.com/iqy-file-attack-malware-flawedammyy" target="_blank">IQY Files Used to Evade AV, Download Malware via Excel</a> (June 7, 2018) Threat actors behind the "Necurs" botnet are using Excel Web Query (.iqy) files to download and run malicious scripts via Microsoft Excel and bypass antivirus software. IQY files are simple text based files that are used to download data from a remote source directly into Excel. These files can be used to download a PowerShell script which can be executed. The Necurs botnet is currently using the technique to deliver the "Flawed Ammyy" RAT. <a href="https://forum.anomali.com/t/iqy-files-used-to-evade-av-download-malware-via-excel/2563" target="_blank">Click here for Anomali recommendation</a><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank">InvisiMole: surprisingly equipped spyware, undercover since 2013</a> (June 7, 2018) ESET researchers have discovered a cyber espionage tool, dubbed "InvisiMole," that has been active since at least 2013. The campaign is highly targeted having only infected a few dozen computers, at the time of this writing. It has a modular architecture, many backdoor features and take measures to avoid being detected, allowing it to reside on the target system for as long as possible. The malware supports many features such as activating the microphone, recording webcam, taking screenshots, exfiltrate files, and listing system information. Communication with the command and control servers use a custom HTTP like protocol. <a href="https://forum.anomali.com/t/invisimole-surprisingly-equipped-spyware-undercover-since-2013/2564" target="_blank">Click here for Anomali recommendation</a><a href="https://www.wordfence.com/wp-content/uploads/2018/06/Wordfence-BabaYaga-WhitePaper.pdf" target="_blank">LOL: BabaYaga WordPress Malware Updates Your Site</a> (June 7, 2018) A new version of the malware "BabaYaga" has been spotted targeting WordPress sites. This sort of malware is designed to redirect users to potentially dangerous pages and generate spam links among the search results. Russian-speaking hackers are suspected to be behind this malware. The malware is of interest because it has a few features that lead to persistent infection of the targeted site. This version updates or re-installs the victim's site to maintain functionality so their malware works, as well as scans the site for other competing malware and removes it. This malware injects victim sites with a special keywords to drive SEO traffic to hidden pages on compromised sites which is used to then redirect the user to affiliate marketing sites where, if the user makes a purchase on the site, the attacker will also make a profit. <a href="https://forum.anomali.com/t/lol-babayaga-wordpress-malware-updates-your-site/2565" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/lol-babayaga-wordpress-malware-updates-your-site/2565" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/lol-babayaga-wordpress-malware-updates-your-site/2565" target="_blank"> recommendation</a><a href="https://www.theregister.co.uk/2018/06/07/flash_emergency_patch/" target="_blank">Adobe Flash gets emergency patch for zero-day exploit</a> (June 7, 2018) Adobe has released an emergency update for a security vulnerability in their Flash product. Adobe says that the "Flash Player 30.0.0.113" update should be a top priority to install. The vulnerability affects macOS, Windows and Linux systems. One of the vulnerabilities addressed by the patch, registered as "CVE-2018-5002," is a remote code execution vulnerability caused by a buffer overflow using documents with embedded malicious Flash Player content. It is believed that this vulnerability is currently being exploited by threat actors in the wild to compromise victims machines. <a href="https://forum.anomali.com/t/adobe-flash-gets-emergency-patch-for-zero-day-exploit/2566" target="_blank">Click here for Anomali recommendation</a><a href="https://www.securityweek.com/redeye-ransomware-destroys-files-rewrites-mbr" target="_blank">RedEye' Ransomware Destroys Files, Rewrites MBR</a> (June 7, 2018) A new ransomware has been discovered by the security researcher "Bart Blaze". The ransomware, dubbed "RedEye," was created by the actor known as "iCoreX." The file size is quite large as it contains embedded image and audio files. When executed the malware will play a creepy sound of a child laughing and start overwriting the users files. The victim computer will reboot and will display a changed background and a ransom message claiming that the user's files have been encrypted with 256-Bit AES key. The victim is told to pay 0.1 bitcoins (approximately $6,709.99 USD) for a decryption key to receive files. If the countdown timer expires, or if the user chooses the "Destroy PC" button, the computer will reboot and the Master Boot Record will be replaced, wiping the computer. <a href="https://forum.anomali.com/t/redeye-ransomware-destroys-files-rewrites-mbr/2567" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/redeye-ransomware-destroys-files-rewrites-mbr/2567" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/redeye-ransomware-destroys-files-rewrites-mbr/2567" target="_blank"> recommendation</a><a href="https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" target="_blank">Operation Prowli: Monetizing 40,000 Victim Machines</a> (June 6, 2018) Guardicore Labs researchers have discovered a campaign, dubbed "Operation Prowli," that is targeting a large number or organizations with cryptocurrency miners and traffic manipulation. As of this writing, the campaign has compromised more than 40,000 machines across the world. Multiple platforms are targeted including Content Management Systems (CMS), Digital Subscriber Line (DSL) modems, and Internet of Things (IOT) devices. The first source of revenue is installing Monero cryptocurrency miners, via SSH brute forcing, on targeted systems. The second is traffic monetization fraud. The group generates money by directing traffic to domains owned by the paying entities. The domains commonly host fake browser extensions and scam service websites such as tech support scams. <a href="https://forum.anomali.com/t/operation-prowli-monetizing-40-000-victim-machines/2568" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/malware-infection-at-hr-company-triggers-flurry-of-data-breach-notifications/" target="_blank">Malware Infection at HR Company Triggers Flurry of Data Breach Notifications</a> (June 6, 2018) One of the world's largest human resources providers "PageUp" has suffered a security breach resulting in client data of hundreds of companies being compromised. According to PageUp the breach occurred due to a malware infection on one of its IT systems. The exact type of data stolen is unknown and the exact customers affected is unknown according to PageUp as they state the investigation is in its "early stages." PageUp have also stated that "The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware." <a href="https://forum.anomali.com/t/malware-infection-at-hr-company-triggers-flurry-of-data-breach-notifications/2569" target="_blank">Click here for Anomali recommendation</a><a href="https://nakedsecurity.sophos.com/2018/06/06/the-zip-slip-vulnerability-what-you-need-to-know/" target="_blank">The Zip Slip vulnerability</a> (June 6, 2018) Research by U.K. based security firm Snyk has uncovered a remote code execution vulnerability in implementations of the popular Zip archive format. The vulnerability potentially affects thousands of applications, including ones developed by HP, Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google. Languages affected include JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. It can be exploited via a specially crafted archive that contains directory traversal file names (e.g. ../../evil.sh) and can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. <a href="https://forum.anomali.com/t/the-zip-slip-vulnerability/2570" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" target="_blank">VPNFilter exploits endpoints, targets new devices </a> (June 6, 2018) Cisco's Talos Intelligence group have published further details about the router malware dubbed "VPNFilter." It was initially to affect half a million devices, but only small-office-home-office (SOHO) devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP storage kit. New research shows this ongoing threat also affects devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. "VPNFilter" has a number of capabilities, which includes performing man-in-the-middle (MitM) attacks, packet capture, and destruction of the device. The Man-In-the-iMiddle (MITM) attack facilitates injection of JavaScript code without the user's knowledge, allowing an actor to deliver additional capabilities to endpoints inside a network such as rootkits. Another capability intended to erase evidence of the actor's presence involves overwriting flash memory before deleting all files and folders. The overwriting of flash memory is particularly devastating because it renders the device unusable. The FBI have seized a domain (ToKnowAll.com) and Photobucket user accounts used by the threat actors for C2. The malware also has the ability to receive instructions from incoming TCP connections. The U.S Justice department believe the botnet is the work of the Advanced Persistent Threat (APT) group "Sofacy Group". <a href="https://forum.anomali.com/t/vpnfilter-exploits-endpoints-targets-new-devices/2571" target="_blank">Click here for Anomali recommendation</a><a href="https://www.welivesecurity.com/2018/06/06/fake-fifa-world-cup-themed-lotteries-giveaways/" target="_blank">You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways</a> (June 6, 2018) Researchers from ESET have observed a number of emails leveraging the upcoming FIFA World Cup as a lure to entice people to fall for scams. Fraudsters come up with a large variety of ways to scam people including fake lottery and giveaway campaigns. Emails have been observed attached with PDF or Word documents that detail the targets "winnings" and contact details for the organizers to claim their prize. To boost credibility, the emails have references to official organizations, including logos, seals, and visuals. These scams will collect victims personal information and will often evolve into an "advance-fee" fraud, where targets are asked to pay a fee in order to release their prize money. <a href="https://forum.anomali.com/t/you-have-not-won-a-look-at-fake-fifa-world-cup-themed-lotteries-and-giveaways/2572" target="_blank">Click here for Anomali recommendation</a><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank">Sofacy Group's Parallel Attacks</a> (June 6, 2018) The Advanced Persistent Threat (APT) group known as "Sofacy" (APT28) has been observed targeting a large number of entities in a new campaign distributing their lesser known tool dubbed "Zebrocy," via spear phishing emails. Differing slightly from their typical tactics, where a small number of individuals are targeted, Sofacy has sent the malware to a larger number of individuals to email addresses that are readily available from web search engines. The researchers, from Palo Alto Networks, have also observed Sofacy deliver malware via politically themed documents leveraging a Dynamic Data Exchange (DDE) exploitation technique. The technique is used to execute code on the target machines to download and execute malware. In one case, a document delivered an open-source penetration testing toolkit called Koadic, previously unused by Sofacy. <a href="https://forum.anomali.com/t/sofacy-groups-parallel-attacks/2573" target="_blank">Click here for Anomali recommendation</a><a href="https://www.helpnetsecurity.com/2018/06/06/keyloggers-finance-industry/" target="_blank">Sophisticated keyloggers target the finance industry </a> (June 6, 2018) US-based cyber security company, Lastline has detected a large amount of iSpy malware samples, which appears to be a variant of HawkEye, similar to the trojan malwares Emotet and URSNIF, in various finance-based institutions.. This malware actively extracts installed products' license keys on the victim's computer as well as email, FTP, and website credentials. The malwares Emotet and URSNIF are delivered on Microsoft Office documents, which are also targeting the finance industry specifically. These two specific trojan strains share an evasion module to detect dynamic analysis environments. They use methods like "an-In-the-Middle" (MITM) network sniffing capabilities and hijacking automated transfer payments to infiltrate financial transactions. These three strains have new features like lateral movement, spam capabilities, and the theft of additional credential information which are becoming more frequently seen in new keyloggers. It is key to note that the malware samples contained all four key advanced malware behaviours at a rate 20% higher than the national average. <a href="https://forum.anomali.com/t/sophisticated-keyloggers-target-the-finance-industry/2574" target="_blank">Click here for Anomali recommendation</a><a href="https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/" target="_blank">Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage</a> (June 5, 2018) Israeli-based genealogy and DNA testing website, "MyHeritage," released a statement that a file exists on the Internet containing the email addresses and hashed passwords of 92.3 million users. MyHeritage announced that the DNA data they have is stored in a different IT system separate to that of the emails and user passwords, so that data is supposedly uncompromised. The breach is reported to have occurred on October 26, 2017; any user who joined before that is likely compromised. The site stated that the passwords underwent one-way hashing to make the passwords more difficult to crack as well as they used unique "hash keys" to further secure the passwords. The company said that they are in the process of developing a two-factor authentication option to the site, to allow users to further secure their data. On June 6th, MyHeritage released a statement that they would be putting forth a password reset for all their users, no matter if they were affected or not by the breach. <a href="https://forum.anomali.com/t/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/2575" target="_blank">Click here for Anomali recommendation</a>