Weekly Threat Briefing: Malspam Continues to Push Trickbot Banking Trojan

The intelligence in this week’s iteration discuss the following threats: Adware, APT, Data breach, Data leak, Malspam, Phishing, and Spear phishing. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/" target="_blank">CVE-2017-0199: New Malware Abuses PowerPoint Slide Show </a> (August 14, 2017) Trend Micro researchers have discovered a new phishing campaign that is using a remote code execution vulnerability (CVE-2017-0199). The phishing emails claim to be from a cable manufacturing provider that is seeking a response on whether the recipient can provide supplies listed in the attachment. The attachment is a PowerPoint file that exploits CVE-2017-0199 and runs a malicious payload that impersonates PowerPoint animation features. The actors behind this campaign are dropping the REMCOS remote access trojan (RAT). REMCOS allows the actors to execute remote commands on the infected machine to accomplish further malicious activity. Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from business partners. Tags: Phishing, Vulnerability<a href="http://www.malware-traffic-analysis.net/2017/08/12/index.html" target="_blank">Malspam Continues to Push Trickbot Banking Trojan </a> (August 12, 2017) Researchers report that they are continuing to observe the "Necurs" botnet distribute the "Trickbot" banking trojan via malspam campaigns. The actors behind this campaign have been distributing Trickbot since mid-July and have used a variety of email subjects in attempts to trick recipients into opening malicious file attachments. Other emails from this ongoing campaign are financially-themed and claim that the attachments are payment receipts while others claim to be from various companies regarding reports associated with taxes and other finances. Recommendation: Malspam is a constant threat used by malicious actors who are consistently changing the themes of the messages to trick unsuspecting recipients. Anti-spam and antivirus application provided from trusted vendors should be employed in addition to educating your employees to identify such attempts. Tags: Malspam, Malware<a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank">APT28 Targets Hospitality Sector, Presents Threat to Travelers </a> (August 11, 2017) A new spear phishing campaign has been identified to be targeting the Hospitality Industry. The campaign appears to be conducted by the threat group, "APT28," according to FireEye researchers. Spear phishing emails were discovered in July 2017 and were sent to approximately seven European countries and one in the Middle East. The emails contain malicious attachments that launch macros that infect the recipient with the group's custom malware, " GAMEFISH.” Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts. Tags: APT, APT28, Spear phishing<a href="https://www.helpnetsecurity.com/2017/08/11/mughthesec-mac-adware/" target="_blank">Stealthy Mughthesec: Mac Adware Exposed: What It Does, How to Protect Yourself </a> (August 11, 2017) Security researcher Patrick Wardle has discovered a form of malware dubbed, " Mughthesec," t hat affects macOS. At the time of writing, Mughthesec falls under the category of Potentially Unwanted Program (PUP), but it does have the potential to be modified for more malicious activity. The malware is distributed as a fake disk image of Adobe Flash installer which is capable of detecting if it is being run in a virtual machine. If a virtual machine is detected it will install a legitimate copy of Flash Player. If no virtual machine is detected, Mughthesec will install an adware called " Safe Finder," and a fake " Advanced Mac Cleaner" that charges to fix " problems" detected on a machine. Recommendation: Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Additionally, software and applications should only be downloaded from the company's official website and only from trusted vendors. Tags: Mughthesec, macOS, Adware<a href="https://blog.lookout.com/sonicspy-spyware-threat-technical-research" target="_blank">SonicSpy: Over A Thousand Spyware Apps Discovered, Some in Google Play </a> (August 10, 2017) Approximately 1,000 mobile applications have been identified to contain spyware, according to Lookout researchers. The researchers discovered that the malware belongs to the "SonicSpy" family. The malware is distributed via impersonations of messaging applications. SonicSpy is capable of making outbound calls, recording audio, sending text messages to arbitrary numbers, and taking photos. The malware is capable of stealing various forms of data including call logs, contacts, and information regarding Wi-Fi access points. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software. Tags: SonicSpy, Malware, Mobile<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/oniondog-not-targeted-attack-cyber-drill/" target="_blank">OnionDog is not a Targeted Attack – It's a Cyber Drill </a> (August 9, 2017) The Advanced Persistent Threat (APT) called, "OnionDog," is not actually a threat group, but rather their activity is a "cyber drill," according to Trend Micro researchers. The group, or drill rather, primarily targets South Korean energy and transportation companies and was first identified in 2013, and reported on in 2016. The researchers claim that first glance at the approximate 200 unique samples attributed to the OnionDog attacks they appear to be a "still-significant threat actor group." However, the researchers point to the hardcoded Command and Control (C2) servers (ncsc.go[.]kr) in some of the samples and associated IP addresses as evidence that OnionDog is a drill because the C2 and domains are controlled by the National Cyber Security Center (NCSC) of South Korea. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, how to identify such attempts. Tags: APT, OnionDog<a href="https://www.directdefense.com/harvesting-cb-response-data-leaks-fun-profit/" target="_blank">Harvesting Carbon Black Response Data for Fun and Profit </a> (August 9, 2017) DirectDefense researchers have released a report discussing how the endpoint security company, "Carbon Black," is leaking sensitive information in their Endpoint Detection and Response (EDR) tool. According to DirectDefense, they discovered leaked data from several Fortune 1000 companies that consists of the following: App store keys (allows uploading of fake applications that can be updated in place), communications infrastructure (Box, Dropbox, Slack, etc.), cloud keys, customer data, internal usernames, passwords, and network intelligence, single sign-on and two-factor keys, and proprietary internal applications (custom algorithms, trade secrets). The researchers state that the data will continue to leak with Carbon Black's current architecture layout. Recommendation: Using applications that handle sensitive comes with inherit risk. Therefore, it is important for your company to properly inspect how the data is being handled by applications and software that are being used. Asking the vendor for transparency in how customer data is transported to and stored on the vendor's servers can assist in this process. Tags: Carbon Black, Data leak<a href="http://www.zdnet.com/article/critical-security-bugs-affect-all-windows-versions/" target="_blank">Microsoft Fixes " Critical" Security Bugs Affecting All Versions of Windows </a> (August 8, 2017) Microsoft has patch released patches for 48 vulnerabilities with 25 rated critical, 21 rated important, and two rated moderate that affect Windows 7, 8.1, 10, Server 2008. According to the company, a threat actor would have to deliver a custom created message to the Windows Search service to exploit the remote execution vulnerability. If exploited, an actor would be able to escalate privileges and take control of the affected machine. Recommendation: Your company should always be aware of Patch Tuesday and apply the updates that are provided as soon as possible. Additionally, the updates are often critical as the remote code execution vulnerabilities patched here that can cause damage of loss of reputation for the affected company. Therefore it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available. Tags: Vulnerability, Windows<a href="https://www.bleepingcomputer.com/news/security/adobe-patches-security-holes-in-flash-player-acrobat-and-reader/" target="_blank">Adobe Patches Security Holes in Flash Player, Acrobat, and Reader </a> (August 8, 2017) Adobe has released its monthly security updates for its following products, Adobe Acrobat and Reader, Digital Editions, Experience Manager (enterprise CMS), and Flash Player. The update address numerous vulnerabilities, some of which could allow an attacker execute code, steal sensitive information, or even take control of a vulnerable machine. Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe's case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mediation step to ensure that your company is always using the most recent version. Tags: Vulnerability, Adobe<a href="https://nakedsecurity.sophos.com/2017/08/08/parents-sue-disney-over-breaching-privacy-rules-in-kids-apps/" target="_blank">Parents Sue Disney Over Breaching Privacy Rules in Kids' Apps </a> (August 8, 2017) A federal lawsuit has been filed in California, U.S. against the Walt Disney Corporation for secretly collecting data on mobile applications designed for children. The suit claims that 43 Disney applications embed tracking software that can then "exfiltrate that information off the smart device for advertising and other commercial purposes."Additionally, the 14-page suit goes on to say that Disney uses this data to build online profiles for the users of the 43 applications. Recommendation: The threat of preinstalled features has the ability of hiding from even the most cautious of users. If personal devices are also used for work and potentially used by children with the applications affected by the features mentioned in this story, they should be properly inspected and the unwanted applications removed. Additionally, it is crucial to inspect all privileges that applications request prior to installation from legitimate application stores such as Google Play and the Apple App Store. Tags: Mobile, Tracking software<a href="https://www.upguard.com/breaches/data-leak-pqe" target="_blank">Blackout: Engineering Firm Exposes Critical Infrastructure Data </a> (August 7, 2017) On July 6, 2017, UpGuard's Cyber Risk Team has identified that sensitive information has been exposed by the U.S.-based electrical engineering operator, " Power Quality Engineering" (PQE). The researchers discovered that the data was publicly accessible through any web browser via an open port on the company's server used for remote synchronization. The data consists of infrastructure details associated with multiple entities including Dell, the City of Austin, Oracle, and Texas Instruments (among others). Other data that was noted comprised of a plain text file that listed PQE internal passwords. Recommendation: Your company should maintain policies regarding user access control to restrict who can access what data. Furthermore, do not make the service publicly available until it has been secured properly. Tags: Data leak, Misconfigured server<a href="https://www.databreaches.net/hbo-hackers-dump-game-of-throne-scripts-another-episode-and-confidential-corporate-files/" target="_blank">HBO Hackers Dump Game of Thrones Scripts, Another Episode, and Confidential Corporate Files </a> (August 7, 2017) The threat actors who revealed that they had compromised the television network, HBO, on July 30, 2017, have revealed more of the stolen data. The spokesperson for the group, "Mr Smith," sent a video letter to the chief executive of HBO, Richard Plepler, stating how this is the second wave of information that has been released. Additionally, Mr Smith also appears to have sent a ransom note demanding a payment to prevent further leaking of sensitive information. The information includes administrator passwords, contracts, draft scripts for Game of Thrones' episodes, and litigation claims. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Additionally, password should not be stored in unencrypted documents and the user of password managers can assist in protecting login credentials. Tags: Breach, Data leak, Ransom<a href="https://blog.malwarebytes.com/cybercrime/2017/08/apple-phish-summary-report-statement/" target="_blank">Apple Phish: Summary Report Statement </a> (August 7, 2017) Malwarebytes researchers have discovered a phishing campaign that is targeting Apple users. The actors behind the campaign are attempting to trick recipients into following a link that leads them to a fake website that imitates Apple's support website by adding "RE:" to the phishing email title. This tactic is used in attempts to trick the recipient into thinking that an interaction has already taken place. If recipients follow the link, they are presented with a fake page that requests that Apple credentials be entered. Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link that then asks for credentials to be entered is often an indicator of a phishing attack. Tags: Phishing, Malware<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial</a>.<a href="https://ui.threatstream.com/tip/7064" target="_blank">Locky Tool Tip</a> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto. Tags: Locky, Ransomware