Weekly Threat Briefing: Malware Analysis Report – A New Variant of Ursnif Banking Trojan Served by the Necurs Botnet Hits Italy

The intelligence in this week’s iteration discuss the following threats: Botnet, Banking trojan, Credential theft, Cyberespionage, Data leak, Malicious applications, Phishing, Ransomware, RAT, Spear phishing, Targeted attacks, Threat group, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="http://csecybsec.com/download/zlab/20180621_CSE_Ursnif-Necurs_report.pdf" target="_blank">Malware Analysis Report: A New Variant of Ursnif Banking Trojan Served by the Necurs Botnet Hits Italy</a> (June 25, 2018) CSE CybSec ZLab researchers have found that threat actors behind the “Ursnif” banking trojan, known for targeting companies around the world, have begun targeting Italian companies. The actors are distributing a Microsoft Word document with a malicious macro that, if enabled to “properly view content,” will begin the infection process for Ursnif. Ursnif is capable of stealing user credentials for cloud storage, cryptocurrency exchange platforms, e-commerce websites, and local webmail. <a href="https://forum.anomali.com/t/malware-analysis-report-a-new-variant-of-ursnif-banking-trojan-served-by-the-necurs-botnet-hits-italy/2611" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/thousands-of-apps-leak-sensitive-data-via-misconfigured-firebase-backends/" target="_blank">Thousands Of Apps Leak Sensitive Data Via Misconfigured Firebase Backends</a> (June 23, 2018) Mobile security company, Appthority, discovered that thousands of Android and iOS applications are exposing 113 GBs of user data through at least 2,271 misconfigured Firebase databases. Firebase is a Google-owned Backend-as-a-Service that provides a variety of services to mobile- and web-based application developers. Appthority found that applications that were connected to Firebase-based JSON URLs could allow an unauthorized third-party to view all the application’s data. Over 3,000 applications of the 28,000 that use Firebase backends saved their data to misconfigured Firebase databases that could allow anyone the ability to view their content. This has exposed over 100 million user data records. Many of the Android applications have been downloaded more than 600 million times from Google Play, suggesting that popular applications are amongst those running with the misconfigured and vulnerable backends. Google has been notified of the issue in Firebase, but it is uncertain when a fix will be released. <a href="https://forum.anomali.com/t/thousands-of-apps-leak-sensitive-data-via-misconfigured-firebase-backends/2612" target="_blank">Click here for Anomali recommendation</a><a href="https://cyware.com/news/ransomhack-cybercriminals-already-using-gdpr-to-blackmail-businesses-in-new-extortion-scheme-7d92e871/" target="_blank">Ransomhack: Cybercriminals already using GDPR to blackmail businesses in new extortion scheme</a> (June 22, 2018) Threat actors have begun to utilize the General Data Protection Regulation (GDPR) in their most recent efforts to extort businesses out of money. Since many organizations are quickly trying to fit their privacy policies to be in compliance with the new EU-based law, actors are now taking advantage of the GDPR’s substantial fines to extort money. This new method of attack has been coined “ransomhack” and it differs from other ransomware attacks because it does not encrypt an organization’s files or hold data hostage, but instead threatens to release customers’ private data to the public unless the stated ransom is paid. As of this writing, primarily medium and large-sized Bulgarian companies have been targeted, though this could expand to other countries. Hackers are requesting anywhere from $1,000 to $20,000 USD. The ransom is significantly less than the fine a company could be forced to pay on top of other sanctions from the EU for failing to properly adhere to the GDPR. Researchers believe that companies will be more inclined to pay these ransoms quietly so they do not face severe fines and legal action. With the GDPR still being fairly new, many organizations are likely to be susceptible to this new form of cyber-extortion attack. <a href="http://ttps://forum.anomali.com/t/ransomhack-cybercriminals-already-using-gdpr-to-blackmail-businesses-in-new-extortion-scheme/2613" target="_blank">Click here for Anomali recommendation</a><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/" target="_blank">Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems</a> (June 22, 2018) The cyberespionage group “Tick,” which primarily targets companies in Japan and the Republic of Korea, has been identified targeting a secure USB drive created by a South Korean defense company. Palo Alto Networks Unit 42 researchers found that the group has weaponized this USB drive model to make it host a malicious file. In addition, researchers found that this campaign only affects Microsoft Windows XP and Windows Server 2003. The Tick group created a custom malware, dubbed “SymonLoader,” that somehow gets on older Windows systems and continuously looks for these specific USBs. Researchers note that this campaign is not currently active and that it is likely that these attacks took place multiple years ago. <a href="https://forum.anomali.com/t/tick-group-weaponized-secure-usb-drives-to-target-air-gapped-critical-systems/2614" target="_blank">Click here for Anomali recommendation</a><a href="https://www.theregister.co.uk/2018/06/21/wannacry_is_back_except_its_not/" target="_blank">WannaCry Is Back! (Psych. It's Just Phisher Folk Doing What They Do)</a> (June 21, 2018) A slew of phishing emails have come out that warned recipients that all of their devices had been infected with the “WannaCry” malware. Most recipients were based in the U.K. The email warned of a “super virus” that could run on any operating system (Windows, Linux, Mac iOS, etc.) and bypass antivirus software detection. The email then threatened to delete all user data on the device unless a 0.1 Bitcoin payment (approximately $650 USD) was sent to the actors by 17:00 June 22, 2018. Researchers have stated there actually is no infection, and that this campaign is actually a fear-mongering phishing scam. <a href="https://forum.anomali.com/t/wannacry-is-back-psych-its-just-phisher-folk-doing-what-they-do/2615" target="_blank">Click here for Anomali recommendation</a><a href="https://www.darkreading.com/iot/four-new-vulnerabilities-in-phoenix-contact-industrial-switches/d/d-id/1332121" target="_blank">Four New Vulnerabilities in Phoenix Contact Industrial Switches</a> (June 21, 2018) Phoenix Contact, a Germany-based industrial manufacturer, has reported that four vulnerabilities in their “FL SWITCH” industrial line have been discovered by Positive Technologies researchers. The devices affected are used for automated processes at digital substations, oil and gas, maritime, and other industrial applications. Two of the vulnerabilities could allow actors to run code on a switch (CVE-2018-10730 and CVE-2018-10731). The third vulnerability (CVE-2018-10728) allows a buffer overload to be implemented which would then cause a system to be vulnerable to the web or a DoS attack. The final vulnerability (CVE-2018-10729) would allow an unauthorized user to read the contents of the switch configuration file. This affects FL SWITCH models 3xxx, 4xxx, and 48xxx running on firmware 1.0-1.33. <a href="https://forum.anomali.com/t/four-new-vulnerabilities-in-phoenix-contact-industrial-switches/2616" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/drupal-vulnerability-cve-2018-7602-exploited-to-deliver-monero-mining-malware/" target="_blank">Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware</a> (June 21, 2018) Trend Micro researchers have discovered attacks targeting “Drupal” content management framework websites exploiting a remote code execution vulnerability registered as “CVE-2018-7602.” The vulnerability affects multiple subsystems in Drupal 7.x and 8.x and is being exploited to turn the infected system into a “Monero” cryptocurrency-mining bot. Threat actors are exploiting the vulnerability to install the open source miner “XMRig” on affected systems. <a href="https://forum.anomali.com/t/drupal-vulnerability-cve-2018-7602-exploited-to-deliver-monero-mining-malware/2617" target="_blank">Click here for Anomali recommendation</a><a href="https://www.alienvault.com/blogs/labs-research/gzipde-an-encrypted-downloader-serving-metasploit?utm_medium=Social&utm_source=THN&utm_content=SP&utm_campaign=GZipDE_blog" target="_blank">GZipDe: An Encrypted Downloader Serving Metasploit</a> (June 20, 2018) AlienVault Labs has published a report discussing a new multistage infection currently targeting the Middle East. The infection process begins via a distribution of a malicious Microsoft Office Word document regarding a possible Afghanistan peace process. The document asks for permission to “enable content.” If this is allowed, the computer is then infected with Macro malware that ultimately results in a “Metasploit” backdoor being installed on to a user’s computer. The Metasploit module contains a shellcode that helps the backdoor bypass antivirus security systems to remain hidden. This type of backdoor is common in targeted attacks by actors and can allow an actor to transmit other payloads to gain elevated privileges on a machine and move within the local network. <a href="https://forum.anomali.com/t/gzipde-an-encrypted-downloader-serving-metasploit/2618" target="_blank">Click here for Anomali recommendation</a><a href="https://www.us-cert.gov/ncas/current-activity/2018/06/20/Cisco-Releases-Security-Updates-Multiple-Products" target="_blank">Cisco Releases Security Updates for Multiple Products</a> (June 20, 2018) The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding multiple vulnerabilities that affect various Cisco products. Overall, 24 Cisco products are affected with a vulnerability. The vulnerabilities range from arbitrary code execution, arbitrary command injection, denial of service, and privilege escalation, among others. <a href="https://forum.anomali.com/t/cisco-releases-security-updates-for-multiple-products/2619" target="_blank">Click here for Anomali recommendation</a><a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-urlzone-malware-campaigns-targeting-japan.html" target="_blank">Threat Spotlight: URLZone Malware Campaigns Targeting Japan</a> (June 20, 2018) A phishing campaign has been found to be distributing the “URLZone” malware, which was first identified in 2009 as a banking trojan but now has other malicious capabilities, according to Cylance researchers. The phishing campaign is primarily targeting Japanese companies and is attempting to infect recipients via macro code from a “corrupt” Microsoft Office documents. URLZone will begin its infection process if macros are enabled. The malware checks the infected machine’s information and is capable of using process hollowing techniques and downloading additional malware such as the “Cutwail” and “Ursnif” trojans. The actors behind this campaign mention legitimate company names in URLZone’s executables files such as Dropbox, LiteManagerTeam, and Zoom Communications in efforts to confuse researchers. <a href="https://forum.anomali.com/t/threat-spotlight-urlzone-malware-campaigns-targeting-japan/2620" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.sucuri.net/2018/06/magento-credit-card-stealer-reinfector.html" target="_blank">Magento Login and Credentials Stealer</a> (June 19, 2018) The popularity of the “Magneto” open-source software makes it a target-of-interest for threat actors attempting to harvest credit cards, logins, and PayPal credentials. Many actors have exploited vulnerabilities in the software itself or via add-ons running on a website. However, there are also attacks possible due to weak administrator credentials, which can then be brute forced remotely, and this is a common method of attack by botnets searching the web for admin panels exposed to the internet. Vulnerabilities in Magento extensions tend to be the main vector for attackers. Third-party extensions that are not audited for security by the Magento community can be susceptible to various attacks, including SQL injection and Cross site scripting (XSS). These vulnerabilities can be leveraged by attackers to compromise customers and the entire website. <a href="https://forum.anomali.com/t/magento-login-and-credentials-stealer/2621" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/" target="_blank">SamSam Ransomware: Controlled Distribution for an Elusive Malware</a> (June 19, 2018) The threat actor(s) behind “SamSam” ransomware has been observed by Malwarebytes Labs researchers to have added some new features to the malware. The ransomware still functions the same as previous versions, however, the way SamSam interacts with new modules that have been incorporated has changed. The new interaction methods were added in attempts for the malware to be more difficult to analyze. This addition indicates that SamSam will continue to be used in targeted attacks contrary to other ransomware that spreads without discretion. <a href="https://forum.anomali.com/t/samsam-ransomware-controlled-distribution-for-an-elusive-malware/2622" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/" target="_blank">FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users</a> (June 19, 2018) An SMS-message campaign is targeting Android users in attempts to infect devices with an information-stealing malware called “FakeSpy,” according to Trend Micro researchers. FakeSpy is distributed via SMS-messages that masquerade as authentic messages from an unnamed Japanese logistics and transportation company that attempts to convince recipients to follow a link. The link directs a user to a malicious webpage on which any click will prompt a user to install an Android Application Package (APK). Installing the APK will result in an infection of FakeSpy. The malware is capable of stealing various forms of information such as account information, call records, and text messages. Furthermore, FakeSpy can also be used as an infection vector for the “LOADGFISH” banking trojan. <a href="https://forum.anomali.com/t/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/2623" target="_blank">Click here for Anomali recommendation</a><a href="https://securelist.com/olympic-destroyer-is-still-alive/86169/" target="_blank">Olympic Destroyer Is Still Alive</a> (June 19, 2018) Kaspersky Lab researchers discovered that the spear phishing campaign “Olympic Destroyer,” which targeted organizations associated to the Winter Olympic Games 2018 in Pyeongchang, South Korea, began a new campaign in May 2018 that continues into June. The recently identified spear phishing campaign was found to distribute malicious Word documents targeting financial organizations in Russia, and biological and chemical laboratories in Europe. The document contains a heavily obfuscated macro that will execute a PowerShell command if enabled in the document. Execution of the PowerShell begins the process that can eventually lead to infection with the open source post-exploitation framework, “PowershellEmpire,” that can grant an actor control over an infected machine. <a href="https://forum.anomali.com/t/olympic-destroyer-is-still-alive/2624" target="_blank">Click here for Anomali recommendation</a><a href="https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" target="_blank">New Telegram-Abusing Android RAT Discovered in the Wild</a> (June 18, 2018) A new Remote Access Tool (RATs) has been identified to be targeting Android devices, according to ESET researchers. The RAT, dubbed “HeroRat,” was observed to be offered for purchase on a specific “Telegram” (messaging application) channel; the malware is offered for sale even though its source code is freely available. HeroRat is distributed via applications in third-party stores themed around free bitcoins, free internet connections, and additional followers on social media. The malware is able to run on all Android versions and is capable of intercepting and sending text messages, making calls, obtaining device location, and recording audio and screen. Researchers note that HeroRat is primarily targeting Android users in Iran. <a href="https://forum.anomali.com/t/new-telegram-abusing-android-rat-discovered-in-the-wild/2625" target="_blank">Click here for Anomali recommendation</a>