Weekly Threat Briefing: New GnatSpy Mobile Malware Family Discovered

This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: ATM-theft, Data leak, Malspam, Mobile malware, Phishing, Targeted attacks, Threat group, underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://securelist.com/jack-of-all-trades/83470/" target="_blank">Jack of All Trades</a> (December 18, 2017) A new mobile malware is targeting Android devices, according to Kaspersky Lab researchers. The malware, called “Loapi,” is being called a “jack of all trades” malware because of the numerous malicious capabilities that have been observed. The modular architecture of the malware allows it to perform different malicious actions such as advertisements, Distributed Denial-of-Service (DDoS) attacks, mine cryptocurrency, send SMS messages, and subscribe to paid services, among others. Researchers note that the modular architecture could allow the actors behind the malware to add new features at any time. The malware was observed to impersonate antivirus and adult-related applications. <a href="https://forum.anomali.com/t/jack-of-all-trades/" target="_blank">Click here for Anomali Recommendation</a><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/" target="_blank">New GnatSpy Mobile Malware Family Discovered</a> (December 18, 2017) In early 2017, researchers discovered that a threat group, dubbed “Two-tailed Scorpion/APT-C-23,” was targeting Middle Eastern organizations with the “Vamp” and later on “FrozenCell” malware. Now Trend Micro researchers have discovered a new mobile malware family, dubbed “GnatSpy,” that is believed to be a new variant of “Vamp.” As of this writing, researchers do not know how the threat group is distributing the malware to Android devices. However, it is possible that the actors sent them directly to said devices; researchers note the distribution method is in question because few Android applications were found to contain GnatSpy. The complexity of GnatSpy indicated that the group is increasing their malicious engineering efforts to steal information from Android devices. <a href="https://forum.anomali.com/t/new-gnatspy-mobile-malware-family-discovered/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/new-gnatspy-mobile-malware-family-discovered/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/new-gnatspy-mobile-malware-family-discovered/" target="_blank"> Recommendation</a><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" target="_blank">Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks</a> (December 15, 2017) Microsoft has released an Office update that disables the Dynamic Data Exchange (DDE) protocol in Word applications as part of December’s Patch Tuesday. The DDE feature allows an Office application to load data from other applications. DDE has been used by threat actors to distribute malware, and this update is Microsoft’s attempt to help mitigate such malicious activity. <a href="https://forum.anomali.com/t/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" target="_blank"> Recommendation</a><a href="http://www.malware-traffic-analysis.net/2017/12/14/index.html" target="_blank">Ngay Campaign Rig EK Pushes Quant Loader & Monero CPU Miner</a> (December 14, 2017) Nao-sec researchers discovered a drive-by download attack campaign, dubbed “ngay,” that appears to be targeting Vietnamese-speaking individuals. The actors behind this campaign previously used drive-by download attacks to redirect website visitors to the “Disdain” Exploit Kit (EK). Researcher identified that this campaign is now using the “RIG” EK to distribute the “Quant” loader malware and a “Monero” cryptocurrency miner. <a href="https://forum.anomali.com/t/ngay-campaign-rig-ek-pushes-quant-loader-monero-cpu-miner/" target="_blank">Click here for Anomali Recommendation</a><a href="https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" target="_blank">Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure</a> (December 14, 2017) While responding to a security incident, FireEye Mandiant researchers discovered that an unnamed company was infected with an attack framework malware called “TRITON.” The malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers. Researchers state that TRITON is one of the publicly identified malwares that target Industrial Control Systems (ICS) and is consistent with the “Stuxnet” and “Industroyer” malware. The malware was found on a SIS workstation that ran the Microsoft Windows operating system while impersonating the authentic Triconex Trilog application. <a href="https://forum.anomali.com/t/attackers-deploy-new-ics-attack-framework-triton-and-cause-operational-disruption-to-critical-infrastructure/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/attackers-deploy-new-ics-attack-framework-triton-and-cause-operational-disruption-to-critical-infrastructure/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/attackers-deploy-new-ics-attack-framework-triton-and-cause-operational-disruption-to-critical-infrastructure/" target="_blank"> Recommendation</a><a href="https://www.us-cert.gov/ncas/current-activity/2017/12/13/Apple-Releases-Security-Updates-iOS-and-tvOS" target="_blank">Apple Releases Security Updates</a> (December 13, 2017) The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in multiple Apple products. The vulnerabilities could be exploited by a remote threat actor to alter the application state iOS and tvOS. Apple’s iCloud for Windows 7.2 is vulnerable to an actor on a privileged network position tracking a user on the same network. <a href="https://forum.anomali.com/t/apple-releases-security-updates/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/apple-releases-security-updates/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/apple-releases-security-updates/" target="_blank"> Recommendation</a><a href="https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/" target="_blank">WORK Cryptomix Ransomware Variant Released</a> (December 13, 2017) A new variant of the “Cryptomix” ransomware, dubbed “WORK” because of the .WORK extension appending of the malware, has been discovered in the wild, according to BleepingComputer researchers. This new variant uses the same encryption methods as previous Cryptomix versions, with the change coming in the form of .WORK appended to encrypted files and new emails to contact for the decryption key. While the distribution method of this ransomware has not been reported, malspam is often a common method to distribute malware. <a href="https://forum.anomali.com/t/work-cryptomix-ransomware-variant-released/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/work-cryptomix-ransomware-variant-released/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/work-cryptomix-ransomware-variant-released/" target="_blank"> Recommendation</a><a href="https://robotattack.org/" target="_blank">The ROBOT Attack</a> (December 12, 2017) A vulnerability first identified in 1998 by researcher Daniel Bleichenbacher, dubbed “Return Of Bleichenbacher’s Oracle Threat (ROBOT), has resurfaced, according to researchers Hanno Böck and Craig Young. Other researchers believe that this vulnerability is in fact the original “Padding Oracle Attack.” Daniel Bleichenbacher discovered that “the error messages given by SSL server for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.” This vulnerability could allow a threat actor to record Internet traffic and later decrypt it against a vulnerable host that only supports RSA encryption. Researchers found that 27 of the top 100 domains, ranked by Alexa, had vulnerable subdomains. <a href="https://forum.anomali.com/t/the-robot-attack/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/the-robot-attack/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/the-robot-attack/" target="_blank"> Recommendation</a><a href="http://www.securityweek.com/database-14-billion-credentials-found-dark-web" target="_blank">Database of 1.4 Billion Credentials Found on Dark Web</a> (December 11, 2017) 4iQ researchers have discovered a large, interactive database that contains an aggregated list of compromised credentials from approximately 252 previous breaches. The discovery was made on December 5, 2017. The total amount of advertised data consists of usernames and associated, clear text passwords is 1,400,533,869. The structure of the database makes it simply for anyone to download and interact with it, and the search feature is fast enough to return a result in one second. After additional analysis on the data, researchers found that the number of compromised credentials is less because not all of the usernames are listed with an associated password. While some sources state that the data was located on underground forums, and this is likely, the data was also found on open source locations such as “Reddit.” <a href="https://forum.anomali.com/t/database-of-1-4-billion-credentials-found-on-dark-web/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/database-of-1-4-billion-credentials-found-on-dark-web/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/database-of-1-4-billion-credentials-found-on-dark-web/" target="_blank"> Recommendation</a><a href="https://www.theregister.co.uk/2017/12/11/mobile_banking_security_research/" target="_blank">Hacker’s Delight: Mobile Bank App Security Flaw Could Have Smacked Millions</a> (December 11, 2017) University of Birmingham researchers have published information regarding vulnerabilities located in popular banking applications. The researchers used a custom tool called “Spinner” to conduct semi-automated security tests on 400 applications that heavily rely on security. Through this testing, it was discovered that many banking applications use a technique called “Certificate Pinning” to improve connection security, but use of this technique made it more difficult for penetration testers to find a more serious vulnerability. Researchers found that the vulnerability located in many popular banking applications was that they did not have a proper hostname verification. This flaw could have allowed a threat actor, on the same network of an individual using an affected application, to conduct Man-in-The-Middle (MiTM) attacks to steal user credentials. <a href="https://forum.anomali.com/t/hacker-s-delight-mobile-bank-app-security-flaw-could-have-smacked-millions/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/hacker-s-delight-mobile-bank-app-security-flaw-could-have-smacked-millions/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/hacker-s-delight-mobile-bank-app-security-flaw-could-have-smacked-millions/" target="_blank"> Recommendation</a><a href="https://www.bleepingcomputer.com/news/security/phishing-attacks-on-bitcoin-wallets-intensify-as-price-goes-higher-and-higher/" target="_blank">Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher</a> (December 11, 2017) With the significant increase in monetary value of the Bitcoin currency, approximately $16,180 USD per bitcoin as of this writing, threat actors are increasing their targeting Bitcoin-related websites and Bitcoin users. In addition to phishing emails, “CheckPhish” researchers also identified five phishing domains targeting the “Blockchain” wallet service. Other security researchers found that the Bitcoin exchange “LocalBitcoins” brand was also used in phishing websites. Threat actors are attempting to steal wallet files and empty accounts of their bitcoins. <a href="https://forum.anomali.com/t/phishing-attacks-on-bitcoin-wallets-intensify-as-price-goes-higher-and-higher/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/phishing-attacks-on-bitcoin-wallets-intensify-as-price-goes-higher-and-higher/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/phishing-attacks-on-bitcoin-wallets-intensify-as-price-goes-higher-and-higher/" target="_blank"> Recommendation</a><a href="https://www.reuters.com/article/us-cyber-banks-atm/hackers-hit-major-atm-network-after-u-s-russian-bank-breaches-report-idUSKBN1E51SZ" target="_blank">Hackers Hit U.S., Russian Banks In ATM Robbery Scam: Report</a> (December 11, 2017) A previously unknown, Russian-speaking threat group, dubbed “MoneyTaker,” is responsible for the theft of approximately $10 million USD from around 18 banks, according to Group-IB researchers. The actors targeted ATMs operated by banks primarily located in the U.S. and Russia. The malicious activity is ongoing and is believed to have begun approximately 18 months ago. Researchers identified that the first attacks took place in the spring of 2016 against banks using the payment technology company “First Data’s” “STAR” network; STAR is a debit card processing and payment network. First Data has stated that “a number” of financial institutions on the STAR network had their credentials for administering debit cards compromised. The actors used custom malware called MoneyTaker, also used for the name of the group, to manipulate payment orders and then use “money mules” to cash out funds from ATMs <a href="https://forum.anomali.com/t/hackers-hit-u-s-russian-banks-in-atm-robbery-scam-report/" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/hackers-hit-u-s-russian-banks-in-atm-robbery-scam-report/" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/hackers-hit-u-s-russian-banks-in-atm-robbery-scam-report/" target="_blank"> Recommendation</a><h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com//tip/7064" target="_blank">Locky Tool Tip</a> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto. Tags: Locky, Ransomware