I sometimes jokingly refer to Virus Bulletin as ‘the oldest threat intelligence company’. In the early editions of Virus Bulletin (pdf) one could find an overview of all the known ‘IBM PC’ and ‘Apple Macintosh’ viruses, together with byte sequences that could be used to identify those viruses – indicators of compromise (IOCs) long before the term was coined.

I was reminded of this as we packed the 30-year-old Virus Bulletin archives into boxes ready for them to be moved last week to our new business premises, a bit further south in Oxfordshire (UK). Because VB operates online, you probably won’t have noticed any change from this move, but behind the scenes the team has worked hard on this ‘upgrade’ and is continuing to work hard towards the next phase when our lab will also move to a new location.
 
A different reminder that there is more to life than security research was the news that researcher Yonathan Klijnsma, who recently spoke at VB2019 and whose work is regularly cited in these newsletters, was recently diagnosed with cancer. Friends of Yonathan have set up a GoFundMe campaign to help him cover medical expenses. We, of course, wish Yonathan all the best as he goes through the long treatment and recovery process.
 
Martijn Grooten
Editor, Virus Bulletin
 
For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines.
 
Today, we released the recordings of two more VB2019 presentations. LINE security engineer HeungSoo Kang gave a talk in which he discussed how his company had been the target of a macOS malware attack using two Firefox zero-days that had also targeted Coinbase, while Check Point researchers Aseel Kayal and Lotem Finkelstein presented a paper detailing an Iranian operation they named 'Domestic Kitten' that used Android apps for targeted surveillance.
 
 
APT33 is an Iranian APT group best known for the destructive Shamoon malware as well as more traditional cyber-espionage attempts. Now, researchers at Trend Micro have uncovered both a complex proxy network used by the group to hide its various activities and several mini-botnets, each consisting of up to a dozen computers, used to gain persistence within the networks of selected targets.
 
Last Tuesday, Microsoft released its monthly security patches. There were 74 vulnerabilities patched this month and, as always, the SANS Internet Storm Center has a good overview. One vulnerability had already been exploited in the wild: CVE-2019-1429 is a remote code execution flaw in Internet Explorer’s scripting engine. Also of note is CVE-2019-1457, which affects Microsoft Office for macOS. First reported by researchers at Outflank and later analysed by Patrick Wardle, this now patched vulnerability would allow certain macros in the ancient SYLK file format to be executed automatically and, ironically, did so when macros had been ‘disabled without notification’.
 
Intezer and IBM X-Force have published a piece of joint research on the PureLocker targeted ransomware. The ransomware is written in the relatively uncommon PureBasic language and targets both Windows and Linux servers. Those operating the malware don’t give details of a specific ransom to be paid but instead urge victims to contact them on a ProtonMail email address that is unique for each victim. PureLocker is sold through a ransomware-as-a-service scheme and, due to similarities in the code, the researchers believe it may have been written by the group that wrote the more_eggs backdoor, used by some prominent cybercrime groups.
 
PerimeterX’s Kenji Yamamoto has analysed two new carding bots that monetise stolen credit card details in bulk by making many purchases. One of the bots, named ‘Canary’, slowly rolls out changes until it has found a successful configuration, which is then rolled out to all bots and used against e-commerce platforms. The other bot is called ‘Shortcut’ and, true to its name, it avoids the e-commerce sites altogether and uses an API to interact directly with the third-party trading platforms.
 
Proofpoint writes about a new threat actor that it calls TA2101 and that has been targeting organisations in Germany, Italy and the United States with malware-laden emails that impersonate tax authorities and other government agencies. It has used the publicly available Cobalt Strike platform, popular with both cybercriminals and APT actors, and has also served the Maze ransomware and the IcedID banking trojan. The campaign targeting Italian users and delivering Maze was previously analysed by Bleeping Computer.
 
‘FakeAdsBlocker’ is Android malware that, according to an analysis by Malwarebytes’ Nathan Collier, has been found on more than 500 devices and which, as the name suggests, poses as an adblocker. It does the exact opposite: after using social engineering to obtain the required permissions, the malware hides itself while serving more ads to the user.
 
As part of the Cyber Threat Alliance’s ‘adversary playbook’ series, Fortinet researchers published a playbook on the infamous Emotet trojan. In it, they start with one recent Word attachment and then look at the global list of servers that were or could be contacted, highlighting the global nature of Emotet. For more technical details on Emotet we recommend the VB2019 paper and accompanying presentation by Sophos researcher Luca Nagy.
 
 
It is not uncommon for a single downloader to be able to download different payloads, for example based on the location of the infected user, but Fortinet researchers Chris Navarrete and Xiaopeng Zhang have analysed a malicious piece of JavaScript that would eventually download both RevengeRAT and WSHRAT, two pieces of crimeware.
 
Though exploit kits have been thriving recently, ZScaler researcher Gayathri Anbalagan reminds us of another popular way for compromised websites to spread malware: through fake updates. She analyses how this social engineering technique is used to get users to install the NetSupport RAT while making them believe they are installing updates for either a font or Flash Player.
 
Living-off-the-land tactics, which abuse legitimate system binaries (LoLBins), are about as old as offensive computer security, but their use has increased significantly in recent years. Such techniques could help adversaries bypass various defensive methods including, but not limited to, file-based detection. In a blog post, Cisco Talos researcher and past VB conference speaker Vanja Svajcer looks at some recent cases of malicious use of benign Windows binaries.
 
Both phishing scams and Android malware are fairly common these days, but it is rare to see them combined in an attack. Sucuri’s Krasimir Konov analysed a phishing campaign in which the user was tricked into installing an Android app to ‘verify their phone number’. Given the permissions used by the app and the context in which it was served, it is likely that it was being used to intercept SMS messages used by banks in India to confirm transactions.
 
In August, ThreatFabric analysed the Cerberus Android banking trojan, sold on underground forums by people with a surprisingly open presence on the public Internet, and which used Android’s pedometer to evade automatic analysis. Now, Anomali has added its own analysis of both the malware itself and its sale on an underground forum. Based on the available overlays, Cerberus targets many organisations around the world, predominantly those in the field of finance.
 
Cisco Talos researchers have analysed a long-running malicious email campaign that used ARJ archives to deliver a custom dropper that would download information-stealing malware such as Agent Tesla or Lokibot.
 
Such off-the-shelf malware tends to be used in many different campaigns. Indeed, on the SANS Internet Storm Center blog, Brad Duncan has analysed another recent malspam campaign delivering Lokibot, this time through an attached RAR archive.
 
Trickbot often makes the news as a second-stage payload being served following an Emotet infection, but it is also delivered directly in malicious spam campaigns. Malcrawler found such a campaign delivering the malware using an apparent harassment complaint as a lure to open the attachment.
 

 
Bleeping Computer continues to chronicle the wide variety of ransomware campaigns out there. It noted that the Sodinokibi ransomware, the successor of GandCrab in more than just prevalence, has been targeting Asia, spreading via the Rig exploit kit. Rig is also used to distribute the AnteFrigus ransomware, which is notable because it avoids encrypting files on the C:\ drive, instead focusing on removable and network-mounted drives. Meanwhile, NextCry is a new ransomware targeting instances of the NextCloud file sync and share service.
 
Bleeping Computer has also written about a phishing scam that urges users to log in with their email credentials to prevent their password from being changed. Such relatively basic scams phishing for email credentials are common and widespread and are a likely reason for the number of malicious spam emails sent from compromised email accounts.
 
Another such campaign, specifically targeting Office 365 credentials, has been analysed by PhishLabs. 
 
Qakbot (also known as Qbot or Pinkslipbot) is a banking trojan that has been active for a decade and which continues to evolve. A paper on it was presented at VB2016 in Denver by researchers from McAfee. Hatching’s Markel Picado has analysed a recent sample of the malware and also released a tool to deobfuscate the code, thus aiding analysis.
 
Finally, YARA is the ‘Swiss army knife’ for threat researchers. The tool helps greatly in finding specific malware families among very large data sets. Those interested in learning YARA could do worse than to read a blog post written by Vitali Kremez at SentinelOne, in which he explains how to create YARA rules for instances of the BitPaymer and DoppelPaymer ransomware families and the Dridex loader.
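The byte-sequence identifiers printed in the early issues and the YARA rules discussed here rest on the same idea: a rule names a few patterns and a condition over them, and a scanner reports which rules fire on a given file. The Python below is an illustration added to this newsletter; it is not code from Virus Bulletin, SentinelOne or the YARA project, and it does not use the real YARA engine. It implements a toy matcher for a small subset of YARA syntax (text strings with an optional nocase modifier, hex strings, and ‘N/all/any of them’ conditions). The rule names, string contents and the sample buffer are constructed for the demo and do not describe any real malware family.

```python
"""Toy YARA-style matcher (added example, not YARA itself).

Supported subset: text strings ("..." with optional nocase), hex strings
({ 4D 5A }) and conditions of the form 'all of them', 'any of them' or
'N of them'. All rules and sample data here are constructed for the demo.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict  # "$ident" -> (pattern bytes, nocase flag)
    needed: int    # number of distinct strings that must match


# A rule body runs from 'rule NAME {' to the first '}' at the start of a line,
# so the braces of hex strings inside the body are not mistaken for its end.
_RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)^\}", re.S | re.M)
_TEXT_RE = re.compile(r'(\$\w+)\s*=\s*"([^"]*)"[ \t]*(nocase)?')
_HEX_RE = re.compile(r"(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}")
_COND_RE = re.compile(r"condition:\s*(all|any|\d+)\s+of\s+them")


def parse_rules(text: str) -> list:
    """Parse every rule in the supported subset; reject anything else loudly."""
    rules = []
    for m in _RULE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        strings_part = body.split("condition:", 1)[0]
        patterns = {}
        for ident, literal, nocase in _TEXT_RE.findall(strings_part):
            patterns[ident] = (literal.encode(), bool(nocase))
        for ident, hexdigits in _HEX_RE.findall(strings_part):
            patterns[ident] = (bytes.fromhex(hexdigits), False)
        cond = _COND_RE.search(body)
        if cond is None or not patterns:
            raise ValueError(f"rule {name}: only 'N/all/any of them' over a "
                             "non-empty strings section is supported")
        word = cond.group(1)
        needed = len(patterns) if word == "all" else 1 if word == "any" else int(word)
        rules.append(Rule(name, patterns, needed))
    return rules


def _find_all(data: bytes, pattern: bytes, nocase: bool) -> list:
    """Every offset at which pattern occurs in data (ASCII case-folded if nocase)."""
    hay, needle = (data.lower(), pattern.lower()) if nocase else (data, pattern)
    offsets, pos = [], hay.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = hay.find(needle, pos + 1)
    return offsets


def scan(rules: list, data: bytes) -> dict:
    """Return {rule name: {string id: [offsets]}} for each rule whose condition holds."""
    hits = {}
    for rule in rules:
        found = {}
        for ident, (pattern, nocase) in rule.strings.items():
            offsets = _find_all(data, pattern, nocase)
            if offsets:
                found[ident] = offsets
        if len(found) >= rule.needed:
            hits[rule.name] = found
    return hits


# Constructed rules in the supported subset (demo content, not real signatures).
DEMO_RULES = """
rule constructed_mz_stub
{
    strings:
        $mz  = { 4D 5A }
        $msg = "This program cannot be run in DOS mode"
    condition:
        all of them
}

rule constructed_dropper_marker
{
    strings:
        $url = "http://example.invalid/update" nocase
        $cmd = "wscript.exe"
        $tag = { DE AD BE EF }
    condition:
        2 of them
}
"""

# Constructed sample: a fake MZ header, the DOS stub text, an upper-cased copy
# of the URL (exercising nocase) and the hex tag; the wscript string is absent.
DEMO_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode" + b"\x00" * 4
    + b"HTTP://EXAMPLE.INVALID/UPDATE"
    + b"\xde\xad\xbe\xef"
)


def demo() -> dict:
    return scan(parse_rules(DEMO_RULES), DEMO_SAMPLE)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name)
        for ident, offsets in found.items():
            print(f"  {ident} at offsets {offsets}")
```

Both constructed rules fire on the sample: the first because both of its strings are present, the second because two of its three strings (the case-folded URL and the hex tag) are found. Real YARA adds much more (regular expressions, wildcards and jumps in hex strings, offset and count operators, modules for PE and ELF parsing) and is written in C; what the toy preserves is the pipeline a rule author reasons about, from string definitions to a condition to per-string match offsets.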
 
© 2019 Virus Bulletin Limited
Manor House - Office 6, Howbery Business Park, Wallingford, OX10 8BA, UK