For those who follow me on social media, or who attended the closing address at VB2019, it will not be news that I will soon leave Virus Bulletin. As a consequence, Virus Bulletin is looking to fill my role.

Though the vacancy we posted isn’t an exact match of what my job has been these past years (VB is now looking for a Security Evangelist), the role will be largely similar and I can honestly say it is one of the greatest jobs in security - one that puts you right in the centre of this fascinating community and one that, most of all, gives you the opportunity to work with an amazing team.

For now, though, I am still VB’s Editor and in that role I will deliver one more talk: on Friday I will speak at Botconf in Bordeaux on the lessons we have learned from measuring spam detection and trends in malicious spam. The conference is sold out, but there is likely to be a live stream of many of the presentations, including mine.

For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines.

I like to emphasise the global nature of the Virus Bulletin conference, with speakers from all over the world discussing their local threats. As an example of that, Qi An Xin researchers Lion Gu and Bowen Pan wrote a VB2019 paper on ‘Poison Vine’, an APT group that has been targeting China. This week, we published the researchers' paper on our website and also uploaded the video of Bowen presenting it.

Another video we published recently was that of a last-minute presentation by ZEROSPAM researchers Pierre-Luc Vaudry and Olivier Coutu. In their presentation they explained how clustering can be used to detect and block the ‘thread hijacking’ spam used to deliver the notorious Emotet malware. We recently published another VB2019 paper on Emotet, by Sophos researcher Luca Nagy. Emotet continues to be active, and recent campaigns delivering Trickbot and a spambot respectively as a second-stage payload were analysed by Brad Duncan.

Trend Micro has published a research paper on an APT group it names Tick and that other vendors have referred to as BRONZE BUTLER or REDBALDNIGHT. Tick is likely Chinese in origin and has been targeting Japanese industries since 2008. Tick compromises PR and research firms and uses stolen email credentials and decoy documents to send credible spear-phishing emails to its real targets. Trend Micro notes that group has been using a number of new malware variants such as DATPER, down_new, Avenger and Casper; the latter is unrelated to the malware from the ‘Animal Farm’ family and is, in fact, a modified Cobalt Strike backdoor.

Last week we linked to a Malwarebytes blog post on a cross-over between phishing and skimming. Now, RiskIQ’s Yonathan Klijnsma writes that this is part of a larger campaign by a group he has named “Fullz House”. The group engages in both credit card skimming and payment provider phishing using some shared infrastructure and Yonathan believes the group may also be linked to a number of carding shops.

Kaspersky writes about two cybercrime groups that target the hospitality sector, with a particular focus on Brazil. The victims are targeted with malicious emails that deliver mostly off-the-shelf RATs such as RevengeRAT, Nanocore and njRAT. The first group, which was previously analysed by Palo Alto in March, Kaspersky names RevengeHotels, while the second group is named ProCC, after custom malware used by the group.

Microsoft has looked at the Dexphot malware that has been infecting Windows systems since a large outbreak in October 2018. Dexphot exhibits multiple layers of polymorphism to evade detection and uses a complex infection chain, largely relying on legitimate system processes. The final payload of Dexphot is always a cryptominer, but the specific miner has changed over the course of its lifespan.

Mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan, the Stantinko botnet is an exception to the rule that a lot of malware actively avoids running in these countries. ESET’s Vladislav Hrčka writes about the malware having added a Monero-mining module. Interestingly, the malware uses proxies to connect to its mining pool, a technique previously used by the Casbaneiro trojan.

The founding of the Coalition Against Stalkerware last month has helped the security industry focus on this particular threat. Unfortunately, new stalkerware apps continue to be found. A blog post by ZScaler’s Shivang Desai looks at some recent examples.

Avira’s Subramanian Rajagopalan has analysed the CoinLoader malware downloader that deploys many anti-analysis techniques during its infection cycle and eventually downloads the final payload, which is one of a number of adware of malware variants.

Kaspersky’s quarterly spam and phishing reports are always worth reading, if only because they look at issues that few others write about, such as an Amazon scam that attempts to get the recipient to call a premium-rate number, or phishing for various email accounts. The Q3 report also noted that UK TV licence phishing emails continue to be sent; as before, we have noticed that such emails continue to be missed by many products.

PSD2, the second version of the EU’s Payment Services Directive, is an important directive that the financial industry is still working on implementing. It is not surprising, then, that Anomali found that the PSD2 is being used as a lure in a number of targeted phishing campaigns.

In its Q3 threat report, Confiant notes that 60 per cent of malicious advertisements are served by only three ad providers. (The Confiant report requires registration, but Bleeping Computer has a good write-up.) This could be more than an interesting statistic: it may point to a weak spot in the ecosystem of malicious ads.

SentinelOne’s Jim Walter has analysed the Medusalocker ransomware that was first discovered in September and that is noteworthy for its ability to encrypt data on remote drives too.

After initial versions of the DeathRansom ransomware merely claimed to have encrypted victim files (which had an extension added to their name, but were otherwise left untouched), Bleeping Computer’s Lawrence Abrams writes that a new variant actually does encrypt the files. Based on submissions to the ID Ransomware project and Reddit comments, he believes there may be a link with the STOP ransomware and it is possible that, like STOP, DeathRansom is distributed through adware and cracks.

Lawrence also writes about CStealer, newly discovered malware that steals Chrome passwords. It exfiltrates these by sending them to a remote MongoDB database and uses hard-coded credentials to do so, leaving the full database of stolen passwords open for anyone with the credentials.

On the SANS Internet Storm Center blog, Brad Duncan explains how he was able to obtain a sample of the Agent Tesla information-stealing malware from PCAPs provided by the any.run sandbox.

PhishLabs has a brief post on a malicious spam campaign serving Trickbot that uses SendGrid and Google Docs to serve the malware, thus preventing the links being blocked through URL blacklists.

In a blog post that focuses both on the threat and on the (publicly available) tools to analyse it, InQuest’s Josiah Smith has analysed a multi-stage downloader that began with an Office document with malicious macros and which served njRAT as the final payload.

The Hex-Rays API for IDA Pro is used by many malware analysts to solve small ad-hoc problems while reverse-engineering malware. To make using this API easier, FireEye has released the open-source FLARE’s IDA Decompiler Library (FIDL), which provides a wrapping layer around the Hey-Rays API.

Finally, it is not often that we get an insight into malware while it is being developed through an interview with its author, but this is what Patrick Howell O’Neill gave us for the MIT Technology Review: he spoke to the owner of Memento Labs, evolved from Hacking Team and committed to selling spyware to governments and law enforcement. Hacking Team, of course, became infamous for the fact that many governments with very poor human rights records had purchased and used its software; Hacking Team was the subject of a VB2018 paper by ESET’s Filip Kafka.