Welcome to another edition of Virus Bulletin’s weekly threat intelligence newsletter, providing you with a round-up of the most interesting analyses that were published in the last week.

You can view past editions of this newsletter on our website, where you can also subscribe to have it delivered weekly to your inbox ─ help us to spread the word by encouraging your friends and colleagues to subscribe too! The VB newsletter is compiled by Martijn Grooten ([email protected]); feedback and suggestions are always very welcome.

For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines. All links have been added to the Wayback Machine.

With the VB2019 call for papers still open (it closes on 17 March), we published another paper (and corresponding video) presented at VB2018 in Montreal. In the paper, three researchers from Fraunhofer SIT looked at 'mutual-awareness tracking apps', which allow people to track the location of friends and family members with their explicit consent. Such apps are very popular, but the researchers found that security is often lacking, and they found that the apps, the communication channels and backend servers allowed for a user’s location to be obtained by third parties. They also found two apps on the Google Play store that were mere fronts for proper spyware.

In a new blog post, we looked at some of the recent spam and malware emails that we received in our test lab and that we found bypassing several email security products. In particular, we looked at a large UPS phishing campaign, several emails delivering Emotet, as well as an email carrying an ACE archive as an attachment.

Also on our blog, a case was made for threat intelligence teams to consider hiring journalists, whose unique skills would make them an excellent addition to any such team.

Reuters journalists Chris Bing and Joel Schectman have written a bombshell report on Project Raven, in which former NSA operatives worked to help the United Arab Emirates government fight terrorism and ended up spying on human rights activists, journalists and political rivals. Though the report and an accompanying article on the Karma platform don’t contain technical details, they may help those who have studied activity in this region tie together some loose ends. For example, a 2016 Citizen Lab report on the Stealth Falcon operator appears to be about Project Raven.

Another piece that may help with context for threat researchers was written by Joseph Cox at Motherboard. He detailed how cybercriminals have exploited weaknesses in the SS7 protocol to intercept authentication codes sent via SMS. SS7 has long been known to be hackable and this was used against customers of a German bank back in 2017; its usage by criminals may be more widespread than previously believed. While phishing and malware campaigns targeting banks and their customers are frequently analysed, this backend operation often remains hidden from the public.

The Lazarus Group, generally linked to North Korea, has long been active on the Korean peninsula. Some of this activity was detailed in a paper presented at VB2018 by AhnLab researcher Minseok (Jacky) Cha. The group continues to be active, according to a blog post (in Korean) by ESTsecurity, which details a recent campaign that includes the use of a Cisco job ad as a lure. This piqued the interest of researchers at Cisco Talos, who published an English-language analysis of the incident, which they found to be similar to two campaigns seen in 2017.

Those interested in the activities of the Lazarus Group would do well to read a brief analysis on the personal blog of Flashpoint researcher Vitali Kremez, who analysed two recently discovered PowerShell scripts used by the group, both of which were uploaded from Pakistan, suggesting activity in this country.

In a new blog post, FireEye introduces APT39, an attack group linked to Iran with a particular interest in targets’ personal information, as well as customer data from telecommunication firms.

APT39’s activities align with a group called Chafer, which was first analysed by Symantec in 2015. Kaspersky writes about a still-active campaign by this group, which uses the Remexi trojan to target foreign diplomatic entities based in Iran. Remexi is a typical information-stealing trojan, targeting browser-related data, capturing keystrokes and taking screenshots.

Orcus is one of many RATs available commercially, though not necessarily legally. In 2016, Brian Krebs uncovered the Canadian man believed to be the malware’s author. Recently, the official site distributing the malware was closed and it was made available as a licence-free version. This no doubt will result in an increase in the prevalence of the RAT, as pointed out in a blog post by Morphisec analysing a recent campaign delivering it. The campaign was notable for the heavy encryption and obfuscation that was used, with the payload being delivered hidden inside an mp4 video.

TheMoon is a router botnet that was first discovered in 2014 and continues to be active. Originally targeting Linksys routers, it has since used exploits to target vulnerable routers of various other brands. Researchers at CenturyLink have now discovered a new module added to the malware that would allow the botnet, or parts thereof, to be rented out as SOCKS proxies ─ something that would be valuable for many a cybercriminal campaign.

ZScaler researchers have looked at another IoT botnet, RIFT, while in the same blog post they note a significant uptick in IoT botnet activity, due to exploitation of a vulnerability in the ThinkPHP framework used by many IoT devices, especially in China. The exploitation of vulnerable ThinkPHP instances was previously reported by Trend Micro.

Also very active in China is the DDG botnet, which targets database servers and uses the infected devices to mine for cryptocurrencies. 360 reports that the owners pushed out no fewer than six updates in January, so that the botnet now includes anti-analysis features and peer-to-peer communication, while the updates are also RSA signed, to prevent ‘poisoning’ of the botnet by researchers.

As a relatively new programming language, Go (or GoLang) is only slowly emerging. For Malwarebytes’ blog, hasherezade has analysed a new piece of malware written in Go. The malware is referred to simply as CryptoStealer, for its focus is the theft of cryptocurrencies. The analysis also serves as a good introduction to analysing malware written in Go.

DarthMiner is another malware family that attempts to steal cryptocurrencies, this time from Mac users. As its name suggests, it includes the ability to mine Monero. Previously analysed by Malwarebytes, an updated version was analysed by Palo Alto’s Unit42 team, which found that it also steals iPhone text messages from iPhone backups.

The Jaff ransomware was first seen in May 2017, around the same time as WannaCry was discovered. According to Fortinet’s Raul Alvarez, it continues to lurk in the shadows. For the company’s blog, he wrote a detailed low-level analysis of the malware, similar to the numerous analyses he has written in the past for Virus Bulletin.

ESET researcher Juraj Jánošík has looked at two malicious spam campaigns, both containing zipped JavaScript attachments. The first targeted Russia and spread the Troldesh ransomware, also known as Shade. The second campaign targeted Japan and was similar to the “Love You” campaign previously reported. It would download a number of payloads, including Gandcrab and Phorpiex. In our own lab, we saw many instances of this latter campaign, but found block rates by email security products to be very high.

Vulnerable Magento extensions are a common way for websites to be targeted by one of the many Magecart groups. To help secure websites, Willem de Groot teamed up with other researchers to release a blacklist of vulnerable extensions.

WordPress plug-ins and themes are, of course, also a known infection point for websites. Sucuri’s Mohammed Obaid looked at one compromised theme file in which the malicious code was made to look like a licence key.

Minerva researchers analysed a recent sample of the AZORult information-stealing trojan, which came packed as a fake Google update signed with a valid certificate, albeit not one from Google. Meanwhile, a recent malicious spam campaign serving AZORult was analysed by My Online Security.

G DATA researcher Stefan Hausotte has written a blog post in which he takes the readers through a packer used by the Ldpinch infostealer and uses this to create a simple unpacker.

Cyberbit has analysed a multi-layered sample of the Ursnif trojan, which excels in encryption, obfuscation and compression to frustrate researchers.

PhishLabs noted a new version of the Anubis mobile banking malware that receives C&C information from a Twitter account, where the URL is encoded using Chinese characters.

Cloudmark has looked at SMS spam messages sent to users who had posted on Craigslist and found that they directed users to legitimate websites with an affiliate referral scheme that created the incentive for the spam messages.

In 2016, Kaspersky published a research paper on xDedic, an underground market specialising in selling access to compromised servers. It might be worth revisiting that paper, as international cooperation last week led to the shutdown of this marketplace.

Carbon Black researcher Michael Dockry has written an analysis of the prevalent WannaMine cryptocurrency miner, famous (and named) for its used of the Externalblue exploit that was also used by WannaCry, and fairly sophisticated as miners go.

Given recent warnings about hardening DNS, a blog post by Xavier Mertens on the SANS Internet Stormcast blog is timely: he explains how a systems monitoring tool like Nagios can be used to be alerted to DNS changes.

Those investigating cybercrime often find themselves having to look at money laundering. Gary Warner, of the University of Alabama at Birmingham, has shared what he has learned on this subject, focusing in particular on the work of the Financial Action Task Force.

Previously referred to as ‘the next big thing in DDoS attacks’, Netscout reports that the CoAP protocol is being used for the amplification of DDoS attacks. It has an average amplification factor of 34, which puts it in the midrange of UDP protocols that can be abused for this purpose. It has the notable downside for attackers that CoAP devices tend to change their IP addresses regularly.

Imperva reports that it has seen a DDoS attack sending more than 500 million packets per second, which it believes is a new record for such attacks.

Avast writes about a vulnerability discovered by Elliot Alderson in the very popular ES File Explorer app for Android, which would allow an attacker to launch apps and learn a lot of information about the device.

Trend Micro has looked at some very popular ‘beauty’ apps for Android that were serving pornographic content as well as phishing websites.

Bleeping Computer’s Ionut Ilascu had a look at the new LockerGoga ransomware, believed to be used in a targeted attack against Altran Technologies, a French engineering consultancy.

SANS Dean of Research Johannes Ullrich wrote a piece on the Internet Storm Center blog about a phishing campaign that had not accounted for the fact that some people may access the site through IPv6.

Finally, My Online Security has once again done a great job of fishing up various malicious spam campaigns seen in the past week. These included two campaigns serving Formbook, campaigns serving Trickbot, the Nanocore RAT and CandCrab and an email that used a complicated BlackTDS redirection to serve Ursnif/Gozi.

The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, UK