Today it is exactly a month until the start of VB2019, the 29th Virus Bulletin Conference. We are thrilled that no fewer than 21 organisations – a record number – have partnered with VB2019 in one way or another, and we have just closed the call for last-minute papers. The complete programme should be available by the end of this week.
 
Even though we like to see VB as a conference that looks beyond the hype, we are more than a little proud that several of the talks have made the security news in recent months: from Operation Soft Cell to the Machete APT group, and from the Sea Turtle attacks to the weaponization of RTF documents by APT groups. 
 
One topic that continues to feature in the news – including in this very newsletter – is Magecart: the targeting of online payment systems with JavaScript-based skimmers. Last week we previewed the paper RiskIQ researcher Yonathan Klijnsma will present on Magecart at VB2019 in London. Another recurring topic is the use of ‘LOLbins’ by malicious actors. In another VB2019 paper that we previewed, Endgame researcher Bobby Filar will present a framework to detect such malicious use of legitimate binaries through the parent-child process chain.
 
Don’t forget to book your tickets for VB2019 to see these and more than 50 other talks in London!
Martijn Grooten
Editor, Virus Bulletin
 
For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines.
 
In a bombshell blog post, Ian Beer from Google’s Project Zero has written about the discovery of five exploit chains targeting iPhone users. The chains had been used in watering hole attacks in which a small number of hacked websites indiscriminately infected visitors for at least two years. In an analysis of the implant, Beer writes that the infection did not persist following reboot, but while active was able to steal data from, for example, email and messaging apps. Apps whose data was always uploaded included WhatsApp, Gmail and Tencent’s QQ. Interestingly, the data was uploaded to a hard-coded IP address and no encryption was used to protect the uploaded data. Sources have since told TechCrunch’s Zack Whittaker that the targets of the infections were China’s Uyghur minority.
 

 
Researchers at Avast recently worked with the French National Gendarmerie to take down the Retadup worm that had infected hundreds of thousands of Windows machines, almost all of them located in Latin America. Retadup, analysed by Trend Micro in 2017 and 2018, used infected machines to mine for the Monero cryptocurrency, yet in some cases also pushed ransomware or a password stealer. Because most of the C&C infrastructure was located in France, French law enforcement got involved and took over the C&C infrastructure. This isn’t an uncommon action against botnets, but thanks to a design flaw in the malware, the researchers were able to clean up infections without running extra code on the infected machines (something which would have been more controversial).
 
LYCEUM is a threat actor active in the Middle East that, according to Secureworks (the first to write about it), has been active for at least a year. It targets sectors of strategic national importance and does so in multi-stage attacks: using brute-force attacks it obtains credentials within a targeted organisation and from these compromised accounts sends spear-phishing emails. These emails spread DanBot, a first-stage RAT (not to be confused with Danabot) that is used for further access within the organisations. Interestingly, one of the documents used as a lure in the spear-phishing attacks claims to contain a list of the 25 worst passwords.
 
China Chopper is a widely available web shell that, despite its age (the first public analysis is from almost seven years ago), continues to be popular, especially in targeted attacks – for example in the recently uncovered Operation Soft Cell. Cisco Talos researchers Paul Rascagneres and Vanja Svajcer have looked at the web shell and its use in three other recent campaigns, showing how useful the tool remains to many threat actors.
 
The financially motivated TA505 actor continues to be very active. Researchers at Trend Micro have reported various small changes in recent campaigns by this group, from the use of .ISO attachments (not previously used by TA505) to a DLL variant of the FlawedAmmyy RAT used by the group. It has also targeted a number of new countries.
 
Researchers at IBM X-Force write about a cybercrime group named ITG08 that is perhaps better known as FIN6. The group has historically targeted point-of-sale systems in brick-and-mortar retailers but has now switched to targeting online retailers. FIN6 obtains access to the retailers’ systems through spear-phishing emails spreading the more_eggs backdoor; an earlier campaign spreading the same backdoor was analysed by Proofpoint. The targeting of online payment systems is, of course, referred to by the umbrella term ‘Magecart’ and Yonathan Klijnsma pointed out that, not coincidentally, FIN6 is what he refers to as ‘Magecart Group 6’.
 
 
The hack of the Twitter account of Twitter's own CEO Jack Dorsey has warned the general public of the dangers of SIM swapping attacks. The authors of the Trickbot malware have also realised the value of SIM swapping: researchers at Secureworks discovered a new module added to the malware that injects code into the websites of various US mobile carriers and asks for the account PIN code. This PIN could be used to ‘swap’ the SIM of the affected user.
 
Cisco Talos researchers Edmund Brumaghin and Holger Unterbrink have analysed the activities of a threat actor that used both RevengeRAT and Orcus RAT as the payload in its email campaigns.
 
Another widely available RAT, Quasar, is being spread through a malicious spam campaign with emails pretending to contain resumes. The emails have a macro-embedded Word attachment that is password-protected with the password available in the email body, a trick commonly used in this kind of resume spam.
 
Earlier this year CISA sent an alert about HopLight, malware it attributed to North Korea. Now, Alert Logic has reverse engineered the string obfuscation algorithm used in the malware.
 
A malvertising campaign using vulnerable WordPress plug-ins to insert redirects and pop-ups into affected websites, first reported by Wordfence’s Mikey Veenstra in July, continues, according to further analysis by Mikey. Apart from targeting further plug-ins, affected websites now also have a backdoor added to them.
 
Kaspersky researchers have published a brief analysis of BRATA, a new RAT for Android devices used exclusively in Brazil. More than 20 variants have appeared in the Google Play store, with many posing as an update for the infamous WhatsApp vulnerability patched in May after it had been found exploited in the wild.
 
Also on Google Play was CamScanner, a legitimate app used to create PDFs that was downloaded no fewer than 100 million times. A discovery by Kaspersky that the app had been updated to contain a malicious dropper – possibly the result of a partnership with an unscrupulous advertiser – led Google to remove the app from the Play store.
 
Two other popular Android apps with a collective download count of about 1.5 million were also removed from the Play store after Symantec researchers May Ying Tee and Martin Zhang found them engaged in fraudulent ad-clicking: the advertisements were displayed outside the boundaries of the screen and then clicked on automatically.
 
 
The Android Debug Bridge left open by the manufacturer is a known issue with many Android-based devices. Now, researchers at WootCloud report they have found a new botnet, dubbed Ares, that uses this to infect various set-top boxes.
 
On the SANS Internet Storm Center blog, Xavier Mertens looked at two malware samples that use tools present on many Windows machines, jsc.exe and msbuild.exe, to compile the next-stage malware on the infected machine itself – yet another way to bypass detection that looks for malicious PE files.
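The defensive counterpart to the two items above (the parent-child process chain approach in Bobby Filar's VB2019 paper and the jsc.exe/msbuild.exe compilation trick) is to look at who launched the compiler, not just at the PE files it produces. The following is an added illustration written for this newsletter, not code from Endgame, SANS ISC or Virus Bulletin: it walks process-creation events (constructed here in a Sysmon Event ID 1-like shape; the field names, paths and PIDs are assumptions) up the parent chain and flags compiler binaries that have a document or script host as an ancestor, or that are fed input from a user-writable location.

```python
"""Flag compiler LOLbins (msbuild.exe, jsc.exe, ...) launched under document or
script hosts by walking the parent-child process chain.

Added illustration for this newsletter: not code from Endgame, SANS ISC or
Virus Bulletin. Events below are constructed in a Sysmon Event ID 1-like shape;
the field names, paths and PIDs are assumptions.
"""
import ntpath
import re

# Build tools that malware abuses to compile its next stage on the victim host.
COMPILER_LOLBINS = {"msbuild.exe", "jsc.exe", "csc.exe", "vbc.exe"}

# Processes that should almost never have a compiler anywhere below them.
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Input files taken from locations any user (or a dropped document) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(ev, by_pid, max_depth=8):
    """Image names from the process up through its recorded ancestors.

    An ancestor missing from the event window is represented by the
    ParentImage its child recorded; PID reuse is ignored for simplicity.
    """
    chain = [basename(ev["Image"])]
    seen = {ev["ProcessId"]}
    while len(chain) < max_depth:
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None or parent["ProcessId"] in seen:
            chain.append(basename(ev["ParentImage"]))
            break
        seen.add(parent["ProcessId"])
        chain.append(basename(parent["Image"]))
        ev = parent
    return chain


def find_suspicious_compiles(events):
    """Findings for compiler launches that have a document/script host as an
    ancestor or that compile input from a user-writable path."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        child = basename(ev["Image"])
        if child not in COMPILER_LOLBINS:
            continue
        chain = ancestry(ev, by_pid)
        reasons = []
        hosts = [p for p in chain[1:] if p in DOCUMENT_HOSTS]
        if hosts:
            reasons.append(f"{child} launched under {hosts[0]} "
                           f"(chain: {' <- '.join(chain)})")
        if USER_WRITABLE.search(ev.get("CommandLine", "")):
            reasons.append(f"{child} compiling input from a user-writable path")
        if reasons:
            findings.append({"pid": ev["ProcessId"], "chain": chain, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry). Only 203 and 304 are suspicious:
# a developer build (101) and an Explorer-launched csc (405) are left alone.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
    {"ProcessId": 202, "ParentProcessId": 201,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c start /min build"},
    {"ProcessId": 203, "ParentProcessId": 202,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"ProcessId": 304, "ParentProcessId": 303,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"jsc.exe /nologo C:\Users\bob\Downloads\stage2.js"},
    {"ProcessId": 405, "ParentProcessId": 400,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"csc.exe /out:C:\src\tool.exe C:\src\tool.cs"},
]

if __name__ == "__main__":
    for finding in find_suspicious_compiles(SAMPLE_EVENTS):
        print(finding["pid"], "; ".join(finding["reasons"]))
```

The chain walk is what turns a noisy rule ("msbuild.exe ran") into a usable one: the build in event 101 is invisible to the detector, while event 203 is reported with its full lineage (msbuild.exe <- cmd.exe <- winword.exe) even though its direct parent is only cmd.exe.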
 
In Kaspersky’s quarterly report on spam and phishing, the company reports several trends also seen by Virus Bulletin in our test lab, such as the continuation of sextortion emails and the use of Google Drive and Google Cloud Storage to host malicious content.
 
A recent example of sextortion spam was sent pretending to come from the ‘ChaosCC’ hacking group and has been covered by Bleeping Computer.
 
Researchers at JASK have written a short paper on detecting two common persistence mechanisms used by adversaries: the creation of new services and scheduled tasks.
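As an added illustration of the detection the JASK paper describes (this is not JASK's code and not from the paper), the following reviews constructed Windows event log lines for the two persistence mechanisms: System log Event ID 7045 (a service was installed) and Security log Event ID 4698 (a scheduled task was created). The key=value line format, the event fields used and the thresholds are assumptions; the scheduled task XML is reduced to the elements the check needs.

```python
"""Review service-install (7045) and scheduled-task-create (4698) events for
persistence that points at user-writable paths or encoded PowerShell.

Added illustration for this newsletter, not JASK's or Virus Bulletin's code.
The log line shape ("EventID=... Key=value Key=\"quoted value\"") and the
sample values are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Binaries that persistence should normally not point at: anything a regular
# user or a dropped document can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)

# PowerShell invoked with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"powershell[^\n]*\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)

# Key=value pairs where the value is either "quoted" or a run of non-spaces.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one constructed log line into a dict of its fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}


def command_from_task_xml(xml_text):
    """Extract '<Command> <Arguments>' from task XML, ignoring any namespace."""
    root = ET.fromstring(xml_text)
    cmd = args = ""
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Command":
            cmd = el.text or ""
        elif tag == "Arguments":
            args = el.text or ""
    return (cmd + " " + args).strip()


def assess_command(cmd):
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("binary or script in user-writable location")
    if ENCODED_PS.search(cmd):
        reasons.append("encoded PowerShell command")
    return reasons


def review_persistence_events(lines):
    """Return one finding per new service / scheduled task that looks suspicious."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "7045":
            name, cmd = ev.get("ServiceName", "?"), ev.get("ImagePath", "")
        elif eid == "4698":
            name = ev.get("TaskName", "?")
            cmd = command_from_task_xml(ev.get("TaskContent", "<Task/>"))
        else:
            continue  # not a persistence event
        reasons = assess_command(cmd)
        if reasons:
            findings.append({"event": eid, "name": name, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample lines (not real logs). The base64 blob is a placeholder.
SAMPLE_LINES = [
    r'EventID=7045 ServiceName=Updater ImagePath="C:\Program Files\Vendor\updater.exe"',
    r'EventID=7045 ServiceName=WinHlp ImagePath="C:\Users\alice\AppData\Roaming\svc.exe"',
    r'EventID=4698 TaskName=\Backup TaskContent="<Task><Actions><Exec>'
    r'<Command>C:\Windows\System32\robocopy.exe</Command></Exec></Actions></Task>"',
    r'EventID=4698 TaskName=\Microsoft\Windows\Upd TaskContent="<Task><Actions><Exec>'
    r'<Command>powershell.exe</Command><Arguments>-nop -w hidden -enc QQBCAEMA</Arguments>'
    r'</Exec></Actions></Task>"',
    r'EventID=4624 TargetUserName=alice LogonType=2',
]

if __name__ == "__main__":
    for finding in review_persistence_events(SAMPLE_LINES):
        print(finding["event"], finding["name"], "->", "; ".join(finding["reasons"]))
```

Both event IDs are worth collecting centrally because neither is noisy on a workstation: new services and new scheduled tasks are rare enough that every one can be reviewed against an allow-list of known installers, with the two heuristics above deciding what to look at first.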
 
At ZDNet, Catalin Cimpanu writes about the takedown of a malware gang by Russian police, based on a story (in Russian) by Group-IB, which helped authorities in the takedown. The malware group, dubbed TipTop, predominantly used the Hqwar Android malware to target customers of Russian banks, something which put them in the spotlight of the local authorities.
 
Trend Micro researcher Jindrich Karasek has looked at a sophisticated phishing kit he calls Heatstroke, which demonstrates the level of sophistication in such kits today – the kit uses multiple stages and the code on the phishing pages is generated dynamically.
 
Exfiltrating data via DNS (or ‘DNS tunnelling’) is increasingly used in real-world attacks to bypass intrusion detection systems. Alert Logic has described an example of a backdoored SSH client that uses DNS to exfiltrate data from infected systems.
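DNS tunnelling leaves a recognisable footprint in a resolver's query log: many unique, long, high-entropy subdomains under a single zone, often as TXT or NULL queries. The following added example (written for this newsletter; it is not Alert Logic's analysis code and does not reproduce the backdoored client) profiles constructed BIND-style query log lines per zone and flags zones that cross all three thresholds. The log line shape, the thresholds and the "zone = last two labels" simplification are assumptions; a production version would use the public suffix list and tune the thresholds against a baseline of the organisation's own traffic.

```python
"""Profile DNS query logs per zone and flag likely tunnelling.

Added illustration for this newsletter, not Alert Logic's or Virus Bulletin's
code. Log lines are constructed in a BIND query-log-like shape; thresholds
and the two-label zone heuristic are assumptions to be tuned per environment.
"""
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 5      # a tunnel needs many distinct names to carry data
MIN_MEAN_SUBDOMAIN_LEN = 24    # encoded payload chunks make labels long
MIN_MEAN_ENTROPY = 3.0         # hex/base32/base64 chunks look random


def shannon_entropy(s):
    """Bits per character of the string (0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(zone, subdomain-without-dots); zone = last two labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_query_log(line):
    """Parse 'client <ip>#<port>: query: <qname> IN <qtype>' (constructed shape)."""
    parts = line.split()
    i = parts.index("query:")
    return parts[i + 1], parts[i + 3]


def profile_zones(lines):
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lengths": [], "entropies": [], "txt_null": 0})
    for line in lines:
        qname, qtype = parse_query_log(line)
        zone, sub = split_name(qname)
        z = zones[zone]
        z["queries"] += 1
        if sub:
            z["subdomains"].add(sub)
            z["lengths"].append(len(sub))
            z["entropies"].append(shannon_entropy(sub))
        if qtype in ("TXT", "NULL"):
            z["txt_null"] += 1
    return zones


def suspicious_zones(lines):
    """Zones whose subdomains are numerous, long and high-entropy, with stats."""
    out = {}
    for zone, z in profile_zones(lines).items():
        if len(z["subdomains"]) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(z["lengths"]) / len(z["lengths"])
        mean_ent = sum(z["entropies"]) / len(z["entropies"])
        if mean_len >= MIN_MEAN_SUBDOMAIN_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            out[zone] = {"queries": z["queries"], "unique_subdomains": len(z["subdomains"]),
                         "mean_len": mean_len, "mean_entropy": mean_ent,
                         "txt_null_queries": z["txt_null"]}
    return out


# Constructed sample log (not real traffic). example.net has six unique but short
# subdomains, which is why the unique-count threshold alone is not enough.
SAMPLE_LINES = [
    "client 10.0.0.5#5353: query: www.example.org IN A",
    "client 10.0.0.5#5353: query: mail.example.org IN MX",
    "client 10.0.0.6#5353: query: cdn.example.net IN A",
    "client 10.0.0.6#5353: query: api.example.net IN A",
    "client 10.0.0.6#5353: query: static.example.net IN A",
    "client 10.0.0.6#5353: query: img.example.net IN A",
    "client 10.0.0.6#5353: query: js.example.net IN A",
    "client 10.0.0.6#5353: query: css.example.net IN A",
    "client 10.0.0.9#5353: query: 4a7f0e19c3b28d56e1f90a7b3c4d5e6f.tunnel.example IN TXT",
    "client 10.0.0.9#5353: query: 9c02b7d4e8f1a63507de2b9c4f1a8e63.tunnel.example IN TXT",
    "client 10.0.0.9#5353: query: 71e3a9d0c5f84b26e97a1d3c0f5b8e42.tunnel.example IN TXT",
    "client 10.0.0.9#5353: query: b6d2f0a8e4c19375d8b0f2a6e4c13957.tunnel.example IN TXT",
    "client 10.0.0.9#5353: query: 03e7c1a5f9b2d864e70c3a1f5b9d2486.tunnel.example IN TXT",
    "client 10.0.0.9#5353: query: e5a2c8f14b7d3906a5e2c8f41b7d3960.tunnel.example IN TXT",
]

if __name__ == "__main__":
    for zone, stats in suspicious_zones(SAMPLE_LINES).items():
        print(zone, stats)
```

The three thresholds work together: CDNs and large SaaS zones also produce many unique names, but they are short and low-entropy, while a handful of long random-looking queries (a single DKIM or TXT lookup) never reaches the unique-count floor.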
 
Finally, a personal pet peeve of mine is reports that make a lot of fuss about lacking or improper DMARC implementation, which allegedly allows for phishing attacks impersonating the affected domains. On the Word to the Wise blog, Laura Atkins explains why DMARC doesn’t fix phishing, even though it has made a notable impact against phishing.
 
© 2019 Virus Bulletin Limited
The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, UK