Today it is exactly a month until the start of VB2019, the 29th Virus Bulletin Conference. We are thrilled that no fewer than 21 organisations (a record number) have partnered with VB2019 in one way or another, and we have just closed the call for last-minute papers. The complete programme should be available by the end of this week.
One topic that continues to feature in the news, including in this very newsletter, is Magecart: the targeting of online payment systems with JavaScript-based skimmers. Last week we previewed the paper RiskIQ researcher Yonathan Klijnsma will present on Magecart at VB2019 in London. Another regularly occurring topic is the use of ‘LOLbins’ by malicious actors. In another VB2019 paper that we previewed, Endgame researcher Bobby Filar will present a framework to detect such malicious use of legitimate binaries through the parent-child process chain. Don’t forget to book your tickets for VB2019 to see these and more than 50 other talks in London!
Martijn Grooten
Editor, Virus Bulletin
For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines.
In a bombshell blog post, Ian Beer from Google’s Project Zero has written about the discovery of five exploit chains targeting iPhone users. The chains had been used in watering hole attacks in which a small number of hacked websites indiscriminately infected visitors for at least two years. In an analysis of the implant, Beer writes that the infection did not persist following reboot, but while active it was able to steal data from, for example, email and messaging apps. Apps whose data was always uploaded included WhatsApp, Gmail and Tencent’s QQ. Interestingly, the data was uploaded to a hard-coded IP address and no encryption was used to protect it. Sources have since told TechCrunch’s Zack Whittaker that the targets of the infections were China’s Uyghur minority.
Researchers at Avast recently worked with the French National Gendarmerie to take down the Retadup worm that had infected hundreds of thousands of Windows machines, almost all of them located in Latin America. Retadup, analysed by Trend Micro in 2017 and 2018, used infected machines to mine for the Monero cryptocurrency, yet in some cases also pushed ransomware or a password stealer. Because most of the C&C infrastructure was located in France, French law enforcement got involved and took over the C&C infrastructure. This isn’t an uncommon action against botnets, but thanks to a design flaw in the malware, the researchers were able to clean up infections without running extra code on the infected machines (something which would have been more controversial).
LYCEUM is a threat actor active in the Middle East that, according to Secureworks (the first to write about it), has been active for at least a year. It targets sectors of strategic national importance and does so in multi-stage attacks: using brute-force attacks it obtains credentials within a targeted organisation and then sends spear-phishing emails from the compromised accounts. These emails spread DanBot, a first-stage RAT (not to be confused with Danabot) that is used for further access within the organisations. Interestingly, one of the documents used as a lure in the spear-phishing attacks claims to contain a list of the 25 worst passwords.
China Chopper is a widely available web shell that, despite its age (the first public analysis is from almost seven years ago), continues to be popular, especially in targeted attacks, for example in the recently uncovered Operation Soft Cell. Cisco Talos researchers Paul Rascagneres and Vanja Svajcer have looked at the web shell and its use in three other recent campaigns, showing how useful the tool remains to many threat actors.
The financially motivated TA505 actor continues to be very active. Researchers at Trend Micro have reported various small changes in recent campaigns by this group, from the use of .ISO attachments (not previously used by TA505) to a DLL variant of the FlawedAmmyy RAT used by the group. It has also targeted a number of new countries.
Researchers at IBM X-Force write about a cybercrime group named ITG08 that is perhaps better known as FIN6. The group has historically targeted point-of-sale systems in brick-and-mortar retailers but has now switched to targeting online retailers. FIN6 obtains access to the retailers’ systems through spear-phishing emails spreading the more_eggs backdoor; an earlier campaign spreading this backdoor was previously analysed by Proofpoint. The targeting of online payment systems is, of course, referred to by the umbrella term ‘Magecart’, and Yonathan Klijnsma pointed out that, not coincidentally, FIN6 is what he refers to as ‘Magecart Group 6’.
![](https://original.securityintelligence.com/wp-content/uploads/2019/08/si-moreeggs-chart.jpg)
The hack of the Twitter account of Twitter’s own CEO Jack Dorsey has alerted the general public to the dangers of SIM swapping attacks. The authors of the Trickbot malware have also realised the value of SIM swapping: researchers at Secureworks discovered a new module added to the malware that injects code into the websites of various US mobile carriers and asks for the account PIN code. This PIN could be used to ‘swap’ the SIM of the affected user.
Cisco Talos researchers Edmund Brumaghin and Holger Unterbrink have analysed the activities of a threat actor that used both RevengeRAT and Orcus RAT as the payload in its email campaigns.
Another widely available RAT, Quasar, is being spread through a malicious spam campaign with emails pretending to contain resumes. The emails carry a macro-embedded Word attachment that is password-protected, with the password provided in the email body, a trick commonly used in this kind of resume spam.
Earlier this year CISA sent an alert about HopLight, malware it attributed to North Korea. Now, Alert Logic has reverse engineered the string obfuscation algorithm used in the malware.
A malvertising campaign using vulnerable WordPress plug-ins to insert redirects and pop-ups into affected websites, first reported by Wordfence’s Mikey Veenstra in July, continues, according to further analysis by Veenstra. Apart from targeting further plug-ins, the campaign now also adds a backdoor to affected websites.
Kaspersky researchers have published a brief analysis of BRATA, a new RAT for Android devices used exclusively in Brazil. More than 20 variants have appeared in the Google Play store, with many posing as an update for the infamous WhatsApp vulnerability patched in May after it had been found exploited in the wild.
Also on Google Play was CamScanner, a legitimate app used to create PDFs that was downloaded no fewer than 100 million times. A discovery by Kaspersky that the app had been updated to contain a malicious dropper (possibly the result of a partnership with an unscrupulous advertiser) led Google to remove the app from the Play store.
Two other popular Android apps with a collective download count of about 1.5 million were also removed from the Play store after Symantec researchers May Ying Tee and Martin Zhang found them engaged in fraudulent ad-clicking: the advertisements were displayed outside the boundaries of the screen and then clicked on automatically.
The Android Debug Bridge left open by the manufacturer is a known issue with many Android-based devices. Now, researchers at WootCloud report they have found a new botnet, dubbed Ares, that uses this to infect various set-top boxes.
On the SANS Internet Storm Center blog, Xavier Mertens looked at two malware samples that use tools present on many Windows machines, jsc.exe and msbuild.exe, to compile the next-stage malware on the infected machine itself, yet another way to bypass detection that looks for malicious PE files.
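Both the jsc.exe/msbuild.exe samples above and the parent-child process chain approach mentioned in the VB2019 preview earlier in this issue come down to the same detection question: which process launched the compiler, and where did its input come from? The following added example (written for this newsletter, not code from the SANS ISC post or the Endgame paper) walks constructed process-creation records, builds the ancestry chain for each launch of jsc.exe or msbuild.exe, and flags launches that come from an Office application or script host or that compile a file from a user-writable path. The parent list, path hints and sample records are all assumptions for illustration.

```python
"""Flag compiler LOLbins (jsc.exe, msbuild.exe) launched from an unexpected
parent or fed source from a user-writable path.

Added example; not code from the newsletter, the SANS ISC post or the
Endgame paper it mentions. The process records, the Office/script-host
parent list and the path hints are constructed assumptions for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Binaries named on the page that can compile attacker-supplied source on the host.
COMPILER_LOLBINS = {"jsc.exe", "msbuild.exe"}

# Parents from which a compiler launch is almost never legitimate (assumed list).
OFFICE_AND_SCRIPT_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Path fragments that suggest a source/project file outside a normal dev tree (assumed).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def basename(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def process_chain(proc, by_pid, max_depth=5):
    """Ancestry of a process as image names, child first; stops at max_depth."""
    chain = [basename(proc.image)]
    cur = proc
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def detect(procs):
    """Return (pid, 'root -> ... -> child', [reasons]) for each suspicious compiler launch."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if basename(p.image) not in COMPILER_LOLBINS:
            continue
        chain = process_chain(p, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        reasons = []
        if parent in OFFICE_AND_SCRIPT_HOSTS:
            reasons.append("compiler spawned by Office application or script host")
        if any(h in p.cmdline.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("source or project file in user-writable path")
        if reasons:
            alerts.append((p.pid, " -> ".join(reversed(chain)), reasons))
    return alerts


# Constructed process-creation records (pid, ppid, image, command line).
SAMPLE_PROCS = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "WINWORD.EXE /n invoice.docm"),
    Proc(300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
         r"jsc.exe /nologo C:\Users\alice\AppData\Local\Temp\stage2.js"),
    Proc(400, 100, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
         "devenv.exe"),
    Proc(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         r"MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for pid, chain, reasons in detect(SAMPLE_PROCS):
        print(f"pid {pid}: {chain}\n  " + "\n  ".join(reasons))
```

The developer's MSBuild launch under devenv.exe produces no alert, while the jsc.exe launch under WINWORD.EXE trips both heuristics; in a real deployment the parent allow-list and path hints would be tuned to the environment's build hosts.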
In Kaspersky’s quarterly report on spam and phishing, the company reports several trends also seen by Virus Bulletin in our test lab, such as the continuation of sextortion emails and the use of Google Drive and Google Cloud Storage to host malicious content.
A recent example of sextortion spam was sent pretending to come from the ‘ChaosCC’ hacking group and has been covered by Bleeping Computer.
Researchers at JASK have written a short paper on detecting two common persistence mechanisms used by adversaries: the creation of new services and scheduled tasks.
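On Windows, both of those persistence mechanisms leave a dedicated event: a new service is logged as Event ID 7045 in the System log, and a new scheduled task as Event ID 4698 in the Security log (the task definition is embedded as XML in the TaskContent field). The added example below is not from the newsletter or the JASK paper; it triages constructed event records of both kinds, pulls the command out of the task XML, and flags entries whose binary lives in a user-writable directory or which persist through a script host. The event records and the heuristics are assumptions for illustration.

```python
"""Triage Windows persistence events: new services (System log, Event ID 7045)
and new scheduled tasks (Security log, Event ID 4698).

Added example; not code from the newsletter or the JASK paper it cites.
The event records are constructed and the path/host heuristics are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML as embedded in the 4698 TaskContent field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Heuristics (assumed): binaries in user-writable locations, or persistence via a script host.
SUSPICIOUS_PATH = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)


def score_command(cmd):
    """Return the list of heuristics a command line trips (empty if none)."""
    reasons = []
    if SUSPICIOUS_PATH.search(cmd):
        reasons.append("binary in user-writable path")
    if SCRIPT_HOSTS.search(cmd):
        reasons.append("launched through a script host or LOLBin")
    return reasons


def task_commands(task_xml_text):
    """Extract 'command arguments' strings from every <Exec> action in task XML."""
    root = ET.fromstring(task_xml_text)
    cmds = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        command = exec_el.findtext(TASK_NS + "Command", default="")
        args = exec_el.findtext(TASK_NS + "Arguments", default="")
        cmds.append((command + " " + args).strip())
    return cmds


def triage(events):
    """Return (EventID, name, [reasons]) for each event that trips a heuristic."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7045:
            name, reasons = ev["ServiceName"], score_command(ev["ImagePath"])
        elif ev["EventID"] == 4698:
            name = ev["TaskName"]
            reasons = [r for cmd in task_commands(ev["TaskContent"]) for r in score_command(cmd)]
        else:
            continue
        if reasons:
            alerts.append((ev["EventID"], name, reasons))
    return alerts


def task_xml(command, arguments):
    """Build a minimal Task Scheduler XML body (helper for the constructed samples)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events; field names follow the real 7045/4698 schemas.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\Users\Public\svchost.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "ExampleAgent",
     "ImagePath": r"C:\Program Files\Example Vendor\agent.exe", "StartType": "auto start"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": task_xml(
         "powershell.exe",
         r"-NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\update.ps1")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
]

if __name__ == "__main__":
    for event_id, name, reasons in triage(SAMPLE_EVENTS):
        print(f"{event_id} {name}: {', '.join(reasons)}")
```

The two legitimate-looking entries (a vendor agent under Program Files and the built-in defrag task) pass silently; the service in C:\Users\Public and the PowerShell task reading a script from AppData are reported. Note that 4698 is only written when the audit policy for object access (Other Object Access Events) is enabled, so the Security log should be checked for that before relying on it.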
At ZDNet, Catalin Cimpanu writes about the takedown of a malware gang by Russian police, based on a story (in Russian) by Group-IB, which helped authorities in the takedown. The malware group, dubbed TipTop, predominantly used the Hqwar Android malware to target customers of Russian banks, something which put them in the spotlight of the local authorities.
Trend Micro researcher Jindrich Karasek has looked at a sophisticated phishing kit he calls Heatstroke, which demonstrates the level of sophistication in such kits today: the kit uses multiple stages and the code on the phishing pages is generated dynamically.
Exfiltrating data via DNS (or ‘DNS tunnelling’) is increasingly used in real-world attacks to bypass intrusion detection systems. Alert Logic has described an example of a backdoored SSH client that uses DNS to exfiltrate data from infected systems.
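Tunnelled data has to be encoded into query names, which gives a resolver log a recognisable shape: one zone receives a stream of queries whose leftmost labels are long, high-entropy and almost never repeat. The added example below (written for this newsletter, not code from Alert Logic's analysis) scores each zone in a constructed query log on those three properties and reports the zone that looks like a tunnel. The log lines, the thresholds and the naive registered-domain split (last two labels rather than a public suffix list) are assumptions.

```python
"""Spot DNS tunnelling / exfiltration in a resolver query log.

Added example; not code from the newsletter or the Alert Logic analysis it cites.
Log lines are constructed; thresholds and the naive registered-domain split
(last two labels, no public suffix list) are assumptions.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive zone split: last two labels (assumption; use a PSL in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """'<timestamp> <client> <qname> <qtype>' -> tuple with normalised qname."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def analyse(lines, min_queries=5, entropy_threshold=3.5, max_label_len=40):
    """Return zones whose subdomains look like encoded payloads rather than hostnames."""
    per_zone = defaultdict(lambda: {"queries": 0, "unique": set(), "long": 0, "high_entropy": 0})
    for line in lines:
        _, _, qname, _ = parse_line(line)
        zone = registered_domain(qname)
        sub = qname[:-len(zone) - 1] if qname != zone else ""
        z = per_zone[zone]
        z["queries"] += 1
        z["unique"].add(sub)
        if sub:
            if max(len(label) for label in sub.split(".")) > max_label_len:
                z["long"] += 1
            if shannon_entropy(sub.replace(".", "")) > entropy_threshold:
                z["high_entropy"] += 1
    suspects = []
    for zone, z in per_zone.items():
        if z["queries"] < min_queries:
            continue  # too few samples to judge
        unique_ratio = len(z["unique"]) / z["queries"]
        # A tunnel yields a new, long or high-entropy subdomain on almost every query.
        if unique_ratio > 0.8 and (z["long"] > 0 or z["high_entropy"] * 2 >= z["queries"]):
            suspects.append(zone)
    return sorted(suspects)


def build_sample_log():
    """Constructed resolver log: ordinary lookups plus encoded chunks under one zone."""
    lines = [
        "2019-08-30T10:00:01 10.0.0.5 www.example.com A",
        "2019-08-30T10:00:02 10.0.0.5 mail.example.com MX",
        "2019-08-30T10:00:03 10.0.0.7 www.example.com A",
        "2019-08-30T10:00:04 10.0.0.7 cdn.example.com AAAA",
        "2019-08-30T10:00:05 10.0.0.9 www.example.com A",
        "2019-08-30T10:00:06 10.0.0.9 updates.vendor-example.net A",
        "2019-08-30T10:00:07 10.0.0.9 updates.vendor-example.net A",
    ]
    for i in range(6):
        # Hex-encoded data chunk as the leftmost label (sha256 only supplies fixed sample bytes).
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        lines.append(f"2019-08-30T10:01:{i:02d} 10.0.0.5 {chunk}.s{i}.exfil-example.test TXT")
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))  # ['exfil-example.test']
```

The min_queries floor keeps a couple of odd lookups (the two vendor-example.net queries) from raising an alert on their own; CDN and anti-spam zones that legitimately use hashed subdomains are the usual false positives, and are best handled with an allow-list rather than by loosening the thresholds.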
Finally, a personal pet peeve of mine is reports that make a lot of fuss about a lacking or improper DMARC implementation, which allegedly allows for phishing attacks impersonating the affected domains. On the Word to the Wise blog, Laura Atkins explains why DMARC doesn’t fix phishing, even though it has made a notable impact against phishing.
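The limit is built into the protocol: a DMARC policy is only consulted for the domain in the From header, and it only checks whether a passing SPF or DKIM result is aligned with that domain. Exact-domain spoofing of an enforcing domain is rejected; a message from a look-alike domain the phisher registered and authenticated themselves passes every check. The added example below (written for this newsletter, not code from the Word to the Wise post) implements that evaluation and runs both cases. The DMARC records, authentication results and the last-two-labels organisational-domain split are constructed assumptions.

```python
"""Evaluate DMARC for a message and show what it does and does not stop.

Added example; not code from the newsletter or the Word to the Wise post.
The DMARC records, authentication results and the naive organisational-domain
split (last two labels) are constructed assumptions; a real evaluator queries
_dmarc.<domain> TXT records and uses the public suffix list.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying the relaxed-alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organisational domain, naively the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only the organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, records, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (disposition, reason): 'pass', the published p= policy on failure,
    or 'none' when the From domain publishes no record."""
    txt = records.get(from_domain.lower()) or records.get(org_domain(from_domain))
    if txt is None:
        return "none", "no DMARC record published for the From domain"
    policy = parse_dmarc(txt)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "an aligned SPF or DKIM pass exists"
    return policy["p"], "no aligned authentication; applying published policy"


# Constructed records: the brand enforces; the look-alike publishes its own (monitor-only) record.
RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",
}


def scenarios():
    """Four messages as a receiver sees them after its own SPF/DKIM checks (constructed)."""
    return {
        # 1. Exact-domain spoof: SPF passed for the sending host's domain, not for example.com.
        "spoofed_from": evaluate("example.com", RECORDS, spf_pass_domain="bulk-sender.example.net"),
        # 2. Genuine mail: DKIM signature with d=example.com verified.
        "legitimate": evaluate("example.com", RECORDS, dkim_pass_domains=("example.com",)),
        # 3. Look-alike domain the phisher registered: fully authenticated for *its* domain.
        "lookalike": evaluate("examp1e.com", RECORDS, spf_pass_domain="examp1e.com"),
        # 4. Domain with no DMARC record at all: the receiver has no policy to apply.
        "no_record": evaluate("example.org", RECORDS),
    }


if __name__ == "__main__":
    for name, (disposition, reason) in scenarios().items():
        print(f"{name:13} -> {disposition:7} ({reason})")
```

Scenario 3 is the one a report that only grades a domain's DMARC record misses: the look-alike passes as a perfectly authenticated message, and no policy the impersonated brand publishes can change that. What an enforcing record does buy the brand is scenario 1, which is why the impact is real even though it is narrower than such reports suggest.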
© 2019 Virus Bulletin Limited
The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, UK