CyberProof TM

CyberProof Threat Intelligence Monthly Report November 2019

11-18-2019 NEW ATTACK DROPS DOUBLE REMOTE ACCESS TROJAN IN WINDOWS TO STEAL CHROME AND FIREFOX BROWSERS DATA

Tags: RAT, RevengeRAT, WSHRAT, Windows, Chrome, Firefox, Browser Label: Threat Analysis

Researchers discovered a new malware campaign that drops two different Remote Access Trojans (RATs) on targeted Windows systems and steals sensitive information from popular browsers such as Chrome and Firefox.

The malware drops the RevengeRAT and WSHRAT malware. Both offer a wide range of functionality and rely on multiple stages of the infection chain to maintain persistence.

11-18-2019 A NEW RANSOMWARE-AS-A-SERVICE WAS DETECTED

Tags: Ransomware, MaaS, Cobalt Gang, FIN6 Label: Threat Analysis

A new and until recently undetected ransomware was discovered that is being used for targeted attacks against production servers of enterprises. The ransomware was found to be closely related to the “more_eggs” malware, which is sold by a veteran MaaS provider and has been used by the Cobalt Gang, FIN6, and other threat groups. In addition to Windows, the ransomware also attacks infrastructure. It was dubbed PureLocker because it is written in the PureBasic programming language. [1]

Scanning a sample of this ransomware in VirusTotal shows that the file was undetected by anti-virus engines at the time of discovery, and it remained undetected for an unusually long time for malware. Analyzing the sample in several sandboxes at the time of discovery also did not reveal any sign of malicious behavior. Further investigation revealed that the file was disguised as a Crypto++ library; most of its code was unique and probably new, or heavily modified. It also contained code reused from several malware families, mainly malware related to the Cobalt Gang.

[1] https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/

© 2019 CyberProof Inc. All Rights Reserved.


11-11-2019

PLATINUM APT’S NEW BACKDOOR MIMICS POPULAR PC SOFTWARE TO STAY HIDDEN

Tags: Malware, Backdoor, APT, Platinum, Titanium Label: Threat Analysis

The Platinum advanced persistent threat (APT) group has developed a new backdoor with interesting concealment techniques.

Platinum APT Group

Platinum is the name given by Microsoft to a collective active against governments and related organizations in South and Southeast Asia. [2] The group is generally secretive and rarely divulges any information about its members. Its main skill is creating attacks that avoid detection for many years.

Execution

During recent analysis CyberProof discovered that Platinum is using a new backdoor that security researchers call Titanium (named after the password to one of its self-extracting archives). Titanium uses a complex sequence of file dropping, downloading and installing stages, with the deployment of a Trojan backdoor as the final step. Almost every stage mimics known software, such as security software, DVD video authoring software or sound drivers, which allows the malware to remain undetected.

11-11-2019

NEW EXPLOIT KIT NAMED CAPESAND WAS DETECTED BEING SPREAD IN THE WILD

Tags: Exploit Kit, Capesand, Malspam, Campaign Label: Threat Analysis

A new exploit kit named Capesand was discovered in October 2019. Capesand is designed to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). The threat actors behind this exploit kit reuse source code from a publicly shared exploit kit and continue to develop it. [3]

[2] Read Microsoft’s full report here: https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

[3] https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse/


Malvertising Campaign

This exploit kit was spread using a malvertisement that redirects to a supposed blockchain blog. Analysis of the page source code shows that it was copied using a website copying tool named HTTrack. The page contains a hidden iframe used to load the exploit kit. In mid-October the iframe loaded the Rig exploit kit; it was later replaced with Capesand.
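The two artifacts described above (an HTTrack-mirrored decoy page and a hidden iframe that loads the exploit kit) are both visible in page source, so a defender can check suspected landing pages for them automatically. The following is an added example, not code from the report or from the researchers it cites. It assumes two things: that HTTrack, by default, writes a "Mirrored from ... by HTTrack Website Copier" comment at the top of each mirrored page, and that an iframe is "hidden" when it is styled `display:none`/`visibility:hidden`, carries the `hidden` attribute, or has a 0 or 1 pixel width or height. The sample page is constructed for the example.

```python
from html.parser import HTMLParser
import re

# Comment HTTrack inserts into every mirrored page by default (assumption stated in the lead-in).
HTTRACK_COMMENT = re.compile(r"Mirrored from .* by HTTrack Website Copier", re.IGNORECASE)


class IframeAuditor(HTMLParser):
    """Collect every <iframe> on a page together with the reasons it looks hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.httrack_mirror = False

    def handle_comment(self, data):
        if HTTRACK_COMMENT.search(data):
            self.httrack_mirror = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # Attributes without a value (e.g. a bare "hidden") arrive as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        if a.get("hidden") is not None:
            reasons.append("hidden-attr")
        self.iframes.append({"src": a.get("src", ""), "reasons": reasons})


def audit_page(html):
    """Return the HTTrack indicator plus all iframes and the subset that look hidden."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    hidden = [f for f in parser.iframes if f["reasons"]]
    return {"httrack_mirror": parser.httrack_mirror,
            "iframes": parser.iframes,
            "hidden_iframes": hidden}


# Constructed sample page: a mirrored "blog" with one ordinary embed and one hidden iframe.
SAMPLE_PAGE = """<!DOCTYPE html>
<!-- Mirrored from blockchain-blog.example/ by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 15 Oct 2019 10:00:00 GMT -->
<html><head><title>Blockchain blog (constructed sample)</title></head>
<body>
<h1>Latest posts</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://landing.example/gate.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_PAGE)
    print("HTTrack mirror:", result["httrack_mirror"])
    for frame in result["hidden_iframes"]:
        print("hidden iframe ->", frame["src"], frame["reasons"])
```

Neither indicator is proof on its own: legitimate sites use hidden iframes for analytics and HTTrack is a legitimate tool. The combination on a page reached through an ad redirect is what merits blocking the iframe's target and pulling the page for analysis.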

11-04-2019 NEW TRICKY TECHNIQUE WHERE ATTACKERS USE EXCEL 4.0 IN MALSPAM CAMPAIGN

Tags: Office, Excel, Malspam, Campaign, CVE, VBA Label: Threat Advisory

This week, researchers found a new global campaign that lures victims into opening email attachments using a new tricky technique. The attacker first sends a phishing email disguised as an important message, with an Excel document as an attachment.

Traditional malspam contains Microsoft Office files with VBA macros and manipulates the victim into clicking “Enable Content” so that the malicious VBA macro code runs in the background. In this technique, attackers instead use Excel 4.0 macros, which are old but still effective, since all versions of Excel can run them. The macros are not stored in a VBA project but are placed inside spreadsheet cells, using functions such as Exec(), Halt() and Auto_Open(). To keep the victim from noticing them, attackers store the macros in hidden spreadsheets.
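The three indicators the paragraph names (a macro sheet rather than a VBA project, a hidden sheet, and Auto_Open plus Exec/Halt cells) can all be read straight out of the file container, which makes them a good basis for a mail-gateway or triage check. The following is an added example and not code from the report. It assumes the Office Open XML layout used by .xlsm/.xlsx files, where Excel 4.0 macro sheets are stored as parts under `xl/macrosheets/`, sheet visibility is the `state` attribute (`hidden` or `veryHidden`) of each `<sheet>` in `xl/workbook.xml`, and Auto_Open is recorded as the defined name `_xlnm.Auto_Open`. CALL and REGISTER are added to the watch list as two further Excel 4.0 functions that reach native code; that addition is the example's, not the report's. The legacy binary .xls format stores the same macros differently and would need a BIFF parser instead. The sample workbooks are constructed in memory and contain no real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Excel 4.0 (XLM) functions worth flagging in macro-sheet cells. EXEC and HALT are the
# ones the report names; CALL and REGISTER are added here as further native-code hooks.
SUSPICIOUS_FUNCS = ("EXEC", "HALT", "CALL", "REGISTER")
FUNC_RE = re.compile(r"\b(%s)\s*\(" % "|".join(SUSPICIOUS_FUNCS), re.IGNORECASE)


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}sheet' -> 'sheet')."""
    return tag.rsplit("}", 1)[-1]


def scan_xlm(workbook_bytes):
    """Inspect an OOXML workbook (bytes of an .xlsm/.xlsx) for Excel 4.0 macro indicators."""
    findings = {"macrosheets": [], "hidden_sheets": [], "auto_open": False,
                "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
        names = zf.namelist()
        # XLM macro sheets live as separate parts under xl/macrosheets/ (assumed OOXML layout).
        findings["macrosheets"] = [n for n in names
                                   if n.startswith("xl/macrosheets/") and n.endswith(".xml")]
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                tag = _local(el.tag)
                if tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((el.get("name"), el.get("state")))
                elif tag == "definedName" and (el.get("name") or "").lower().endswith("auto_open"):
                    # _xlnm.Auto_Open makes the referenced cell run when the workbook opens.
                    findings["auto_open"] = True
        for part in findings["macrosheets"]:
            for el in ET.fromstring(zf.read(part)).iter():
                if _local(el.tag) == "f" and el.text and FUNC_RE.search(el.text):
                    findings["suspicious_formulas"].append((part, el.text))
    return findings


def verdict(findings):
    """'suspicious' when a macro sheet is paired with any concealment or auto-run indicator."""
    if findings["macrosheets"] and (findings["hidden_sheets"] or findings["auto_open"]
                                    or findings["suspicious_formulas"]):
        return "suspicious"
    return "clean"


# --- constructed sample workbooks (no real payload) ---------------------------------
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

WORKBOOK_WITH_MACRO = f"""<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>
</workbook>"""

MACROSHEET = f"""<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>EXEC("placeholder.exe")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>"""

WORKBOOK_CLEAN = f"""<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">
  <sheets><sheet name="Invoice" sheetId="1" r:id="rId1"/></sheets>
</workbook>"""


def build_sample(with_macro):
    """Zip a minimal OOXML container in memory, with or without the hidden macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{MAIN_NS}"/>')
        if with_macro:
            zf.writestr("xl/workbook.xml", WORKBOOK_WITH_MACRO)
            zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET)
        else:
            zf.writestr("xl/workbook.xml", WORKBOOK_CLEAN)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        found = scan_xlm(build_sample(flag))
        print(verdict(found), found)
```

Because the check reads the container rather than relying on a VBA-project scanner, it still fires on attachments that contain no VBA at all, which is exactly the gap this campaign exploits; pairing it with a policy that blocks Excel 4.0 macro execution on endpoints closes the other side.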

11-04-2019 NEW RANSOMWARE CCRYPTOR CAN ENCRYPT 362 FILE TYPES

Tags: Ransomware, CCryptor, CVE Label: Threat Analysis

Recently, security researchers captured a new type of ransomware named CCryptor. The attacker spreads the ransomware through phishing emails and exploits the CVE-2017-11882 vulnerability to deploy it on the victim’s machine. CCryptor encrypts files in 362 different formats using RSA and AES-256. Ten days after infection, if the files have not been recovered in time, all encrypted file data is deleted; the victim is warned of this in advance. CCryptor is written in C# and obfuscates its code with .NET Confuser to evade anti-virus termination and analysis.


10-28-2019 PHP7 REMOTE CODE EXECUTION BUG EXPLOITED IN THE WILD

Tags: PHP, RCE, Exploit, KovCoreG, Campaign Label: Threat Analysis

Researchers recently found that a recently disclosed security flaw in modern versions of the PHP programming language is being exploited in the wild to take over network servers. The vulnerability is a remote code execution (RCE) bug in PHP 7, the newer branch of PHP, which is the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL.
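Because the trigger is a request URL, the exploitation attempts the report describes leave a trace in ordinary web server access logs. The following is an added example, not code from the report or from the researchers it cites. It follows the public analysis of CVE-2019-11043 (PHP-FPM behind nginx, where a newline in the request path defeats the `fastcgi_split_path_info` regular expression) and therefore flags any request for a `.php` path whose URL-decoded form contains a CR or LF; that indicator, the log format (nginx combined) and the log lines themselves are the example's assumptions and constructed data, not the report's.

```python
import re
from urllib.parse import unquote

# Combined-format access log line: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def is_suspicious_request(target):
    """True for a .php path whose decoded form carries a newline or carriage return.

    Indicator assumed from the public analysis of CVE-2019-11043: a %0A/%0D in the path
    of a PHP request is not something a legitimate client sends.
    """
    path = target.split("?", 1)[0]
    if ".php" not in path.lower():
        return False
    decoded = unquote(path)
    return "\n" in decoded or "\r" in decoded


def find_suspicious(log_text):
    """Return (client, request target, status) for every matching request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count it elsewhere if you track parser failures
        if is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log (not real traffic): two normal requests and two probes that
# place an encoded newline in the path of a .php request.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2019:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2019:10:01:13 +0000] "GET /static/app.js HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Oct/2019:10:02:44 +0000] "GET /index.php/%0Aprobe.php?x=1 HTTP/1.1" 502 157 "-" "curl/7.64.0"
198.51.100.9 - - [28/Oct/2019:10:02:45 +0000] "GET /index.php/%0Aprobe.php?x=1 HTTP/1.1" 200 35 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    for ip, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Detection only buys time: the fix is to move PHP-FPM to a release that contains the patch for CVE-2019-11043, and in nginx front ends to let the PHP location serve only files that exist (a `try_files $uri =404;` before `fastcgi_pass`), which keeps crafted paths from reaching FPM at all.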

ABOUT CYBERPROOF

CyberProof's advanced cloud-based orchestration and automation platform drives operational efficiency, allowing our nation-state cyber experts to remain focused on each individual threat. In the face of a hostile and evolving threat environment, CyberProof integrates all the elements you need to detect and prioritize threats early and to respond rapidly and decisively.

CyberProof is part of the UST Global family. Some of the world’s largest enterprises trust us to create and maintain secure digital ecosystems using our comprehensive cyber security platform and mitigation services.

For more information, visit our website at www.cyberproof.com or reach out to us at [email protected].
