
BluVector Threat Report Q3 2018

Trojans are still winning. Out of the 12 Threat Reports over Q3, six were trojans. While the results from the Threat Report quarterly for Q2 2018 were fairly even in terms of the volume of threats spread between APTs, ransomware and trojans, Q3 2018 showcased the depth and breadth of trojan diversity and malicious innovation.

TABLE OF CONTENTS
3. Threat Report Q3 2018 Threat Chart
4. Summary
5. Summary Continued
6. APT: Turla
7. APT: APT28
8. APT: Lojax
9. RANSOMWARE: Magniber
10. RANSOMWARE: Gandcrab
11. RANSOMWARE: BitPaymer
12. TROJAN: AZORult
13. TROJAN: Windows/Android App
14. TROJAN: Dark Tequila
15. TROJAN: Delphi Crypters
16. TROJAN: Cobalt
17. TROJAN: RtPOS
18. About BluVector

THREAT REPORT Q3 2018 THREAT CHART

[Chart: for each named threat, grouped as APTs, ransomware and trojans, the number of months in advance of the threat being first publicly identified that BluVector's machine learning engine would have detected it (axis: 10 to 50 months; values shown range from 3 to 57 months). Threats plotted: Lojax, Operation GhostSecret, RIG Exploit Kit (fileless), APT28, Turla, Kwampirs, Invisimole, RtPOS, Windows/Android App, BitPaymer, Gh0st RAT, GZipDe, RadRAT, Gandcrab, Grobios, Dark Tequila, Cobalt, Matrix, KillDisk, SynAck, Magniber, Delphi Crypters, AZORult, DBGer/Satan. Key: discovered in Q2 2018; discovered in Q3 2018.]

BluVector runs all discovered malware samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.

© 2018 BluVector, Inc.

SUMMARY

KEY FINDINGS
- First UEFI rootkit found in the wild
- Two threats using the Delphi language

First, the biggest story was the threat that wasn't. Yet it illustrates clearly how prevalent malware has become and how those who should be the most protected aren't. The discovery of Windows-targeted trojan code in 145 apps in Google's Android Play Store might be easily overlooked by those who didn't understand the context. While there was no threat to Windows from an Android application file (APK), the existence of the code showed that the apps' developers were infected. Through the development process, the code inserted itself into the app. It also illustrates an infrequently reported attack vector, as developers of popular applications might become bigger targets for malware that deliberately, and secretly, inserts code into programs before they're compiled. However simple, without the obfuscation methods commonly built into newer threats, some malware detection solutions might not pick it up.

Many malware creators use crypters to hide their malicious ways, and they're rediscovering old ways to build new threats. A new crypter, built in the older Delphi (née Pascal) language, is making the rounds, as the compiled executable is harder to reverse engineer than code in some other languages. A similar approach also showed up in APT28's Roman Holiday campaign, where Delphi code was used in the attack's dropper.

Spear phishing still works, and the group behind Cobalt has been reported by Europol to have stolen US$1.2 billion from 100 banks in over 40 countries. Originally targeted towards Russian and Romanian banks, emails were cleverly disguised as coming from the EU-based intrabank credit processor, Interkassa. In the U.S., Cobalt attacks showed up in restaurant chains including Arby's, Chili's, Chipotle and Red Robin.

Oh Trojan, How You've Evolved

As the most successful attacks, trojans are getting smarter as their developers are getting more organized or, in several apparently state-sponsored attacks, more multi-layered. In Q3, we saw the growth of multi-layered attacks as well as several attacks designed to infect computing devices in particular regions.

Dark Tequila, unlikely to be a world-spanning mega threat, targeted Spanish-speaking users in South America and attempts to grab credentials for web hosting panel access, Office 365, Lotus Notes, etc. When captured, that data is encrypted and uploaded to a command and control (C2) server. Interestingly, if the user isn't using a Spanish keyboard, the malware simply uninstalls itself.

Other threats, such as RtPOS, came with Russian language in the code but might be a plug-in used with other malware, as it doesn't encrypt data from POS machines. It simply writes the information to a text file, which might be more of a functional part of a bigger attack and not an attack in itself.

SUMMARY CONTINUED

Potentially the meanest attack of Q3, AZORult 3.2, rips off cryptocurrency, exfiltrates browser histories from non-Microsoft browsers (yet, who really uses Edge?) and any data that helps it get admin access. Targeted at North America, the attack begins with a password-encrypted Zip file enclosed in an email that tells the recipient the password. Inside is a Word file filled with malicious macros. After stealing all that data, it then downloads Hermes ransomware for a final coup de grâce.

Ransomware Still Getting Paid

Rather than count how much ransomware creators are earning, the Threat Report team prefers to observe changes that are going on in the malware underworld. Gandcrab isn't new, but the group behind it is accelerating its efforts. Just two days after Gandcrab 4.0 was released, version 4.1 was released with new encryption, a unique method for hardcoding C2 URLs and several trojan-like functions that grab information, including installed AV software, and send it back to a C2. With a reported $600,000 in ransom payments, Gandcrab isn't going away anytime soon. Yet BitPaymer could easily top that amount with its high 53 bitcoin ransom request (roughly $337,000).

APTs, The Choice for State-run Attacks

Despite fewer APTs this quarter, APTs are the weapon of choice for state-run or state-targeted attacks. The Turla group, believed to be Russia-based, has attacked the U.S. State Department, U.S. Central Command, embassies in EU countries and the German Federal Foreign Office. Attacks included a PDF file that includes a fileless PowerShell script. Once breached, the malware places the acquired information into an encrypted Outlook email back to its attackers. Yet the APT28 group, known for attacking southeast Asian countries, jumped to Italy for its "Roman Holiday" attack on the Italian Navy ("Marina Militare"), with a cleverly named C2 that was similar to its Italian language name, "marina-info.net".

The scariest APT of the quarter easily goes to Lojax, known for attacking the Democratic National Committee, with a new campaign that's been deployed in Central and Eastern EU countries. Rather than going file or fileless, the new attack writes itself into the UEFI (the modern version of a BIOS) of the device. Removing the threat would require reflashing the UEFI, something that most non-technical people would not know how to do. The threat does seem to be more limited, attacking Intel-based controller chips prior to the Intel Series 5, released in 2008.

Q4 Holiday Attacks

As with years prior, we expect to see an increase in attacks in Q4 2018. Seasonally, this can be partly due to holiday vacations of security staff, which can mean a delayed response to an attack. From the end user side, shoppers looking for bargains are often a prime target for email-related breaches. This is where user education proves its worth in the real world. Remind your users to be mindful about the emails they're receiving, checking the links and reporting any activities that they believe might constitute a breach.

Q3 FINDINGS
- Months in advance in earliest detection
- New threats found this quarter

APT: Turla

What Is It?

Researchers from security company ESET have released a report detailing their analysis of malware used by the Advanced Persistent Threat (APT) group Turla (also known as Waterbug, Venomous Bear and KRYPTON). The malware is currently using a novel technique for its C2 communication: it utilizes specially-formatted PDF files in emails being sent to and from Microsoft Outlook clients.

The Turla APT group is Russia-based and has been active since 2007, targeting various governmental organizations and military contractors. Previous targets have included the U.S. Department of State, U.S. Central Command (CENTCOM) and embassies located in European countries. Recent breaches attributed to Turla include the German Federal Foreign Office, where several systems were backdoored for nine months in 2017 before the malware was discovered. Previous attacks have shown Turla to have excellent social engineering and technical skills,

Firstly, the backdoor logs information related to each legitimate email sent or received by the user (sender, recipients, subject and attachment filenames). This information is encrypted and periodically sent to the attackers in a PDF file attached to an email. Incoming emails containing PDF files are scanned to see if they contain commands common to bots and backdoors, such as downloading and executing files, running commands and exfiltrating data via PDF files attached to outgoing emails. The malware attempts to remain undetected by blocking notifications of incoming C2 emails and removing them from the inbox and sent folder. It is believed to be the only malware using email exclusively for its C2 communication.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. There are no details available regarding the initial infection vector; however, the Turla APT group have proven themselves adept at utilizing social engineering to their advantage, which may include malicious documents in spear phishing emails.
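The email-only C2 behaviour described above (data leaving in PDF attachments, commands arriving in PDF attachments, and the C2 messages deleted from the inbox and sent folder) lends itself to a consistency check between what the mail gateway relayed and what the user's Sent Items still contains. The following is an added illustrative detection, not code from BluVector, ESET or the report; the gateway log format, the addresses, the message IDs and the Sent Items snapshot are all constructed for this example.

```python
"""Illustrative detection for an email-only C2 channel (constructed example).

Two signals are derived from a hypothetical mail-gateway log and a snapshot
of the user's Sent Items folder:
  1. an outbound message with a PDF attachment that the gateway relayed but
     that is absent from Sent Items, consistent with a backdoor that deletes
     its own C2 traffic from the sent folder;
  2. an outbound PDF to an external address that has never previously sent
     mail to this user, i.e. a one-way PDF "conversation".
"""
import re
from collections import defaultdict

# Constructed gateway log: one relayed message per line (hypothetical format).
GATEWAY_LOG = """\
2018-08-14T08:55:10Z dir=in  from=alice@partner.example to=bob@corp.example msgid=<in-1@partner.example> attach=agenda.pdf
2018-08-14T09:02:31Z dir=out from=bob@corp.example to=alice@partner.example msgid=<out-1@corp.example> attach=agenda-notes.pdf
2018-08-14T09:12:03Z dir=out from=bob@corp.example to=ops@unknown-host.example msgid=<out-2@corp.example> attach=summary.pdf
2018-08-14T09:40:55Z dir=out from=bob@corp.example to=carol@corp.example msgid=<out-3@corp.example> attach=none
2018-08-14T10:05:00Z dir=in  from=ops@unknown-host.example to=bob@corp.example msgid=<in-2@unknown-host.example> attach=tasking.pdf
2018-08-14T10:06:12Z dir=out from=bob@corp.example to=ops@unknown-host.example msgid=<out-4@corp.example> attach=results.pdf
"""

# Constructed snapshot of the message IDs still present in Bob's Sent Items.
SENT_ITEMS = {"<out-1@corp.example>", "<out-3@corp.example>"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+dir=(?P<dir>in|out)\s+from=(?P<from>\S+)\s+to=(?P<to>\S+)"
    r"\s+msgid=(?P<msgid>\S+)\s+attach=(?P<attach>\S+)$"
)


def parse_log(text):
    """Parse gateway log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(events, sent_items, internal_domain):
    """Return findings for outbound PDF messages, in timestamp order.

    Inbound senders are accumulated as the log is walked, so signal 2 only
    considers senders seen *before* the outbound message in question.
    """
    inbound_senders = defaultdict(set)  # internal user -> addresses that have mailed them
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["dir"] == "in":
            inbound_senders[e["to"]].add(e["from"])
            continue
        if not e["attach"].lower().endswith(".pdf"):
            continue
        reasons = []
        if e["msgid"] not in sent_items:
            reasons.append("pdf_out_missing_from_sent_items")
        external = not e["to"].lower().endswith("@" + internal_domain)
        if external and e["to"] not in inbound_senders[e["from"]]:
            reasons.append("pdf_out_to_unseen_external")
        if reasons:
            findings.append(
                {"msgid": e["msgid"], "from": e["from"], "to": e["to"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(GATEWAY_LOG), SENT_ITEMS, "corp.example"):
        print(f["msgid"], f["from"], "->", f["to"], ", ".join(f["reasons"]))
```

Signal 1 is the stronger indicator, since a user who legitimately sent a PDF normally still has it in Sent Items; signal 2 on its own will also fire for ordinary first contact with a new external party and is better used to rank findings than to alert alone.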