In the middle of June, we observed a phishing campaign distributing HawkEye malware. The threat actors behind this campaign are not targeting any specific industry or region.
Once installed, the Trojan intercepts network traffic in order to harvest FTP, ICQ, POP3, and IMAP passwords; all four protocols send credentials in the clear unless TLS is used, so passive sniffing is enough to capture them. It then sends the data back to a server at a Hong Kong based ISP (HOSTFRESH). You may recall the last major malware incident involving this Hong Kong based ISP, which was one of the providers involved in the malware distribution operation run from inside the Atrivo/Intercage network.
Doubleclick Involved in Malware Distribution
The problem is exacerbated by the fact that an enormous number of Android users are stranded on old versions of the operating system. Earlier this year Google announced that it would no longer develop or distribute patches for security vulnerabilities in its WebView library, which is used to serve many ads in Android apps, for version 4.3 or lower of the OS. This affects the majority of Android devices and as many as 930 million users. These unfixed vulnerabilities allow malicious advertising to seize control of ad-serving apps, with all the privileges the user granted to that app. Since advertising is the distribution method chosen by many malware authors for exploit payloads, Google's censorship of Disconnect and similar apps denies almost a billion users access to tools that would defend them against real and present dangers that Google is no longer willing to address.
ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.
ISO files became a popular vehicle for malware deployment this summer. The malware families involved were Qbot, Icedid, and Bumblebee. We captured several malicious ISO files containing different files, as described below.
As shown in Figure 16, the execution chains of Icedid and Qbot are similar, and the ISO file plays an essential role in both. The difference is a novel way of using a CHM file to run the Icedid payload. In addition, a malicious Word document attachment is involved in dropping and executing the payload.
Over the past three months, we have seen a significant reduction in malware campaigns compared to the first half of the year. Since we discovered an Emotet campaign in mid-July, we have seen nothing further from it. Qbot activity also stopped in mid-July before resuming in September. And while Icedid distribution has been continuous, it has been less frequent.
Although malware distribution is constantly changing, with new updates and techniques regularly being added, all the attacks we observed started with phishing emails. As a result, awareness of social engineering, including end-user training, remains vital for avoiding these threats.
Falcon Sandbox uses a unique hybrid analysis technology that includes automatic detection and analysis of unknown threats. All data extracted from the hybrid analysis engine is processed automatically and integrated into the Falcon Sandbox reports. Automation enables Falcon Sandbox to process up to 25,000 files per month and create larger-scale distribution using load-balancing. Users retain control through the ability to customize settings and determine how malware is detonated.
First noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include:
This blog covers the history of Valak, reviews the chain of events for an infection, examines traffic generated by Valak and explores recent updates in obfuscation techniques used by the malware in order to evade detection. This blog also examines the Shathak/TA551 distribution system that has been consistently pushing Valak since April 2020.
The problem of malicious ads has been around for a while and there are a handful of papers addressing it. In 2007, Provos et al. included rogue ad networks in their extensive study of web malware [2], but the major focus was the emerging problem of exploit kits. In the 2009 paper by Ford et al. [3], an attempt was made to investigate the problem of malicious Flash banners. The paper is focused on the detection and classification of rogue SWF files and showcases an attack scenario of a malicious ActionScript 2.0 program. Later, a broader theoretical study was conducted by Angelia and Prishva [4], addressing the problem of malvertising. It investigates the different sides of the advertising market and covers several security-related problems, from malware distribution to privacy violation. All of these papers lack a significant number of samples and use cases of malicious adverts, and they approach the problem from the defensive perspective. In this paper, we summarize our findings regarding in-the-wild Flash banners and look at the properties of ad networks that could be leveraged by an attacker.
From our investigation we conclude that ad networks could be leveraged to aid, or even substitute for, current exploit kits. Loose security policies, high prevalence and powerful scripting capabilities make them a viable tool for malware distribution.
Adversaries utilize the PrivateLoader pay-per-install (PPI) malware distribution platform to spread a new malware framework dubbed NetDooka. This comprehensive malware framework possesses several components, such as a loader, a dropper, a kernel-mode process, a file protection driver, and a remote access trojan (RAT).
As hacks evolve, we must adapt. To keep abreast of the hackers, proactive threat detection is paramount. In the face of the massive boom in the number of malware distribution occurrences, SOC Prime leverages the collaborative expertise of 23,000+ cybersecurity professionals offering timely and efficient solutions to enable security teams to detect threats easier and faster.
In order to investigate reports of email phishing or malware/virus distribution, the Information Security Office (ISO) needs to obtain the full message: body, full headers and any attachments. Forwarding the message inline typically strips the full headers (the Received chain and authentication results are lost), so save the message as an .eml file or forward it as an attachment instead.
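The reporting requirement above maps directly onto a first triage step once the raw message arrives: pull the full header set, walk the Received chain from origin to delivery, read the SPF/DKIM/DMARC verdicts, compare the envelope, From and Reply-To domains, and hash every attachment without opening it. The block below is an example written for this page, not the ISO's own tooling; the sample .eml is constructed, using RFC 5737 documentation IP addresses and `.example` domains, and the base64 "attachment" is just the bytes `Hello`.

```python
"""Triage a raw phishing report (.eml): full headers, Received chain,
authentication results, sender-domain mismatches and attachment hashes.
Added example for this page; the message below is constructed."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample report (not a real message). An inline forward would lack
# the Received and Authentication-Results lines, which is why the raw .eml matters.
SAMPLE_EML = b"""Return-Path: <bounce@invoice-portal.example>
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id abc123; Mon, 13 Jun 2022 09:12:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.edu with SMTP; Mon, 13 Jun 2022 09:11:58 +0000
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=invoice-portal.example;
\tdkim=none; dmarc=fail header.from=invoice-portal.example
From: "Accounts Payable" <billing@invoice-portal.example>
Reply-To: payments@mail-relay.example
To: staff@example.edu
Subject: Overdue invoice
Message-ID: <20220613091158.1234@invoice-portal.example>
Date: Mon, 13 Jun 2022 09:11:58 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--BOUND
Content-Type: application/octet-stream; name="invoice.iso"
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

SGVsbG8=
--BOUND--
"""

HEADERS_OF_INTEREST = ("Return-Path", "From", "Reply-To", "To", "Subject",
                       "Message-ID", "Date", "Authentication-Results")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_eml(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes; policy.default yields EmailMessage objects."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list[str]:
    """Each relay prepends its own Received line, so header order is newest
    first; reverse it so index 0 is the hop closest to the sender. Folding
    whitespace (the leading tabs) is collapsed so the lines are greppable."""
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def auth_results(msg: EmailMessage) -> dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results."""
    value = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}


def sender_domains(msg: EmailMessage) -> dict[str, str]:
    """Domains of the envelope sender, header From and Reply-To; a mismatch
    between them is a common phishing tell worth surfacing to the analyst."""
    out: dict[str, str] = {}
    for name in ("Return-Path", "From", "Reply-To"):
        addr = parseaddr(str(msg.get(name, "")))[1]
        if "@" in addr:
            out[name] = addr.rsplit("@", 1)[1].lower()
    return out


def attachments(msg: EmailMessage) -> list[dict]:
    """Hash each attachment in memory; the hash is what gets looked up or
    shared first, the file itself stays unopened."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return out


def triage(raw: bytes) -> dict:
    """Assemble the pieces an analyst needs from one raw message."""
    msg = parse_eml(raw)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "headers": {h: " ".join(str(msg[h]).split())
                    for h in HEADERS_OF_INTEREST if msg[h] is not None},
        "received": received_chain(msg),
        "auth": auth_results(msg),
        "sender_domains": sender_domains(msg),
        "attachments": attachments(msg),
        "body_text": body.get_content() if body is not None else "",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it against a saved `.eml` by replacing `SAMPLE_EML` with the file's bytes; in the constructed sample the SPF failure, the `Reply-To` domain differing from `From`, and an `.iso` attachment each show up as separate fields rather than buried in a forwarded copy.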
Citadel is a malware distribution and botnet management toolkit that makes it simple to build ransomware and infect computers one at a time through pay-per-install apps. Citadel was created to steal personal information from its victims, including banking and financial information.
Cybercriminals are most commonly associated with malware development and distribution, but malicious software is used for more than ruining the day of ordinary internet users. For example, covert government agencies develop and use malware for cyberespionage.