Martijn Lammerts
My own digital place with a little of everything

Necurs Poses a New Challenge Using Internet Query File

22 June 2018

By Jed Valderama, Ian Kenefick, and Miguel Ang

Our last report on the Necurs botnet malware covered its use of an internet shortcut or .URL file to avoid detection, but its authors seem to be updating it again. Current findings prove that its developers are actively devising new means to stay ahead of the security measures...


Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

21 June 2018

We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are its ways of hiding behind the Tor network to elude detection and how it checks the affected system first before infecting it with a cryptocurrency-mining malware. While these attacks currently deliver resource-stealing and system performance-slowing malware, the vulnerability can be used as a doorway to other threats.


FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users

19 June 2018

Spoofing legitimate mobile applications is a common cybercriminal modus that banks on their popularity and relies on their users’ trust to steal information or deliver payloads. Cybercriminals typically use third-party app marketplaces to distribute their malicious apps, but in operations such as the ones that distributed CPUMINER, BankBot, and MilkyDoor, they would try to get their apps published on Google Play or App Store. We’ve also seen others take a more subtle approach that involves SmiShing to direct potential victims to malicious pages. Case in point: a campaign we recently observed that uses SMS as an entry point to deliver an information stealer we called FakeSpy (Trend Micro detects this threat ANDROIDOS_FAKESPY.HRX).

FakeSpy is capable of stealing text messages, as well as account information, contacts, and call records stored in the infected device. FakeSpy can also serve as a vector for a banking trojan (ANDROIDOS_LOADGFISH.HRX). While the malware is currently limited to infecting Japanese and Korean-speaking users, we won't be surprised if it expands its reach given the way FakeSpy’s authors actively fine-tune the malware’s configurations.


North American Malware Trends: Taking a Proactive Approach to Modern Threats

19 June 2018

To help IT teams decide where their points of focus should be to create an effective security strategy, we took a look at data in North America in the first quarter of 2018 to determine the trends in the threat landscape and paint a picture of the main types of threats that both individuals and organizations face today.


Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor

14 June 2018

We found a new sample that may be related to the MuddyWater campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell scripts leading to a backdoor payload. One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script and PowerShell component files, and instead encode all the scripts in the document itself.


How Machine Learning Techniques Helped Us Find Massive Certificate Abuse by BrowseFox

11 June 2018

By employing machine learning algorithms, we were able to discover an enormous certificate signing abuse by BrowseFox, a potentially unwanted application (PUA) detected by Trend Micro as PUA_BROWSEFOX.SMC. BrowseFox is a marketing adware plugin that illicitly injects pop-up ads and discount deals. While it uses a legitimate software process, the adware plugin may be exploited...
