Martijn Lammerts
My own digital place with a little of everything

Autodesk’s A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs

Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.

We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags. It resembled the way Google Drive was misused as a repository of stolen data, for instance.

The payloads we saw during our research—remote access tools (RATs)—are also notable. We found that after they were downloaded and executed, the RATs/backdoors would phone back to their respective command-and-control servers, which are resolvable via free DNS services. It’s not a novel technique, but our correlation of the indicators of compromise (IoCs) suggests that a potentially sustained, cybercriminal operation took advantage of this platform.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

USB Malware Implicated in Fileless Attacks

In early August we discussed a case where a backdoor (BKDR_ANDROM.ETIN) was being installed filelessly onto a target system using JS_POWMET.DE, a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Android Mobile Ransomware: Bigger, Badder, Better?

By Lorin Wu (Mobile Threat Analyst)

The mobile threat landscape isn’t just rife with information stealers and rooting malware. There’s also mobile ransomware. While it seems they’re not as mature as their desktop counterparts, what with the likes of WannaCry and Petya, the increasing usage of mobile devices, particularly by businesses, will naturally draw more...

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord

Recently, we discussed how cybercriminals are using the popular voice/chat client Discord to steal cookies from the running Roblox process on a Windows PC. Since then, we’ve noticed another attack going after the same information, only this time it is via Chrome extensions (CRX files). While currently it is targeting only Roblox users, the...

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Cryptocurrency Miner Uses WMI and EternalBlue To Spread Filelessly

Fileless malware can be a difficult threat to analyze and detect. It shouldn’t be a surprise that an increasing number of new malware threats are fileless, as threat actors use this technique to make both detection and forensic investigation more difficult. We recently found a new cryptocurrency miner (which we detect as TROJ64_COINMINER.QO) that uses this particular technique as well.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New Disdain Exploit Kit Detected in the Wild

The exploit kit landscape has been rocky since 2016, and we've observed several of the major players—Angler, Nuclear, Neutrino, Sundown—take a dip in operations or go private. New kits have popped up sporadically since then, sometimes revamped from old sources, but none have really gained traction. Despite that fact, cybercriminals continue to develop more of them.

On August 9, we detected a new exploit kit in the wild, being distributed through a malvertising campaign. With additional analysis of the code and activity, we can confirm that it is the Disdain exploit kit, which began advertising its services in underground forums on August 8. We found the “disdain” keyword contained in its JavaScript code.

Continue reading...

GhostClicker Adware is a Phantomlike Android Click Fraud

We’ve uncovered a pervasive auto-clicking adware in as many as 340 apps from Google Play, one of which, named “Aladdin’s Adventure’s World”, was downloaded 5 million times. These adware-embedded applications include recreational games, device performance utilities like cleaners and boosters, file managers, QR and barcode scanners, multimedia recorders and players, device chargers, and GPS/navigation-related apps.

While the majority of the said apps have been taken down, 101 were still downloadable as of August 7, 2017. Our detections/sensors saw the prevalence of this adware in Southeast Asian countries as well as Brazil, Japan, Taiwan, Russia, Italy, and the U.S.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro