Martijn Lammerts
My own digital place with a little of everything

Backdoor-carrying Emails Set Sights on Russian-speaking Businesses

A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.

We’ve observed at least five runs from June 23 to July 27, 2017, each of which sent several malicious emails per target. Affected industries were financial institutions, including banks, and mining firms. Of note is how the attackers diversified their tactics—sending different emails for each run, per target.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Cerber Ransomware Evolves Again, Now Steals From Bitcoin Wallets

Cerber ransomware has acquired the reputation of being one of the most rapidly evolving ransomware families to date. Just in May, we pointed out how it had gone through six separate versions with various differences in its routines. Several months later and it seems to have evolved again, this time adding cryptocurrency theft to its routines. This is on top of its normal ransomware routines, giving the attackers two ways to profit off of one infection.

New WannaCry-Mimicking SLocker Abuses QQ Services

Trend Micro researchers detected a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform. Detected as ANDROIDOS_SLOCKER.OPSCB, this new SLocker mobile ransomware variant features new routines that utilize features of the Chinese social network QQ, along with persistent screen-locking capabilities.

SLocker, an Android file-encrypting ransomware first detected and analyzed in July, was found mimicking WannaCry's GUI. Although Chinese police already arrested the ransomware's alleged creator, other SLocker operators clearly remained unfazed.

LeakerLocker Mobile Ransomware Threatens to Expose User Information

While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s device, a new mobile ransomware named LeakerLocker taps into its victims' worst fears by threatening to send personal data to a remote server and expose its contents to everyone on their contact lists.

DefPloreX: A Machine-Learning Toolkit for Large-scale eCrime Forensics

The security industry as a whole loves collecting data, and researchers are no different. With more data, they commonly become more confident in their statements about a threat. However, large volumes of data require more processing resources, as extracting meaningful and useful information from highly unstructured data is particularly difficult. As a result, manual data analysis is often the only choice, forcing security professionals like investigators, penetration testers, reverse engineers, and analysts to process data through tedious and repetitive operations.

How HTML Attachments and Phishing Are Used In BEC Attacks

Traditionally, BEC attacks have used keyloggers to steal saved account information from target machines. However, an executable file attachment usually warns users not to open it, as there is a high chance that the file is malicious. As a result, we’ve seen a trend wherein the attached files are no longer executables but HTML pages.

ProMediads Malvertising and Sundown-Pirate Exploit Kit Combo Drops Ransomware and Info Stealer

We’ve uncovered a new exploit kit in the wild through a malvertising campaign we’ve dubbed “ProMediads”. We call this new exploit kit Sundown-Pirate, as it is indeed a bootleg of its precursors and is actually named so in its back panel.

ProMediads has been active since as early as 2016, employing the Rig and Sundown exploit kits to deliver malware. Its activities dropped off in mid-February this year, but suddenly resurged on June 16 via Rig. However, we noticed that ProMediads eschewed Rig in favor of Sundown-Pirate on June 25.

It’s worth noting that Sundown-Pirate is only employed by ProMediads so far. This could mean that it’s yet another private exploit kit, like the similarly styled GreenFlash Sundown exploit kit that was exclusively used by the ShadowGate campaign.

Linux Users Urged to Update as a New Threat Exploits SambaCry

A seven-year-old vulnerability in Samba—an open-source implementation of the SMB protocol used by Windows for file and printer sharing—was patched last May but continues to be exploited. According to the security advisory released by the Samba project, the vulnerability allows a malicious actor to upload a shared library to a writable share, causing the server to load and execute it. If leveraged successfully, an attacker could open a command shell on a vulnerable device and take control of it. It affects all versions of Samba since 3.5.0.