Martijn Lammerts
My own digital place with a little of everything

Ransomware as a Service Princess Evolution Looking for Affiliates

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig's traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.

The post Ransomware as a Service Princess Evolution Looking for Affiliates appeared first on .

How Machine Learning Can Help Identify Web Defacement Campaigns

Website defacement — the act of visibly altering the pages of a website, notably in the aftermath of a political event to advance the political agenda of a threat actor — has been explored in our various research works. We broke down top defacement campaigns in a previous paper and, in another post, emphasized how machine learning in our security research tool can help Computer Emergency Readiness Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs) and web administrators prepare for such attacks. The latter took off from the analysis done in our most recent paper, Web Defacement Campaigns Uncovered: Gaining Insights From Deface Pages Using DefPloreX-NG. Here we expound on why machine learning (ML) was an ideal method for our analysis to better understand how web defacers operate and organize themselves.

Malware Targeting Bitcoin ATMs Pops Up in the Underground

With the increasing popularity and real-world use of cryptocurrencies, and the fact that cybercriminals will always try to exploit anything that can make money for them, it shouldn’t come as a surprise that malware targeting Bitcoin ATMs has started appearing in underground markets.

Adversarial Sample Generation: Making Machine Learning Systems Robust for Security

The history of antimalware security solutions has shown that malware detection is like a cat-and-mouse game. For every new detection technique, there’s a new evasion method. When signature detection was invented, cybercriminals used packers, compressors, metamorphism, polymorphism, and obfuscation to evade it. Meanwhile, API hooking and code injection methods were developed to evade behavior detection. By the time security solutions started using machine learning (ML)-based detection technologies, it was already expected that cybercriminals would develop new tricks to evade ML.

To be one step ahead of cybercriminals, one method of enhancing an ML system to counter evasion tactics is generating adversarial samples, which are input data modified to cause an ML system to incorrectly classify it. Interestingly, while adversarial samples can be designed to cause ML systems to malfunction, they can also, as a result, be used to improve the efficiency of ML systems.

Spam Campaign Abusing SettingContent-ms Found Dropping Same FlawedAmmyy RAT Distributed by Necurs

Trend Micro detected a spam campaign that drops the same FlawedAmmyy RAT (remote access tool) used by a Necurs module to install its final payload on bots under bank- and POS-related user domains. The spam campaign was also found abusing SettingContent-ms – an XML format shortcut file that opens Microsoft's Windows Settings panel. Malicious SettingContent-ms files were found embedded in a PDF document that drops the aforementioned RAT.

The Need for Managed Detection and Response: Persistent and Prevalent Threats in North America’s Security Landscape

Compared to the first quarter of 2018, where the prevalence of threats was the most pronounced trend, the second quarter in North America’s security landscape this year showed notable techniques that we foresee will be further honed. These include: combining the capabilities of cryptocurrency-mining or information theft malware and ransomware; hiding in the system until the payload is triggered; and embedding more functionalities in malware tools to steal more data.

Indeed, the persistent as well as prevalent threats in North America — information stealers, cryptocurrency-mining malware, and ransomware — highlight the need for equipping organizations with actionable insights and contexts needed to prepare and defend themselves against tenacious and evolving threats.

New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel

We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). These make the exploit kit and its payload challenging to analyze.