Martijn Lammerts
My own digital place with a little of everything

Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware

18 October 2017

A new ransomware is being distributed by the Magnitude exploit kit: Magniber (detected by Trend Micro as RANSOM_MAGNIBER.A), which we found targeting South Korea via malvertisements on attacker-owned domains/sites. The development in Magnitude’s activity is notable not only because it eschewed Cerber—its usual ransomware payload—in favor of Magniber. Magnitude now also appears to have become an exploit kit expressly targeting South Korean end users.

The Magnitude exploit kit, which previously had a global reach, was offered as a service in the cybercriminal underground as early as 2013. It then left the market and became a private exploit kit that mainly distributed ransomware such as CryptoWall. At the start of the second half of 2016, Magnitude shifted focus to Asian countries, delivering various ransomware such as Locky and Cerber. More recently though, we noticed that Magnitude underwent a hiatus that began on September 23, 2017, and it then returned on October 15. With help from Kafeine and malc0de, we were able to uncover Magnitude’s new payload, Magniber.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware

Continue reading...

New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail

18 October 2017

by John Anthony Bañes Malicious macros are commonly used to deliver malware payloads to victims, usually by coercing victims into enabling the macro sent via spam email. The macro then executes a PowerShell script to download ransomware or some other malware. Just this September EMOTET, an older banking malware, leveraged this method in a campaign that...

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail

Continue reading...

A Closer Look at North Korea’s Internet

17 October 2017

This blog post summarizes our findings from studying internet traffic going in and out of North Korea. It reviews its small IP space of 1024 routable IP addresses. It will also cover spam waves that originate in part from spambots in the country, DDoS attacks against North Korean websites and their relation to real-world events, as well as recurring watering hole attacks on North Korean websites.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

A Closer Look at North Korea’s Internet

Continue reading...

From Cybercrime to Cyberpropaganda

16 October 2017

A couple of common questions that arise whenever cyberpropaganda and hacktivism issues come up: who engages in it? Where do the people acquire the tools, skills, and techniques used? As it turns out, in at least one case, it comes from the traditional world of cybercrime. We’ve come across a case where a cybercriminal based in Libya turned from cybercrime to cyberpropaganda. This highlights how the cybercrime underground in the Middle East/North African region (covered in our paper titled Digital Souks: A Glimpse into the Middle Eastern and North African Underground) can expand their activity into areas beyond their original area of expertise.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

From Cybercrime to Cyberpropaganda

Continue reading...

Microsoft’s October Patch Tuesday Fixes 63 Vulnerabilities, including an Office Zero-Day

11 October 2017

Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 of which are critical and 35 important in terms of severity; many of these flaws can lead to remote code execution (RCE). Microsoft’s fixes are patches for features in the Windows operating system (OS) and Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.

Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Microsoft’s October Patch Tuesday Fixes 63 Vulnerabilities, including an Office Zero-Day

Continue reading...

Microsoft’s October Patch Tuesday Fixes 62 Vulnerabilities, including an Office Zero-Day

11 October 2017

Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 of which are critical and 35 important in terms of severity; many of these flaws can lead to remote code execution (RCE). Microsoft’s fixes are patches for features in the Windows operating system (OS) and Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.

Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Microsoft’s October Patch Tuesday Fixes 62 Vulnerabilities, including an Office Zero-Day

Continue reading...

WannaCry Ransomware Sold in the Middle Eastern and North African Underground

10 October 2017

For $50, one could purportedly get a lifetime license to upgradeable variants of WannaCry. We saw this advertisement in an Arabic-speaking underground forum on May 14, two days after WannaCry’s outbreak. Indeed, a threat that left a trail of significant damage in its wake was objectified into a commodity, and even a starting point for others to launch their own cybercriminal businesses.

WannaCry’s relatively low price also reflects another unique aspect of the Middle Eastern and North African underground: a sense of brotherhood. Unlike marketplaces in Russia and North America, for instance, where its players aim to make a profit, the Middle East and North Africa’s underground scene is an ironic juncture where culture, ideology, and cybercrime meet.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

WannaCry Ransomware Sold in the Middle Eastern and North African Underground

Continue reading...

Dnsmasq: A Reality Check and Remediation Practices

9 October 2017

Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Dnsmasq: A Reality Check and Remediation Practices

Continue reading...