Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family was suspected to be developed by the Iron cybercrime group and it’s also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post. The samples described in this report were collected in October of 2018, and since that time the command and control servers they use have been shut down.
Attackers using commodity malware and living off the land tools against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea.
In May of last year, ASERT Researchers reported on LoJax, a double-agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we’ve monitored a number of new malware samples. We also conducted additional research into infrastructure we believe Fancy Bear (APT28) operators use as part of their toolkit.
360 Threat Intelligence Center captured several lure Excel documents written in Arabic in January 9, 2019. A backdoor dropped by macro in the lure documents can communicate with C2 server through DNS tunnel, as well as Google Drive API. We confirmed that this is a DarkHydrus Group’s new attack targeting Middle East region.
Just days ago, Fortinet’s FortiGuard Labs captured a malicious MS Word document from the wild that contains auto-executable malicious VBA code that can spread and install NanoCore RAT software on a victim’s Windows system. NanoCore RAT was developed in the .Net framework, and the latest version is “220.127.116.11”. Its author, “Taylor Huddleston”, was captured by the FBI and sent to prison early last year . The sample we captured uses NanoCore to execute malicious behavior on a victim’s system.
RiskIQ has tracked Magecart and exposed their attacks for years. Now, the term is top-of-mind in the security community and beyond, with a Google search of ‘Magecart’ returning over 170,000 results. In fact, the group of digital credit card-skimming gangs gained such notoriety throughout last year that WIRED named Magecart in its list of “Most Dangerous People On The Internet In 2018.”
Flashpoint analysts believe that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to North Korea-linked advanced persistent threat (APT) group Lazarus. Redbanc confirmed that the malware was installed on the company’s corporate network without triggering antivirus detection, however the threat has since been mitigated and did not impact company operations, services, or infrastructure.
Continuing attacks from the group known as Patchwork.
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org