Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin-mining malware used by the Rocke group. The family is suspected to have been developed by the Iron cybercrime group, and it is also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally revealed by Talos in August of 2018, and many remarkable behaviors were disclosed in their blog post. The samples described in this report were collected in October of 2018, and since that time the command and control servers they use have been shut down.

REFERENCE:
https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

Attackers are using commodity malware and living-off-the-land tools against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea.

REFERENCE:
https://www.symantec.com/blogs/threat-intelligence/african-financial-attacks

REFERENCE:
https://blog.elevenpaths.com/2019/01/extension-chrome-robo-tarjetas-ciberseguridad.html

In May of last year, ASERT researchers reported on LoJax, a double agent that leverages legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we have monitored a number of new malware samples. We also conducted additional research into infrastructure we believe Fancy Bear (APT28) operators use as part of their toolkit.

REFERENCE:
https://asert.arbornetworks.com/lojax-fancy-since-2016/

360 Threat Intelligence Center captured several lure Excel documents written in Arabic on January 9, 2019. A backdoor dropped by a macro in the lure documents can communicate with its C2 server through a DNS tunnel as well as through the Google Drive API. We confirmed that this is a new DarkHydrus Group attack targeting the Middle East region.

REFERENCE:
https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/

Just days ago, Fortinet’s FortiGuard Labs captured a malicious MS Word document from the wild that contains auto-executing malicious VBA code that can spread and install the NanoCore RAT on a victim’s Windows system. NanoCore RAT was developed on the .NET framework, and the latest version is “1.2.2.0”. Its author, “Taylor Huddleston”, was arrested by the FBI and sent to prison early last year. The sample we captured uses NanoCore to execute malicious behavior on a victim’s system.

REFERENCE:
https://www.fortinet.com/blog/threat-research/-net-rat-malware-being-spread-by-ms-word-documents.html

RiskIQ has tracked Magecart and exposed its attacks for years. Now, the term is top-of-mind in the security community and beyond, with a Google search for ‘Magecart’ returning over 170,000 results. In fact, this group of digital credit-card-skimming gangs gained such notoriety throughout last year that WIRED named Magecart in its list of “Most Dangerous People On The Internet In 2018.”

REFERENCES:
https://www.riskiq.com/blog/labs/magecart-adverline/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/

Flashpoint analysts believe that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to the North Korea-linked advanced persistent threat (APT) group Lazarus. Redbanc confirmed that the malware was installed on the company’s corporate network without triggering antivirus detection; however, the threat has since been mitigated and did not impact company operations, services, or infrastructure.

REFERENCE:
https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/

Malicious spam (malspam) using zipped JavaScript (.js) files as email attachments is a well-established tactic used by cyber criminals to distribute malware. I've written diaries discussing such malspam in July 2015, September 2015, and February 2016. I've run across plenty of examples since then, but I've focused more on Microsoft Office documents instead of .js files. I last documented .js-based malspam in May 2018.

REFERENCE:
https://isc.sans.edu/forums/diary/Heartbreaking+Emails+Love+You+Malspam/24512/

Continuing attacks from the group known as Patchwork.

REFERENCE:
https://twitter.com/shotgunner101/status/1084112825608536069