Piece of malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using the pass-the-hash technique, Windows admin tools, and brute-force attacks with publicly available code. However, this new case found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection. It appears that the attackers are now expanding this botnet to other countries; Trend Micro telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/miner-malware-spreads-beyond-china-uses-multiple-propagation-methods-including-eternalblue-powershell-abuse/

In early March, Microsoft Security discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRAR vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.

REFERENCE:
https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

REFERENCE:
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

Gaza Cybergang Group1, described in this post, is the least sophisticated of the three attack groups and relies heavily on the use of paste sites (hence the operation name SneakyPastes) to gradually sneak one or more remote access Trojans (RATs) onto victim systems. The group has been seen employing phishing, with several chained stages to evade detection and extend command-and-control server lifetimes. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare, and banking.

REFERENCE:
https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.

REFERENCE:
https://securelist.com/project-tajmahal/90240/

Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the investigation progressed, Talos came to understand that this campaign was associated with the ChristinaMorrow text message spam scam previously spotted in Australia.

REFERENCE:
https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

Over the past few months, Malwarebytes Labs has noticed increased activity and development of new stealers. One such new stealer, called Baldr, first appeared in January 2019, and their analysis of this malware finds that its authors were serious about making a long-lasting product. The indicators are also supplemented with Alien Labs research findings.

REFERENCE:
https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/

In late February 2019, Unit 42 discovered Mirai samples compiled for processors/architectures not previously seen. Despite the source code being publicly released in October 2016, the malware had, until now, only been found targeting a fixed set of processors/architectures. Unit 42 has found that the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. This is not the first time Mirai has been expanded to new processor architectures; samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that Mirai developers continue to actively innovate, targeting a growing array of IoT devices.

REFERENCE:
https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/

Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data. The intent of the intrusion was initially unclear because the customer did not have or process payment card data. Fortunately, every investigation conducted by Managed Defense or Mandiant includes analysts from our FireEye Advanced Practices team who help correlate activity observed in our hundreds of investigations and voluminous threat intelligence holdings. Our team quickly linked this activity with some recent Mandiant investigations and enabled us to determine that FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.

REFERENCE:
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

A few days ago, the researchers of Yoroi-Cybaze ZLab dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi whose source code was leaked in 2014. Ursnif/Gozi has been active for over a decade and was one of the most active malware families listed in 2017 and 2018. Today it constantly reaches several organizations across Italy, presenting itself in several ways, for instance as a malicious document delivered through email.

REFERENCES:
https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/
https://www.sentinelone.com/blog/ursnif-polymorphic-delivery-mechanism-explained/