2018 saw a continued increase in campaigns involving variants that incorporate several exploits within the same sample, allowing several different kinds of IoT devices to be harvested into the same botnet. Since then, Palo Alto have also observed Mirai malware authors experimenting with new exploits, found on the publicly available exploit-db, to gauge the gains in count from the use of these exploits. The latest new variant we’ve observed and detailed in this post appears to be a continuation of the same trend.

REFERENCE:
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

ASERT’s IoT honeypot network continuously monitors known exploit vectors, and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer-based routers from the end of April 2019 until the first half of May 2019. The attacks originated from Egypt and, based on the volume of exploit attempts against South African routers, appear targeted. The payload includes commands to download and execute a variant of the Hakai DDoS bot.

REFERENCE:
https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt

Abusing PowerShell to deliver malware isn’t new; it’s actually a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behavior monitoring technology proactively detects and blocks them. We have smart patterns, for instance, that actively detect scheduled tasks created by malicious PowerShell scripts. We also have network rules that detect, for example, indications of activities like Server Message Block (SMB) vulnerabilities being exploited, potential brute-force attempts, and illicit cryptocurrency mining-related communications.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/

Cisco Talos recently identified a series of documents that they believe are part of a coordinated series of cyber attacks that they are calling the “Frankenstein” campaign. They assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users’ machines via malicious documents. They assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

REFERENCE:
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.

REFERENCE:
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy. Zebrocy is an active sub-group of victim profiling and access specialists. Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy. The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and BlackEnergy APTs, yet throughout that time it has remained distinct from both of those groups.

REFERENCE:
https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.

REFERENCE:
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices//
Shade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian language emails that deliver Shade, but this ransomware is also distributed through English-language malspam.

REFERENCE:
https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/
According to this blog post by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer and ransomware that has self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities. On Windows systems, it has coinmining and self-propagating capabilities.

REFERENCE:
https://www.stratosphereips.org/blog/2019/3/21/malware-capture-analysis-possible-coin-miner