LoudMiner is an unusual case of a persistent cryptocurrency miner, distributed for macOS and Windows since August 2018. It uses virtualization software – QEMU on macOS and VirtualBox on Windows – to mine cryptocurrency on a Tiny Core Linux virtual machine, making it cross-platform. It comes bundled with pirated copies of VST software. The miner itself is based on XMRig (Monero) and uses a mining pool, thus it is impossible to retrace potential transactions.

REFERENCE:
https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/

OceanLotus, an APT group said to have a Vietnamese background, was first exposed and named by SkyEye Labs (the predecessor of the RedDrip team of QiAnXin Threat Intelligence Center) in May 2015. Its attack activities can be traced back to April 2012, with initial targets including Chinese maritime institutions, maritime construction, scientific research institutes and shipping enterprises. Their targets expanded to almost all important organizations afterwards, and related activities are still active now.

REFERENCE:
https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/

Trend Micro uncovered a cyber espionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.” The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyber espionage capabilities. Malicious code is embedded in apps that the operators repackaged from legitimate applications. Monitoring the command and control (C&C) servers used by Bouncing Golf, we’ve so far observed more than 660 Android devices infected with GolfSpy. Much of the information being stolen appears to be military-related.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.

REFERENCE:
https://securelist.com/plurox-modular-backdoor/91213/

Since the release of the Mirai source code in October of 2016, there have been hundreds of variants. While publishing my own research, I noticed that Palo Alto Networks was also examining similar samples, and published their findings. Earlier this month, not too long after Palo Alto Networks published their report, I discovered a newer version of Echobot that uses 26 different exploits for its infection vectors. In some cases I needed to reach out to MITRE in order to have them assign new CVEs as a result.

REFERENCE:
https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html

TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities for the past two months. In the group’s latest campaign, they started using HTML attachments to deliver malicious .XLS files that lead to downloader and backdoor FlawedAmmyy, mostly to target users in South Korea.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/

FortiGuard Labs has been monitoring developments in the e-commerce threat landscape, such as the StealthWorker malware that brute-forces its way into e-commerce websites, and MageCart, which steals payment card details from compromised websites. MageCart is the name given to numerous cybercriminal groups that embed digital skimmers on compromised e-commerce sites. The group made global headlines for a series of high-profile breaches on Ticketmaster, British Airways, and Newegg. These groups are still active and continue to target online stores to steal payment card details from unaware customers.

REFERENCE:
https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html

2018 saw a continued increase in the emergence of campaigns involving variants incorporating several exploits within the same sample, allowing for the harvesting of several different kinds of IoT devices into the same botnet. Since then, Palo Alto Networks has also observed Mirai malware authors experimenting with new exploits, found on the publicly available exploit-db, to gauge gains in both count from the use of these exploits. This latest new variant we’ve observed and detailed in this post appears to be a continuation of the same trend.

REFERENCE:
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

ASERT’s IoT honeypot network continuously monitors known exploit vectors, and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer-based routers from the end of April 2019 until the first half of May 2019. The attacks originated from Egypt and, based on the volume of exploit attempts against South African routers, appear targeted. The payload includes commands to download and execute a variant of the Hakai DDoS bot.

REFERENCE:
https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt

Abusing PowerShell to deliver malware isn’t new; it’s actually a prevalent technique that many fileless threats use. We regularly encounter these kinds of threats, and Trend Micro behavior monitoring technology proactively detects and blocks them. We have smart patterns, for instance, that actively detect scheduled tasks created by malicious PowerShell scripts. We also have network rules that detect, for example, indications of activities like Server Message Block (SMB) vulnerabilities being exploited, potential brute-force attempts, and illicit cryptocurrency mining-related communications.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/