In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.

REFERENCE:
https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

Trend Micro discovered a new technical support scam (TSS) campaign that makes use of an iframe in combination with basic pop-up authentication to freeze a user’s browser. Since this technique is new and unfamiliar, it can potentially evade detection. Like many TSS campaigns, it disguises itself as a legitimate or well-known brand’s service provider to lure its victims. This campaign in particular uses Microsoft.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/

Malwarebytes has been closely monitoring the situation involving the continued attacks against users of the popular Electrum Bitcoin wallet. Initially, victims were being tricked into downloading a fraudulent update that stole their cryptocurrencies. Later on, the threat actors launched a series of Distributed Denial of Service (DDoS) attacks in response to Electrum developers trying to protect their users. Since their last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing. Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.

REFERENCE:
https://blog.malwarebytes.com/cybercrime/2019/04/electrum-ddos-botnet-reaches-152000-infected-hosts/

While the Buhtrap backdoor source code has been leaked in the past and can thus be used by anyone, RTM code has not, at least to our knowledge. In this blog, we will describe how the threat actors distributed their malware by abusing Yandex.Direct and hosted it on GitHub. We will conclude with a technical analysis of the malware used.

REFERENCE:
https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/

SectorB06 is a state-sponsored threat actor group active especially within Asia. They have been exploiting vulnerabilities in Microsoft Office’s Equation Editor, which Microsoft removed in January 2018; in this case the exploit seems to be a highly obfuscated version of CVE-2017-11882. The malware we analyzed in this case is sent seemingly only after they already have a basic foothold in their target organizations.

REFERENCE:
https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/

Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called Sodinokibi. Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, is actively investigating these attacks and Sodinokibi.

REFERENCE:
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected.

REFERENCE:
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lockergoga-ransomware-family-used-in-targeted-attacks/

Retefe is a banking Trojan that historically has routed online banking traffic intended for targeted banks through a proxy instead of the web injects more typical of other bankers. In the past, Retefe campaigns have targeted Austria, Sweden, and Switzerland, among other regions, such as users of UK online banking sites. Retefe is generally delivered via zipped JavaScript as well as Microsoft Word documents.

REFERENCE:
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials and eventually draining their bank accounts. Qakbot has long utilized scheduled tasks to maintain persistence. In this blog post, we will detail an update to these scheduled tasks that allows Qakbot to maintain persistence and potentially evade detection.

REFERENCE:
https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html

As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and made extensive use of the Visual Basic Script (VBS) scripting language. Although the final payload was not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.

REFERENCE:
https://www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family