Earlier this year, FortiGuard Labs shared their findings about a malware that was linked to a compromised e-commerce website serving a malicious JavaScript skimmer. The malware forms a botnet called Stealthworker or GoBrut. It can infect both Windows and Linux machines and perform brute force attacks on targets sent by the botmaster.

REFERENCE:
https://www.fortinet.com/blog/threat-research/unveiling-stealthworker-campaign.html

In previous JPCERT/CC Eyes posts, we explained the malware TSCookie and PLEAD used by the attack group BlackTech. It has also been confirmed that the attack group uses another malware called IconDown. Although it has not been confirmed by what means IconDown is installed and executed, according to the blog published by ESET, it is said to have been confirmed that the update function of ASUS WebStorage is exploited. This time, I will introduce the details of IconDown confirmed in a Japanese organization.

REFERENCE:
https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html

Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers are in the 2nd or 3rd position in terms of share of total detected threats, while holding nearly half of all Top 20 places in 2018. Since the droppers’ main task is to deliver payload while sidestepping the protective barriers, and their developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.

REFERENCE:
https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/

Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files. Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).

REFERENCE:
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html

It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks, to stay completely under the radar for several years. Yet, in the last three years that is what APT group the Dukes (aka APT29 and Cozy Bear) has done. Despite being well known as one of the groups to hack the Democratic National Committee in the run-up to the 2016 US election, the Dukes has received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against the Norwegian government that dates back to January 2017.

REFERENCE:
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
MALWARE FAMILY:
MiniDuke
ATTACK IDS:
T1001 – Data Obfuscation
T1005 – Data from Local System
T1008 – Fallback Channels
T1025 – Data from Removable Media
T1027 – Obfuscated Files or Information
T1035 – Service Execution
T1039 – Data from Network Shared Drive
T1041 – Exfiltration Over Command and Control Channel
T1045 – Software Packing
T1049 – System Network Connections Discovery
T1053 – Scheduled Task
T1057 – Process Discovery
T1060 – Registry Run Keys / Startup Folder
T1064 – Scripting
T1071 – Standard Application Layer Protocol
T1077 – Windows Admin Shares
T1078 – Valid Accounts
T1083 – File and Directory Discovery
T1084 – Windows Management Instrumentation Event Subscription
T1085 – Rundll32
T1086 – PowerShell
T1090 – Connection Proxy
T1102 – Web Service
T1106 – Execution through API
T1107 – File Deletion
T1112 – Modify Registry
T1129 – Execution through Module Load
T1135 – Network Share Discovery
T1140 – Deobfuscate/Decode Files or Information
T1193 – Spearphishing Attachment

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report, and associated with ESET's recent Winnti Group-related blog https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ .

REFERENCES:
https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/

In our September 5, 2019, Threat Insight post, “Seems Phishy: Back To School Lures Target University Students and Staff,” we discussed the seasonal uptick of phishing campaigns that are directed at university students and staff, usually between June and October of every year. Since our blog post, colleagues at Secureworks have provided further details on one actor we highlighted, tracked by Proofpoint as TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute. In this blog, we provide additional insight into the actor and their evolving TTPs in ongoing, academia-focused campaigns.

REFERENCE:
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda Riding Across Country Lines.”

REFERENCE:
https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
MALWARE FAMILY:
PlugX

Charming Kitten, an Iranian APT group, plays a role in the domain of cyber-attacks for the purpose of interfering with democratic procedures. On the 4th of October 2019, Microsoft announced that Phosphorus (known as Charming Kitten) attempted to attack email accounts that are associated with the following targets: U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran.

REFERENCE:
https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2.pdf

By monitoring the campaign primarily targeting Japanese service providers, FortiGuard Labs was able to identify this campaign and what, to the best of our knowledge, is a new malware family. During our analysis, we also encountered other samples that were not completely developed and lacked some of the functionalities discussed in this blogpost, suggesting that the malware is currently under development and is being tested in the wild. The capabilities of this family are limited at the moment, but the fact that we were able to find different samples that showed significant improvement in the span of a few weeks shows that this family should not be underestimated.

REFERENCE:
https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html
MALWARE FAMILY:
FunkyBot
ATTACK ID:
T1045 – Software Packing