Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released, in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as “SaiGon version 3.50 rev 132,” and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON's capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

REFERENCE:
https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
MALWARE FAMILIES:
Ursnif
Saigon

The TrickBot cybercrime enterprise actively develops many of its offensive tools, such as “PowerTrick”, that are leveraged for stealth, persistence, and reconnaissance inside infected high-value targets such as financial institutions. Offensive tooling such as “PowerTrick” is flexible and effective, which allows the TrickBot cybercrime actors to augment it on the fly and stay stealthy, as opposed to using larger, more open-source frameworks such as PowerShell Empire. The end goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls, adapting to the new age of security controls in order to exploit the most protected and secure high-value networks.

REFERENCE:
https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
MALWARE FAMILIES:
TrickBot
PowerTrick
TerraLoader
More_eggs
ATT&CK ID:
T1086 – PowerShell

According to US-CERT, Iran has been an active adversary since late 2011 and has been responsible for a series of attacks, including large-scale distributed denial-of-service attacks against financial institutions, the infiltration of a dam in New York state, and destructive attacks against targets regionally and globally, including the large-scale Shamoon campaigns and the recent ZeroCleare wipers. They have also conducted a series of espionage campaigns against universities and companies to steal research, proprietary data, and intellectual property. Additionally, Talos has found several large-scale campaigns based in the region that have included attacks against DNS infrastructure and others leveraging watering hole and social engineering techniques. Since these actors are active in the region, DNSpionage, MuddyWater, and Tortoiseshell will be included in the coverage list below.

REFERENCE:
https://blog.talosintelligence.com/2020/01/mideast-tensions-preparations.html
ATT&CK IDS:
T1003 – Credential Dumping
T1027 – Obfuscated Files or Information
T1002 – Data Compressed
T1086 – PowerShell
T1204 – User Execution
T1064 – Scripting
T1060 – Registry Run Keys / Startup Folder
T1105 – Remote File Copy
T1192 – Spearphishing Link
T1193 – Spearphishing Attachment

Bitdefender researchers tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

REFERENCE:
https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/
MALWARE FAMILIES:
Mirai
LiquorBot

During our threat intelligence source monitoring operations, we spotted a new sophisticated malware implant that seems to be unrelated to mainstream cyber weapons. In fact, the recovered sample raised many questions in the malware research community due to its extensive use of obfuscation and anti-reversing techniques, which considerably hampered the investigative effort.

REFERENCE:
https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/
MALWARE FAMILY:
JsOutProx

The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims.

REFERENCE:
https://securelist.com/operation-applejeus-sequel/95596/
MALWARE FAMILY:
AppleJeus

We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/

As the value of cryptocurrencies increased (after a short dip in 2018), we observed increased activity from cryptocurrency mining malware this year, particularly infections and routines involving Monero miners. Over a span of a few months, we came across an infection routine that exploited vulnerabilities to propagate itself, and another that used fileless techniques to evade detection. Other routines involved the use of targeted attack tools to maximize profits, weaponized legitimate tools such as Windows Management Instrumentation to achieve persistence, and other sophisticated malware to hide cryptocurrency malware payloads to cash in on new platforms.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/almost-hollow-and-innocent-monero-miner-remains-undetected-via-process-hollowing/

In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’.

REFERENCE:
https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/

Discovered in 2014, Emotet is one of the most prolific malware families, infecting computer systems globally through its mass campaigns of spam email that deliver malware (AKA malspam). These campaigns have been widely documented by many organizations, including how Emotet evolved from a banking Trojan into a malware loader with modular functionality. This modular functionality allows the Emotet operators to install additional malware onto machines that are part of the Emotet botnet. The Emotet operators also provide their botnet as “Malware-as-a-Service” to other cyber-criminal gangs, who install their own malware of choice on the infected systems. For example, Emotet was recently used to deliver the Trickbot Trojan, which was then used to deliver the Ryuk ransomware.

REFERENCE:
https://unit42.paloaltonetworks.com/apacs-compromised-domains-fuel-emotet-campaign/
MALWARE FAMILY:
Emotet