In November 2019, we published a blog analyzing an exploit kit we named Capesand that exploited Adobe Flash and Microsoft Internet Explorer flaws. During our analysis of the indicators of compromise (IoCs) in the deployed samples that were infecting the victims' machines, we noticed some interesting characteristics: notably that these samples were making use of obfuscation tools that made them virtually undetectable.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/obfuscation-tools-found-in-the-capesand-exploit-kit-possibly-used-in-kurdishcoder-campaign/
MALWARE FAMILIES:
Trojan:MSIL/Bladabindi
njRAT – S0385
Remcos – S0332
Phoenix Keylogger
Agent Tesla – S0331
HawkEye Keylogger
ATT&CK IDS:
T1045 – Software Packing
T1055 – Process Injection
T1068 – Exploitation for Privilege Escalation
T1056 – Input Capture
T1113 – Screen Capture

Security researchers have encountered a new macOS malware sample believed to be the work of the North Korean group of hackers known as Lazarus. The threat has a very low detection rate and comes with capabilities that allow it to retrieve a payload from a remote location and run it in memory, making the forensic analysis more difficult.

REFERENCES:
https://www.bleepingcomputer.com/news/security/new-macos-threat-served-from-cryptocurrency-trading-platform/
https://twitter.com/dineshdina04/status/1201834142704394242
https://objective-see.com/blog/blog_0x51.html

RiskIQ published insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct, phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming. By combining tactics, this group was playing with a full deck when it came to stealing financial data. Introducing Full(z) House.

REFERENCES:
https://www.riskiq.com/blog/labs/fullz-house/
https://blog.malwarebytes.com/web-threats/2019/11/web-skimmer-phishes-credit-card-data-via-rogue-payment-service-platform/

We recently wrote about the massive “sextortion” spam campaign carried out by the Phorpiex botnet. However, this is only a small part of this botnet’s malicious activity. Capable of acting like both a computer worm and a file virus, Phorpiex is spread through exploit kits and with the help of other malware and has infected more than 1,000,000 Windows computers to date. By our assessment, the annual criminal revenue generated by Phorpiex botnet is approximately half a million US dollars. Of course, to maintain such a large botnet, a reliable command and control (C&C) infrastructure is required. For malware with a small outreach, or if infected computers are not part of a single botnet, virtual private servers (VPS) are most often used. VPS hosting services can be purchased from legitimate companies. Many VPS hosting providers don’t require identity verification, and the services can be paid for anonymously.

REFERENCE:
https://research.checkpoint.com/phorpiex-breakdown/

Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).

REFERENCE:
https://securelist.com/titanium-the-platinum-group-strikes-again/94961/

2019 has been a busy year for exploit kits, despite the fact that they haven’t been considered a potent threat vector for years, especially on the consumer side. This time, we discovered the Spelevo exploit kit with its virtual pants down, attempting to capitalize on the popularity of adult websites to compromise more devices.

REFERENCE:
https://blog.malwarebytes.com/threat-analysis/2019/12/spelevo-exploit-kit-debuts-new-social-engineering-trick/
MALWARE FAMILY:
Spelevo

Earlier this year, FortiGuard Labs shared their findings about a malware that was linked to a compromised e-commerce website serving a malicious JavaScript skimmer. The malware forms a botnet called Stealthworker or GoBrut. It can infect both Windows and Linux machines and perform brute force attacks on targets sent by the botmaster.

REFERENCE:
https://www.fortinet.com/blog/threat-research/unveiling-stealthworker-campaign.html

In previous JPCERT/CC Eyes posts, we explained the TSCookie and PLEAD malware used by the attack group BlackTech. This group has also been confirmed to use another malware called IconDown. Although the means by which IconDown is installed and executed has not been confirmed, according to a blog published by ESET, the update function of ASUS WebStorage is reported to have been exploited. This time, I will introduce the details of IconDown observed in Japanese organizations.

REFERENCE:
https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html

Mobile dropper Trojans are one of today’s most rapidly growing classes of malware. In Q1 2019, droppers are in the 2nd or 3rd position in terms of share of total detected threats, while holding nearly half of all Top 20 places in 2018. Since the droppers’ main task is to deliver payload while sidestepping the protective barriers, and their developers are fully bent on countering detection, this is probably one of the most dangerous classes of malware.

REFERENCE:
https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/

Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files. Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data. When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise).

REFERENCE:
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html