Early in August, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that Proofpoint dubbed “LookBack” [1]. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack.

REFERENCE:
https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals
ATTACK ID:
T1193 – Spearphishing Attachment

Unlike in the pre-internet era, when trading in the stock or commodities market involved a phone call to a broker — a move which often meant additional fees for would-be traders — the rise of trading apps placed the ability to trade in the hands of ordinary users. However, their popularity has led to their abuse by cybercriminals who create fake trading apps as lures for unsuspecting victims to steal their personal data. We recently found and analyzed an example of such an app, which had a malicious malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/

FortiGuard Labs was investigating the Sodinokibi ransomware family, when we came across the newly discovered Nemty Ransomware. Interestingly, as we analyzed this new malware, we also encountered an artifact embedded in its binary that we were very much familiar with since it was also used by the GandCrab ransomware before the threat actors’ announced retirement. It is also interesting to see that the Nemty ransomware is being distributed using the same method as Sodinokibi, a malware that has strong similarities to GandCrab.

REFERENCES:
https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html
https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/
ATTACK ID:
T1486 – Data Encrypted for Impact

Thus far in 2019, the Cybereason Nocturnus team has encountered several variants of the trojan Glupteba. Glupteba was first spotted in 2011 as a malicious proxy generating spam and click-fraud traffic from a compromised machine. Since then, it has been distributed through several different methods and used in multiple attacks, including Operation Windigo until 2018. The majority of Glupteba’s history has revolved around Operation Windigo, though over the years the malware has matured significantly to be part of its own botnet and distributed via Adware.

REFERENCE:
https://www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit

The story of how we conquered WiryJMPer’s obfuscation begins with a simple binary file posing as an ABBC Coin wallet. We found the file suspicious, as the file size was three times as big as it should be, and the strings in the file corresponded to other software, WinBin2Iso (version 3.16) from SoftwareOK. ABBC Coin (originally Alibaba Coin, not affiliated with Alibaba Group) is an altcoin, one of many blockchain-based cryptocurrencies. WinBin2Iso, on the other hand, is software that converts various binary images of CD/DVD/Blu-ray media into the ISO format. Behavioral analysis revealed that the binary, posing as an ABBC Coin wallet, is a dropper, which we will, from now on, refer to as WiryJMPer. WiryJMPer hides a Netwire payload between two benign binaries.

REFERENCES:
https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/
https://www.bleepingcomputer.com/news/security/new-wiryjmper-dropper-hides-netwire-rat-payloads-in-plain-sight/

While we observed multiple iterations of this lure, metadata shows that the original document was created by a speaker at the Nuclear Deterrence Summit and then modified by the threat actors. The content of this lure suggests that it was likely targeted towards conference attendees and/or others who had an interest in what took place at the conference. This particular document was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). This indicates that the Autumn Aperture campaign was likely a continuation of a previously reported activity from this threat group.

REFERENCE:
https://blog.prevailion.com/2019/09/autumn-aperture-report.html?m=1

We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/

In June 2019, ThreatFabric analysts found a new Android malware, dubbed “Cerberus”, being rented out on underground forums. Its authors claim that it was used for private operations for two years preceding the start of the rental. They also state that the code is written from scratch and is not using parts of other existing banking Trojans, unlike many other Trojans that are either based completely on the source of another Trojan (such as the leaked Anubis source code that is now being resold) or at least borrow parts of other Trojans. After thorough analysis, we can confirm that Cerberus was indeed not based on the Anubis source code.

REFERENCE:
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. These descriptive names thus show up in a PDB path when a malware project is compiled with symbol debugging information. Everyone loves an origin story, and debugging information gives us insight into the malware development environment, a small, but important keyhole into where and how a piece of malware was born. We can use our newfound insight to detect malicious activity based in part on PDB paths and other debug details.

REFERENCE:
https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html

Symantec recently spotted a new tactic being used by apps on the Google Play Store to stealthily perform ad-clicking on users’ devices. A developer known as Idea Master has published two popular apps on the Play Store in the past year, with a collective download count of approximately 1.5 million. Symantec has informed Google of the observed behavior and the apps have now been removed from the Play Store. The two apps, a notepad app (Idea Note: OCR Text Scanner, GTD, Color Notes) and a fitness app (Beauty Fitness: daily workout, best HIIT coach), are packed using legitimate packers originally developed to protect the intellectual property of Android applications. Android packers can change the entire structure and flow of an Android Package Kit (APK) file, which complicates things for security researchers who want to decipher the APK’s behavior. This also explains the developer’s ability to remain on the Play Store performing malicious acts under the radar for nearly a year before being detected.

REFERENCE:
https://www.symantec.com/blogs/threat-intelligence/stealthy-ad-clicking-apps-google-play