Shade ransomware is a long-established family of ransomware first spotted in late 2014 targeting hosts running Microsoft Windows. It is also known as Troldesh. Shade has been distributed through malicious spam (malspam) and exploit kits. A recent report focused on Russian language emails that deliver Shade, but this ransomware is also distributed through English-language malspam.

REFERENCE:
https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/
GROUP:
TARGETED COUNTRIES:

According to this blogpost by Palo Alto researchers, XBash targeted Linux and Windows systems. XBash is a botnet, coinminer, ransomware that has self-propagation capabilities. On Linux, this malware has ransomware and botnet capabilities. For Windows systems, coinmining and self-propagating capabilities

REFERENCE:
https://www.stratosphereips.org/blog/2019/3/21/malware-capture-analysis-possible-coin-miner

What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets. The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years.

REFERENCE:
https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
ADVERSARY:

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim's machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs.

REFERENCE:
https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html
TAG:
ADVERSARY:

As the adoption of online banking within Brazil continues to grow, a corresponding rise in banking malware targeting this developing market is also being observed. The prolific Brazilian cybercrime group behind the banking malware “Banload” have implemented an interesting new driver component, internally called ‘FileDelete’, to remove software drivers and executables belonging to anti-malware and banking protection programs. The goal behind this driver is to enable fraud through credential theft and account-takeover operations on a victim’s machine. In this technical analysis, SentinelOne dissects the novel FileDelete driver to reveal how it works.

REFERENCE:
https://www.sentinelone.com/blog/cybercrime-banload-banking-malware-fraud/

KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software. Proofpoint researchers started seeing KPOT Stealer distributed via email campaigns and exploit kits in August 2018 (Figure 1). In addition, colleagues at Flashpoint Intel observed the malware targeting users of the Jaxx cryptocurrency wallet in September 2018.

REFERENCE:
https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal

The RobbinHood Ransomware is the latest player in the ransomware scene that is targeting companies and the computers on their network. This ransomware is not being distributed through spam but rather through other methods, which could include hacked remote desktop services or other Trojans that provide access to the attackers.

REFERENCES:
https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
https://twitter.com/VK_Intel/status/1121440931759128576

As we have seen an ever-increasing number of ransomware cases that show a rather sophisticated modus operandi, we are publishing a warning via MELANI Newsletter along with this blog post, documenting technical details about the recent ransomware attacks against Swiss small and medium enterprises (SMEs). The goal of this blog post is to give you a better understanding of the various modus operandi of the most common ransomware families we have encountered hitting Swiss targets in the past months.

REFERENCE:
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
TAG:
TARGETED COUNTRY:

The Dharma ransomware has been around since 2016, but it has continued to target and successfully victimize users and organizations around the world. One high profile attack happened in November 2018 when the ransomware infected a hospital in Texas, encrypting many of their stored records; luckily the hospital was able to recover from the attack without paying the ransom. Trend Micro recently found new samples of Dharma ransomware using a new technique: using software installation as a distraction to help hide malicious activities.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/
TAG:
ADVERSARY:

In the first days of April, our threat monitoring operations spotted a new interesting malware sample possibly active in the wild since 2017. Its initial triage suggests it may be part of an advanced attacker arsenal targeting the Banking sector, possibly related to the same APT group Kaspersky Lab tracked two years ago after the compromise of a Russian bank, where a particular malware tool dubbed ATMitch has been unveiled. In the past, this piece of malware was manually installed on the victim ATM after a wide enterprise network intrusion, enabling the cyber-criminals to manipulate the cash-withdrawal process on the machine.

REFERENCE:
https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/
TAGS:
INDUSTRY: