Light Dark
August 19, 2019 By David Bisson 3 min read

Last week in security news, researchers spotted threat actors renting out an Android Trojan called Cerberus on underground forums. That’s not the only malware that analysts spotted: They also came across new versions of a botnet, a well-known malware family, a new .NET-based sample, a previously unseen remote access Trojan (RAT) and a new cryptominer. They also discovered various phishing campaigns targeting the energy sector as well as organizations in various verticals.

Top Story of the Week: Cerberus Android Trojan

In June 2019, analysts at ThreatFabric found that a new Android Trojan named Cerberus was available for rent on underground forums. The creators of the malware used a dedicated Twitter profile and other channels to advertise how their threat did not borrow code snippets from other Trojan families. In response, ThreatFabric’s researchers took a closer look and indeed confirmed that Cerberus bore no code similarities to the Anubis source code.

In addition, the security firm found that the Trojan used a device’s accelerometer sensor as a pedometer to measure the user’s activity. This tactic helped the threat measure the user’s movements against a preconfigured threshold in an attempt to avoid running in a dynamic analysis environment.

Source: iStock

Also in Security News

  • New Version of GoBrut Detected in the Wild: Cybaze-Yoroi ZLAB discovered version 3.06 of the GoBrut botnet in the summer of 2019. The security firm found that this variant, which was compiled for Linux environments, relied on compromised websites for distribution and came equipped with a brute-forcing module.
  • DocuSign Branding Incorporated in Phishing Attack: Proofpoint uncovered a phishing campaign in July 2019 that used branding from electronic signature service DocuSign to selectively target organizations’ employees across multiple verticals. The operation’s attack emails redirected users to a landing page hosted on Amazon public cloud storage (S3).
  • New .NET-Based Malware Variant Spread by Emails, Exploit Kits: Not long thereafter, Proofpoint announced that it had detected a new variant of .NET-based malware known as PsiXBot. This version was more sophisticated than the malware family’s original iteration in that it arrived with the ability to dynamically fetch its own Domain Name System (DNS) infrastructure using a URL shortener.
  • CEOs Imitated by Phishers in Bid to Target Energy Sector: On August 13, Cofense disclosed a highly customized phishing campaign that was targeting an energy organization. Those behind this operation impersonated the organization’s CEO in their attack emails and used Google Drive as a threat vector to avoid detection.
  • Latest Ursnif Sample Arrived With Anti-Analysis Techniques: FortiGuard Labs spotted an attack campaign that used malicious Microsoft Word documents to distribute a new variant of the Ursnif Trojan. This version boasted various anti-analysis techniques, including the ability to dynamically parse its API functions and thereby evade static analysis.
  • Remcos RAT Distributed by Phishing Emails: In July, Trend Micro discovered a phishing campaign that directed users to open an order notification. In actuality, the malicious attachment used an AutoIt wrapper to deliver a sample of the Remcos RAT.
  • Norman Cryptominer Discovered in Large-Scale Infection: While investigating a large-scale cryptomining infection at a mid-size company, Varonis discovered a new cryptominer dubbed Norman. This malware followed the example of many other threats in disguising itself as svchost.exe, but Norman still differentiated itself by employing multiple evasion techniques.

Security Tip of the Week: Defending Against Malware

In its analysis of Remcos, Trend Micro urged organizations to educate users about phishing attacks:

“…we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately.”

Security professionals can further help defend their organizations against phishing-borne malware by investing in robust artificial intelligence (AI)-based security solutions. These tools should ideally leverage both machine learning and deep learning to automatically replicate the accuracy of manual analysis on a large scale for the purpose of spotting potential threats. Organizations should also focus on improving their endpoint visibility with endpoint management capabilities so they can monitor critical assets for suspicious behavior and automatically remediate any issues.

Learn more about destructive malware on the latest episode of the SecurityIntelligence podcast

 |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature