November 25, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that the new Phoenix keylogger is steadily gaining traction among cybercriminals on underground web forums. They also found new attack campaigns distributing Cyborg and Maze ransomware. These threats weren’t alone in their activity. Two backdoors, including one capable of targeting Windows and Linux systems, had a busy week as well.

Top Story of the Week: Rise of the Phoenix Keylogger

Cybereason analyzed Phoenix and found that the keylogger first emerged in July 2019. Since then, the threat has claimed victims in North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East.

Operating under a malware-as-a-service (MaaS) model, Phoenix is capable of stealing data from 20 web browsers, four mail clients, FTP clients and chat clients. It then exfiltrates the stolen data over Telegram, SMTP or FTP. All the while, the keylogger leverages its many anti-analysis techniques to evade detection by more than 80 security products.


Also in Security News

  • Windows Update Spam Emails Deliver Cyborg Ransomware: Trustwave SpiderLabs recently spotted attack emails using the subject lines “Install Latest Microsoft Windows Update now” and “Critical Microsoft Windows Update.” Those emails claimed to originate from Microsoft, but in actuality, they leveraged a fake update attachment to deliver samples of Cyborg ransomware.
  • Custom Droppers Used by Cybercriminals to Install Information Stealers: Researchers at Cisco Talos spotted multiple malware campaigns that relied on custom droppers to deliver their payloads. Those droppers arrived with multiple layers of obfuscation and allowed digital attackers to switch between several information-stealing malware families as their payloads.
  • Most H1 2019 Phishing Campaigns Used Shade Ransomware as Payload: Reporting on the findings of Group-IB, Bleeping Computer said that Shade ransomware had been the malware strain most often used by cybercriminals for their phishing campaigns in the first half of 2019. It also stated that ransomware activity had increased this year compared to 2018.
  • Malicious Emails From TA2101 Delivered Maze Ransomware: In October 2019, Proofpoint first spotted the malicious activity of a new threat actor called TA2101. Those emails impersonated government agencies in Germany, Italy and the U.S. to trick recipients into opening a malicious Word document that, in turn, infected them with Maze ransomware.
  • Spam, McDonald’s Malvertising Employed by Mispadu for Distribution: ESET found that a new Latin American banking Trojan called Mispadu relied on spam and malicious advertisements for McDonald’s coupons for distribution. Once loaded on a victim’s machine, Mispadu was able to display fake pop-up windows, take screenshots and steal keystrokes.
  • Linux and Windows Systems at Risk of ACBackdoor: Researchers at Intezer came across both a Windows and a Linux variant of a new backdoor called ACBackdoor. They found that the Windows version used the Fallout exploit kit for distribution but that it was less sophisticated than the Linux version, whose distribution method could not be determined at the time of analysis.
  • Louisiana State Government Computer Systems Hit by Ransomware: According to ZDNet, Louisiana Governor John Bel Edwards revealed that a ransomware infection had taken down some of the IT systems and websites maintained by the state. Officials quickly restored many of the affected websites but said it might take a few days to recover some internal applications.
  • New Mac Backdoor Variant Used by Lazarus Group to Target Koreans: Trend Micro analyzed an attack launched by the digital criminal group Lazarus that targeted Korean users with a malicious Microsoft Excel document. Those who opened the document and enabled macros exposed themselves to a new variant of the Mac backdoor Backdoor.MacOS.NUKESPED.A.
  • Roboto Botnet’s True Purpose Still Unknown: In mid-October, 360Netlab’s honeypot captured the downloader of a P2P bot program it originally snagged back in August. Researchers attributed both resources to a new botnet called Roboto that’s capable of performing distributed denial-of-service (DDoS) attacks, but whose true purpose was unclear at the time of analysis.

Security Tip of the Week: Protect Your Organization’s Data

Security professionals can help secure data against ransomware and other threats by using artificial intelligence (AI)-driven solutions that improve their network visibility, proactively enforce security across endpoints and maintain compliance with relevant regulatory frameworks. Because devices are only the endpoints, infosec personnel should also treat human users as the “startpoint” and secure that element with security awareness training and access controls.
