Light Dark
December 9, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that a new loader named Buer relies on exploit kits, malicious emails and other malware for distribution. That wasn’t the only development in the realm of exploit kits and banking Trojans. Researchers also found a possible connection between the Capesand exploit kit and the KurdishCoder attack campaign. They also analyzed a new spam campaign that used steganography to deliver the IcedID banking Trojan.

Top Story of the Week: The Buer Loader’s Many Distribution Channels

In August 2019, Proofpoint began tracking the sale and development of Buer. It first observed this malware being dropped as the next-stage payload in a malspam campaign leveraging malicious Microsoft Word documents. Not long thereafter, its researchers noticed a malvertising campaign in Australia redirecting users to the Fallout exploit kit, a threat that exploited vulnerable browsers to infect users’ machines with the loader.

It was a short time later that the security firm uncovered 100 attack campaigns in which the Ostap loader exclusively loaded a banking Trojan called The Trick. Ostap eventually began distributing Buer, a modular loader that uses anti-analysis tools to maintain persistence on infected machines.

Source: iStock

Also in Security News

  • More Than Half of Recent Malicious Ads Targeted Windows Users: Devcon found that approximately 61 percent of malvertising campaigns’ malicious ads targeted Windows machines between July 11 and November 22, 2019. The company said that this finding in part reflected Windows’ disproportionately large market share among OS users.
  • New Chrome Infostealer Sends Stolen Data to MongoDB Database: According to Bleeping Computer, samples of a new family of malware called CStealer didn’t compile their stolen data into a file and send it to a command-and-control (C&C) server. Instead, they remotely connected to a MongoDB database and sent their information there.
  • Steganography Employed by IcedID Trojan for Distribution: Beginning in September 2019, Malwarebytes noticed a change in a spam campaign responsible for distributing the IcedID Trojan. The security firm specifically witnessed the malware mixing its encrypted and encoded content with a valid PNG image in an attempt to avoid detection.
  • More Than 20 Hotels’ Front Desk Systems Infected by RevengeHotels: Kaspersky Labs revealed that a malware campaign called RevengeHotels had succeeded in infecting the computer systems responsible for running the front desks of more than 20 hotels. Most of those infections occurred in Brazil with additional attacks recorded in South America and Europe.
  • Scammers Impersonated FTC to Send Intimidating Letters: In the beginning of December, the Federal Trade Commission (FTC) warned users to be on the lookout for letters using falsified FTC letterhead. Many of these letters claimed that the FTC had decided to review a recipient’s file after their online and financial activities raised red flags of terrorism and money laundering.
  • StrandHogg Vulnerability Exploited to Target Android Users With Malicious Code: Promon and Lookout found that the attacks began once users downloaded malicious apps through the Google Play store. Following the download of an app vulnerable to StrandHogg, attackers abused task reparenting to execute malicious code that displayed phishing pages and/or permission requests.
  • New MacOS Threat Linked to First-Stage Implant of Lazarus Group: In a post for Objective-See, security researcher Patrick Wardle disclosed a new macOS threat that masqueraded as a legitimate download on a cryptocurrency trading platform. Further analysis revealed that the threat shared some characteristics with an asset developed by the Lazarus Group.
  • Cobalt Strike, Trojanized Tetris App Leveraged to Spread PyXie RAT: In its analysis of the malware, Blackberry Cylance found that attackers were using a trojanized Tetris game to load an encrypted shellcode payload. That resource turned out to be a Cobalt Stage that connected back to one of four servers for the purpose of loading samples of the PyXie RAT.
  • Capesand EK’s Obfuscation Methods Possibly Used in KurdishCoder Campaign: Back in August 2019, Trend Micro first detected a campaign using samples that leveraged certain obfuscation techniques employed by the Capesand exploit kit. Those techniques each helped njRat, Capesand’s ultimate payload, avoid detection.

Security Tip of the Week: Take a Formalized Approach to Your Security Vulnerabilities

Security professionals can help defend their organizations against vulnerabilities like StrandHogg by examining where devices are placed on the network. This effort will help them prioritize vulnerabilities for remediation. As part of their patch management efforts, security professionals should also be sensitive to risks that could arise from the mitigation of vulnerabilities.

 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature