December 9, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that a new loader named Buer relies on exploit kits, malicious emails and other malware for distribution. That wasn’t the only development in the realm of exploit kits and banking Trojans. Researchers also found a possible connection between the Capesand exploit kit and the KurdishCoder attack campaign. They also analyzed a new spam campaign that used steganography to deliver the IcedID banking Trojan.

Top Story of the Week: The Buer Loader’s Many Distribution Channels

In August 2019, Proofpoint began tracking the sale and development of Buer. It first observed this malware being dropped as the next-stage payload in a malspam campaign leveraging malicious Microsoft Word documents. Not long thereafter, its researchers noticed a malvertising campaign in Australia redirecting users to the Fallout exploit kit, a threat that exploited vulnerable browsers to infect users’ machines with the loader.

It was a short time later that the security firm uncovered 100 attack campaigns in which the Ostap loader exclusively loaded a banking Trojan called The Trick. Ostap eventually began distributing Buer, a modular loader that uses anti-analysis tools to maintain persistence on infected machines.

Source: iStock

Also in Security News

  • More Than Half of Recent Malicious Ads Targeted Windows Users: Devcon found that approximately 61 percent of malvertising campaigns’ malicious ads targeted Windows machines between July 11 and November 22, 2019. The company said that this finding in part reflected Windows’ disproportionately large market share among OS users.
  • New Chrome Infostealer Sends Stolen Data to MongoDB Database: According to Bleeping Computer, samples of a new family of malware called CStealer didn’t compile their stolen data into a file and send it to a command-and-control (C&C) server. Instead, they remotely connected to a MongoDB database and sent their information there.
  • Steganography Employed by IcedID Trojan for Distribution: Beginning in September 2019, Malwarebytes noticed a change in a spam campaign responsible for distributing the IcedID Trojan. The security firm specifically witnessed the malware mixing its encrypted and encoded content with a valid PNG image in an attempt to avoid detection.
  • More Than 20 Hotels’ Front Desk Systems Infected by RevengeHotels: Kaspersky Labs revealed that a malware campaign called RevengeHotels had succeeded in infecting the computer systems responsible for running the front desks of more than 20 hotels. Most of those infections occurred in Brazil with additional attacks recorded in South America and Europe.
  • Scammers Impersonated FTC to Send Intimidating Letters: In the beginning of December, the Federal Trade Commission (FTC) warned users to be on the lookout for letters using falsified FTC letterhead. Many of these letters claimed that the FTC had decided to review a recipient’s file after their online and financial activities raised red flags of terrorism and money laundering.
  • StrandHogg Vulnerability Exploited to Target Android Users With Malicious Code: Promon and Lookout found that the attacks began once users downloaded malicious apps through the Google Play store. Following the download of an app vulnerable to StrandHogg, attackers abused task reparenting to execute malicious code that displayed phishing pages and/or permission requests.
  • New MacOS Threat Linked to First-Stage Implant of Lazarus Group: In a post for Objective-See, security researcher Patrick Wardle disclosed a new macOS threat that masqueraded as a legitimate download on a cryptocurrency trading platform. Further analysis revealed that the threat shared some characteristics with an asset developed by the Lazarus Group.
  • Cobalt Strike, Trojanized Tetris App Leveraged to Spread PyXie RAT: In its analysis of the malware, Blackberry Cylance found that attackers were using a trojanized Tetris game to load an encrypted shellcode payload. That resource turned out to be a Cobalt Stage that connected back to one of four servers for the purpose of loading samples of the PyXie RAT.
  • Capesand EK’s Obfuscation Methods Possibly Used in KurdishCoder Campaign: Back in August 2019, Trend Micro first detected a campaign using samples that leveraged certain obfuscation techniques employed by the Capesand exploit kit. Those techniques each helped njRat, Capesand’s ultimate payload, avoid detection.

Security Tip of the Week: Take a Formalized Approach to Your Security Vulnerabilities

Security professionals can help defend their organizations against vulnerabilities like StrandHogg by examining where devices are placed on the network. This effort will help them prioritize vulnerabilities for remediation. As part of their patch management efforts, security professionals should also be sensitive to risks that could arise from the mitigation of vulnerabilities.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today