December 9, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that a new loader named Buer relies on exploit kits, malicious emails and other malware for distribution. That wasn’t the only development in the realm of exploit kits and banking Trojans. Researchers also found a possible connection between the Capesand exploit kit and the KurdishCoder attack campaign. They also analyzed a new spam campaign that used steganography to deliver the IcedID banking Trojan.

Top Story of the Week: The Buer Loader’s Many Distribution Channels

In August 2019, Proofpoint began tracking the sale and development of Buer. It first observed this malware being dropped as the next-stage payload in a malspam campaign leveraging malicious Microsoft Word documents. Not long thereafter, its researchers noticed a malvertising campaign in Australia redirecting users to the Fallout exploit kit, a threat that exploited vulnerable browsers to infect users’ machines with the loader.

It was a short time later that the security firm uncovered 100 attack campaigns in which the Ostap loader exclusively loaded a banking Trojan called The Trick. Ostap eventually began distributing Buer, a modular loader that uses anti-analysis tools to maintain persistence on infected machines.

Source: iStock

Also in Security News

  • More Than Half of Recent Malicious Ads Targeted Windows Users: Devcon found that approximately 61 percent of malvertising campaigns’ malicious ads targeted Windows machines between July 11 and November 22, 2019. The company said that this finding in part reflected Windows’ disproportionately large market share among OS users.
  • New Chrome Infostealer Sends Stolen Data to MongoDB Database: According to Bleeping Computer, samples of a new family of malware called CStealer didn’t compile their stolen data into a file and send it to a command-and-control (C&C) server. Instead, they remotely connected to a MongoDB database and sent their information there.
  • Steganography Employed by IcedID Trojan for Distribution: Beginning in September 2019, Malwarebytes noticed a change in a spam campaign responsible for distributing the IcedID Trojan. The security firm specifically witnessed the malware mixing its encrypted and encoded content with a valid PNG image in an attempt to avoid detection.
  • More Than 20 Hotels’ Front Desk Systems Infected by RevengeHotels: Kaspersky Labs revealed that a malware campaign called RevengeHotels had succeeded in infecting the computer systems responsible for running the front desks of more than 20 hotels. Most of those infections occurred in Brazil with additional attacks recorded in South America and Europe.
  • Scammers Impersonated FTC to Send Intimidating Letters: In the beginning of December, the Federal Trade Commission (FTC) warned users to be on the lookout for letters using falsified FTC letterhead. Many of these letters claimed that the FTC had decided to review a recipient’s file after their online and financial activities raised red flags of terrorism and money laundering.
  • StrandHogg Vulnerability Exploited to Target Android Users With Malicious Code: Promon and Lookout found that the attacks began once users downloaded malicious apps through the Google Play store. Following the download of an app vulnerable to StrandHogg, attackers abused task reparenting to execute malicious code that displayed phishing pages and/or permission requests.
  • New MacOS Threat Linked to First-Stage Implant of Lazarus Group: In a post for Objective-See, security researcher Patrick Wardle disclosed a new macOS threat that masqueraded as a legitimate download on a cryptocurrency trading platform. Further analysis revealed that the threat shared some characteristics with an asset developed by the Lazarus Group.
  • Cobalt Strike, Trojanized Tetris App Leveraged to Spread PyXie RAT: In its analysis of the malware, Blackberry Cylance found that attackers were using a trojanized Tetris game to load an encrypted shellcode payload. That resource turned out to be a Cobalt Stage that connected back to one of four servers for the purpose of loading samples of the PyXie RAT.
  • Capesand EK’s Obfuscation Methods Possibly Used in KurdishCoder Campaign: Back in August 2019, Trend Micro first detected a campaign using samples that leveraged certain obfuscation techniques employed by the Capesand exploit kit. Those techniques each helped njRat, Capesand’s ultimate payload, avoid detection.

Security Tip of the Week: Take a Formalized Approach to Your Security Vulnerabilities

Security professionals can help defend their organizations against vulnerabilities like StrandHogg by examining where devices are placed on the network. This effort will help them prioritize vulnerabilities for remediation. As part of their patch management efforts, security professionals should also be sensitive to risks that could arise from the mitigation of vulnerabilities.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today