Weekly Security News Roundup: Buer Loader Distributed by Malvertising Campaigns

December 9, 2019 @ 8:00 AM
| |
3 min read

Last week in security news, researchers revealed that a new loader named Buer relies on exploit kits, malicious emails and other malware for distribution. That wasn’t the only development in the realm of exploit kits and banking Trojans. Researchers also found a possible connection between the Capesand exploit kit and the KurdishCoder attack campaign. They also analyzed a new spam campaign that used steganography to deliver the IcedID banking Trojan.

Top Story of the Week: The Buer Loader’s Many Distribution Channels

In August 2019, Proofpoint began tracking the sale and development of Buer. It first observed this malware being dropped as the next-stage payload in a malspam campaign leveraging malicious Microsoft Word documents. Not long thereafter, its researchers noticed a malvertising campaign in Australia redirecting users to the Fallout exploit kit, a threat that exploited vulnerable browsers to infect users’ machines with the loader.

It was a short time later that the security firm uncovered 100 attack campaigns in which the Ostap loader exclusively loaded a banking Trojan called The Trick. Ostap eventually began distributing Buer, a modular loader that uses anti-analysis tools to maintain persistence on infected machines.

Source: iStock

Also in Security News

  • More Than Half of Recent Malicious Ads Targeted Windows Users: Devcon found that approximately 61 percent of malvertising campaigns’ malicious ads targeted Windows machines between July 11 and November 22, 2019. The company said that this finding in part reflected Windows’ disproportionately large market share among OS users.
  • New Chrome Infostealer Sends Stolen Data to MongoDB Database: According to Bleeping Computer, samples of a new family of malware called CStealer didn’t compile their stolen data into a file and send it to a command-and-control (C&C) server. Instead, they remotely connected to a MongoDB database and sent their information there.
  • Steganography Employed by IcedID Trojan for Distribution: Beginning in September 2019, Malwarebytes noticed a change in a spam campaign responsible for distributing the IcedID Trojan. The security firm specifically witnessed the malware mixing its encrypted and encoded content with a valid PNG image in an attempt to avoid detection.
  • More Than 20 Hotels’ Front Desk Systems Infected by RevengeHotels: Kaspersky Labs revealed that a malware campaign called RevengeHotels had succeeded in infecting the computer systems responsible for running the front desks of more than 20 hotels. Most of those infections occurred in Brazil with additional attacks recorded in South America and Europe.
  • Scammers Impersonated FTC to Send Intimidating Letters: In the beginning of December, the Federal Trade Commission (FTC) warned users to be on the lookout for letters using falsified FTC letterhead. Many of these letters claimed that the FTC had decided to review a recipient’s file after their online and financial activities raised red flags of terrorism and money laundering.
  • StrandHogg Vulnerability Exploited to Target Android Users With Malicious Code: Promon and Lookout found that the attacks began once users downloaded malicious apps through the Google Play store. Following the download of an app vulnerable to StrandHogg, attackers abused task reparenting to execute malicious code that displayed phishing pages and/or permission requests.
  • New MacOS Threat Linked to First-Stage Implant of Lazarus Group: In a post for Objective-See, security researcher Patrick Wardle disclosed a new macOS threat that masqueraded as a legitimate download on a cryptocurrency trading platform. Further analysis revealed that the threat shared some characteristics with an asset developed by the Lazarus Group.
  • Cobalt Strike, Trojanized Tetris App Leveraged to Spread PyXie RAT: In its analysis of the malware, Blackberry Cylance found that attackers were using a trojanized Tetris game to load an encrypted shellcode payload. That resource turned out to be a Cobalt Stage that connected back to one of four servers for the purpose of loading samples of the PyXie RAT.
  • Capesand EK’s Obfuscation Methods Possibly Used in KurdishCoder Campaign: Back in August 2019, Trend Micro first detected a campaign using samples that leveraged certain obfuscation techniques employed by the Capesand exploit kit. Those techniques each helped njRat, Capesand’s ultimate payload, avoid detection.

Security Tip of the Week: Take a Formalized Approach to Your Security Vulnerabilities

Security professionals can help defend their organizations against vulnerabilities like StrandHogg by examining where devices are placed on the network. This effort will help them prioritize vulnerabilities for remediation. As part of their patch management efforts, security professionals should also be sensitive to risks that could arise from the mitigation of vulnerabilities.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more