Last week in security news, researchers revealed that a new loader named Buer relies on exploit kits, malicious emails and other malware for distribution. That wasn’t the only development in the realm of exploit kits and banking Trojans. Researchers also found a possible connection between the Capesand exploit kit and the KurdishCoder attack campaign. They also analyzed a new spam campaign that used steganography to deliver the IcedID banking Trojan.

Top Story of the Week: The Buer Loader’s Many Distribution Channels

In August 2019, Proofpoint began tracking the sale and development of Buer. It first observed this malware being dropped as the next-stage payload in a malspam campaign leveraging malicious Microsoft Word documents. Not long thereafter, its researchers noticed a malvertising campaign in Australia redirecting users to the Fallout exploit kit, a threat that exploited vulnerable browsers to infect users’ machines with the loader.

It was a short time later that the security firm uncovered 100 attack campaigns in which the Ostap loader exclusively loaded a banking Trojan called The Trick. Ostap eventually began distributing Buer, a modular loader that uses anti-analysis tools to maintain persistence on infected machines.

Source: iStock

Also in Security News

  • More Than Half of Recent Malicious Ads Targeted Windows Users: Devcon found that approximately 61 percent of malvertising campaigns’ malicious ads targeted Windows machines between July 11 and November 22, 2019. The company said that this finding in part reflected Windows’ disproportionately large market share among OS users.
  • New Chrome Infostealer Sends Stolen Data to MongoDB Database: According to Bleeping Computer, samples of a new family of malware called CStealer didn’t compile their stolen data into a file and send it to a command-and-control (C&C) server. Instead, they remotely connected to a MongoDB database and sent their information there.
  • Steganography Employed by IcedID Trojan for Distribution: Beginning in September 2019, Malwarebytes noticed a change in a spam campaign responsible for distributing the IcedID Trojan. The security firm specifically witnessed the malware mixing its encrypted and encoded content with a valid PNG image in an attempt to avoid detection.
  • More Than 20 Hotels’ Front Desk Systems Infected by RevengeHotels: Kaspersky Labs revealed that a malware campaign called RevengeHotels had succeeded in infecting the computer systems responsible for running the front desks of more than 20 hotels. Most of those infections occurred in Brazil with additional attacks recorded in South America and Europe.
  • Scammers Impersonated FTC to Send Intimidating Letters: In the beginning of December, the Federal Trade Commission (FTC) warned users to be on the lookout for letters using falsified FTC letterhead. Many of these letters claimed that the FTC had decided to review a recipient’s file after their online and financial activities raised red flags of terrorism and money laundering.
  • StrandHogg Vulnerability Exploited to Target Android Users With Malicious Code: Promon and Lookout found that the attacks began once users downloaded malicious apps through the Google Play store. Following the download of an app vulnerable to StrandHogg, attackers abused task reparenting to execute malicious code that displayed phishing pages and/or permission requests.
  • New MacOS Threat Linked to First-Stage Implant of Lazarus Group: In a post for Objective-See, security researcher Patrick Wardle disclosed a new macOS threat that masqueraded as a legitimate download on a cryptocurrency trading platform. Further analysis revealed that the threat shared some characteristics with an asset developed by the Lazarus Group.
  • Cobalt Strike, Trojanized Tetris App Leveraged to Spread PyXie RAT: In its analysis of the malware, Blackberry Cylance found that attackers were using a trojanized Tetris game to load an encrypted shellcode payload. That resource turned out to be a Cobalt Stage that connected back to one of four servers for the purpose of loading samples of the PyXie RAT.
  • Capesand EK’s Obfuscation Methods Possibly Used in KurdishCoder Campaign: Back in August 2019, Trend Micro first detected a campaign using samples that leveraged certain obfuscation techniques employed by the Capesand exploit kit. Those techniques each helped njRat, Capesand’s ultimate payload, avoid detection.

Security Tip of the Week: Take a Formalized Approach to Your Security Vulnerabilities

Security professionals can help defend their organizations against vulnerabilities like StrandHogg by examining where devices are placed on the network. This effort will help them prioritize vulnerabilities for remediation. As part of their patch management efforts, security professionals should also be sensitive to risks that could arise from the mitigation of vulnerabilities.

More from

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…