Light Dark
August 19, 2019 By David Bisson 3 min read

Last week in security news, researchers spotted threat actors renting out an Android Trojan called Cerberus on underground forums. That’s not the only malware that analysts spotted: They also came across new versions of a botnet, a well-known malware family, a new .NET-based sample, a previously unseen remote access Trojan (RAT) and a new cryptominer. They also discovered various phishing campaigns targeting the energy sector as well as organizations in various verticals.

Top Story of the Week: Cerberus Android Trojan

In June 2019, analysts at ThreatFabric found that a new Android Trojan named Cerberus was available for rent on underground forums. The creators of the malware used a dedicated Twitter profile and other channels to advertise how their threat did not borrow code snippets from other Trojan families. In response, ThreatFabric’s researchers took a closer look and indeed confirmed that Cerberus bore no code similarities to the Anubis source code.

In addition, the security firm found that the Trojan used a device’s accelerometer sensor as a pedometer to measure the user’s activity. This tactic helped the threat measure the user’s movements against a preconfigured threshold in an attempt to avoid running in a dynamic analysis environment.

Source: iStock

Also in Security News

  • New Version of GoBrut Detected in the Wild: Cybaze-Yoroi ZLAB discovered version 3.06 of the GoBrut botnet in the summer of 2019. The security firm found that this variant, which was compiled for Linux environments, relied on compromised websites for distribution and came equipped with a brute-forcing module.
  • DocuSign Branding Incorporated in Phishing Attack: Proofpoint uncovered a phishing campaign in July 2019 that used branding from electronic signature service DocuSign to selectively target organizations’ employees across multiple verticals. The operation’s attack emails redirected users to a landing page hosted on Amazon public cloud storage (S3).
  • New .NET-Based Malware Variant Spread by Emails, Exploit Kits: Not long thereafter, Proofpoint announced that it had detected a new variant of .NET-based malware known as PsiXBot. This version was more sophisticated than the malware family’s original iteration in that it arrived with the ability to dynamically fetch its own Domain Name System (DNS) infrastructure using a URL shortener.
  • CEOs Imitated by Phishers in Bid to Target Energy Sector: On August 13, Cofense disclosed a highly customized phishing campaign that was targeting an energy organization. Those behind this operation impersonated the organization’s CEO in their attack emails and used Google Drive as a threat vector to avoid detection.
  • Latest Ursnif Sample Arrived With Anti-Analysis Techniques: FortiGuard Labs spotted an attack campaign that used malicious Microsoft Word documents to distribute a new variant of the Ursnif Trojan. This version boasted various anti-analysis techniques, including the ability to dynamically parse its API functions and thereby evade static analysis.
  • Remcos RAT Distributed by Phishing Emails: In July, Trend Micro discovered a phishing campaign that directed users to open an order notification. In actuality, the malicious attachment used an AutoIt wrapper to deliver a sample of the Remcos RAT.
  • Norman Cryptominer Discovered in Large-Scale Infection: While investigating a large-scale cryptomining infection at a mid-size company, Varonis discovered a new cryptominer dubbed Norman. This malware followed the example of many other threats in disguising itself as svchost.exe, but Norman still differentiated itself by employing multiple evasion techniques.

Security Tip of the Week: Defending Against Malware

In its analysis of Remcos, Trend Micro urged organizations to educate users about phishing attacks:

“…we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately.”

Security professionals can further help defend their organizations against phishing-borne malware by investing in robust artificial intelligence (AI)-based security solutions. These tools should ideally leverage both machine learning and deep learning to automatically replicate the accuracy of manual analysis on a large scale for the purpose of spotting potential threats. Organizations should also focus on improving their endpoint visibility with endpoint management capabilities so they can monitor critical assets for suspicious behavior and automatically remediate any issues.

Learn more about destructive malware on the latest episode of the SecurityIntelligence podcast

 |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature