Last week in security news, researchers spotted threat actors renting out an Android Trojan called Cerberus on underground forums. That’s not the only malware that analysts spotted: They also came across new versions of a botnet, a well-known malware family, a new .NET-based sample, a previously unseen remote access Trojan (RAT) and a new cryptominer. They also discovered various phishing campaigns targeting the energy sector as well as organizations in various verticals.

Top Story of the Week: Cerberus Android Trojan

In June 2019, analysts at ThreatFabric found that a new Android Trojan named Cerberus was available for rent on underground forums. The creators of the malware used a dedicated Twitter profile and other channels to advertise how their threat did not borrow code snippets from other Trojan families. In response, ThreatFabric’s researchers took a closer look and indeed confirmed that Cerberus bore no code similarities to the Anubis source code.

In addition, the security firm found that the Trojan used a device’s accelerometer sensor as a pedometer to measure the user’s activity. This tactic helped the threat measure the user’s movements against a preconfigured threshold in an attempt to avoid running in a dynamic analysis environment.

Source: iStock

Also in Security News

  • New Version of GoBrut Detected in the Wild: Cybaze-Yoroi ZLAB discovered version 3.06 of the GoBrut botnet in the summer of 2019. The security firm found that this variant, which was compiled for Linux environments, relied on compromised websites for distribution and came equipped with a brute-forcing module.
  • DocuSign Branding Incorporated in Phishing Attack: Proofpoint uncovered a phishing campaign in July 2019 that used branding from electronic signature service DocuSign to selectively target organizations’ employees across multiple verticals. The operation’s attack emails redirected users to a landing page hosted on Amazon public cloud storage (S3).
  • New .NET-Based Malware Variant Spread by Emails, Exploit Kits: Not long thereafter, Proofpoint announced that it had detected a new variant of .NET-based malware known as PsiXBot. This version was more sophisticated than the malware family’s original iteration in that it arrived with the ability to dynamically fetch its own Domain Name System (DNS) infrastructure using a URL shortener.
  • CEOs Imitated by Phishers in Bid to Target Energy Sector: On August 13, Cofense disclosed a highly customized phishing campaign that was targeting an energy organization. Those behind this operation impersonated the organization’s CEO in their attack emails and used Google Drive as a threat vector to avoid detection.
  • Latest Ursnif Sample Arrived With Anti-Analysis Techniques: FortiGuard Labs spotted an attack campaign that used malicious Microsoft Word documents to distribute a new variant of the Ursnif Trojan. This version boasted various anti-analysis techniques, including the ability to dynamically parse its API functions and thereby evade static analysis.
  • Remcos RAT Distributed by Phishing Emails: In July, Trend Micro discovered a phishing campaign that directed users to open an order notification. In actuality, the malicious attachment used an AutoIt wrapper to deliver a sample of the Remcos RAT.
  • Norman Cryptominer Discovered in Large-Scale Infection: While investigating a large-scale cryptomining infection at a mid-size company, Varonis discovered a new cryptominer dubbed Norman. This malware followed the example of many other threats in disguising itself as svchost.exe, but Norman still differentiated itself by employing multiple evasion techniques.

Security Tip of the Week: Defending Against Malware

In its analysis of Remcos, Trend Micro urged organizations to educate users about phishing attacks:

“…we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately.”

Security professionals can further help defend their organizations against phishing-borne malware by investing in robust artificial intelligence (AI)-based security solutions. These tools should ideally leverage both machine learning and deep learning to automatically replicate the accuracy of manual analysis on a large scale for the purpose of spotting potential threats. Organizations should also focus on improving their endpoint visibility with endpoint management capabilities so they can monitor critical assets for suspicious behavior and automatically remediate any issues.

Learn more about destructive malware on the latest episode of the SecurityIntelligence podcast

More from

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read