Last week in security news, researchers spotted threat actors renting out an Android Trojan called Cerberus on underground forums. That’s not the only malware that analysts spotted: They also came across new versions of a botnet, a well-known malware family, a new .NET-based sample, a previously unseen remote access Trojan (RAT) and a new cryptominer. They also discovered various phishing campaigns targeting the energy sector as well as organizations in various verticals.
Top Story of the Week: Cerberus Android Trojan
In June 2019, analysts at ThreatFabric found that a new Android Trojan named Cerberus was available for rent on underground forums. The creators of the malware used a dedicated Twitter profile and other channels to advertise how their threat did not borrow code snippets from other Trojan families. In response, ThreatFabric’s researchers took a closer look and indeed confirmed that Cerberus bore no code similarities to the Anubis source code.
In addition, the security firm found that the Trojan used a device’s accelerometer sensor as a pedometer to measure the user’s activity. This tactic helped the threat measure the user’s movements against a preconfigured threshold in an attempt to avoid running in a dynamic analysis environment.
Also in Security News
- New Version of GoBrut Detected in the Wild: Cybaze-Yoroi ZLAB discovered version 3.06 of the GoBrut botnet in the summer of 2019. The security firm found that this variant, which was compiled for Linux environments, relied on compromised websites for distribution and came equipped with a brute-forcing module.
- DocuSign Branding Incorporated in Phishing Attack: Proofpoint uncovered a phishing campaign in July 2019 that used branding from electronic signature service DocuSign to selectively target organizations’ employees across multiple verticals. The operation’s attack emails redirected users to a landing page hosted on Amazon public cloud storage (S3).
- New .NET-Based Malware Variant Spread by Emails, Exploit Kits: Not long thereafter, Proofpoint announced that it had detected a new variant of .NET-based malware known as PsiXBot. This version was more sophisticated than the malware family’s original iteration in that it arrived with the ability to dynamically fetch its own Domain Name System (DNS) infrastructure using a URL shortener.
- CEOs Imitated by Phishers in Bid to Target Energy Sector: On August 13, Cofense disclosed a highly customized phishing campaign that was targeting an energy organization. Those behind this operation impersonated the organization’s CEO in their attack emails and used Google Drive as a threat vector to avoid detection.
- Latest Ursnif Sample Arrived With Anti-Analysis Techniques: FortiGuard Labs spotted an attack campaign that used malicious Microsoft Word documents to distribute a new variant of the Ursnif Trojan. This version boasted various anti-analysis techniques, including the ability to dynamically parse its API functions and thereby evade static analysis.
- Remcos RAT Distributed by Phishing Emails: In July, Trend Micro discovered a phishing campaign that directed users to open an order notification. In actuality, the malicious attachment used an AutoIt wrapper to deliver a sample of the Remcos RAT.
- Norman Cryptominer Discovered in Large-Scale Infection: While investigating a large-scale cryptomining infection at a mid-size company, Varonis discovered a new cryptominer dubbed Norman. This malware followed the example of many other threats in disguising itself as svchost.exe, but Norman still differentiated itself by employing multiple evasion techniques.
Security Tip of the Week: Defending Against Malware
In its analysis of Remcos, Trend Micro urged organizations to educate users about phishing attacks:
“…we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately.”
Security professionals can further help defend their organizations against phishing-borne malware by investing in robust artificial intelligence (AI)-based security solutions. These tools should ideally leverage both machine learning and deep learning to automatically replicate the accuracy of manual analysis on a large scale for the purpose of spotting potential threats. Organizations should also focus on improving their endpoint visibility with endpoint management capabilities so they can monitor critical assets for suspicious behavior and automatically remediate any issues.
Learn more about destructive malware on the latest episode of the SecurityIntelligence podcast