August 19, 2019 By David Bisson 3 min read

Last week in security news, researchers spotted threat actors renting out an Android Trojan called Cerberus on underground forums. That’s not the only malware that analysts spotted: They also came across new versions of a botnet, a well-known malware family, a new .NET-based sample, a previously unseen remote access Trojan (RAT) and a new cryptominer. They also discovered phishing campaigns targeting the energy sector as well as organizations across multiple verticals.

Top Story of the Week: Cerberus Android Trojan

In June 2019, analysts at ThreatFabric found that a new Android Trojan named Cerberus was available for rent on underground forums. The creators of the malware used a dedicated Twitter profile and other channels to advertise how their threat did not borrow code snippets from other Trojan families. In response, ThreatFabric’s researchers took a closer look and indeed confirmed that Cerberus bore no code similarities to the Anubis source code.

In addition, the security firm found that the Trojan used the device’s accelerometer as a pedometer to measure the user’s activity. The malware compared the step count it accumulated against a preconfigured threshold and withheld its activity until that threshold was reached, on the assumption that a device that never moves is a dynamic analysis environment rather than a real user’s phone.
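For analysts building dynamic analysis environments, the practical lesson is that an emulator with no sensor simulation never produces a step. The following added example (not ThreatFabric’s or the malware’s code) implements the classic pedometer heuristic over two constructed accelerometer traces, a motionless one and a walking one, so you can see what such a check observes in each; the thresholds are assumptions.

```python
"""Added illustration: what a pedometer heuristic sees on a motionless
emulator versus a moving handset. Traces are constructed; thresholds are
assumptions chosen for the demonstration."""
import math

GRAVITY = 9.81          # m/s^2, magnitude a resting accelerometer reports
STEP_THRESHOLD = 1.5    # assumed: excess over gravity that counts as a step peak
MIN_STEPS = 20          # assumed: activity level an evasive sample might wait for


def count_steps(samples):
    """Count rising-edge peaks in accelerometer magnitude.

    samples: iterable of (x, y, z) readings in m/s^2.
    A step is counted each time the magnitude rises above
    GRAVITY + STEP_THRESHOLD after having been at or below it.
    """
    steps = 0
    above = False
    for x, y, z in samples:
        mag = math.sqrt(x * x + y * y + z * z)
        if mag > GRAVITY + STEP_THRESHOLD:
            if not above:
                steps += 1
                above = True
        else:
            above = False
    return steps


def looks_like_real_device(samples, min_steps=MIN_STEPS):
    """True when the trace shows at least min_steps steps."""
    return count_steps(samples) >= min_steps


def sandbox_trace(n=1000):
    """Constructed: an emulator with no sensor simulation reports a constant vector."""
    return [(0.0, 0.0, GRAVITY)] * n


def walking_trace(n=1000, cadence_hz=2.0, rate_hz=50.0):
    """Constructed: 20 s at 50 Hz of walking at ~2 steps/s, modelled as a
    3 m/s^2 sinusoidal bounce on top of gravity."""
    return [(0.0, 0.0, GRAVITY + 3.0 * math.sin(2 * math.pi * cadence_hz * i / rate_hz))
            for i in range(n)]


if __name__ == "__main__":
    print("sandbox steps:", count_steps(sandbox_trace()))   # 0
    print("walking steps:", count_steps(walking_trace()))   # 40
```

A sandbox that replays a recorded or synthesized motion trace into the emulated sensor passes this kind of check, while a static emulator never does.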


Also in Security News

  • New Version of GoBrut Detected in the Wild: Cybaze-Yoroi ZLAB discovered version 3.06 of the GoBrut botnet in the summer of 2019. The security firm found that this variant, which was compiled for Linux environments, relied on compromised websites for distribution and came equipped with a brute-forcing module.
  • DocuSign Branding Incorporated in Phishing Attack: Proofpoint uncovered a phishing campaign in July 2019 that used branding from electronic signature service DocuSign to selectively target organizations’ employees across multiple verticals. The operation’s attack emails redirected users to a landing page hosted on Amazon public cloud storage (S3).
  • New .NET-Based Malware Variant Spread by Emails, Exploit Kits: Not long thereafter, Proofpoint announced that it had detected a new variant of .NET-based malware known as PsiXBot. This version was more sophisticated than the malware family’s original iteration in that it arrived with the ability to dynamically fetch its own Domain Name System (DNS) infrastructure using a URL shortener.
  • CEOs Imitated by Phishers in Bid to Target Energy Sector: On August 13, Cofense disclosed a highly customized phishing campaign that was targeting an energy organization. Those behind this operation impersonated the organization’s CEO in their attack emails and used Google Drive as a threat vector to avoid detection.
  • Latest Ursnif Sample Arrived With Anti-Analysis Techniques: FortiGuard Labs spotted an attack campaign that used malicious Microsoft Word documents to distribute a new variant of the Ursnif Trojan. This version boasted various anti-analysis techniques, including the ability to dynamically parse its API functions and thereby evade static analysis.
  • Remcos RAT Distributed by Phishing Emails: In July, Trend Micro discovered a phishing campaign that directed users to open an order notification. In actuality, the malicious attachment used an AutoIt wrapper to deliver a sample of the Remcos RAT.
  • Norman Cryptominer Discovered in Large-Scale Infection: While investigating a large-scale cryptomining infection at a mid-size company, Varonis discovered a new cryptominer dubbed Norman. This malware followed the example of many other threats in disguising itself as svchost.exe, but Norman still differentiated itself by employing multiple evasion techniques.
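Masquerading as svchost.exe, as Norman does, is a common trick that a simple process-snapshot check can surface. The following added example (not Varonis’s analysis code) flags any svchost.exe whose image path is outside the Windows system directories or whose parent is not services.exe; the snapshot entries are constructed.

```python
"""Added triage check for processes masquerading as svchost.exe.
On a clean Windows host, svchost.exe runs from \\Windows\\System32
(or SysWOW64) and is started by services.exe. Entries below are
constructed, not taken from a real host."""
import ntpath

LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_PARENT = "services.exe"

# Constructed process snapshot: (pid, image path, parent image name)
SNAPSHOT = [
    (812, r"C:\Windows\System32\svchost.exe", "services.exe"),
    (1340, r"C:\Windows\SysWOW64\svchost.exe", "services.exe"),
    (4412, r"C:\Users\alice\AppData\Roaming\svchost.exe", "explorer.exe"),
    (5100, r"C:\Windows\System32\svchost.exe", "cmd.exe"),
    (2200, r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


def suspicious_svchost(snapshot):
    """Return (pid, path, reason) for every svchost.exe that runs from an
    unexpected directory or under an unexpected parent process."""
    findings = []
    for pid, path, parent in snapshot:
        directory, name = ntpath.split(path)
        if name.lower() != "svchost.exe":
            continue
        reasons = []
        if directory.lower() not in LEGIT_DIRS:
            reasons.append("unexpected image path")
        if parent.lower() != LEGIT_PARENT:
            reasons.append(f"unexpected parent {parent}")
        if reasons:
            findings.append((pid, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, path, reason in suspicious_svchost(SNAPSHOT):
        print(f"[!] pid {pid}: {path} ({reason})")
```

Treat a hit as a triage signal rather than a conviction, and confirm with the file hash, signature and command line before acting.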

Security Tip of the Week: Defending Against Malware

In its analysis of Remcos, Trend Micro urged organizations to educate users about phishing attacks:

“…we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately.”

Security professionals can further help defend their organizations against phishing-borne malware by investing in robust artificial intelligence (AI)-based security solutions. These tools should ideally leverage both machine learning and deep learning to automatically replicate the accuracy of manual analysis on a large scale for the purpose of spotting potential threats. Organizations should also focus on improving their endpoint visibility with endpoint management capabilities so they can monitor critical assets for suspicious behavior and automatically remediate any issues.

Learn more about destructive malware on the latest episode of the SecurityIntelligence podcast
