December 3, 2019 | By David Bisson

Last week in security news, researchers detailed the multiple layers of obfuscation, fileless tactics and polymorphism techniques employed by the Dexphot malware campaign. Researchers also uncovered a new family of ransomware that attempts to disable several security solutions on infected Windows PCs. A Netflix account freeze scam rounded out the holiday weekend.

Top Story of the Week: The Dexphot Campaign’s Complex Attack Chain

The Microsoft Defender APT Research Team first learned of the Dexphot campaign back in October 2018. It found that the attack employed a complex attack chain for which it wrote five files to disk. Many of those files used various obfuscation techniques including encryption and living-off-the-land (LOL) tactics to help the campaign evade detection.

Dexphot’s sophistication didn’t end there, however. The campaign also used polymorphism across its malware binaries and regularly scheduled malware updates to further lead security tools astray.


Also in Security News

  • DePriMon Uses Port Monitors Installation Technique to Avoid Detection: ESET analyzed DePriMon and found that the threat downloaded its third-stage DLL as a port monitor. Researchers observed that the malicious downloader likely used this installation technique, which is described in the MITRE ATT&CK framework, as a means to evade detection.
  • New Fullz House Actor Engages in Phishing Attacks, Card Skimming: RiskIQ observed that a threat actor named Fullz House began conducting card skimming in addition to maintaining its phishing activity. For these new attacks, Fullz House developed its own card skimmer and used man-in-the-middle (MitM) attacks in e-commerce transactions.
  • Malwarebytes, Native Windows Security Tools Targeted by Clop Ransomware: In its analysis of Clop, Bleeping Computer found that the ransomware targeted several security solutions so that it could successfully encrypt a victim’s data. For instance, it configured the Registry values to disable Windows Defender on infected machines.
  • Phishing Scam Uses Threat of Fake Account Freeze to Steal Netflix Credentials: The editor-in-chief at Naked Security received a phishing message that informed them of an overdue Netflix invoice. The email used this premise as a lure to trick recipients into clicking on a button that redirected them to a Netflix phishing website.
  • Security Threat Aimed at Apache Solr Reclassified to “High Severity Status”: According to Tenable, researchers reclassified a security threat affecting Apache Solr, a Linux enterprise search tool, to “high severity status” following the release of exploit code. That code, in turn, put affected hardware at risk of remote code execution attacks.
  • Legitimate Email Accounts Leveraged by TICK to Deliver New Malware: In its analysis of TICK’s new campaign, Trend Micro observed the digital espionage group using new malware that elevated privileges and employed evasion tactics. TICK delivered these new malware threats using legitimate email accounts and credentials.
  • YouTube Descriptions Used by Stantinko Botnet to Hide Cryptominers: Researchers at ESET examined Stantinko and found that the botnet embedded the IP addresses for its command-and-control (C&C) servers within multiple YouTube video descriptions. This technique helped the botnet conceal the communication channels used for its cryptomining attacks.

Security Tip of the Week: How to Defend Against Fileless Attacks

Security professionals can help their organizations defend against fileless attacks by disabling PowerShell and other legitimate services that aren’t necessary to the business. Doing so will prevent malicious actors from abusing those services to prey upon the company. Security teams should also consider using endpoint protection solutions to defend their assets against more sophisticated attacks, such as those that use fileless techniques to distribute ransomware.
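The tip above, together with the Clop item earlier on this page (ransomware that edits Registry values to switch off Windows Defender), amounts to a short checklist a defender can verify on a host. The script below is an added example and is not code from the original article or from any vendor it mentions. It assumes an elevated Windows PowerShell 5.1 session and reads only the documented Group Policy registry locations for script block logging, module logging and the Defender `DisableAntiSpyware` policy value, the DISM optional-feature name for the PowerShell 2.0 engine, and the current session's language mode; it makes no changes to the system.

```powershell
# Added example (not part of the original article): audit a handful of Windows
# settings that bear on fileless, PowerShell-based attacks. Run from an elevated
# Windows PowerShell 5.1 session. Registry paths are the documented Group Policy
# locations; a missing value means no policy is set and is reported as such.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: no policy configured
    }
}

function Test-FilelessDefenses {
    $results = @()

    # 1. Script block logging (Event ID 4104) records the de-obfuscated script text
    #    PowerShell actually executes, which is what defeats layered obfuscation.
    $sbl = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $status = if ($sbl -eq 1) { 'OK' } elseif ($null -eq $sbl) { 'Not configured' } else { 'Disabled' }
    $results += [pscustomobject]@{ Check = 'Script block logging'; Status = $status }

    # 2. Module logging captures pipeline activity for the listed modules.
    $mod = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
    $status = if ($mod -eq 1) { 'OK' } elseif ($null -eq $mod) { 'Not configured' } else { 'Disabled' }
    $results += [pscustomobject]@{ Check = 'Module logging'; Status = $status }

    # 3. The PowerShell 2.0 engine predates script block logging; leaving it
    #    installed offers a logging-free downgrade path, so it should be removed.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $status = if ($null -eq $v2 -or $v2.State -eq 'Disabled') { 'OK' } else { 'Installed' }
    $results += [pscustomobject]@{ Check = 'PowerShell v2 engine removed'; Status = $status }

    # 4. Windows Defender switched off through policy. The Clop write-up on this page
    #    describes Registry tampering of this kind; this checks one documented value.
    $def = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    $status = if ($def -eq 1) { 'DISABLED BY POLICY' } else { 'OK' }
    $results += [pscustomobject]@{ Check = 'Defender not disabled by policy'; Status = $status }

    # 5. Language mode of this session: ConstrainedLanguage blocks most of the
    #    .NET access that in-memory loaders rely on.
    $results += [pscustomobject]@{
        Check  = 'Session language mode'
        Status = $ExecutionContext.SessionState.LanguageMode.ToString()
    }

    return $results
}

Test-FilelessDefenses | Format-Table -AutoSize
```

Where PowerShell cannot be removed outright because administrators depend on it, the output of this audit points at the next best controls: turn on script block and module logging so the events reach the SIEM, remove the 2.0 engine, and confirm Defender (or whichever endpoint product is in use) has not been silenced through policy.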
