December 3, 2019 By David Bisson 3 min read

Last week in security news, researchers detailed the multiple layers of obfuscation, fileless tactics and polymorphism techniques employed by the Dexphot malware campaign. Researchers also uncovered a new family of ransomware that attempts to disable several security solutions on infected Windows PCs. A Netflix account freeze scam rounded out the holiday weekend.

Top Story of the Week: The Dexphot Campaign’s Complex Attack Chain

The Microsoft Defender APT Research Team first learned of the Dexphot campaign back in October 2018. It found that the attack employed a complex attack chain for which it wrote five files to disk. Many of those files used various obfuscation techniques including encryption and living-off-the-land (LOL) tactics to help the campaign evade detection.

Dexphot’s sophistication didn’t end there, however. The campaign also used polymorphism across its malware binaries and regularly scheduled malware updates to further lead security tools astray.

Source: iStock

Also in Security News

  • DePriMon Uses Port Monitors Installation Technique to Avoid Detection: ESET analyzed DePriMon and found that the threat downloaded its third-stage DLL as a port monitor. Researchers observed that the malicious downloader likely used this installation technique, which is described in the MITRE ATT&CK framework, as a means to evade detection.
  • New Fullz House Actor Engages in Phishing Attacks, Card Skimming: RiskIQ observed that a threat actor named Fullz House began conducting card skimming in addition to maintaining its phishing activity. For these new attacks, Fullz House developed its own card skimmer and used man-in-the-middle (MitM) attacks in e-commerce transactions.
  • Malwarebytes, Native Windows Security Tools Targeted by Clop Ransomware: In its analysis of Clop, Bleeping Computer found that the ransomware targeted several security solutions so that it could successfully encrypt a victim’s data. For instance, it configured the Registry values to disable Windows Defender on infected machines.
  • Phishing Scam Uses Threat of Fake Account Freeze to Steal Netflix Credentials: The editor-in-chief at Naked Security received a phishing message that informed them of an overdue Netflix invoice. The email used this premise as a lure to trick recipients into clicking on a button that redirected them to a Netflix phishing website.
  • Security Threat Aimed at Apache Soir Reclassified to “High Severity Status”: According to Tenable, researchers reclassified a security threat affecting Apache Soir, a Linux enterprise search tool, to “high severity status” following the release of exploit code. That code, in turn, put affected hardware at risk of remote code execution attacks.
  • Legitimate Email Accounts Leveraged by TICK to Deliver New Malware: In its analysis of TICK’s new campaign, Trend Micro observed the digital espionage group using new malware that elevated privileges and employed evasion tactics. TICK delivered these new malware threats using legitimate email accounts and credentials.
  • YouTube Descriptions Used by Stantinko Botnet to Hide Cryptominers: Researchers at ESET examined Stantinko and found that the botnet embedded the IP addresses for its command-and-control (C&C) servers within multiple YouTube video descriptions. This technique helped the botnet conceal the communication channels used for its cryptomining attacks.

Security Tip of the Week: How to Defend Against Fileless Attacks

Security professionals can help their organizations defend against fileless attacks by disabling PowerShell and other legitimate services that aren’t necessary to the business. Doing so will prevent malicious actors from abusing those services to prey upon the company. Security teams should also consider using endpoint protection solutions to defend their assets against more sophisticated attacks, such as those that use fileless techniques to distribute ransomware.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today