December 3, 2019 By David Bisson 3 min read

Last week in security news, researchers detailed the multiple layers of obfuscation, fileless tactics and polymorphism techniques employed by the Dexphot malware campaign. Researchers also uncovered a new family of ransomware that attempts to disable several security solutions on infected Windows PCs. A Netflix account freeze scam rounded out the holiday weekend.

Top Story of the Week: The Dexphot Campaign’s Complex Attack Chain

The Microsoft Defender APT Research Team first learned of the Dexphot campaign back in October 2018. It found that the attack employed a complex attack chain for which it wrote five files to disk. Many of those files used various obfuscation techniques including encryption and living-off-the-land (LOL) tactics to help the campaign evade detection.

Dexphot’s sophistication didn’t end there, however. The campaign also used polymorphism across its malware binaries and regularly scheduled malware updates to further lead security tools astray.

Source: iStock

Also in Security News

  • DePriMon Uses Port Monitors Installation Technique to Avoid Detection: ESET analyzed DePriMon and found that the threat downloaded its third-stage DLL as a port monitor. Researchers observed that the malicious downloader likely used this installation technique, which is described in the MITRE ATT&CK framework, as a means to evade detection.
  • New Fullz House Actor Engages in Phishing Attacks, Card Skimming: RiskIQ observed that a threat actor named Fullz House began conducting card skimming in addition to maintaining its phishing activity. For these new attacks, Fullz House developed its own card skimmer and used man-in-the-middle (MitM) attacks in e-commerce transactions.
  • Malwarebytes, Native Windows Security Tools Targeted by Clop Ransomware: In its analysis of Clop, Bleeping Computer found that the ransomware targeted several security solutions so that it could successfully encrypt a victim’s data. For instance, it configured the Registry values to disable Windows Defender on infected machines.
  • Phishing Scam Uses Threat of Fake Account Freeze to Steal Netflix Credentials: The editor-in-chief at Naked Security received a phishing message that informed them of an overdue Netflix invoice. The email used this premise as a lure to trick recipients into clicking on a button that redirected them to a Netflix phishing website.
  • Security Threat Aimed at Apache Soir Reclassified to “High Severity Status”: According to Tenable, researchers reclassified a security threat affecting Apache Soir, a Linux enterprise search tool, to “high severity status” following the release of exploit code. That code, in turn, put affected hardware at risk of remote code execution attacks.
  • Legitimate Email Accounts Leveraged by TICK to Deliver New Malware: In its analysis of TICK’s new campaign, Trend Micro observed the digital espionage group using new malware that elevated privileges and employed evasion tactics. TICK delivered these new malware threats using legitimate email accounts and credentials.
  • YouTube Descriptions Used by Stantinko Botnet to Hide Cryptominers: Researchers at ESET examined Stantinko and found that the botnet embedded the IP addresses for its command-and-control (C&C) servers within multiple YouTube video descriptions. This technique helped the botnet conceal the communication channels used for its cryptomining attacks.

Security Tip of the Week: How to Defend Against Fileless Attacks

Security professionals can help their organizations defend against fileless attacks by disabling PowerShell and other legitimate services that aren’t necessary to the business. Doing so will prevent malicious actors from abusing those services to prey upon the company. Security teams should also consider using endpoint protection solutions to defend their assets against more sophisticated attacks, such as those that use fileless techniques to distribute ransomware.

More from

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today