Last week in security news, researchers detailed the multiple layers of obfuscation, fileless tactics and polymorphism techniques employed by the Dexphot malware campaign. Researchers also uncovered a new family of ransomware that attempts to disable several security solutions on infected Windows PCs. A Netflix account freeze scam rounded out the holiday weekend.
Top Story of the Week: The Dexphot Campaign’s Complex Attack Chain
The Microsoft Defender APT Research Team first learned of the Dexphot campaign back in October 2018. It found that the attack employed a complex attack chain for which it wrote five files to disk. Many of those files used various obfuscation techniques including encryption and living-off-the-land (LOL) tactics to help the campaign evade detection.
Dexphot’s sophistication didn’t end there, however. The campaign also used polymorphism across its malware binaries and regularly scheduled malware updates to further lead security tools astray.
Also in Security News
- DePriMon Uses Port Monitors Installation Technique to Avoid Detection: ESET analyzed DePriMon and found that the threat downloaded its third-stage DLL as a port monitor. Researchers observed that the malicious downloader likely used this installation technique, which is described in the MITRE ATT&CK framework, as a means to evade detection.
- New Fullz House Actor Engages in Phishing Attacks, Card Skimming: RiskIQ observed that a threat actor named Fullz House began conducting card skimming in addition to maintaining its phishing activity. For these new attacks, Fullz House developed its own card skimmer and used man-in-the-middle (MitM) attacks in e-commerce transactions.
- Malwarebytes, Native Windows Security Tools Targeted by Clop Ransomware: In its analysis of Clop, Bleeping Computer found that the ransomware targeted several security solutions so that it could successfully encrypt a victim’s data. For instance, it configured the Registry values to disable Windows Defender on infected machines.
- Phishing Scam Uses Threat of Fake Account Freeze to Steal Netflix Credentials: The editor-in-chief at Naked Security received a phishing message that informed them of an overdue Netflix invoice. The email used this premise as a lure to trick recipients into clicking on a button that redirected them to a Netflix phishing website.
- Security Threat Aimed at Apache Soir Reclassified to “High Severity Status”: According to Tenable, researchers reclassified a security threat affecting Apache Soir, a Linux enterprise search tool, to “high severity status” following the release of exploit code. That code, in turn, put affected hardware at risk of remote code execution attacks.
- Legitimate Email Accounts Leveraged by TICK to Deliver New Malware: In its analysis of TICK’s new campaign, Trend Micro observed the digital espionage group using new malware that elevated privileges and employed evasion tactics. TICK delivered these new malware threats using legitimate email accounts and credentials.
- YouTube Descriptions Used by Stantinko Botnet to Hide Cryptominers: Researchers at ESET examined Stantinko and found that the botnet embedded the IP addresses for its command-and-control (C&C) servers within multiple YouTube video descriptions. This technique helped the botnet conceal the communication channels used for its cryptomining attacks.
Security Tip of the Week: How to Defend Against Fileless Attacks
Security professionals can help their organizations defend against fileless attacks by disabling PowerShell and other legitimate services that aren’t necessary to the business. Doing so will prevent malicious actors from abusing those services to prey upon the company. Security teams should also consider using endpoint protection solutions to defend their assets against more sophisticated attacks, such as those that use fileless techniques to distribute ransomware.