Last week in security news, security researchers spotted the Mailto ransomware targeting enterprise networks and encrypting their connected Windows devices. Speaking of ransomware, the EKANS family attracted the security community’s attention for its ability to stop ICS-related processes. Additionally, a security researcher found a vulnerability in the WhatsApp desktop app that could have allowed malicious actors to remotely access files on a local computer.
Top Story of the Week: Mailto Ransomware Sets Its Sights on Enterprise Networks
In August 2019, ID Ransomware spotted a new ransomware family appending the “Mailto” extension to the files that it had successfully encrypted. Fast forward to February 2020, when an Australian transportation and logistics company revealed that the same ransomware had encrypted its network. This security incident was the first public indication that Mailto (or Netwalker) ransomware had begun going after enterprise networks.
Bleeping Computer analyzed a recent Mailto sample and found that its executable attempted to impersonate the “Sticky Password” software. This analysis also revealed that the sample had arrived with a configuration that was more sophisticated and granular than those employed by other ransomware families.
Also in Security News
- Diabetic Patients Targeted by Android Malware: FortiGuard Labs spotted a new form of Android malware called “Android/FakePlayer.X!tr” back in September 2019. The malware masqueraded as an Android app that provided users with information about diabetes, but in actuality, it leveraged a Trojan dialer to send SMS messages to users presumably in an effort to steal funds from its victims.
- Financial Institutions Caught in Metamorfo’s Crosshairs: Researchers at FortiGuard Labs spotted two different variants of Metamorfo, a malware family known for targeting online customers of financial institutions. The first targeted only the customers of Brazilian financial organizations, while the second targeted customers of institutions located in multiple countries.
- Flaw in WhatsApp Desktop App Allowed Attackers to Access Local Files: Security researcher Gal Weizman of PerimeterX uncovered a vulnerability (CVE-2019-18426) that enabled a malicious actor to perform cross-site scripting attacks and read local files. The flaw, which affected WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10, required users to click on a link preview from a specially crafted text message.
- Phishing Campaign Delivered Versatile Anubis Malware to Android Users: Cofense spotted a phishing campaign that preyed on Android devices that permitted the installation of unsigned Android applications. The campaign ultimately delivered Anubis, a banking Trojan that is also capable of hijacking infected devices, encrypting a victim’s files and holding that data for ransom.
- ICS-Related Process Appeared on EKANS Ransomware’s Kill List: Researchers at Dragos spotted a sample of EKANS ransomware using a hardcoded “kill” list to terminate several processes associated with organizations’ industrial control systems (ICS). If executed on the right type of system, such functionality could disrupt the view condition of the network.
- Malicious Android Apps Used for Downloading Malware, Performing Ad Fraud: Researchers at Trend Micro discovered several malicious optimizer, booster and utility apps that could perform ad fraud and download as many as 3,000 malware variants and payloads onto an infected Android device. At the time of writing, the apps were no longer available on the Google Play store.
- Phishing Campaign Targeting Financial Services Organizations Delivered MINEBRIDGE: In January 2020, FireEye began tracking a phishing campaign targeting financial services organizations primarily located in the U.S. That campaign used carefully crafted phishing documents to download and deploy the MINEBRIDGE backdoor.
Security Tip of the Week: Minimize the Damage of a Ransomware Infection
Security personnel can help their organizations minimize the impact of a ransomware infection by implementing a data backup strategy and regularly testing those backups. They should perform these backups as part of a layered defense strategy that includes anti-virus solutions and security awareness training.