August 26, 2019 By David Bisson 3 min read

Last week in security news, researchers spotted a phishing campaign that used evasion tactics to target utility organizations with Adwind. Analysts also observed evasive adware that hid itself within dozens of apps available for download on the Google Play store and a botnet variant that likely evaded detection for two years. Finally, security professionals uncovered vulnerabilities affecting a smart camera, along with a ransomware strain targeting Fortnite users.

Top Story of the Week: A New Adwind Campaign

In the summer of 2019, Cofense detected an attack email that originated from a hijacked account at Friary Shoes. The attack also abused the domain of Fletcher Specs to host the campaign’s payload.

With these elements in place, the attack email asked recipients at organizations that serve the national grid utilities infrastructure to open an attachment containing remittance advice. The attachment appeared to be a PDF document, but it was actually a JPEG file that redirected victims to the domain hosting Adwind. Once installed, the malware granted its handlers the ability to take screenshots, harvest browser credentials and record audio from the microphone.
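The lure above relied on a file whose extension said PDF while its content was a JPEG. The check below, an added illustration that is not from the original article or from Cofense's report, compares an attachment's leading bytes against the format its extension claims; the signature table and the sample attachments are constructed for the example.

```python
"""Flag attachments whose declared extension disagrees with their content."""
from typing import Optional

# Leading bytes ("magic numbers") of common attachment formats (constructed table).
MAGIC_SIGNATURES = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",  # also the container for docx/xlsx/jar
    "exe": b"MZ",
}
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip"}


def detect_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for fmt, sig in MAGIC_SIGNATURES.items():
        if data.startswith(sig):
            return fmt
    return None


def claimed_format(filename: str) -> Optional[str]:
    """Normalise the extension to one of the signature keys (None if absent)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_ALIASES.get(ext, ext) or None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare claimed and detected formats; a mismatch is the signal to act on."""
    claimed = claimed_format(filename)
    detected = detect_format(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "detected": detected,
        # Unknown content is reported as such rather than flagged as a mismatch.
        "mismatch": detected is not None and claimed != detected,
    }


if __name__ == "__main__":
    # Constructed samples: a genuine PDF header, and a JPEG header named as a PDF.
    samples = {
        "remittance_advice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "remittance_advice_copy.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for name, blob in samples.items():
        print(check_attachment(name, blob))
```

A mail gateway or sandbox can apply the same comparison to every attachment and quarantine those whose content type does not match the name presented to the user.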


Also in Security News

  • Adware Uses Dozens of Apps to Infiltrate Play Store: Trend Micro discovered that a piece of adware called AndroidOS_Hidenad.HRXH had found its way onto the Google Play Store by concealing itself within 85 photography and gaming apps. The adware used various techniques to help avoid time-based detection systems.
  • Multiple Vulnerabilities Found in Smart Camera: Over the summer of 2019, Cisco Talos uncovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. These weaknesses enabled attackers to create a denial-of-service condition and, in certain situations, gain control of an affected device and carry out further malicious actions.
  • Botnet Variant Evaded Detection for Up to Two Years: Trend Micro also came across a variant of the MyKings botnet during an investigation of changes made to the machine registry of a server owned by an electronics company in the Asia-Pacific region. The researchers discovered that the threat had been using the task scheduler, registry, Windows Management Instrumentation and bootkit of each machine it infected, which helped the botnet remain hidden for the previous two years.
  • Asruex Uses Old Bugs to Infect Word Docs and PDF Files: Trend Micro detected a variant of the Asruex botnet masquerading as a PDF file. This version arrived with the ability to abuse two older vulnerabilities, CVE-2012-0158 and CVE-2010-2883, and inject code into Word documents and PDF files.
  • Funds Stolen by APT Increased Fivefold: Group-IB observed that Silence, a Russian-speaking advanced persistent threat (APT), has increased the geography and frequency of its attacks. This helped Silence steal a total of $4.2 million, a fivefold increase since the firm issued its original report in September 2018.
  • Ransomware Family Targets Fortnite Players: Researchers at Cyren discovered that cyberattackers have been targeting Fortnite players with a fake game hack tool. The utility actually turned out to be Syrk, a variant of the open-source Hidden-Cry ransomware.
  • Visa Adds Threat Detection and Disruption Capabilities: Visa announced a series of capabilities designed to help financial institutions and merchants protect against fraud and other cyberthreats. The multinational financial services corporation noted that it will scan the front ends of e-commerce websites for signs of payment card skimmers and use deep learning to monitor for automated attacks.

Security Tip of the Week: Protect Against Evasive Attacks and Known Vulnerabilities

The security news stories covered above highlight just how important it is for security professionals to help their organizations defend against malware. To do so, professionals should make the case for investing in artificial intelligence (AI) capabilities to defend against evasive attacks and monitor apps for anomalous behavior. A comprehensive vulnerability management program is also critical, as it can help keep critical enterprise assets up to date with known patches.
