September 16, 2019 By David Bisson 3 min read

Last week in security news, four malvertising campaigns leveraged exploit kits to prey on users with ransomware and Trojans. Researchers also discovered a ransomware family that infected thousands of Linux web servers and a cryptomalware threat that relied on a fake PayPal scam for distribution. Finally, security teams observed both phishing and malware campaigns that employed various evasion-based tactics to avoid detection.

Top Story of the Week: Four Malvertising Campaigns at Large

According to Bleeping Computer, researchers detected four malvertising campaigns over the span of three days that redirected users to landing pages for exploit kits distributing infostealers, ransomware and clipboard hijackers.

They spotted the first campaign on Sept. 7. In that operation, the GrandSoft exploit kit distributed Ramnit, a Trojan that goes after users’ banking credentials. The second campaign, which researchers spotted a day later, used the RIG exploit kit to pass along clipboard hijackers and install the Amadey Trojan.

Then, on Sept. 9, one analyst spotted two separate malvertising campaigns. The first relied on the Fallout exploit kit to spread a clipboard hijacker, while the second used the Radio exploit kit to install Nemty ransomware.

Source: iStock

Also in Security News

  • Linux Servers Infected With Lilocked Ransomware: Users began uploading ransom notes/demands for a new strain of ransomware called Lilocked in mid-July 2019. This threat encrypted a small subset of files hosted on Linux web servers and then demanded victims pay 0.03 Bitcoin (worth just over $300 at the time of writing) in exchange for the decryption key.
  • Fake PayPal Site Used to Distribute Nemty: In early September, Bleeping Computer reported on a fake PayPal site that lured users with the promise of a 3–5 percent return on all purchases made through its payment system. Those who took the bait ended up downloading and running cashback.exe, an executable that loaded Nemty ransomware.
  • TrickBot Dropper Uses Thousands of Lines of Obfuscated Code: Researchers at Yoroi recently examined a malicious Microsoft Word document spread by TrickBot actors in their various attack campaigns. In the process, the analysts found a malware dropper that contained several thousands of lines of obfuscated code and abused the Alternate Data Stream (ADS).
  • Path Exclusion Lets GootKit Slip by Undetected: Bleeping Computer also covered a malware researcher’s discovery of a GootKit malware sample that arrived with a bypass for Windows Defender. This sample executed a series of commands to whitelist its own executable path, thereby shielding it from analysis by Windows Defender on infected PCs.
  • Phishing Campaign Uses CAPTCHA to Bypass Email Gateway: In early September, Cofense detected a phishing email that originated from the compromised account @avis.ne.jp. It masqueraded as a message from a voip2mail service, but in actuality, it used a CAPTCHA to bypass email gateway technology so that it could steal recipients’ Microsoft credentials.
  • RIG Exploit Kit Spreads Purple Fox, Which Abuses PowerShell: Trend Micro detected an attack chain that directed users to a malicious site hosting the RIG exploit kit. This software package then used one of three methods to redirect users to a malicious PowerShell command that, in turn, downloaded a variant of the Purple Fox downloader malware family.
  • LokiBot Attackers Target Large U.S. Manufacturing Company: On Aug. 21, the FortiGuard Labs SE team uncovered a new spam campaign after analyzing information uploaded to VirusTotal. This campaign leveraged the LokiBot infostealer malware family to target a large manufacturing company located in the U.S.

Security Tip of the Week: Protect Against Evasive Attack Campaigns

The attacks described above highlight the importance of security professionals taking steps to defend their organizations against evasive tactics. By enabling application whitelisting and disabling PowerShell on machines that don’t need it, you can counter fileless threats.

Security teams should also seek to integrate their phishing intelligence with their security information and event management (SIEM) solutions to stay on top of the latest social engineering attacks targeting their organization’s workforce.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today