September 16, 2019 By David Bisson 3 min read

Last week in security news, four malvertising campaigns leveraged exploit kits to prey on users with ransomware and Trojans. Researchers also discovered a ransomware family that infected thousands of Linux web servers and a cryptomalware threat that relied on a fake PayPal scam for distribution. Finally, security teams observed both phishing and malware campaigns that employed various evasion-based tactics to avoid detection.

Top Story of the Week: Four Malvertising Campaigns at Large

According to Bleeping Computer, researchers detected four malvertising campaigns over the span of three days that redirected users to landing pages for exploit kits distributing infostealers, ransomware and clipboard hijackers.

They spotted the first campaign on Sept. 7. In that operation, the GrandSoft exploit kit distributed Ramnit, a Trojan that goes after users’ banking credentials. The second campaign, which researchers spotted a day later, used the RIG exploit kit to pass along clipboard hijackers and install the Amadey Trojan.

Then, on Sept. 9, one analyst spotted two separate malvertising campaigns. The first relied on the Fallout exploit kit to spread a clipboard hijacker, while the second used the Radio exploit kit to install Nemty ransomware.

Source: iStock

Also in Security News

  • Linux Servers Infected With Lilocked Ransomware: Users began uploading ransom notes/demands for a new strain of ransomware called Lilocked in mid-July 2019. This threat encrypted a small subset of files hosted on Linux web servers and then demanded victims pay 0.03 Bitcoin (worth just over $300 at the time of writing) in exchange for the decryption key.
  • Fake PayPal Site Used to Distribute Nemty: In early September, Bleeping Computer reported on a fake PayPal site that lured users with the promise of a 3–5 percent return on all purchases made through its payment system. Those who took the bait ended up downloading and running cashback.exe, an executable that loaded Nemty ransomware.
  • TrickBot Dropper Uses Thousands of Lines of Obfuscated Code: Researchers at Yoroi recently examined a malicious Microsoft Word document spread by TrickBot actors in their various attack campaigns. In the process, the analysts found a malware dropper that contained several thousands of lines of obfuscated code and abused the Alternate Data Stream (ADS).
  • Path Exclusion Lets GootKit Slip by Undetected: Bleeping Computer also covered a malware researcher’s discovery of a GootKit malware sample that arrived with a bypass for Windows Defender. This sample executed a series of commands to whitelist its own executable path, thereby shielding it from analysis by Windows Defender on infected PCs.
  • Phishing Campaign Uses CAPTCHA to Bypass Email Gateway: In early September, Cofense detected a phishing email that originated from the compromised account @avis.ne.jp. It masqueraded as a message from a voip2mail service, but in actuality, it used a CAPTCHA to bypass email gateway technology so that it could steal recipients’ Microsoft credentials.
  • RIG Exploit Kit Spreads Purple Fox, Which Abuses PowerShell: Trend Micro detected an attack chain that directed users to a malicious site hosting the RIG exploit kit. This software package then used one of three methods to redirect users to a malicious PowerShell command that, in turn, downloaded a variant of the Purple Fox downloader malware family.
  • LokiBot Attackers Target Large U.S. Manufacturing Company: On Aug. 21, the FortiGuard Labs SE team uncovered a new spam campaign after analyzing information uploaded to VirusTotal. This campaign leveraged the LokiBot infostealer malware family to target a large manufacturing company located in the U.S.

Security Tip of the Week: Protect Against Evasive Attack Campaigns

The attacks described above highlight the importance of security professionals taking steps to defend their organizations against evasive tactics. By enabling application whitelisting and disabling PowerShell on machines that don’t need it, you can counter fileless threats.

Security teams should also seek to integrate their phishing intelligence with their security information and event management (SIEM) solutions to stay on top of the latest social engineering attacks targeting their organization’s workforce.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today