Last week in security news, four malvertising campaigns leveraged exploit kits to prey on users with ransomware and Trojans. Researchers also discovered a ransomware family that infected thousands of Linux web servers and a cryptomalware threat that relied on a fake PayPal scam for distribution. Finally, security teams observed both phishing and malware campaigns that employed various evasion-based tactics to avoid detection.
Top Story of the Week: Four Malvertising Campaigns at Large
According to Bleeping Computer, researchers detected four malvertising campaigns over the span of three days that redirected users to landing pages for exploit kits distributing infostealers, ransomware and clipboard hijackers.
They spotted the first campaign on Sept. 7. In that operation, the GrandSoft exploit kit distributed Ramnit, a Trojan that goes after users’ banking credentials. The second campaign, which researchers spotted a day later, used the RIG exploit kit to pass along clipboard hijackers and install the Amadey Trojan.
Then, on Sept. 9, one analyst spotted two separate malvertising campaigns. The first relied on the Fallout exploit kit to spread a clipboard hijacker, while the second used the Radio exploit kit to install Nemty ransomware.
Also in Security News
- Linux Servers Infected With Lilocked Ransomware: Users began uploading ransom notes/demands for a new strain of ransomware called Lilocked in mid-July 2019. This threat encrypted a small subset of files hosted on Linux web servers and then demanded victims pay 0.03 Bitcoin (worth just over $300 at the time of writing) in exchange for the decryption key.
- Fake PayPal Site Used to Distribute Nemty: In early September, Bleeping Computer reported on a fake PayPal site that lured users with the promise of a 3–5 percent return on all purchases made through its payment system. Those who took the bait ended up downloading and running cashback.exe, an executable that loaded Nemty ransomware.
- TrickBot Dropper Uses Thousands of Lines of Obfuscated Code: Researchers at Yoroi recently examined a malicious Microsoft Word document spread by TrickBot actors in their various attack campaigns. In the process, the analysts found a malware dropper that contained several thousands of lines of obfuscated code and abused the Alternate Data Stream (ADS).
- Path Exclusion Lets GootKit Slip by Undetected: Bleeping Computer also covered a malware researcher’s discovery of a GootKit malware sample that arrived with a bypass for Windows Defender. This sample executed a series of commands to whitelist its own executable path, thereby shielding it from analysis by Windows Defender on infected PCs.
- Phishing Campaign Uses CAPTCHA to Bypass Email Gateway: In early September, Cofense detected a phishing email that originated from the compromised account @avis.ne.jp. It masqueraded as a message from a voip2mail service, but in actuality, it used a CAPTCHA to bypass email gateway technology so that it could steal recipients’ Microsoft credentials.
- RIG Exploit Kit Spreads Purple Fox, Which Abuses PowerShell: Trend Micro detected an attack chain that directed users to a malicious site hosting the RIG exploit kit. This software package then used one of three methods to redirect users to a malicious PowerShell command that, in turn, downloaded a variant of the Purple Fox downloader malware family.
- LokiBot Attackers Target Large U.S. Manufacturing Company: On Aug. 21, the FortiGuard Labs SE team uncovered a new spam campaign after analyzing information uploaded to VirusTotal. This campaign leveraged the LokiBot infostealer malware family to target a large manufacturing company located in the U.S.
Security Tip of the Week: Protect Against Evasive Attack Campaigns
The attacks described above highlight the importance of security professionals taking steps to defend their organizations against evasive tactics. By enabling application whitelisting and disabling PowerShell on machines that don’t need it, you can counter fileless threats.
Security teams should also seek to integrate their phishing intelligence with their security information and event management (SIEM) solutions to stay on top of the latest social engineering attacks targeting their organization’s workforce.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...