November 25, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that the new Phoenix keylogger is steadily gaining traction among cybercriminals on underground web forums. They also found new attack campaigns distributing Cyborg and Maze ransomware. These threats weren’t alone in their activity. Two backdoors, including one capable of targeting Windows and Linux systems, had a busy week as well.

Top Story of the Week: Rise of the Phoenix Keylogger

Cybereason analyzed Phoenix and found that the keylogger first emerged in July 2019. Since then, the threat has claimed victims in North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East.

Operating under a malware-as-a-service (MaaS) model, Phoenix is capable of stealing data from 20 web browsers, four mail clients, FTP clients and chat clients. It then exfiltrates its stolen data using Telegram along with the SMTP and FTP exfiltration protocols. All the while, the backdoor leverages its many anti-analysis techniques to avoid detection from more than 80 security products.

Source: iStock

Also in Security News

  • Windows Update Spam Emails Deliver Cyborg Ransomware: Trustwave SpiderLabs recently spotted attack emails using the subject lines “Install Latest Microsoft Windows Update now” and “Critical Microsoft Windows Update.” Those emails claimed to originate from Microsoft, but in actuality, they leveraged a fake update attachment to deliver samples of Cyborg ransomware.
  • Custom Droppers Used by Cybercriminals to Install Information Stealers: Researchers at Cisco Talos spotted multiple malware campaigns that relied on custom droppers to deliver their payloads. Those droppers arrived with multiple layers of obfuscation and allowed digital attackers to switch between several information-stealing malware families as their payloads.
  • Most H1 2019 Phishing Campaigns Used Shade Ransomware as Payload: Reporting on the findings of Group-IB, Bleeping Computer said that Shade ransomware had been the malware strain most often used by cybercriminals for their phishing campaigns in the first half of 2019. It also stated that ransomware activity had increased this year compared to 2018.
  • Malicious Emails From TA2101 Delivered Maze Ransomware: In October 2019, Proofpoint first spotted the malicious activity of a new threat actor called TA2101. Those emails impersonated government agencies in Germany, Italy and the U.S. to trick recipients into opening a malicious Word document that, in turn, infected them with Maze ransomware.
  • Spam, McDonald’s Malvertising Employed by Mispadu for Distribution: ESET found that a new Latin American banking Trojan called Mispadu relied on spam and malicious advertisements for McDonald’s coupons for distribution. Once loaded on a victim’s machine, Mispadu was able to display fake pop-up windows, take screenshots and steal keystrokes.
  • Linux and Windows Systems at Risk of ACBackdoor: Researchers at Intezer came across both a Windows and a Linux variant of the new ACBackdoor backdoor. They found that the Windows version used the Fallout exploit kit for distribution but that it was less sophisticated than the Linux version, whose distribution method could not be determined at the time of analysis.
  • Louisiana State Government Computer Systems Hit by Ransomware: According to ZDNet, Louisiana Governor John Bel Edwards revealed that a ransomware infection had taken down some of the IT systems and websites maintained by the state. Officials quickly restored many of the affected websites but said it might take a few days to recover some internal applications.
  • New Mac Backdoor Variant Used by Lazarus Group to Target Koreans: Trend Micro analyzed an attack launched by the digital criminal group Lazarus that targeted Korean users with a malicious Microsoft Excel document. Those who opened the document and enabled macros exposed themselves to a new variant of the Mac backdoor Backdoor.MacOS.NUKESPED.A.
  • Roboto Botnet’s True Purpose Still Unknown: In mid-October, 360Netlab’s honeypot captured the downloader of a P2P bot program it originally snagged back in August. Researchers attributed both resources to a new botnet called Roboto that’s capable of performing distributed denial-of-service (DDoS) attacks, but whose true purpose was unclear at the time of analysis.

Security Tip of the Week: Protect Your Organization’s Data

Security professionals can help secure data against ransomware and other threats by using artificial intelligence (AI)-driven solutions that improve their network visibility, proactively enforce security across endpoints and maintain compliance with relevant regulatory frameworks. With devices as their endpoints, infosec personnel should also treat human users as the “startpoint” and secure this element using security awareness training and access controls.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today