November 25, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that the new Phoenix keylogger is steadily gaining traction among cybercriminals on underground web forums. They also found new attack campaigns distributing Cyborg and Maze ransomware. These threats weren’t alone in their activity. Two backdoors, including one capable of targeting Windows and Linux systems, had a busy week as well.

Top Story of the Week: Rise of the Phoenix Keylogger

Cybereason analyzed Phoenix and found that the keylogger first emerged in July 2019. Since then, the threat has claimed victims in North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East.

Operating under a malware-as-a-service (MaaS) model, Phoenix is capable of stealing data from 20 web browsers, four mail clients, FTP clients and chat clients. It then exfiltrates the stolen data over Telegram, SMTP or FTP. All the while, the keylogger relies on numerous anti-analysis techniques to evade detection by more than 80 security products.


Also in Security News

  • Windows Update Spam Emails Deliver Cyborg Ransomware: Trustwave SpiderLabs recently spotted attack emails using the subject lines “Install Latest Microsoft Windows Update now” and “Critical Microsoft Windows Update.” Those emails claimed to originate from Microsoft, but in actuality, they leveraged a fake update attachment to deliver samples of Cyborg ransomware.
  • Custom Droppers Used by Cybercriminals to Install Information Stealers: Researchers at Cisco Talos spotted multiple malware campaigns that relied on custom droppers to deliver their payloads. Those droppers arrived with multiple layers of obfuscation and allowed digital attackers to switch between several information-stealing malware families as their payloads.
  • Most H1 2019 Phishing Campaigns Used Shade Ransomware as Payload: Reporting on the findings of Group-IB, Bleeping Computer said that Shade ransomware had been the malware strain most often used by cybercriminals for their phishing campaigns in the first half of 2019. It also stated that ransomware activity had increased this year compared to 2018.
  • Malicious Emails From TA2101 Delivered Maze Ransomware: In October 2019, Proofpoint first spotted malicious emails sent by a new threat actor called TA2101. The emails impersonated government agencies in Germany, Italy and the U.S. to trick recipients into opening a malicious Word document that, in turn, infected them with Maze ransomware.
  • Spam, McDonald’s Malvertising Employed by Mispadu for Distribution: ESET found that a new Latin American banking Trojan called Mispadu relied on spam and malicious advertisements for McDonald’s coupons for distribution. Once loaded on a victim’s machine, Mispadu was able to display fake pop-up windows, take screenshots and steal keystrokes.
  • Linux and Windows Systems at Risk of ACBackdoor: Researchers at Intezer came across both a Windows and a Linux variant of the new ACBackdoor backdoor. They found that the Windows version used the Fallout exploit kit for distribution but that it was less sophisticated than the Linux version, whose distribution method could not be determined at the time of analysis.
  • Louisiana State Government Computer Systems Hit by Ransomware: According to ZDNet, Louisiana Governor John Bel Edwards revealed that a ransomware infection had taken down some of the IT systems and websites maintained by the state. Officials quickly restored many of the affected websites but said it might take a few days to recover some internal applications.
  • New Mac Backdoor Variant Used by Lazarus Group to Target Koreans: Trend Micro analyzed an attack launched by the digital criminal group Lazarus that targeted Korean users with a malicious Microsoft Excel document. Those who opened the document and enabled macros exposed themselves to a new variant of the Mac backdoor Backdoor.MacOS.NUKESPED.A.
  • Roboto Botnet’s True Purpose Still Unknown: In mid-October, 360Netlab’s honeypot captured the downloader of a P2P bot program it originally snagged back in August. Researchers attributed both resources to a new botnet called Roboto that’s capable of performing distributed denial-of-service (DDoS) attacks, but whose true purpose was unclear at the time of analysis.

Security Tip of the Week: Protect Your Organization’s Data

Security professionals can help protect data against ransomware and other threats by using artificial intelligence (AI)-driven solutions that improve network visibility, proactively enforce security policy across endpoints and maintain compliance with relevant regulatory frameworks. Devices are the endpoints, but human users are the “startpoint” of most of the attacks covered above, so infosec personnel should also secure that element with security awareness training and access controls.
