November 25, 2019 By David Bisson 3 min read

Last week in security news, researchers revealed that the new Phoenix keylogger is steadily gaining traction among cybercriminals on underground web forums. They also found new attack campaigns distributing Cyborg and Maze ransomware. These threats weren’t alone in their activity. Two backdoors, including one capable of targeting Windows and Linux systems, had a busy week as well.

Top Story of the Week: Rise of the Phoenix Keylogger

Cybereason analyzed Phoenix and found that the keylogger first emerged in July 2019. Since then, the threat has claimed victims in North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East.

Operating under a malware-as-a-service (MaaS) model, Phoenix is capable of stealing data from 20 web browsers, four mail clients, FTP clients and chat clients. It then exfiltrates the stolen data over Telegram, SMTP or FTP. All the while, the keylogger leverages its many anti-analysis techniques to avoid detection by more than 80 security products.


Also in Security News

  • Windows Update Spam Emails Deliver Cyborg Ransomware: Trustwave SpiderLabs recently spotted attack emails using the subject lines “Install Latest Microsoft Windows Update now” and “Critical Microsoft Windows Update.” Those emails claimed to originate from Microsoft, but in actuality, they leveraged a fake update attachment to deliver samples of Cyborg ransomware.
  • Custom Droppers Used by Cybercriminals to Install Information Stealers: Researchers at Cisco Talos spotted multiple malware campaigns that relied on custom droppers to deliver their payloads. Those droppers arrived with multiple layers of obfuscation and allowed digital attackers to switch between several information-stealing malware families as their payloads.
  • Most H1 2019 Phishing Campaigns Used Shade Ransomware as Payload: Reporting on the findings of Group-IB, Bleeping Computer said that Shade ransomware had been the malware strain most often used by cybercriminals for their phishing campaigns in the first half of 2019. It also stated that ransomware activity had increased this year compared to 2018.
  • Malicious Emails From TA2101 Delivered Maze Ransomware: In October 2019, Proofpoint first spotted malicious emails sent by a new threat actor called TA2101. Those emails impersonated government agencies in Germany, Italy and the U.S. to trick recipients into opening a malicious Word document that, in turn, infected them with Maze ransomware.
  • Spam, McDonald’s Malvertising Employed by Mispadu for Distribution: ESET found that a new Latin American banking Trojan called Mispadu relied on spam and malicious advertisements for McDonald’s coupons for distribution. Once loaded on a victim’s machine, Mispadu was able to display fake pop-up windows, take screenshots and steal keystrokes.
  • Linux and Windows Systems at Risk of ACBackdoor: Researchers at Intezer came across both a Windows and a Linux variant of the new backdoor ACBackdoor. They found that the Windows version used the Fallout exploit kit for distribution but was less sophisticated than the Linux version, whose distribution method could not be determined at the time of analysis.
  • Louisiana State Government Computer Systems Hit by Ransomware: According to ZDNet, Louisiana Governor John Bel Edwards revealed that a ransomware infection had taken down some of the IT systems and websites maintained by the state. Officials quickly restored many of the affected websites but said it might take a few days to recover some internal applications.
  • New Mac Backdoor Variant Used by Lazarus Group to Target Koreans: Trend Micro analyzed an attack launched by the digital criminal group Lazarus that targeted Korean users with a malicious Microsoft Excel document. Those who opened the document and enabled macros exposed themselves to a new variant of the Mac backdoor Backdoor.MacOS.NUKESPED.A.
  • Roboto Botnet’s True Purpose Still Unknown: In mid-October, 360Netlab’s honeypot captured the downloader of a P2P bot program it originally snagged back in August. Researchers attributed both resources to a new botnet called Roboto that’s capable of performing distributed denial-of-service (DDoS) attacks, but whose true purpose was unclear at the time of analysis.

Security Tip of the Week: Protect Your Organization’s Data

Security professionals can help secure data against ransomware and other threats by using artificial intelligence (AI)-driven solutions that improve their network visibility, proactively enforce security across endpoints and maintain compliance with relevant regulatory frameworks. Since devices are the endpoints, infosec personnel should also treat human users as the “startpoint” and secure that element with security awareness training and access controls.
