Last week in security news, researchers revealed that the new Phoenix keylogger is steadily gaining traction among cybercriminals on underground web forums. They also found new attack campaigns distributing Cyborg and Maze ransomware. These threats weren’t alone in their activity. Two backdoors, including one capable of targeting Windows and Linux systems, had a busy week as well.
Top Story of the Week: Rise of the Phoenix Keylogger
Cybereason analyzed Phoenix and found that the keylogger first emerged in July 2019. Since then, the threat has claimed victims in North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East.
Operating under a malware-as-a-service (MaaS) model, Phoenix is capable of stealing data from 20 web browsers, four mail clients, FTP clients and chat clients. It then exfiltrates its stolen data using Telegram along with the SMTP and FTP exfiltration protocols. All the while, the backdoor leverages its many anti-analysis techniques to avoid detection from more than 80 security products.
Also in Security News
- Windows Update Spam Emails Deliver Cyborg Ransomware: Trustwave SpiderLabs recently spotted attack emails using the subject lines “Install Latest Microsoft Windows Update now” and “Critical Microsoft Windows Update.” Those emails claimed to originate from Microsoft, but in actuality, they leveraged a fake update attachment to deliver samples of Cyborg ransomware.
- Custom Droppers Used by Cybercriminals to Install Information Stealers: Researchers at Cisco Talos spotted multiple malware campaigns that relied on custom droppers to deliver their payloads. Those droppers arrived with multiple layers of obfuscation and allowed digital attackers to switch between several information-stealing malware families as their payloads.
- Most H1 2019 Phishing Campaigns Used Shade Ransomware as Payload: Reporting on the findings of Group-IB, Bleeping Computer said that Shade ransomware had been the malware strain most often used by cybercriminals for their phishing campaigns in the first half of 2019. It also stated that ransomware activity had increased this year compared to 2018.
- Malicious Emails From TA2101 Delivered Maze Ransomware: In October 2019, Proofpoint first spotted the malicious activity of a new threat actor called TA2101. Those emails impersonated government agencies in Germany, Italy and the U.S. to trick recipients into opening a malicious Word document that, in turn, infected them with Maze ransomware.
- Spam, McDonald’s Malvertising Employed by Mispadu for Distribution: ESET found that a new Latin American banking Trojan called Mispadu relied on spam and malicious advertisements for McDonald’s coupons for distribution. Once loaded on a victim’s machine, Mispadu was able to display fake pop-up windows, take screenshots and steal keystrokes.
- Linux and Windows Systems at Risk of ACBackdoor: Researchers at Intezer came across both a Windows and a Linux variant of the new ACBackdoor backdoor. They found that the Windows version used the Fallout exploit kit for distribution but that it was less sophisticated than the Linux version, whose distribution method could not be determined at the time of analysis.
- Louisiana State Government Computer Systems Hit by Ransomware: According to ZDNet, Louisiana Governor John Bel Edwards revealed that a ransomware infection had taken down some of the IT systems and websites maintained by the state. Officials quickly restored many of the affected websites but said it might take a few days to recover some internal applications.
- New Mac Backdoor Variant Used by Lazarus Group to Target Koreans: Trend Micro analyzed an attack launched by the digital criminal group Lazarus that targeted Korean users with a malicious Microsoft Excel document. Those who opened the document and enabled macros exposed themselves to a new variant of the Mac backdoor Backdoor.MacOS.NUKESPED.A.
- Roboto Botnet’s True Purpose Still Unknown: In mid-October, 360Netlab’s honeypot captured the downloader of a P2P bot program it originally snagged back in August. Researchers attributed both resources to a new botnet called Roboto that’s capable of performing distributed denial-of-service (DDoS) attacks, but whose true purpose was unclear at the time of analysis.
Security Tip of the Week: Protect Your Organization’s Data
Security professionals can help secure data against ransomware and other threats by using artificial intelligence (AI)-driven solutions that improve their network visibility, proactively enforce security across endpoints and maintain compliance with relevant regulatory frameworks. With devices as their endpoints, infosec personnel should also treat human users as the “startpoint” and secure this element using security awareness training and access controls.