Organizations today need to be constantly vigilant against security breaches, and having a robust incident response plan in place is vital. IBM Security X-Force is a team dedicated to delivering the latest threat intelligence, research and analysis reports that help you manage risk in your organization.
This monthly malware roundup offers a summary of the threats IBM X-Force has seen in the recent weeks to allow your team to prioritize defenses. Each section is based on a more elaborate report that can be accessed on X-Force Exchange.
A popular JavaScript library breach spreads malware
A popular open-source JavaScript library known as ua-parser-js (hosted on GitHub) was recently compromised as part of a supply chain attack. The compromised versions attempt to install an XMRig cryptominer variant on Windows and Linux hosts and to infect Windows hosts with the DanaBot banking Trojan. They contain code that downloads and executes the malware when the library is installed or updated.
The legitimate purpose of the library is to “abstract away the hassle of User-Agent detection”. To date, versions 0.7.29, 0.8.0 and 1.0.0 of ua-parser-js have been reported as compromised.
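A quick way to check whether the three compromised releases named above have made it into a project is to scan its lockfile, including transitive dependencies pulled in under another package's node_modules. The following is an added example, not code from the X-Force report or the ua-parser-js project; it works on a package-lock.json object in either the lockfile v1 layout (nested "dependencies") or the v2/v3 layout (flat "packages" keys), and the sample lockfile it scans is constructed for illustration.

```javascript
// Compromised ua-parser-js releases reported in the supply chain attack.
const COMPROMISED = { 'ua-parser-js': new Set(['0.7.29', '0.8.0', '1.0.0']) };

// Return every install path in the lockfile that resolves to a compromised version.
function findCompromised(lock) {
  const hits = [];
  const check = (name, entry, path) => {
    if (entry && COMPROMISED[name]?.has(entry.version)) hits.push({ path, version: entry.version });
  };
  if (lock.packages) {
    // lockfile v2/v3: keys such as "node_modules/foo/node_modules/ua-parser-js"
    for (const [path, entry] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), entry, path);
    }
  } else {
    // lockfile v1: recursive "dependencies" tree, nesting reflects the install path
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, entry, path);
        walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Convenience wrapper for the raw text of a package-lock.json file.
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample lockfile (v2 layout): the top-level copy is clean, but a
// transitive dependency pulls in the compromised 0.7.29 release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/some-dep': { version: '2.1.0' },
    'node_modules/some-dep/node_modules/ua-parser-js': { version: '0.7.29' },
  },
};
```

Run it against a real lockfile with `scanLockfileText(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means the install script of a compromised release may already have executed on that machine, so the host itself needs review, not only the dependency tree.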
Mozi IoT Botnet – Golang goes everywhere
X-Force has recently analyzed a Mozi botnet variant that is a UPX-packed Golang version of the malware. The variant spreads by brute-forcing weak secure shell (SSH) passwords and is used for crypto mining after installation. It does not have data exfiltration or lateral movement capabilities; however, the malware can download additional files, execute commands, spread via SSH, run as a daemon and kill existing crypto miner processes.
Some security vendors refer to Mozi as WorkMiner or Mozi_ssh. It is a peer-to-peer botnet built on the distributed hash table (DHT) protocol. The botnet spreads via Internet of Things exploits and weak telnet or SSH passwords.
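Because this variant spreads by brute-forcing SSH passwords, the bursts of failed logins it generates are visible in the sshd log of every host it probes. The following detector is an added example, not part of the X-Force analysis: it parses OpenSSH "Failed password"/"Accepted" lines from a constructed syslog sample, flags any source address that exceeds a failure threshold inside a sliding time window, and notes when a successful login follows such a burst, which is the case that deserves immediate attention. The month-to-seconds conversion is deliberately simplified (no year, 31-day months) and only serves to order events within a window.

```javascript
// Constructed sshd log sample (syslog format, OpenSSH message text).
const SAMPLE_LOG = [
  'Oct 25 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2',
  'Oct 25 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2',
  'Oct 25 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2',
  'Oct 25 10:00:04 host sshd[1204]: Failed password for pi from 203.0.113.7 port 51237 ssh2',
  'Oct 25 10:00:05 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51238 ssh2',
  'Oct 25 10:03:00 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40001 ssh2',
  'Oct 25 10:45:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2',
];

const LINE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port/;
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];

// Simplified timestamp -> seconds, good enough for ordering within a short window.
function toSeconds(ts) {
  const m = /^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d)$/.exec(ts);
  return (MONTHS.indexOf(m[1]) * 31 + +m[2]) * 86400 + +m[3] * 3600 + +m[4] * 60 + +m[5];
}

// Parse one sshd line into { t, result, user, ip } or null for unrelated lines.
function parseLine(line) {
  const m = LINE.exec(line);
  return m ? { t: toSeconds(m[1]), result: m[2], user: m[3], ip: m[4] } : null;
}

// Flag source IPs with >= threshold failures inside windowSec seconds; record whether
// a successful login from the same IP followed the burst (possible compromised host).
function detectBruteForce(lines, { threshold = 4, windowSec = 60 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const st = byIp.get(ev.ip) || { fails: [], users: new Set(), flagged: false, succeededAfter: false };
    byIp.set(ev.ip, st);
    if (ev.result === 'Failed') {
      st.fails.push(ev.t);
      st.users.add(ev.user);
      while (st.fails[0] < ev.t - windowSec) st.fails.shift(); // drop failures outside the window
      if (st.fails.length >= threshold) st.flagged = true;
    } else if (st.flagged) {
      st.succeededAfter = true;
    }
  }
  return [...byIp].filter(([, s]) => s.flagged)
    .map(([ip, s]) => ({ ip, users: [...s.users], succeededAfter: s.succeededAfter }));
}
```

On the sample, only 203.0.113.7 is flagged, and because a password login for root succeeded right after the burst, that host should be treated as potentially infected and checked for the dropped miner and daemon described above.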
FontOnLake malware used in targeted attacks
A new modular malware family dubbed FontOnLake has emerged in a number of reports in the past couple of months. The malware is notable for a kernel-level rootkit that is based on the open-source Suterusu project. Most identified targets are based in Southeast Asia. FontOnLake is apparently used in targeted attacks, potentially by nation-state groups.
The malware was observed spreading via Trojanized apps that were modified at the source-code level. The Trojanized apps are then used to infiltrate devices, implant malware and collect information.
In operation, FontOnLake provides remote access to attackers, collects credentials and enables attackers to use it as a proxy server.
Previous related research named this malware HCRootkit and Suterusu Linux Rootkit.
New version of Apostle ransomware hits organizations in Israel
The Apostle ransomware is back with an updated version that is being used against higher education institutions in Israel. Apostle is custom malware used by an Iran-based threat group known as Agrius. The group targets organizations in the Middle East, launching espionage and destructive attacks.
Apostle encrypts files with AES-256-CFB and PKCS7 padding, generating a random encryption key for each encrypted file. It then encrypts that per-file key with the RSA public key supplied as an argument earlier and appends the result to the encrypted file. As such, the encryption cannot be broken without the corresponding RSA private key.
When infected, users receive a ransom note and see their desktops fitted with new wallpaper.
“Hello RAK
Please, check this message in detail and contact a person from the IT department.
Your personal computer has been infected by a ransomware virus.
All your personal files (Passport, visas, etc.) are encrypted.
If you want to restore your files including your client’s personal data, you will need to make the payment.
Otherwise, all your files will be posted on the internet which may lead you to the loss of reputation and cause troubles for your business.
Let us know if you have any questions.
Our email address: [email protected]
If you don’t get an answer from us within one day, we will contact you at [email protected]”
Other tools used in the attack include the Jennlog Loader, a .NET compiled executable whose sole purpose is to deobfuscate, decompress, decrypt and load another .NET executable that is embedded in its resources. In the Apostle attack, Jennlog was used to load payloads such as the Apostle ransomware and OrcusRAT. OrcusRAT is a modular backdoor written in C# on the .NET Framework that allows attackers to remotely control compromised devices. OrcusRAT supports several built-in command features such as audio control, keylogging, password harvesting, file execution, hidden virtual network computing (VNC)/remote desktop and many other capabilities.
Keeping up to date with X-Force Threat Intelligence
Nowadays, every organization in the world could benefit from better-informed decisions about managing risk. With the rapid and continuous evolution of threats, X-Force helps organizations keep up to date on emerging threats and attacks through actionable threat intelligence. For more research and intelligence from X-Force, visit: https://securityintelligence.com/category/x-force and join our intelligence sharing platform, X-Force Exchange: https://exchange.xforce.ibmcloud.com.
Principal Consultant, X-Force Cyber Crisis Management, IBM