We really appreciate your time and we're definitely interested in hearing your thoughts on what we have here so far. Thanks!!
Inside This Issue:
Q3 2015 Malware Support Trends.
JS/Nemucod Downloader - malicious spam campaign.
Malware Advanced Persistence Technique.
The real cost of cybercrime - Do the crime, do the time.
Whispers from the Underground Black Market Q3 2015.
Q3 2015 Malware News at a glance.
1. Q3 2015 Malware Support Trends
In Q3 2015 the document-based malware W97M/Downloader remained the highest incident-generating malware, followed by Generic Trojan and W97M/Bartallex. W97M/Bartallex is a strain of macro malware that clears the contents of the Word document once the macro is enabled, and it generally downloads its payload into the %temp% folder. The infection chain starts with a spammed email that is carefully designed to look legitimate and lure the user into opening the attachment. Once the macro runs, Bartallex drops a .bat file and a .vbs file onto the victim's system; these in turn download further malware.
Throughout Q3 2015, W97M/Downloader support incidents remained high in July and August but dropped sharply in September. It is possible that the actor decided to take a step back, scaled the campaign down to stay under the radar, or is looking for an alternative distribution technique. The number of Generic Trojan incidents remained consistent throughout Q3 2015.
2. JS/Nemucod Downloader - malicious spam campaign
JS/Nemucod Downloader submission and escalation activity peaked in August 2015, with moderate activity in July and September. The spam campaign was most active in August, with the highest spikes in the APAC and EMEA regions using the one-hit-kill technique (a short, high-volume burst rather than a sustained run), whilst Japan and North America saw a steady stream of spam. Most submissions for the quarter came from Japan and APAC, followed by EMEA and North America.
An interesting point is that some variants of the JS/Nemucod downloader fetch the payload as a file with a .gif extension. The downloaded .gif is not an image but a Windows executable: the .js script renames it to .exe and executes it.
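A content-based check catches this trick before the rename, because the first bytes of a Windows executable (the MZ/PE headers) do not match a .gif extension. The following is an added example, not code from the newsletter or from the Nemucod campaign; the sample "downloads" are constructed inline, and the minimal PE-like blob only carries the headers the check inspects.

```python
"""Flag downloaded files whose content type contradicts their extension.

Added example (not from the newsletter): Nemucod-style downloads save a PE
file under a .gif name; sniffing the magic bytes exposes the mismatch.
"""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # offset of the e_lfanew field in the DOS header


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if pe_offset + 4 > len(data):   # bogus offset in junk data: not a PE
        return False
    return data[pe_offset:pe_offset + 4] == PE_SIGNATURE


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the bytes, not by the file name."""
    if is_pe(data):
        return "exe"
    if data[:6] in GIF_MAGICS:
        return "gif"
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def mismatched(filename: str, data: bytes) -> bool:
    """True when a recognised content type disagrees with the extension."""
    actual = sniff_type(data)
    return actual != "unknown" and actual != extension_of(filename)


def triage(downloads):
    """Return the names of downloads whose bytes contradict their extension."""
    return [name for name, data in downloads if mismatched(name, data)]


def fake_pe() -> bytes:
    """Constructed minimal PE-like blob: DOS header with e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 24


# Constructed sample downloads for illustration only.
SAMPLE_DOWNLOADS = [
    ("counter.gif", fake_pe()),               # Nemucod-style: PE saved as .gif
    ("logo.gif", b"GIF89a" + b"\x00" * 32),   # a genuine GIF header
    ("setup.exe", fake_pe()),                 # executable with an honest extension
    ("notes.txt", b"just text"),              # unrecognised type: not flagged
]

if __name__ == "__main__":
    print(triage(SAMPLE_DOWNLOADS))   # ['counter.gif']
```

The check deliberately reports only recognised types: an unknown blob named .txt is not evidence of anything, while a PE header under a .gif name is exactly the downloader behaviour described above and is worth blocking or escalating.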
3. Malware Advanced Persistence Technique
In the good old days, we only needed to check a certain number of known locations to cover 99% of infections. Nowadays there are thousands of ways malware can start and survive a reboot. Below are examples of some currently known techniques used to stay persistent:
4. The real cost of cybercrime - Do the crime, do the time
So, what is the real cost of cybercrime? Who is the real loser? The effect of cybercrime can be extremely upsetting for victims, and not only for financial reasons: a New Zealand writer lost part of his life's work to ransomware (http://malwarebattle.blogspot.my/2015/09/writer-loses-part-of-his-lifes-work-by.html). For the cybercriminal, the cost is time behind bars. It is a no-win situation; as the old saying goes, "do not do something risky unless you are willing and able to accept the full weight of the consequences". Common types of cybercrime include hacking, online scams and fraud, identity theft, attacks on computer systems, and illegal or prohibited online content.
DNSChanger
An Estonian man has pleaded guilty to wire fraud and computer intrusion charges arising from his operation of a massive and sophisticated Internet fraud scheme that infected more than four million computers in over 100 countries with malware. The malware, known as DNSChanger, altered the DNS settings of infected PCs so that their web requests were redirected to rogue servers and specific websites. It replaced advertisements in the browser with ads that generated revenue for the operators, and it also prevented infected computers from receiving anti-virus and operating system updates. http://www.justice.gov/usao-sdny/pr/estonian-national-pleads-guilty-manhattan-federal-court-charges-arising-massive-cyber
Man who helped code Gozi banking malware charged
A man responsible for helping to code the malware known as Gozi has pleaded guilty to conspiracy to commit computer intrusion. Gozi stole tens of millions of dollars from bank accounts around the world: it smuggled itself onto victims' hard drives inside a seemingly benign PDF, then collected bank account usernames, passwords and other security information, which the hackers used to fraudulently transfer money out of the victims' accounts. http://www.nbcnews.com/tech/security/latvian-man-charged-massive-gozi-computer-virus-scheme-pleads-guilty-n421971
Darkode Takedown - More Than 70 Arrests
Operation Shrouded Horizon, a cooperative effort involving the FBI, the US Justice Department and law enforcement agencies in nearly 20 countries around the globe, has brought down a crime forum known as Darkode. More than 70 people have been arrested in the US, Europe, Asia and the Middle East. US law enforcement. https://www.fbi.gov/news/stories/2015/july/cyber-criminal-forum-taken-down
Q. What is steganography? Steganography is the practice of concealing a file, message, image or video within another file, message, image or video. More and more malware authors are taking advantage of steganography in a number of ways. It was first noticed with a piece of malware dubbed Duqu, which used a 54×54 pixel JPEG file and encrypted dummy files as containers to send data to its C&C server, bypassing content filtering. A variant of the Zeus malware (ZeusVM) used steganography to hide the commands it sent to infected machines. As more malware authors see tangible benefits from steganographic techniques, those techniques quickly become widespread. To date, we have seen steganography used to transfer malware, to hide data leaving an organization, and to send commands to infected machines.
Q. Why is it difficult to detect steganography? Steganography writes into slack space and redundant areas of common file formats without changing the visible content of the carrier, so a file carrying hidden data is hard to tell apart from a clean one. There are various ways to examine files for hidden content, but they are exceptionally tedious and do not guarantee detection. Given these constraints, it is simply not practical to scan every file entering or leaving an organization for concealed material. This makes steganography an effective way to get information past existing defenses.
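To make both answers concrete, here is an added example (not code from the newsletter, from Duqu or from ZeusVM) of the simplest image technique, least-significant-bit embedding. The carrier is a constructed buffer of 8-bit grayscale pixel values rather than a real image file, and the hidden "command" is made up; the point is that after embedding no pixel moves by more than 1, and a crude statistic such as the fraction of set low bits barely changes, which is why detection by inspection or simple statistics is unreliable.

```python
"""LSB steganography on a raw pixel buffer: embed, extract, and measure the change.

Added example (not from the newsletter). The carrier is a constructed buffer of
8-bit grayscale pixels; each message bit overwrites the least significant bit
of one pixel, so the picture looks identical to a viewer.
"""
import random
import struct


def embed(carrier: bytes, message: bytes) -> bytes:
    """Hide a length-prefixed message in the LSB of successive carrier bytes."""
    payload = struct.pack(">I", len(message)) + message
    needed_bits = len(payload) * 8
    if needed_bits > len(carrier):
        raise ValueError(f"carrier too small: need {needed_bits} pixels, have {len(carrier)}")
    out = bytearray(carrier)
    for i in range(needed_bits):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit        # overwrite only the lowest bit
    return bytes(out)


def read_lsb_bytes(stego: bytes, first_pixel: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at pixel `first_pixel`."""
    if first_pixel + count * 8 > len(stego):
        raise ValueError("not enough pixels for the requested bytes")
    out = bytearray()
    for b in range(count):
        val = 0
        for k in range(8):
            val = (val << 1) | (stego[first_pixel + b * 8 + k] & 1)
        out.append(val)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message: 4-byte big-endian length, then the body."""
    (length,) = struct.unpack(">I", read_lsb_bytes(stego, 0, 4))
    return read_lsb_bytes(stego, 32, length)   # raises if the length is bogus


def max_pixel_delta(original: bytes, stego: bytes) -> int:
    """Largest per-pixel change introduced by embedding (0 or 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(original, stego))


def lsb_ones_ratio(data: bytes, n: int) -> float:
    """Fraction of set LSBs in the first n pixels: a crude statistic an analyst
    might try; on a noisy carrier it barely moves after embedding."""
    return sum(p & 1 for p in data[:n]) / n


# Constructed carrier: 4096 "pixels" of pseudo-random noise, plus a made-up command.
random.seed(7)
CARRIER = bytes(random.getrandbits(8) for _ in range(4096))
SECRET = b"cmd: upload C:\\Users\\*\\Documents"
STEGO = embed(CARRIER, SECRET)

if __name__ == "__main__":
    print(extract(STEGO))
    print(max_pixel_delta(CARRIER, STEGO),
          lsb_ones_ratio(CARRIER, 256), lsb_ones_ratio(STEGO, 256))
```

Real tools operate on decoded image pixels (PNG, BMP) or on JPEG coefficients rather than a raw buffer, but the mechanics are the same: the carrier's content is untouched to the eye, the hidden data rides in bits the format treats as noise, and the defender has no per-file signature to match on.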
6. Whispers from the Underground Black Market Q3 2015
A vendor is selling a Gmail account-reset and password-change 0-day for a whopping $12,000 USD.
Vendors are increasingly selling customizable ransomware control panels. Prices are approximately $45 to $60 USD.
Neutrino Bot is gaining momentum in the underground. It is priced at $290 USD.
McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. Shifu has circulated since April and attacks primarily Japanese banks. The malware arrives as a file dropped by other malware or as a file unknowingly downloaded by the user.
XcodeGhost Pulled from App Store After a Good Scare
A group of hackers found a way to plant malicious code in hundreds of iOS apps in Apple's App Store in China, by distributing a tampered copy of Apple's Xcode development tools, and potentially compromise user information. A wide variety of apps were affected, some of which held users' banking and credit card information.
'GSMem' malware designed to infiltrate air-gapped computers, steal data
Newly designed malware could allow an attacker to exfiltrate data from air-gapped computers. The attack requires malware on both the air-gapped computer and a nearby device capable of intercepting RF signals. GSMem exploits electromagnetic radiation (EMR) emissions: it drives the computer's memory bus so that it behaves like an antenna and transmits data wirelessly to a phone over cellular frequencies.
HAMMERTOSS malware
The HAMMERTOSS malware generates a new Twitter handle each day, looks for a tweet from that handle to receive its instructions, and in this way maintains a covert presence on victims' systems. The tweet carries a URL and a hashtag: the URL directs the malware to a webpage containing an image, and the hashtag provides a number that represents a location within the image file plus characters to append to an encryption key, which together let the malware decrypt the instructions embedded in the image.
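The tweet-to-command flow described above, as an added example written for this page (it is not HAMMERTOSS code and the newsletter does not state the malware's cipher): the tweet text, the Twitter handle, the image and the base key are all constructed here, the hashtag is assumed to be "digits then letters" so the offset and the key suffix can be split, and a repeating-key XOR stands in for whatever cipher the real sample uses.

```python
"""Decode a HAMMERTOSS-style tweet: URL + hashtag -> offset + key suffix -> command.

Added example, not code from the malware or the newsletter. Tweet format,
image bytes, base key and the XOR "cipher" are assumptions made so that the
data flow (hashtag number = offset into the image, hashtag letters = key
suffix) can be run end to end offline.
"""
import re

BASE_KEY = b"basekey-"   # constructed: the key portion baked into the sample

# Assumed hashtag layout: a decimal offset followed by a letter-led key suffix.
TWEET_RE = re.compile(
    r"(?P<url>https?://\S+)\s+#(?P<offset>\d+)(?P<suffix>[A-Za-z][A-Za-z0-9]*)"
)


def parse_tweet(text: str):
    """Return (url, offset, key_suffix) or None if the tweet is not an instruction."""
    m = TWEET_RE.search(text)
    if not m:
        return None
    return m.group("url"), int(m.group("offset")), m.group("suffix").encode()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it serves as both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_instruction(image: bytes, offset: int, key_suffix: bytes) -> bytes:
    """Take the blob appended at `offset` and decrypt it with base key + suffix."""
    if offset >= len(image):
        raise ValueError("hashtag offset lies beyond the end of the image")
    return xor_stream(image[offset:], BASE_KEY + key_suffix)


# --- constructed operator-side data so the decoder has something to run on ---
def build_image_with_payload(command: bytes, key_suffix: bytes):
    """Simulate the operator: append an encrypted command to a stand-in image
    and return (image, offset) for the matching tweet."""
    fake_gif = b"GIF89a" + bytes(range(256)) * 2   # stand-in image body
    offset = len(fake_gif)
    return fake_gif + xor_stream(command, BASE_KEY + key_suffix), offset


COMMAND = b"upload C:\\Users\\victim\\Documents\\*.docx"   # made-up instruction
SUFFIX = b"k7Qz"                                            # made-up key suffix
IMAGE, OFFSET = build_image_with_payload(COMMAND, SUFFIX)
TWEET = f"http://example.invalid/pic.gif #{OFFSET}{SUFFIX.decode()}"


def run(tweet: str, image: bytes) -> bytes:
    """Implant side: parse the tweet, fetch (here: receive) the image, decrypt."""
    parsed = parse_tweet(tweet)
    if parsed is None:
        raise ValueError("tweet carries no instruction")
    url, offset, suffix = parsed
    return decode_instruction(image, offset, suffix)


if __name__ == "__main__":
    print(TWEET)
    print(run(TWEET, IMAGE))
```

For a defender the useful observation is where the detectable artifacts sit: the appended data makes the image larger than its format needs, and the hashtag-as-key-material means the command cannot be recovered from the image alone, which is why the report describes the scheme as hard to spot on the wire.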