Malware and AntiVirus News

TrendLabs Security Intelligence Blog

Threat News and Information Direct from the Experts

ProMediads Malvertising and Sundown-Pirate Exploit Kit Combo Drops Ransomware and Info Stealer Wednesday, 19 July 2017, 2:22 pm

We’ve uncovered a new exploit kit in the wild through a malvertising campaign we’ve dubbed “ProMediads”. We call this new exploit kit Sundown-Pirate: it is indeed a bootleg of its precursors, and its own back panel actually uses that name.

ProMediads has been active since as early as 2016, employing the Rig and Sundown exploit kits to deliver malware. Its activity dropped off in mid-February this year but suddenly resurfaced on June 16 via Rig. On June 25, however, we noticed that ProMediads had eschewed Rig in favor of Sundown-Pirate.

It’s worth noting that Sundown-Pirate has only been employed by ProMediads so far. This could mean that it is yet another private exploit kit, like the similarly styled GreenFlash Sundown exploit kit that was used exclusively by the ShadowGate campaign.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Source: TrendLabs Security Intelligence Blog | Joseph C Chen (Fraud Researcher)

Linux Users Urged to Update as a New Threat Exploits SambaCry Tuesday, 18 July 2017, 2:10 pm

A seven-year-old vulnerability in Samba, an open-source implementation of the SMB protocol that Windows uses for file and printer sharing, was patched last May but continues to be exploited. According to the security advisory released by the Samba team, the vulnerability (CVE-2017-7494) allows a malicious actor to upload a shared library to a writable share and cause the server to load and execute it. If leveraged successfully, an attacker can open a command shell on a vulnerable device and take control of it. It affects all versions of Samba from 3.5.0 onward; the fixed releases are 4.6.4, 4.5.10 and 4.4.14.
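The library-upload path described above can be triaged from the version string alone. The following is an added example, not code from Trend Micro's post or from the Samba project: it parses a Samba version (for instance the output of `smbd --version` or a scanner banner), compares it with the first fixed release of its branch, and checks an smb.conf for the advisory's `nt pipe support = no` workaround. The sample smb.conf and version strings are constructed; the fixed-release table comes from the Samba advisory.

```python
import re

# Added example (not Trend Micro's or the Samba team's code): triage a Samba
# version string against the CVE-2017-7494 fix. The Samba team shipped the fix
# in 4.6.4, 4.5.10 and 4.4.14; branches 3.5.0 through 4.3.x were already
# end-of-life upstream and got no fixed release. A distribution that backports
# the patch keeps an old version number, so treat a "vulnerable" verdict as a
# prompt to check the package changelog, not as proof of exploitability.
FIRST_AFFECTED = (3, 5, 0)
FIRST_FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """Extract (major, minor, patch) from strings like '4.5.9',
    'Version 4.3.11-Ubuntu' (smbd --version) or a scanner banner."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True when the version is in the affected range and below the first
    fixed release of its branch (or on a branch that never got one)."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    # 3.5 .. 4.3: unfixed upstream; 4.7 and later were released after the fix
    return branch < (4, 4)


def workaround_present(smb_conf):
    """The advisory's temporary mitigation is 'nt pipe support = no' in the
    [global] section. It disables the named-pipe handling the exploit relies
    on but also breaks some Windows client functionality, so it is a
    stop-gap until the package is updated, not a fix."""
    in_global = False
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith('['):
            in_global = stripped.lower() == '[global]'
        elif in_global and re.match(r'nt\s+pipe\s+support\s*=\s*no\b', stripped, re.I):
            return True
    return False


def assess(version_text, smb_conf=''):
    """Combine the version check with the configuration workaround."""
    if not is_vulnerable_version(version_text):
        return 'not affected'
    if workaround_present(smb_conf):
        return 'vulnerable version, workaround applied'
    return 'vulnerable'


# Constructed sample: an end-of-life 4.3 build with the workaround in place.
SAMPLE_CONF = '''[global]
   workgroup = WORKGROUP
   nt pipe support = no

[share]
   path = /srv/share
   writable = yes
'''

if __name__ == '__main__':
    for v in ('Version 4.3.11-Ubuntu', '4.5.9', '4.6.4', '3.4.0'):
        print(v, '->', assess(v, SAMPLE_CONF))
```

A "vulnerable" verdict on a distribution package is a reason to read the package changelog for a backported CVE-2017-7494 fix; the version number alone cannot tell the difference.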


Source: TrendLabs Security Intelligence Blog | Trend Micro

Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More Monday, 17 July 2017, 10:55 am

The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.

We’ve named this Android backdoor GhostCtrl (detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA) because it can stealthily control many of the infected device’s functions.

There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functions without obfuscation; the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features, and then some. Based on the techniques each employed, we can only expect it to evolve further.


Source: TrendLabs Security Intelligence Blog | Trend Micro

Are Your Online Mainframes Exposing You to Business Process Compromise? Thursday, 13 July 2017, 6:01 pm

Legacy mainframes are still used by enterprises to handle big data transactions across a range of industries, from financial institutions, telecoms, and internet service providers (ISPs) to airlines and government agencies.

Why are they still in use? As the saying goes, “if it ain’t broke, don’t fix it.” But what if they are not necessarily “broken”, just insecure? Exposing a mainframe online, even unintentionally, can be detrimental to the security not only of the company’s crown jewels but also of its customers. This is what we found using data from Shodan, a public search engine for internet-connected devices.


Source: TrendLabs Security Intelligence Blog | Trend Micro

Examining CVE-2017-9791: New Apache Struts Remote Code Execution Vulnerability Thursday, 13 July 2017, 2:00 pm

The Apache Struts framework is used to build Java-based web applications, and two major versions, Apache Struts 1 and Apache Struts 2, have been released so far. Apache Struts 2 reached its first full release at the start of 2007, and Apache Struts 1 formally reached end of life in 2013. A Struts 1 plugin is available that allows developers to reuse existing Struts 1 Actions and ActionForms in Struts 2 web applications. A vulnerability (CVE-2017-9791, Apache advisory S2-048) has been found in this plugin that could allow remote code execution on the affected server when it is used with Struts 2.3.x; versions 2.5.x are not affected. The root cause is that untrusted request data used as the text of an ActionMessage is later evaluated by Struts 2 as a message expression, so OGNL embedded in a form field is executed on the server.
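The vulnerable pattern is a Struts 1 action that builds an ActionMessage from request data instead of from a resource-bundle key. As an added example (not Trend Micro's or Apache's code), the following Python lint finds `new ActionMessage(...)` calls whose first argument is not a string literal. The two Java snippets it runs over are constructed, with a hypothetical SaveCustomerAction class; they show the vulnerable concatenation beside the hardened form, which uses the resource key "customer.added" and passes the form field only as a substitution value.

```python
import re

# Added example (not Trend Micro's or Apache's code): a source-level lint for
# the pattern behind CVE-2017-9791 / S2-048. When a Struts 1 action run through
# the Struts 1 plugin builds an ActionMessage from raw request data, Struts 2
# later evaluates that text as a message expression, so %{...} OGNL in a form
# field executes. A resource-bundle key is constant and never attacker data.

_CALL = re.compile(r'new\s+ActionMessage\s*\(')
_STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def _argument_list(src, open_paren):
    """Split the call whose '(' sits at src[open_paren] into its top-level
    arguments. Quotes are tracked so commas and parens inside string literals
    do not confuse the split; returns (args, index_of_closing_paren)."""
    depth, in_str, current, args = 0, False, [], []
    i = open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            current.append(c)
            if c == '\\' and i + 1 < len(src):   # keep escaped char, e.g. \"
                current.append(src[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            current.append(c)
        elif c == '(':
            depth += 1
            if depth > 1:
                current.append(c)
        elif c == ')':
            depth -= 1
            if depth == 0:
                args.append(''.join(current).strip())
                return args, i
            current.append(c)
        elif c == ',' and depth == 1:
            args.append(''.join(current).strip())
            current = []
        else:
            current.append(c)
        i += 1
    raise ValueError("unterminated ActionMessage( call")


def find_raw_message_keys(src):
    """Return [(line, first_argument)] for each new ActionMessage(...) whose
    first argument is not a plain string literal: those call sites hand
    non-constant text to Struts 2 as a message key. Heuristic: a variable
    that holds a constant key is also reported and needs a manual look."""
    findings = []
    for m in _CALL.finditer(src):
        args, _ = _argument_list(src, m.end() - 1)
        key = args[0] if args else ''
        if not _STRING_LITERAL.match(key):
            findings.append((src.count('\n', 0, m.start()) + 1, key))
    return findings


# Constructed sample input with a hypothetical action class. VULNERABLE_SRC
# concatenates a form field into the message text; HARDENED_SRC uses the
# resource key "customer.added" and passes the field only as a substitution
# value, which is formatted into the bundle text rather than evaluated.
VULNERABLE_SRC = '''
public class SaveCustomerAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest req, HttpServletResponse res) {
        CustomerForm cform = (CustomerForm) form;
        ActionMessages messages = new ActionMessages();
        messages.add("msg", new ActionMessage("Customer " + cform.getName() + " added"));
        addMessages(req, messages);
        return mapping.findForward("success");
    }
}
'''

HARDENED_SRC = VULNERABLE_SRC.replace(
    'new ActionMessage("Customer " + cform.getName() + " added")',
    'new ActionMessage("customer.added", cform.getName())')

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(name, find_raw_message_keys(src))
```

The lint only covers the ActionMessage constructor; ActionError (a Struts 1 subclass) and any wrapper that builds the message text elsewhere need the same review, and a reported variable may turn out to hold a constant key.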


Source: TrendLabs Security Intelligence Blog | Trend Micro

July Patch Tuesday Addresses Critical Vulnerability in Microsoft HoloLens Wednesday, 12 July 2017, 11:06 am

Last month’s Patch Tuesday highlighted updates for older, unsupported Windows versions in the wake of the WannaCry outbreak. This July, Patch Tuesday shifts its focus to other technologies, with an update that addresses 54 vulnerabilities, including one in Microsoft HoloLens, an augmented reality headset.


Source: TrendLabs Security Intelligence Blog | Ronaldo Mangahas (Technical Communications)

Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind Tuesday, 11 July 2017, 10:00 am

Cybercriminals are opportunists. As other operating systems (OS) become more widely used, cybercriminals diversify their targets, tools, and techniques in order to cash in on more victims. That is the value proposition of malware that can adapt and cross over to different platforms. When it is combined with a business model that commercially peddles the malware to other bad guys, the impact becomes more pervasive.

Case in point: Adwind/jRAT, which Trend Micro detects as JAVA_ADWIND. It is a cross-platform remote access Trojan (RAT) that can run on any machine with Java installed, including Windows, Mac OS X, Linux, and Android.

Unsurprisingly, we saw it resurface in another spam campaign. This time, however, it mainly targets enterprises in the aerospace industry, with Switzerland, Ukraine, Austria, and the US the most affected countries.


Source: TrendLabs Security Intelligence Blog | Rubio Wu and Marshall Chen (Threats Analysts)

OSX Malware Linked to Operation Emmental Hijacks User Network Traffic Monday, 10 July 2017, 2:00 pm

The OSX_DOK malware showcases sophisticated features such as certificate abuse and security software evasion, and affects machines running Apple’s OS X operating system. This malware, which specifically targets Swiss banking users, uses a phishing campaign to drop its payload, which eventually results in the hijacking of the user’s network traffic through a man-in-the-middle (MitM) attack. OSX_DOK appears to be another version of WERDLOD, a malware that was used during the Operation Emmental campaigns.


Source: TrendLabs Security Intelligence Blog | Rubio Wu (Threats Analyst)

July’s Android Security Bulletin Addresses Continuing Mediaserver and Qualcomm Issues Friday, 7 July 2017, 11:34 am

Google has released their Android security bulletin for July in two security patch level strings: the first dated 2017-07-01 and the succeeding one dated 2017-07-05. As always, Google urges users to update and avoid any potential security issues. Owners of native Android devices should apply the latest over-the-air (OTA) updates, and non-native Android device users…


Source: TrendLabs Security Intelligence Blog | Giannina Escueta (Technical Communications)

SLocker Mobile Ransomware Starts Mimicking WannaCry Wednesday, 5 July 2017, 2:00 pm

Early this month, a new variant of the mobile ransomware SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) was detected copying the GUI of the now-infamous WannaCry. The SLocker family is one of the oldest mobile lock-screen and file-encrypting ransomware families and used to impersonate law enforcement agencies to convince victims to pay the ransom. After laying low for a few years, it had a sudden resurgence last May. This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware families, and the first mobile ransomware to capitalize on the success of the earlier WannaCry outbreak.


Source: TrendLabs Security Intelligence Blog | Mobile Threat Response Team