Malware and AntiVirus News

TrendLabs Security Intelligence Blog

Threat News and Information Direct from the Experts

EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner Friday, 22 September 2017, 4:01 pm

We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. Tech support scams are fraud operations that impersonate legitimate technical support services and con unwitting victims into paying for bogus services (or handing over financial data), typically by frightening them with claims that their machine is infected with malware.

The EITest campaign’s main arsenal is compromised websites. Its activity can be traced back to 2014, when it used the Angler exploit kit to deliver ransomware. Since January 2017 it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing lures and tech support scams. In one month we identified 990 compromised websites injected with a malicious script that diverts would-be victims to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner to its ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.
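The page does not show what the injected script looks like, but the Coinhive side of it is identifiable from Coinhive’s publicly documented client: the hosted library URL on coinhive.com and the `new CoinHive.Anonymous(siteKey)` / `.start()` calls. The following Python scanner is an added example (not Trend Micro’s code or tooling) that pulls script sources and inline script bodies out of a fetched page and flags those indicators; the two HTML documents and the site key in them are constructed for illustration, and the host list is an assumption you would extend with any mirror domains you see in your own telemetry.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from Coinhive's public client library and API at the time
# of the campaign: the hosted script URL and the constructor/start calls.
# The host list is an assumption; add any mirrors observed in practice.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_API_RE = re.compile(
    r"""new\s+CoinHive\.(Anonymous|User)\s*\(\s*['"]([A-Za-z0-9_-]+)['"]""")
MINER_START_RE = re.compile(r"\.start\s*\(")


class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def _is_miner_host(url):
    # Handles absolute and protocol-relative (//host/path) script URLs.
    host = urlsplit(url).netloc.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_indicators(html):
    """Return what a page scanner would flag on one fetched HTML document:
    miner script sources, Coinhive site keys found in inline scripts, and
    whether an inline script actually starts a miner with one of those keys."""
    collector = _ScriptCollector()
    collector.feed(html)
    inline_js = "\n".join(collector.inline)
    site_keys = [m.group(2) for m in MINER_API_RE.finditer(inline_js)]
    return {
        "script_srcs": [s for s in collector.srcs if _is_miner_host(s)],
        "site_keys": site_keys,
        "starts_miner": bool(site_keys) and MINER_START_RE.search(inline_js) is not None,
    }


# Constructed sample pages (not captured from a real compromised site).
SAMPLE_INFECTED = """<html><head><title>Example</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('AbCdEf0123456789', {throttle: 0.3});
  miner.start();
</script></head><body>hello</body></html>"""

SAMPLE_CLEAN = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script>window.addEventListener('load', function () { console.log('ok'); });</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_miner_indicators(page))
```

Run it against the pages you crawl and treat a non-empty `site_keys` list as a pivot: the same key reused across unrelated sites is the mark of one injection campaign rather than a site owner monetising their own traffic.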

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Source: TrendLabs Security Intelligence Blog | Joseph C Chen (Fraud Researcher)

OptionsBleed – The Apache HTTP Server Now Bleeds Friday, 22 September 2017, 11:04 am

A new vulnerability in the Apache HTTP Server was disclosed recently. Designated CVE-2017-9798, it lies in how Apache handles certain settings in its configuration files (specifically a <Limit> directive that names an HTTP method Apache does not recognize) and results in fragments of server memory being disclosed in responses to HTTP OPTIONS requests, rather than a memory leak in the resource sense. It has been named OptionsBleed after the Heartbleed vulnerability because of this similarity. Patches for Apache are now available.
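Two checks a practitioner wants here: find the configuration that triggers the bug, and recognise a leaking server from its OPTIONS responses. The Python below is an added example (not Trend Micro’s code or Apache’s) that does both offline. The built-in method set is the one httpd registers itself and is an assumption in the sense that modules such as mod_dav can register more; the .htaccess fragments and the three Allow header values are constructed, with the second one carrying non-token bytes in place of what a leaking server would actually echo. The `collect_allow_headers` helper is the live counterpart and is not exercised by the samples.

```python
import http.client
import re
from urllib.parse import urlsplit

# Methods httpd registers itself (modules may add more, e.g. mod_dav). A
# <Limit> entry naming anything else is the configuration that made OPTIONS
# responses of unpatched servers return freed memory. Apache compares the
# names case-sensitively, so "get" counts as unknown just like "FOOBAR".
BUILTIN_METHODS = {
    "GET", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token


def unknown_limit_methods(config_text):
    """Method names in <Limit>/<LimitExcept> blocks that httpd does not
    register by default. Removing them is the workaround; patching is the fix."""
    unknown = []
    for m in LIMIT_RE.finditer(config_text):
        for name in m.group(1).split():
            if name not in BUILTIN_METHODS and name not in unknown:
                unknown.append(name)
    return unknown


def suspicious_allow_tokens(allow_value):
    """Entries of an Allow header that are not valid HTTP method tokens,
    which is how leaked heap bytes typically show up."""
    tokens = [t.strip() for t in allow_value.split(",")]
    return [t for t in tokens if not TOKEN_RE.match(t)]


def allow_values_unstable(allow_values):
    """A healthy server answers OPTIONS on a fixed URL with the same Allow
    header every time; variation across repeats is the OptionsBleed signature."""
    return len(set(allow_values)) > 1


def collect_allow_headers(url, count=20):
    """Live check: send `count` OPTIONS requests to one URL and return each
    response's Allow header (None where absent). Feed the result to
    allow_values_unstable() and suspicious_allow_tokens()."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    values = []
    for _ in range(count):
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request("OPTIONS", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        values.append(resp.getheader("Allow"))
        conn.close()
    return values


# Constructed .htaccess fragments: the triggering form and the corrected one.
HTACCESS_TRIGGERING = """AuthType Basic
<Limit GET POST FOOBAR>
    Require valid-user
</Limit>
"""
HTACCESS_CORRECTED = HTACCESS_TRIGGERING.replace("<Limit GET POST FOOBAR>",
                                                 "<Limit GET POST>")

# Constructed Allow headers from three OPTIONS requests; the second carries
# non-token bytes standing in for leaked memory.
ALLOW_SAMPLES = [
    "GET,POST,OPTIONS,HEAD",
    "GET,POST,OPTIONS,HEAD,\x05\x7f\x00",
    "GET,POST,OPTIONS,HEAD",
]

if __name__ == "__main__":
    print("unknown methods:", unknown_limit_methods(HTACCESS_TRIGGERING))
    print("unstable:", allow_values_unstable(ALLOW_SAMPLES))
    print("odd tokens:", [suspicious_allow_tokens(v) for v in ALLOW_SAMPLES])
```

Because the underlying bug is a use-after-free, a leaking server does not leak on every request; that is why the live check sends many OPTIONS requests and compares, rather than judging a single response.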

Source: TrendLabs Security Intelligence Blog | Pavan Thorat (Vulnerability Research)

a-PATCH-e: Struts Vulnerabilities Run Rampant Thursday, 21 September 2017, 4:01 pm

Equifax has confirmed that the attack vector used in its data breach was CVE-2017-5638, an Apache Struts vulnerability patched in March 2017 (Struts security bulletin S2-045). The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. It was first disclosed in March and was almost immediately followed by publicly available PoCs, weaponized exploits, and scanners produced by third parties.

Since March, Trend Micro has observed thousands of events from the intrusion prevention filters that cover this vulnerability, and these exploitation and enumeration attempts are still being seen. Trend Micro customers can use these filters as a virtual patch for critical Apache Struts vulnerabilities until the actual software update is deployed.
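What such a filter keys on is public knowledge from the S2-045 PoCs: the malicious request carries an OGNL expression in the Content-Type header, where a legitimate client only ever sends a media type. The Python below is an added example (not Trend Micro’s filter logic) of the same idea applied to a log: a positive-model check that a Content-Type is a well-formed media type, plus marker patterns for the expression syntax and the object names the public exploits use. The log lines are constructed in combined-log format with the request’s Content-Type appended as a quoted field (the Apache LogFormat token `%{Content-Type}i`); the addresses and paths are invented, and the expression payloads are deliberately truncated placeholders, not working exploits.

```python
import re

# Markers characteristic of CVE-2017-5638 exploit traffic: OGNL expression
# delimiters and the object names public PoCs use to disable the sandbox.
OGNL_MARKERS = (
    re.compile(r"%\{"),
    re.compile(r"\$\{"),
    re.compile(r"#_memberAccess", re.IGNORECASE),
    re.compile(r"#context", re.IGNORECASE),
    re.compile(r"@java\.lang\.", re.IGNORECASE),
    re.compile(r"\bognl\b", re.IGNORECASE),
)
# Positive model: a Content-Type is a media type, optionally with parameters.
MEDIA_TYPE_RE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;.*)?$")
# Constructed log format: combined log plus the request Content-Type in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$')


def classify_content_type(value):
    """'ognl' if the header carries expression markers, 'malformed' if it is
    not a media type at all, otherwise 'ok'. A reverse proxy acting as a
    virtual patch would reject anything but 'ok'."""
    if any(p.search(value) for p in OGNL_MARKERS):
        return "ognl"
    if not MEDIA_TYPE_RE.match(value.strip()):
        return "malformed"
    return "ok"


def scan_log(lines):
    """Return (line_number, verdict, client_ip) for every line that is not a
    clean request; unparseable lines are reported rather than dropped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            hits.append((n, "unparsed", line))
            continue
        verdict = classify_content_type(m.group("ctype"))
        if verdict != "ok":
            hits.append((n, verdict, m.group("ip")))
    return hits


# Constructed sample log (addresses from documentation ranges, payloads truncated).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Sep/2017:08:12:01 +0000] "POST /app/upload.action HTTP/1.1" 200 1834 "multipart/form-data; boundary=----WebKitFormBoundaryx7Qf"',
    '203.0.113.5 - - [21/Sep/2017:08:12:44 +0000] "GET /app/index.action HTTP/1.1" 200 5120 "%{(#_=\'multipart/form-data\').(#_memberAccess[...])}"',
    '192.0.2.9 - - [21/Sep/2017:08:13:02 +0000] "POST /app/login.action HTTP/1.1" 302 0 "application/x-www-form-urlencoded"',
    '203.0.113.5 - - [21/Sep/2017:08:13:30 +0000] "GET /app/index.action HTTP/1.1" 200 5120 "${#context[...]}"',
    '192.0.2.10 - - [21/Sep/2017:08:14:11 +0000] "POST /app/search.action HTTP/1.1" 200 77 "text html"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The positive-model branch matters more than the marker list: markers catch the PoCs that exist today, while rejecting any Content-Type that is not a media type also stops obfuscated variants that avoid the known strings.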

Source: TrendLabs Security Intelligence Blog | Trend Micro

New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining Wednesday, 20 September 2017, 2:43 pm

Several months ago we discovered and exposed the RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was hosted on the same attacker infrastructure and might be used for cyberespionage or cybercrime.

Source: TrendLabs Security Intelligence Blog | Trend Micro Cyber Safety Solutions Team

Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns Monday, 18 September 2017, 4:00 pm

At the beginning of September, a sizeable spam campaign was detected distributing a new Locky variant. Locky is a notorious ransomware family first detected in early 2016 that has continued to evolve and spread through various methods, particularly spam mail. A thorough look at samples from recent campaigns shows that the cybercriminals are using sophisticated distribution methods and affecting users in more than 70 countries.

In the specific campaigns discussed below, both Locky and the ransomware FakeGlobe were being distributed—but the two were rotated. The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.

Source: TrendLabs Security Intelligence Blog | Trend Micro

iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices Monday, 18 September 2017, 10:05 am

While iOS devices generally see relatively fewer threats because of the platform’s walled-garden approach to app installation, it is not impregnable. In 2016 we saw a number of threats that scaled the walls, from those that abused enterprise certificates to those that exploited vulnerabilities to circumvent Apple’s stringent control over its platforms.

This is further exemplified by iXintpwn/YJSNPI (detected by Trend Micro as TROJ_YJSNPI.A), a malicious iOS configuration profile that can render a device unresponsive. It is a remnant of the work of a Japanese script kiddie who was arrested in early June this year.

While iXintpwn/YJSNPI seems currently concentrated in Japan, it won’t surprise anyone if it spreads beyond the country given how it proliferated in social media.

Source: TrendLabs Security Intelligence Blog | Trend Micro

Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices Friday, 15 September 2017, 1:00 pm

BlueBorne is a set of vulnerabilities in the Bluetooth implementations of iOS, Android, Linux, Windows and Mac OS devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation is to apply the vendor’s patch where one is available, and otherwise to switch off the device’s Bluetooth when it is not needed.

Source: TrendLabs Security Intelligence Blog | Trend Micro Cyber Safety Solutions Team

Hangul Word Processor and PostScript Abused Via Malicious Attachments Thursday, 14 September 2017, 12:00 pm

The Hangul Word Processor (HWP) is a word processing application that is fairly popular in South Korea. It can run PostScript code; PostScript was designed for printing and desktop publishing but is a fully capable programming language. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.

Source: TrendLabs Security Intelligence Blog | Trend Micro

BankBot Found on Google Play and Targets Ten New UAE Banking Apps Wednesday, 13 September 2017, 10:30 am

The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced in January of this year and is reportedly an improved version of an unnamed open-source banking malware leaked on an underground hacking forum. BankBot is particularly risky because it disguises itself as a legitimate banking app, typically using fake overlay screens that mimic existing banking apps to steal user credentials. It can also hijack and intercept SMS messages, which means it can bypass SMS-based two-factor authentication.

Source: TrendLabs Security Intelligence Blog | Trend Micro

Microsoft Office Zero-Day Vulnerability Addressed in September Patch Tuesday Wednesday, 13 September 2017, 9:56 am

Microsoft has released its monthly security bulletin, colloquially known as Patch Tuesday, for September. The most important update addresses a zero-day vulnerability, exploited through Microsoft Word documents, that could allow attackers to execute code remotely on the target system.

Source: TrendLabs Security Intelligence Blog | Ronaldo Mangahas (Technical Communications)