X-Force Threat Intelligence: Monthly Malware Roundup – Security Intelligence

X-Force Threat Intelligence: Monthly Malware Roundup

Today’s reality means that organizations need to be constantly vigilant against security breaches. Having a robust incident response plan in place is vital. IBM Security X-Force is a team dedicated to delivering the latest threat intelligence, research and analysis reports that help you manage risk in your organization.

This monthly malware roundup summarizes the threats IBM X-Force has seen in recent weeks so that your team can prioritize defenses. Each section is based on a more elaborate report that can be accessed on X-Force Exchange.

A Popular JavaScript Library Breach Spreads Malware

A popular open-source JavaScript library known as ua-parser-js (hosted on GitHub) was recently compromised in a supply chain attack. The compromised versions attempt to install an XMRig cryptominer variant on Windows and Linux hosts and to infect Windows hosts with the DanaBot banking Trojan: they contain code that downloads and executes the malware when the library is installed or updated.

The legitimate purpose of the library is to “abstract away the hassle of User-Agent detection”. To date, versions 0.7.29, 0.8.0 and 1.0.0 of ua-parser-js have been reported as compromised.
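A quick way to check whether a project pulled in one of the three versions named above is to walk its npm lock file. This is an added example, not X-Force or ua-parser-js project code; the lock-file content embedded below is constructed for illustration, and the function names are my own.

```python
import json

COMPROMISED_VERSIONS = {"0.7.29", "0.8.0", "1.0.0"}  # reported in the roundup
PACKAGE = "ua-parser-js"


def _walk_v1(deps, path, found):
    # lockfileVersion 1 nests transitive deps under "dependencies".
    for name, info in (deps or {}).items():
        here = path + [name]
        if name == PACKAGE:
            found.append(("/".join(here), info.get("version")))
        _walk_v1(info.get("dependencies"), here, found)


def find_ua_parser_entries(lock):
    """Return (path, version) for every ua-parser-js copy in a lock file.
    lockfileVersion 2/3 keys "packages" by node_modules path; version 1
    (and v2, which carries both) nests them under "dependencies".
    """
    found = []
    for path, info in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE):
            found.append((path, info.get("version")))
    if not found:
        _walk_v1(lock.get("dependencies"), [], found)
    return found


def find_compromised(lock):
    """Return only the copies whose version is in the compromised set."""
    return [(p, v) for p, v in find_ua_parser_entries(lock)
            if v in COMPROMISED_VERSIONS]


# Constructed sample lock file: a clean direct dependency plus a
# transitive copy pinned to one of the compromised versions.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 2,
  "packages": {
    "node_modules/ua-parser-js": {"version": "0.7.28"},
    "node_modules/some-lib/node_modules/ua-parser-js": {"version": "0.7.29"}
  }
}""")

if __name__ == "__main__":
    # On a real project: find_compromised(json.load(open("package-lock.json")))
    for path, version in find_compromised(SAMPLE_LOCK):
        print(f"compromised {PACKAGE}@{version} at {path}")
```

Transitive copies are the ones usually missed, which is why the check reports the full node_modules path rather than just the top-level dependency.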


Mozi IoT Botnet – Golang Goes Everywhere

X-Force has recently analyzed a Mozi botnet variant that is a UPX-packed Golang version of the malware. The variant spreads by brute-forcing weak secure shell (SSH) passwords and is used for crypto mining after installation. It does not have data exfiltration or lateral movement capabilities; however, the malware can download additional files, execute commands, spread via SSH, run as a daemon and kill existing crypto miner processes.

Some security vendors refer to Mozi as WorkMiner or Mozi_ssh. It is a peer-to-peer botnet built on the distributed hash table (DHT) protocol. The botnet spreads via Internet of Things exploits and weak telnet or SSH passwords.


FontOnLake Malware Used in Targeted Attacks

A new modular malware family dubbed FontOnLake has emerged in a number of reports in the past couple of months. The malware is notable for a kernel-level rootkit that is based on the open-source Suterusu project. Most identified targets are based in Southeast Asia. FontOnLake is apparently used in targeted attacks, potentially by nation-state groups.

The malware was observed spreading via Trojanized apps that were modified at the source-code level. These Trojanized apps are then used to infiltrate devices, implant malware and collect information.

In operation, FontOnLake provides remote access to attackers, collects credentials and enables attackers to use it as a proxy server.

Previous related research named this malware HCRootkit and Suterusu Linux Rootkit.


New Version of Apostle Ransomware Hits Organizations in Israel

The Apostle ransomware is back with an updated version that is being used against higher education institutions in Israel. Apostle is custom malware used by an Iran-based threat group known as Agrius. The group targets organizations in the Middle East, launching espionage and destructive attacks.

Apostle encrypts files with AES-256-CFB and PKCS7 padding, generating a random encryption key for each encrypted file. It then encrypts that per-file key with an RSA public key that was supplied as an argument earlier and appends the encrypted key to the encrypted file. As such, the encryption cannot be broken without the corresponding RSA private key.

When infected, users receive a ransom note and find their desktop wallpaper replaced.

“Hello RAK

Please, check this message in detail and contact a person from the IT department.

Your personal computer has been infected by a ransomware virus.

All your personal files (Passport, visas, etc.) are encrypted.

If you want to restore your files including your client’s personal data, you will need to make the payment.

Otherwise, all your files will be posted on the internet which may lead you to the loss of reputation and cause troubles for your business.

Let us know if you have any questions.

Our email address: [email protected]

If you don’t get an answer from us within one day, we will contact you at [email protected]”

Other tools used in the attack include the Jennlog Loader, a .NET compiled executable whose sole purpose is to deobfuscate, decompress, decrypt and load another .NET executable that is embedded in its resources. In the Apostle attack, Jennlog was used to load payloads such as the Apostle ransomware and OrcusRAT. OrcusRAT is a modular backdoor written in C# on the .NET Framework that allows attackers to remotely control compromised devices. OrcusRAT supports several built-in command features such as audio control, keylogging, password harvesting, file execution, hidden virtual network computing (VNC)/remote desktop and many other capabilities.


Keeping up to Date With X-Force Threat Intelligence

Nowadays, every organization in the world could benefit from better-informed decisions about managing risk. With the rapid and continuous evolution of threats, X-Force helps organizations keep up to date on emerging threats and attacks through actionable threat intelligence. For more research and intelligence from X-Force, visit: https://securityintelligence.com/category/x-force and join our intelligence sharing platform, X-Force Exchange: https://exchange.xforce.ibmcloud.com.

Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is an Executive Security Advisor at IBM Security. She is a widely sought-after security expert, speaker and author and a strong advocate for wom…

Source of this news: https://securityintelligence.com/posts/x-force-threat-intelligence-monthly-malware-roundup/
