IT threat evolution Q1 2020

[harlan4096]

Contents

• Targeted attacks and malware campaigns
  
• Operation AppleJeus: the sequel
  
• Roaming Mantis turns to SMiShing and enhances anti-researcher techniques
  
• WildPressure on industrial networks in the Middle East
  
• TwoSail Junk
  
• A sprinkling of Holy Water in Asia
  
• Threat hunting with Bitscout
  
• Hunting APTs with YARA
  
• Other security news
  
• Shlayer Trojan attacks macOS users
  
• Blast from the past
  
• Cybercriminals exploiting fears about data breaches
  
• … and coronavirus
  
• AZORult campaign abuses popular VPN service to steal crypto-currency
  
• Distributing malware under the guise of security certificates
  
• Mobile malware sending offensive messages
  
• The use and abuse of the Android AccessibilityService
  
• Everyone loves cookies – including cybercriminals
  
• Stalkerware: no place to hide
  

Roaming Mantis turns to SMiShing and enhances anti-researcher techniques

Kaspersky continues to track the Roaming Mantis campaign. This threat actor was first reported in 2017, when it used SMS to distribute its malware to Android devices in just one country – South Korea. Since then, the scope of the group’s activities has widened considerably. Roaming Mantis now supports 27 languages, targets iOS as well as Android and includes cryptocurrency mining for PCs in its arsenal.

Roaming Mantis is strongly motivated by financial gain and is continuously looking for new targets. The group has also put a lot of effort into evading tracking by researchers, including implementing obfuscation techniques and using whitelisting to avoid infecting researchers who navigate to the malicious landing page.

While the group is currently applying whitelisting only to Korean pages, we think it is only a matter of time before Roaming Mantis implements this for other languages.

Roaming Mantis has also added new malware families, including Fakecop and Wroba.j. The actor is still very active in using ‘SMiShing‘ for Android malware distribution. This is particularly alarming, because it means that the attackers could combine infected mobile devices into a botnet for malware delivery, SMiShing, and so on. In one of the more recent methods used by the group, a downloaded malicious APK file contains an icon that impersonates a major courier company brand: the spoofed brand icon is customized for the country it targets – for example, Sagawa Express for Japan, Yamato Transport and FedEx for Taiwan, CJ Logistics for South Korea and Econt Express for Russia.

WildPressure on industrial networks in the Middle East

In March, we reported a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. We detected the first signs of this operation, which we have dubbed WildPressure, in August 2019; and the campaign remains active.

The Milum samples that we have seen so far do not share any code similarities with any known APT campaigns. All of them allow the attackers to control infected devices remotely: letting them download and execute commands, collect information from the compromised computer and send it to the C2 server and install upgrades to the malware.
...

Continue Reading