• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Archives for April 2018

FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation
  • Posted on:April 30, 2018 at 6:03 am
  • Posted in:Bad Sites, Malware
  • Author:
    Joseph C Chen (Fraud Researcher)
0

Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.

FacexWorm isn’t new. It was uncovered in August 2017, though its whys and hows were still unclear at the time. Last April 8, however, we noticed a spike in its activities that coincided with external reports of FacexWorm surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

Read More
Tags: ChromecryptocurrencyFacebookFacexWormMessengermining

Necurs Evolves to Evade Spam Detection via Internet Shortcut File
  • Posted on:April 26, 2018 at 6:00 am
  • Posted in:Malware, Spam
  • Author:
    Trend Micro
0

Necurs, a botnet malware that’s been around since 2012, has been improved with the hopes of better defeating cybersecurity measures — it was seen to evolve its second layer of infection using a .URL file (with remote script downloaders detected by Trend Micro as MAL_CERBER-JS03D, MAL_NEMUCOD-JS21B, VBS_SCARAB.SMJS02, and MAL_SCARAB-VBS30.

Necurs, a modular malware with variants that are capable of spam distribution, information theft, and disabling security services and elements, has been in around since 2012, propagating in the wild via the Necurs botnet.

Read More
Tags: NECURSQUANTLOADER

Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant
  • Posted on:April 23, 2018 at 6:01 am
  • Posted in:Botnets, Malware
  • Author:
    Trend Micro
0

We came across a new version of a cryptocurrency-mining RETADUP worm (detected by Trend Micro as WORM_RETADUP.G) through feedback from our managed detection and response-related monitoring. This new variant is coded in AutoHotKey, an open-source scripting language used in Windows for creating hotkeys (i.e., keyboard shortcuts, macros, software automation). AutoHotKey is relatively similar to the script automation utility AutoIt, from which RETADUP’s earlier variants were based on and used for both cybercrime and cyberespionage.

We identified this threat via an endpoint — from an organization in the public sector — that had related malware artifacts (as RETADUP was promptly blocked). Further analyzing and correlating them based on their C&C protocol and our own RETADUP detections, we found that they were similar to other samples we sourced. These indicate that, at least for now, RETADUP’s operators — despite their history in deploying their malware in targeted attacks — are focusing on cybercriminal cryptocurrency mining.

Read More
Tags: AutoHotKeyAutoITcryptocurrency minerManaged Detection and ResponseMoneroRETADUP

XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
  • Posted on:April 19, 2018 at 6:06 pm
  • Posted in:Bad Sites, Malware, Mobile
  • Author:
    Lorin Wu (Mobile Threats Analyst)
0

We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects these as ANDROIDOS_XLOADER.HRX.

These malware pose as legitimate Facebook or Chrome applications. They are distributed from polluted DNS domains that send a notification to an unknowing victim’s device. The malicious apps can steal personally identifiable and financial data and install additional apps. XLoader can also hijack the infected device (i.e., send SMSs) and sports self-protection/persistence mechanisms through device administrator privileges.

Read More
Tags: androidDNS SpoofingXLoader

XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
  • Posted on:April 19, 2018 at 6:00 am
  • Posted in:Malware, Spam
  • Author:
    Trend Micro
0

We discovered a spam campaign that delivers the notorious cross-platform remote access Trojan (RAT) Adwind a.k.a. jRAT (detected by Trend Micro as JAVA_ADWIND.WIL) alongside another well-known backdoor called XTRAT a.k.a XtremeRAT (BKDR_XTRAT.SMM). The spam campaign also delivered the info-stealer Loki (TSPY_HPLOKI.SM1).

DUNIHI (VBS_DUNIHI.ELDSAVJ), a known VBScript with backdoor and worm capabilities, was also seen being dropped with Adwind via spam mail in a separate incident. Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org. The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.

Read More
Tags: AdwindbackdoorDUNIHILokiXTRAT
Page 1 of 3123

Security Predictions for 2018

  • Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.
    Read our security predictions for 2018.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Popular Posts

  • Malicious Edge and Chrome Extension Used to Deliver Backdoor
  • GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities
  • Confucius Update: New Tools and Techniques, Further Connections with Patchwork
  • Legitimate Application AnyDesk Bundled with New Ransomware Variant
  • Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.