In the process of monitoring changes in the threat landscape, we get a clearer insight into the way threat actors work behind the schemes. In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”Read More
Trend Micro recently saw increased abuse of the internet query file IQY, similar to the activity detected in June from a Necurs-distributed spam wave that delivered the FlawedAmmyy RAT. It appears cybercriminals are taking advantage of the simple structure of IQY files because they can be used to evade structure-based detection methods.
Our latest observation found the Cutwail botnet distributing spam mails abusing IQY files. The spam campaign specifically targets users in Japan, delivering either the BEBLOH (detected by Trend Micro as TSPY_BEBLOH.YMNPV) or URSNIF (TSPY_URSNIF.TIBAIDO) malware. The spam mails attempt to trick users into clicking the attachment using conventional social engineering baits such as “payment,” “photos sent,” “photos attached,” and “please confirm,” among others. The campaign’s activity was detected on August 6, 2018, and has managed to distribute approximately 500,000 spam mails. The spam distribution has since died down on August 9.Read More
Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.
The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations.
9002 RAT also installed additional malicious tools: an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper. These tools hint at how the attackers are also after data stored in their target’s web server and database.Read More
We discovered a high-risk Internet Explorer (IE) vulnerability in the wild on July 11, just a day after Microsoft’s July Patch Tuesday. We immediately sent Microsoft the details to help fix this flaw. While this vulnerability, now designated as CVE-2018-8373, affects the VBScript engine in the latest versions of Windows, Internet Explorer 11 is not vulnerable since VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default.Read More
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.Read More