At a glance.
- Coronavirus phishing activity continues to escalate.
- Unknown APT is targeting industrial entities in a Middle Eastern country.
- Mirai variant goes after unpatched Zyxel NAS devices.
- New Nefilim ransomware exfiltrates victims' data.
- 56 malicious apps pulled from Google Play Store.
Coronavirus phishing still rampant.
Widespread criminal activity using coronavirus-themed lures continues unabated, with Bitdefender reporting a 475% increase of this activity in March compared to February. The most-targeted sectors are hospitality, government, education and research, transportation, and healthcare. Italy and the United States have been targeted with the most malicious activity.
KnowBe4 says cybercriminals are recycling old phishing templates by plugging in coronavirus themes. Some of these simply contain the keywords "COVID-19" or "coronavirus" in order to catch the victim's attention, while others are more complex. KnowBe4 has also seen attempted business email compromise attacks that use the virus as an excuse to request favors.
BleepingComputer found that Trickbot and Emotet are both using text from coronavirus news reports in order to avoid detection by machine-learning-based security software. This text will appear in the Details tab of the malware file's properties, such as the file description, product name, and copyright. Vitali Kremez of SentinelLabs told BleepingComputer, "This 'goodware' string addition technique allows the criminal crypter operators to create crypted binaries that might allow bypasses of AI/ML engines of certain anti-virus products as it was proved in the Cylance bypass method."
CrowdStrike released a threat intelligence report outlining activity by the China-linked threat actor Pirate Panda. The group used a lure document that purported to come from the Ministry of Health for Mongolia and listed known coronavirus cases inside and outside of China. The document would install the Poison Ivy RAT on the victim's machine.
Malwarebytes came across an odd phishing site purporting to offer antivirus software called "Corona Antivirus" that will supposedly protect the user from the real coronavirus. The site claims, "Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running." If a user downloads this file, they'll be infected with the BlackNET RAT and incorporated into the BlackNET botnet.
Check Point notes that criminals on the black market are offering "coronavirus discounts" on their products. One hacker-for-hire group is offering its services for 15% off if customers provide a "COVID-19 code." The researchers believe these discounts are more in the celebratory mood of Black Friday or Cyber Monday than they are motivated by any charitable impulse.
New threat actor targets industrial entities in the Middle East.
Kaspersky researchers are tracking an ongoing campaign they call "WildPressure" that's targeting entities in an unnamed Middle Eastern country with a new C++ Trojan. Some of the operation's victims were industrial organizations. The researchers found "three almost unique samples" of the malware, which they've dubbed "Milum," all three of which were used to target organizations in a single country. The Milum Trojan can exfiltrate data, execute commands, receive updates, and delete itself.
The operation has been running since "at least the end of May 2019." Kaspersky isn't sure who's behind the campaign or what their ultimate goal is, noting that they "haven’t observed any strong code- or victim-based similarities with any known actor or set of activity."
Mirai variant goes after unpatched Zyxel NAS devices.
Palo Alto Networks's Unit 42 warns that a new variant of Mirai, dubbed "Mukashi," is exploiting a recently patched vulnerability in Zyxel network-attached storage (NAS) devices (CVE-2020-9054). The vulnerability is an easily exploitable pre-authentication command injection flaw that allows unauthenticated remote code execution with root privileges. Unpatched Zyxel NAS devices don't sanitize the username parameter in their login executable, enabling attackers to send HTTP POST requests with commands that will run on the affected device.
Unit 42 notes that the Zyxel vulnerability was only discovered when a security researcher found the exploit code for sale in criminal circles, so Mukashi's operators likely aren't the only bad actors making use of the flaw. Zyxel recommends that users install the latest firmware patches immediately.
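The flaw class described above, an unsanitized login field that reaches a shell, is easy to spot on both sides of the wire. The following is an added example (not code from Unit 42, Zyxel, or this digest) showing a server-side allowlist check for the username field alongside a detector that flags login POSTs carrying shell metacharacters; the log format, the `/login` endpoint name, and the sample lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Characters that let an unsanitized field be read by a shell as additional
# commands. The page does not name the device's vulnerable path, so the
# endpoint below is a placeholder chosen for this example.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n]")

# Positive allowlist a NAS login handler should enforce before the value goes
# anywhere near a process invocation (assumed policy, not Zyxel's).
VALID_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def username_is_safe(username: str) -> bool:
    """Accept only usernames that match the allowlist in full."""
    return VALID_USERNAME.fullmatch(username) is not None

def flag_login_request(line: str):
    """Return a finding dict for a login POST whose username contains shell
    metacharacters, otherwise None. Constructed log format:
    '<client-ip> <METHOD> <path> "<urlencoded body>'"""
    m = re.match(r'^(\S+) (\S+) (\S+) "(.*)"$', line)
    if not m:
        return None
    ip, method, path, body = m.groups()
    if method != "POST" or not path.endswith("/login"):  # placeholder endpoint
        return None
    # parse_qs decodes %XX escapes and '+', so encoded payloads are seen as-is.
    user = parse_qs(body).get("username", [""])[0]
    if SHELL_METACHARS.search(user):
        return {"src": ip, "username": user,
                "reason": "shell metacharacters in login username"}
    return None

def scan(lines):
    """Run the detector over an iterable of log lines and collect findings."""
    return [f for f in (flag_login_request(l) for l in lines) if f]

# Constructed sample traffic: one benign login, one GET, two injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 POST /login "username=alice&password=hunter2"',
    '10.0.0.9 GET /index.html ""',
    '198.51.100.7 POST /login "username=admin%3Becho+injected&password=x"',
    '203.0.113.4 POST /login "username=bob%60true%60&password=x"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```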
Nefilim ransomware pressures victims with stolen data.
BleepingComputer reports that a new ransomware strain called "Nefilim" is threatening to release victims' data. Nefilim was first spotted late last month, and it has significant code overlap with the Nemty ransomware. Unlike Nemty, however, Nefilim doesn't operate on a ransomware-as-a-service model, and its operators use email to communicate with victims. It's unclear if Nefilim is operated by the crooks behind Nemty, or if a new gang used Nemty's source code to develop their own malware.
The malware's ransom note instructs victims to email the attacker in order to receive proof that their data has been stolen, and it warns that the attackers will begin leaking the data if they aren't contacted within seven days.
Adware in the Google Play Store.
Researchers at Check Point found an ad-fraud malware family operating in fifty-six apps in the Google Play Store. Twenty-four of these apps posed as games targeted at children, while the others were various utility apps. Collectively, these apps received nearly a million downloads. The malware, which the researchers call "Tekya," used Android's MotionEvent component to mimic human activity when generating clicks. Google has removed all of the apps from its store.