InfoSec Week 13, 2017

Posted on 02 April 2017
The tale of a misunderstood malware author who released the source code of the NukeBot banking malware on GitHub to gain some traction.
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

New Android ransomware is using third-party stores (what else?) to propagate, mainly to Russian-speaking users. It asks for 500 rubles (~5 EUR), then keeps the screen locked forever.
https://www.bleepingcomputer.com/news/security/new-android-ransomware-evades-all-mobile-antivirus-solutions/

Palo Alto Networks analyzed the Trochilus and MoonWind RAT campaign targeting Thai organisations with a keylogger. The two different RATs share part of the same infrastructure.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations

ESET published a detailed analysis of Turla's second-stage payload, the Carbon backdoor. Nice config file and serious public key encryption in use with the C&C servers.
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

A phishing campaign is targeting owners of GitHub repositories with the Dimnie malware, which is able to log keystrokes and take screenshots.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

Analysis of the GhostAdmin 2.0 RAT: keylogger, screen capture, IRC-based C&C, audio recording.
https://www.cylance.com/content/cylance/en_us/blog/threat-spotlight-ghostadmin.html

This has been published for some time, but is definitely worth reading. CIA tradecraft for malware writers: "Development Tradecraft DOs and DON'Ts".
https://wikileaks.org/ciav7p1/cms/page_14587109.html

Yeti is a threat intelligence platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats.
https://yeti-platform.github.io/

box-js is a utility to analyze malicious JavaScript. It runs on Node and creates text reports.
https://github.com/CapacitorSet/box-js

CERT Société Générale published FAME, an open source malware analysis platform meant to facilitate the analysis of malware-related files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
https://certsocietegenerale.github.io/fame/
