Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign. Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly discovered strain of malware called "Grabit".

"Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March," Noar says in a notice. "As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe."

"Grabit threat actors did not use any sophisticated evasions or manoeuvres in their dynamic activity."

Attackers did not commit much effort to conceal their command and control servers, nor to hide from the local system. Noar discovered the locations of the servers by simply opening the malicious Grabit phishing document file in an editor.

"During our research, dynamic analysis showed that the malicious software's 'call home' functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry manoeuvres that would hide them from Windows Explorer," he says.

The criminals could choose their favourite remote access trojan, including DarkComet and the less complex HawkEye keylogger.

Grabit should serve as a wake-up call to admins in charge of protecting small businesses that coordinated attack campaigns are not confined to large enterprises and high-profile organisations.

Source
Hackers are targeting a number of European businesses and organisations with a spear phishing campaign with the colourful codename Operation Woolen Goldfish.

Trend Micro researchers reported uncovering the campaign in an "Operation Woolen-Goldfish: When Kittens Go Phishing" white paper, warning the attacks are likely a follow-up to the "Rocket Kitten" campaign discovered in December 2014.

"In February 2015, the Trend Micro Smart Protection Network received an alert from Europe that triggered several targeted attack indicators related to a specific malware family, prompting our threat defence experts to investigate further," read the report. "The alert showed an infected Microsoft Excel file that soon proved to have been launched by Rocket Kitten."

Rocket Kitten was an attack campaign that targeted victims with basic spear phishing messages designed to entice them to open malicious Office files loaded with a rare "Ghole" malware. Trend Micro said the follow-up Woolen Goldfish campaign is far more sophisticated.

"By the end of 2014 we saw significant changes in the attack behavior of the Rocket Kitten group in terms of spear-phishing campaigns and malware infection schemes," read the paper.

The firm highlighted a Woolen Goldfish attack targeting an Israeli engineer as proof of the group's evolution.

"The attackers used a OneDrive link in their campaign. OneDrive is a free online cloud storage system from Microsoft that comes with several gigabytes of data storage capacity," explained the report. "The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection."

"Once executed, the file drops a non-malicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger."

Trend Micro said the CWoolger keylogger malware appears to have been developed by a hacker operating under the "Wool3n.H4t" pseudonym. Wool3n.H4t is believed to have taken part in past Rocket Kitten attacks.

"Consistent with the other malware used by the threat actors involved in Operation Woolen Goldfish, the command and control reference is hard-coded as an IP address in the binary," read the paper. "A domain name was not used. Moreover, it lands on the system with a name which is very similar to some Ghole malware variants [used by Rocket Kitten]."

The paper highlighted the malware as proof the Rocket Kitten hackers are developing new attack tools and could become an even bigger threat in the very near future.

Rocket Kitten is one of many targeted attack groups currently active. On 12 March, researchers at Kaspersky reported finding evidence the Equation group has been developing and mounting sophisticated attacks since at least 2003.

Source
DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure

Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath-the-radar malvertising-based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign and, perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.

Actual URL:
hxxp://ad.doubleclick.net/N479/adi/abt.education/education_biology;p=1;svc=;site=biology;t=0;bt=9;bts=0;pc=4;oe=iso-8859-1;auc=1;fd=2;fs=1;sp2=0;go=9;a=;kw=;chan=education;syn=about;tile=1;r=1;dcopt=ist;sz=728x90;u=DBIIS70bOkWAXwch41309;dc_ref=http:/biology.about.com/library/glossary/bldefmenlawia.htm;ord=1DBIIS70bOkWAXwch41309

Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1.com – 18.104.22.168; 22.214.171.124 (cpmservice1.com is also known to have responded to the same IP); 126.96.36.199; 188.8.131.52; 184.108.40.206
ad.onlineadserv.com – 220.127.116.11; 18.104.22.168
hxxp://22.214.171.124/ad.php?id=31984&cuid=55093&vf=240

IP reconnaissance:
126.96.36.199 – The following domains are also known to have responded to the same IP: rimwaserver.com; notslead.com; adwenia.com – Email: email@example.com (also known to have responded to 188.8.131.52 in the past, as well as digenmedia.com)

Based on BrightCloud's database, not only is adservinghost1.com already flagged as malicious, but we're also aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec) is known to have phoned back to the same IP as the actual domain, hxxp://184.108.40.206/cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular.

Here comes the interesting part. Apparently, the name servers of adservinghost1.com are currently responding to the same IPs as the name servers of the Epom ad platform.

NS1.ADSERVINGHOST1.COM – 220.127.116.11
NS2.ADSERVINGHOST1.COM – 18.104.22.168

The following domains are also currently responding to 22.214.171.124, further confirming the connection:
ns1.epom.com
ads.epom.com
api.epom.com
directads.epom.com
ns1.adshost1.com
ns1.adshost2.com
ns1.adshost3.com

The following domains are also responding to the same IP as the Epom.com domain at 126.96.36.199:
automob.com
autos.net.ua
epom.com
formanka-masova.cz
ipfire.com – Email: firstname.lastname@example.org; Email: email@example.com
smartkevin.com

We'll be keeping an eye on this beneath-the-radar malvertising infrastructure and post updates as soon as new developments emerge.

Via: DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure, Webroot Threat Blog