Infoblox Explores Q3 Malware
November 24, 2020
Aims to soften blows dealt by threat actors
Channelnomics Staff
This is part 2 of a 2-part series.
The global cybersecurity market is expected to expand at a compound annual growth rate (CAGR) of 10% in the next seven years, according to Grand View Research.
In efforts to bring cyberthreats to light and help organizations ward them off, Infoblox has begun publishing a quarterly Cyberthreat Intelligence report. The vendor’s inaugural report covered the third calendar quarter of 2020.
In this blog, part 2 of a 2-parter, we’ll look at some data that Infoblox has shared about 10 malware campaigns that ran from August to September.
Qakbot Infostealer
This past summer, on Aug. 3, security researcher Brad Duncan reported a malspam campaign using compressed Visual Basic Script (VBScript) files to deliver the Qakbot (or Qbot) infostealer. Qakbot, which can steal a victim’s banking information, credentials, and files, includes worm capabilities that allow it to spread itself to multiple systems on a single network and rootkit capabilities that help hide its presence and allow it to establish itself on infected clients.
MassLogger Infostealer Malspam Campaign
On Aug. 11, Infoblox observed malspam e-mail campaigns distributing malware known as MassLogger, an infostealer reportedly first observed in April 2020. Written using .NET, a programming framework developed by Microsoft, MassLogger can log keystrokes and clipboard data, take screenshots, and steal credentials from browsers including Chrome and Firefox; communications platforms such as Discord and Telegram; FTP app FileZilla; NordVPN, a VPN service provider; Outlook; Thunderbird, an e-mail app; and more.
Metamorfo Banking Trojan
On Aug. 18, cybersecurity researchers at Menlo Security reported an ongoing malware campaign using HTML smuggling techniques to deliver a banking trojan called Metamorfo, which attempts to steal sensitive financial information and exfiltrate it to a C&C server. What sets Metamorfo apart from other banking trojans is the wide variety of evasive techniques it employs to bypass security mechanisms and deliver its payload without being detected.
Cyberthreat Advisory — HIDDEN COBRA
BLINDINGCAN RAT Variants
On Aug. 19, the Department of Homeland Security (DHS), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report on malware variants, dubbed BLINDINGCAN, used by the North Korean government. Malicious cyberactivities associated with the North Korean government are commonly referred to as HIDDEN COBRA, and BLINDINGCAN refers to a series of RAT variants currently used by those threat actors to maintain persistent access inside a victim’s infrastructure. The target for this campaign includes government contractors that deal with key military and energy technologies. The threat actors used active job postings from contractors as lures to deliver one of the malware variants to the victim.
njRAT Malspam Campaign
On Aug. 24, a malspam e-mail campaign distributed njRAT, a remote access trojan (RAT) and infostealer first observed in January 2013. Also known as Bladabindi and Njw0rm, njRAT can maintain persistence and operate undetected on victims’ machines while transmitting sensitive information back to its command and control (C&C) infrastructure over a period of days or weeks. In a campaign reported by Infoblox in May 2019, njRAT also delivered the Agent Tesla keylogger as part of its attack chain.
Cyberthreat Advisory — HIDDEN COBRA
BeagleBoyz and FASTCash 2.0
The Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory based on analytic efforts with the Department of the Treasury, the FBI, U.S. Cyber Command (USCYBERCOM), and government partners on Aug. 26. The report describes tools and techniques used by an element of the North Korean government to carry out attacks against automated teller machines, or ATMs. The U.S. government refers to those efforts as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.” The United Nations considers the BeagleBoyz’s activity a means to circumvent its resolutions and generate funds to support prohibited nuclear weapons and ballistic missile programs. The BeagleBoyz group is part of North Korea’s Reconnaissance General Bureau and has been carrying out FASTCash campaigns against banks’ retail payment infrastructure since 2016.
Raccoon InfoStealer Malspam Campaign
On Sept. 1, Infoblox observed malspam e-mail campaigns distributing Raccoon, aka Racealer, an infostealer sold as malware-as-a-service (MaaS), meaning buyers receive software updates and support from the sellers. The Raccoon infostealer, first observed in April 2019, can steal credit cards, cryptocurrency wallets, passwords, and usernames. Its features are relatively basic, but it is cheap and effective: threat actors reportedly can purchase Raccoon on online forums for $75, a lower-than-average price for similar types of malware.
Cyberthreat Advisory — APT39 Malicious Activity and Tools
On Sept. 17, the FBI published a new FLASH alert in coordination with the DHS and the Treasury Department. The report describes multiple types of malware that the Iranian Rana Intelligence Computing Company (aka APT39), a front operation for Iran’s Ministry of Intelligence and Security (MOIS), has used in its global operations. In the report, the FBI included descriptions of how the various types of malware operate and a set of YARA rules for each type. The FBI also published a representative set of malware samples to VirusTotal for public analysis. According to the FBI, Rana has targeted hundreds of individuals and entities in more than 30 countries across Africa, Asia, Europe and North America. It has previously targeted foreign citizens, foreign governments, and organizations mostly in the academic, hospitality, telecommunications, and travel industries. In Iran, Rana has targeted academic institutions, companies, dissidents, and other individuals.
WeTransfer—Malicious Spam Campaign Delivers Static Phishing
On Sept. 20, Infoblox observed a malspam campaign delivering a malicious HTML file capable of phishing for credentials. Threat actors used generic lures in e-mails, but the HTML file specifically targeted file-sharing service WeTransfer. The malicious HTML file used in the campaign isn’t related to any malware family that Infoblox knows of.
Glupteba Backdoor Trojan
From Sept. 20 to 26, Infoblox detected communications between malicious Glupteba bots and C&C servers in customer DNS traffic. This activity was identified by Infoblox’s Threat Insight security solution, which employs machine-learning models to detect and block certain types of malicious behavior – in this case, data exfiltration.
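As an added illustration (not Infoblox’s code or its Threat Insight model), here is a minimal heuristic for the kind of DNS-based exfiltration the passage describes: it flags a client that sends many long, high-entropy leftmost labels to a single zone. The log lines are constructed, and the zone name is a placeholder.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log lines: "<client_ip> <queried_name>".
# The ".invalid" zone is a reserved placeholder, not a real indicator.
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 4d2a9f1c8e7b3a6d5f0e2c1b9a8d7e6f.c2-placeholder.invalid
10.0.0.7 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.c2-placeholder.invalid
10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.invalid
10.0.0.7 f1e2d3c4b5a6978877665544332211ab.c2-placeholder.invalid
10.0.0.9 cdn.example.net
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (max 4.0 for hex)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_zone(name: str) -> str:
    """Crude zone = last two labels; a real tool would use a public-suffix list."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse_queries(text: str):
    """Yield (client, name) pairs from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            client, name = line.split(maxsplit=1)
            yield client, name.lower()

def find_exfil_suspects(text, min_label_len=24, min_entropy=3.0, min_queries=3):
    """Return {(client, zone): count} for zones receiving repeated long,
    high-entropy leftmost labels from one client: the shape of data
    encoded into DNS queries. Ordinary hostnames never meet the length bar."""
    hits = defaultdict(int)
    for client, name in parse_queries(text):
        first = name.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[(client, registrable_zone(name))] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}
```

Thresholds are illustrative; in production they are tuned per zone and combined with volume and timing features, which is where a model such as the one described above earns its keep.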