MIRCOP [1] ransomware - Trend Micro have discovered a new strain of ransomware called MIRCOP that bucks the usual extortion trend by accusing infected users of robbing a member of Anonymous and threatening retribution if the ransom is not paid. The ransomware is spread by spam mail and is dropped by a Word document that masquerades as a Thai customs form. It includes a built-in data-stealing routine and prepends ‘Lock’ to encrypted files instead of using an extension. MIRCOP is also unusual in terms of how much it asks for: 48.48 BTC, or nearly $32,000. More information here [2].

Retefe [3] targeting UK - The Retefe banking trojan is targeting UK customers with emails containing malicious JavaScript files. Double-clicking the attached file installs a malicious certificate and changes the proxy auto-config to a TOR site, which will run as long as a UK IP address is found. The malicious Comodo certificate allows attackers to create trusted (fake) versions of legitimate banking sites and intercept credentials as they are entered. Banks targeted by this trojan include Barclays, NatWest, HSBC and Santander. More information here [4].

BART ransomware - The now resurrected Necurs botnet [5] has been serving email spam containing a new strain of ransomware named ‘Bart’ after the extension it appends to encrypted files. Bart is similar to Locky in terms of its infection methodology: emails come with a zip archive containing a JavaScript file, which downloads intermediate malware called RockLoader that in turn drops the ransomware. Bart is distinct from Locky in that it can run offline, without the need to communicate with a C2 server. The ransom payment is high at 3 BTC.

Marcher’s [6] increased target list - PhishLabs has analysed the Marcher banking trojan throughout June and noted that the number of organisations targeted by the malware has increased significantly. Marcher steals credentials via a screen overlay that replicates the intended banking website and targets 62 banks, 3 mail applications and a payment provider (PayPal). The majority of these banks are based in Germany and France, while those in Austria, Turkey, Australia and the UK are unenviable runners-up. More information here [7].

NASCAR team ransomed - NASCAR’s Circle Sport – Leavine Family Racing team (CSLFR) was hit with TrueCrypt ransomware [8] and paid the price to get their data back. According to crew chief Dave Winston, the team’s test computer was locked just before a major race, necessitating the payout.

Fansmitter [9] malware - Researchers at Ben-Gurion University have created malware that can exfiltrate data by manipulating fan speeds to send varying acoustic tones to a receiver such as a mobile phone. A similar technique has been used to extract data via a machine’s speakers, although speakers, unlike a fan, can easily be removed. While not particularly practical and quite unsuited to transferring large amounts of information, this so-called Fansmitter malware could be used to extract keys or passwords from air-gapped networks. More information here [10].

Google boss suffers social media hack - OurMine hackers [11] have targeted another tech executive, this time Google’s CEO Sundar Pichai. Pichai’s Quora account, also linked to his Twitter account, was hacked today, with OurMine posting messages that went out to Pichai’s half a million Twitter followers. OurMine reportedly gained access to Pichai’s account by exploiting a security issue in Quora’s platform that they had previously warned the company about. The three-man OurMine team recently gained notoriety for hacking high-profile social media accounts including those of Mark Zuckerberg, Spotify CEO Daniel Ek and former Twitter CEOs Dick Costolo and Ev Williams, among others. They have branded themselves a ‘security group’, hacking to promote security and offering their services to upgrade security.

IRS kills e-filing PINs due to cyberattacks - The IRS has expedited its decision to discontinue the use of e-filing PINs following new cyberattacks. The electronic filing personal identification numbers, used to authenticate tax returns filed online, are no longer available on the IRS.gov website or over the phone. A breach in February resulted in over 100,000 e-File PINs being accessed using stolen taxpayer information obtained from third-party websites. The PIN tool was retained at the time since most commercial tax software products use it, but additional defences were added inside the IRS processing systems for protection. Recently the IRS again observed automated attacks taking place at an increasing frequency, though seemingly affecting only a small number of e-File PINs. As a result of these recent attacks, the decision was made to remove the tool as a safety measure.

New ransomware targets Office 365 users in Australia - Check Point reports that many Australian Office 365 users are at risk of malware attacks sent via email. The emails are sent via Outlook and contain an invoice in the form of an Office document which, when opened, prompts users to enable a previous version of the software to view the content. The ransomware is click-activated, encrypting all files and demanding a ransom payment in Australian dollars in order to unlock the files.

Hackers hit medical practice - Allergy Asthma & Immunology of the Rockies has learned that its computer system was hacked on May 16th after an unfamiliar directory account was discovered. Hackers bypassed the firewall and began testing ransomware on the system. The system was shut down, new hard drives installed and the firewall configuration updated as soon as the hack was discovered. The practice began notifying potentially affected individuals on June 17th, sending out letters outlining steps patients should take to mitigate potential impact. There is no evidence that any confidential patient information was compromised, but the practice will nonetheless be offering patients a one-year identity theft protection program as a precautionary measure.

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
[1] https://my.silobreaker.com/view360.aspx?item=11_1031099859#?q=Keyphrase:%22MIRCOP%20Ransomware%22&rd=true
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/
[3] https://my.silobreaker.com/view360.aspx?item=11_764809469#?q=Keyphrase:%22Retefe%22&rd=true
[4] https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers
[5] https://my.silobreaker.com/view360.aspx?item=11_970660529#?q=Keyphrase:%22Necurs%20Botnet%22&rd=true
[6] https://my.silobreaker.com/view360.aspx?item=11_941780974#?q=Keyphrase:%22Marcher%20Trojan%22&rd=true
[7] https://info.phishlabs.com/blog/marcher-android-malware-increases-its-geographic-reach
[8] https://my.silobreaker.com/view360.aspx?item=11_1003445932#?q=Keyphrase:%22TrueCrypt%20Ransomware%22&rd=true
[9] https://my.silobreaker.com/view360.aspx?item=11_1029980744#?q=Keyphrase:%22Fansmitter%20Malware%22&rd=true
[10] https://arxiv.org/ftp/arxiv/papers/1606/1606.05915.pdf
[11] https://my.silobreaker.com/view360.aspx?item=11_889029636#?q=Organization:%22OurMine%20Team%22&rd=true