Silobreaker Daily Cyber Digest – 24 March 2016

Operation C-Major [1]

Trend Micro have discovered a data theft campaign targeting Indian military personnel, for which Pakistani actors may be responsible. Trend Micro found that the attack, dubbed Operation C-Major, began with carefully crafted phishing emails aimed at high-ranking military personnel. The emails contain a malicious PDF document which, when opened, drops a trojan that connects to a C&C server. The trojan proved to be fairly unsophisticated and easy to analyse: it can log keystrokes, record audio, and steal files and passwords. The C&C server was found to have several open directories which researchers were able to examine. They contained over 16 gigabytes of data, including passport scans, sensitive army documents and personal photos.

There is an interesting trail of evidence that ties this campaign to Pakistani actors. Some of the older C&C infrastructure has been used to host an Android spyware app configured to target Indian army personnel, while one C&C IP address is definitively hosted in Pakistan. Interestingly, a user ID tied to Pakistan has also submitted the Operation C-Major trojan to VirusTotal numerous times, probably with the intention of checking its detection rates.

The full report is available here [2].

USB Thief [3]

ESET have found a unique USB-based trojan that they have nicknamed 'USB Thief'. In contrast to more generic forms of data-stealing malware, USB Thief executes by inserting itself into the command chain of portable versions of applications such as Firefox and Notepad++. When these apps are launched from the USB, the malware also runs invisibly in the background. Several of USB Thief's files are AES-128 encrypted and use the individual USB device's ID and disk properties as components of the encryption key. This suggests that the malware is intended to run only from a particular USB device and to be neither copied nor installed directly onto its target. Because the trojan runs from the USB for the duration of its operation, it leaves little to no trace on exploited systems.

In a classic example of media hyperbole, this trojan is often described as being 'designed to target air-gapped systems'. Although USB Thief runs and stores data on the USB itself (meaning that it does not need to communicate with a C&C server), so does a simple USB keylogger. The nature of the encrypted payload does imply, however, that USB Thief is intended to harvest data from specific targets.

OpBrussels [4]

Perhaps unsurprisingly, Anonymous have reacted to the recent terrorist attacks in Brussels by launching a hacking operation targeting supporters of the Islamic State terrorist group (IS). OpBrussels was announced via a video message posted and distributed across social media. The group pledged to shut down IS Twitter accounts, hack their websites and steal their bitcoins, all in the defence of freedom and liberty. The group vowed to 'track down and punish' IS supporters wherever they hide, stating that attacks on freedom cannot go unpunished. Anonymous have started similar campaigns in the past in response to major terrorist incidents, launching OpParis [5] after the November terrorist attacks in France, an operation they claim to be their biggest ever.

Maktub Ransomware [6]

Security researchers at Dutch company Fox-IT have encountered a previously unreported ransomware called Maktub Locker. The ransomware is distributed as an executable file with a .SCR extension attached to emails. If downloaded, the file presents users with a fake Windows Terms & Conditions update which, when opened, launches the ransomware. Maktub operates in the traditional manner, encrypting files and demanding payment for the decryption key. Although the technical workings of the software are still being analysed, it is known that Maktub Locker does not use a static extension for encrypted files, but rather assigns a random extension for each victim.

Ransom demands start at 1.4 bitcoins ($588), and then increase up to 3.9 bitcoins ($1640) as time passes.

Whilst the origins of the malware are currently unknown, Maktub is an Arabic phrase meaning 'it is written', which suggests the authors may have Arabic roots or connections. Security researchers noted that at present there is no online tool capable of decrypting infected files, meaning the best protection against this emerging threat is conscientious system back-ups and a cautious approach when downloading or opening emailed attachments.

The Silobreaker Team

[1] https://my.silobreaker.com/view360old.aspx?item=11_984829109
[2] http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf
[3] https://my.silobreaker.com/view360old.aspx?item=11_985405408
[4] https://my.silobreaker.com/view360old.aspx?item=11_985249264
[5] https://my.silobreaker.com/view360old.aspx?item=11_929019930
[6] https://my.silobreaker.com/view360old.aspx?item=11_984928880
