
          

What's new in the Stantinko botnet

It is an adware campaign that now also profits directly from the machines it takes control of.
          

Stantinko botnet’s monetization strategy shifts to cryptomining


The versatile Stantinko botnet that’s been targeting former Soviet nations since at least 2012 has added a Monero cryptomining module to its arsenal. Stantinko historically has perpetrated click fraud, ad injections, social network fraud and brute-force password stealing attacks, primarily targeting Russia, Ukraine, Belarus and Kazakhstan. But this latest module, discovered by researchers at ESET,…

The post Stantinko botnet’s monetization strategy shifts to cryptomining appeared first on SC Media.


          

Malware Analyst - Task Order 33 - NSSPlus - Arlington, VA

Knowledge of worms, viruses, Trojans, rootkits, and botnets and their associated TTPs. Malware Analyst – Task Order 33 – Cyber Security Operations Support.
From NSSPlus - Tue, 13 Aug 2019 22:17:21 GMT - View all Arlington, VA jobs
          

Gigantic mining botnet unmasked

Comprises 500,000 infected machines used to mine cryptocoins without their owners' knowledge.

The group behind "Stantinko" had already attracted attention with one of the largest botnets in the world, used for credential theft, fraud and ad manipulation. Researchers at the security company ESET have now discovered a new business model for the botnet's operators: cryptomining on more than 500,000 computers. To stay undetected, they camouflage the malicious program on the infected machines. If the user opens the Task Manager, or if the device switches to battery power, the Stantinko coinminer shuts itself down and stays out of sight.

To conceal its communication, the malicious program uses proxies whose IP addresses are derived from the description text of YouTube videos. The technique works well because visits to the video platform are unremarkable in network traffic. YouTube was informed and deleted the videos.

Not surprisingly, the criminals behind Stantinko are looking for new ways to increase the botnet's profits. Cryptomining is more profitable and harder to trace than their old core adware business, and with more than half a million infected computers it will bring in lucrative revenue. The new scheme has one drawback: mining cryptocurrency consumes enormous system resources, making even opening a browser a test of patience. That is why the criminals go to such lengths to disguise the miner from ordinary users. Where the earlier advertising was merely intrusive, the new scheme interferes with even the simplest work.

 


          

The Stantinko botnet installs a cryptocurrency-mining module on victims' machines

Source: Prim hírek | 2019.11.29.

ESET researchers recently discovered that the cybercriminals behind the Stantinko botnet, which has infected half a million computers, are installing a Monero cryptocurrency-mining module on the machines they control.

The operators of the Stantinko botnet, who remotely control roughly half a million computers and have been active since at least 2012, primarily target users in Russia, Ukraine, Belarus and Kazakhstan…

          

New functionality in the Stantinko botnet: cryptocurrency mining

The Stantinko botnet (a massive adware campaign that began in 2012) has expanded its functionality with a new way of making money from the machines it takes control of. The botnet already comprises approximately half a million machines, which are known to have been active since at least […]
          

Black Friday & cyberattacks: clothing retail sites particularly targeted, according to Kaspersky

Kaspersky researchers recently observed networks of infected computers (botnets) running malware designed to intercept users' login data on major e-commerce sites. In some cases, that login data also included bank card numbers attached to the user's profile.
          

Black Friday Alert: financial botnets primarily targeting e-commerce apparel sites

In the run-up to the Black Friday sales period, cybercriminals are targeting customers of apparel e-commerce websites, including fashion, shoes, gifts, toys and jewelry. Consumers looking for deals in these areas during the coming weeks are advised to be careful when making online...
          

How cybercriminals attack e-commerce customers during sales periods

During the Black Friday and winter-holiday sales period, cybercriminals target customers of e-commerce sites, especially those selling clothing, footwear, gifts, toys and jewellery. Users looking for deals in these areas in the coming weeks are advised to be careful when shopping online, say Kaspersky Lab. Botnets are networks of malware-infected computers; here they are used to intercept users' login credentials in order, ultimately, to obtain bank card details.
          

A botnet forces the machines it attacks to mine cryptocurrency

Stantinko has been infecting machines for seven years and can install practically any program on them.
          


A huge botnet mined cryptocurrency with help from YouTube

According to an announcement by the cybersecurity company ESET, the botnet named Stantinko has been added to their cryptojacking list, because it had its victims' machines mine the cryptocurrency Monero and used YouTube as part of its infrastructure. According to the report, YouTube channels were used to …
          

Threat Roundup for November 15 to November 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
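The roundup publishes its indicators defanged (`[.]` in place of dots, occasionally a `/31` range in the IP lists), and the reminder above that one IOC does not establish maliciousness is worth encoding in the matching logic rather than leaving to the analyst. The Python below is an added example, not Talos tooling: it refangs a constructed subset of the domain and IP indicators listed later in this post, matches them against constructed key=value DNS and connection log lines, and only queues hosts that hit at least two distinct indicators. The log format, host names and events are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the indicators printed in this roundup, kept in the defanged
# form the post uses ("[.]" for dots); the /31 entry comes from the Vobfus IP list.
DEFANGED_IOCS = [
    "sqmgdts[.]net",
    "jiwlzenl[.]com",
    "w[.]topfealine[.]com",
    "ns1[.]anytime2[.]net",
    "209[.]85[.]144[.]100",
    "207[.]244[.]67[.]214/31",
]

# Constructed DNS/connection events in a simple key=value format (not real telemetry).
SAMPLE_LOG = [
    "2019-11-20T10:01:02Z host=ws-17 type=dns query=sqmgdts.net.",
    "2019-11-20T10:01:03Z host=ws-17 type=dns query=JIWLZENL.COM",
    "2019-11-20T10:01:09Z host=ws-17 type=conn dst=209.85.144.100:443",
    "2019-11-20T10:02:41Z host=ws-04 type=dns query=mail.example.org",
    "2019-11-20T10:03:15Z host=ws-04 type=conn dst=207.244.67.215:80",
    "2019-11-20T10:04:00Z host=ws-09 type=dns query=w.topfealine.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc):
    """Undo the defanging conventions used in published IOC lists."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("hxxp", "http")):
        s = s.replace(broken, fixed)
    return s


def load_iocs(defanged):
    """Split indicators into a set of domains and a list of IP networks (/32 for single hosts)."""
    domains, networks = set(), []
    for raw in defanged:
        value = refang(raw)
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, networks


def domain_matches(query, domains):
    """Exact match or a subdomain of a listed domain (so a.b.evil.tld hits evil.tld)."""
    q = query.lower().rstrip(".")
    return q in domains or any(q.endswith("." + d) for d in domains)


def match_events(lines, domains, networks):
    """Return {host: set of matched indicators} over the given key=value log lines."""
    hits = defaultdict(set)
    for line in lines:
        ev = dict(KV_RE.findall(line))
        host = ev.get("host", "unknown")
        query = ev.get("query")
        if query and domain_matches(query, domains):
            hits[host].add(query.lower().rstrip("."))
        dst = ev.get("dst")
        if dst:
            addr_text = dst.rsplit(":", 1)[0]      # assumes IPv4 "addr:port"
            try:
                addr = ipaddress.ip_address(addr_text)
            except ValueError:
                continue
            hits[host].update(str(net) for net in networks if addr in net)
    return hits


def triage(hits, threshold=2):
    """Hosts with at least `threshold` distinct indicators, most hits first.

    A single hit is only a lead: the roundup itself notes that one IOC does not
    establish maliciousness, so the threshold keeps single-hit hosts out of the queue.
    """
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, sorted(iocs)) for host, iocs in ranked if len(iocs) >= threshold]


if __name__ == "__main__":
    doms, nets = load_iocs(DEFANGED_IOCS)
    for host, iocs in triage(match_events(SAMPLE_LOG, doms, nets)):
        print(host, iocs)
```

With the sample data only ws-17 reaches the queue; ws-04 (one address inside the /31) and ws-09 (one Bunitu domain) stay as leads for the analyst to look at with more context.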
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Downloader.Nymaim-7391562-0 | Downloader | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which to fetch additional payloads.
Win.Trojan.Bunitu-7394346-0 | Trojan | Bunitu is malware that establishes a persistent foothold on an infected machine and then turns it into a proxy for criminal VPN services.
Win.Malware.Trickbot-7394707-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Worm.Vobfus-7395002-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C2 server.
Win.Malware.DarkComet-7395004-1 | Malware | DarkComet and related variants are a family of RATs designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Ransomware.Cerber-7395321-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns this is no longer the case.
Win.Dropper.Remcos-7395733-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Tofsee-7402230-0 | Dropper | Tofsee is multipurpose malware that features several modules used to carry out malicious activities, such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.

Threat Breakdown

Win.Downloader.Nymaim-7391562-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK [Value Name: mbijg] 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL [Value Name: efp] 25
Mutexes Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{0F53A50D-AEA8-402A-580B-3C32A490301E} 25
Local\{42FDAA48-39A4-4464-9CC4-6F1A48111B12} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
sqmgdts[.]net 25
wneeuc[.]in 25
jiwlzenl[.]com 25
zgzaztmi[.]com 25
amkqrprvei[.]com 25
srbhfbemi[.]pw 25
yoekgdnoyej[.]in 25
scwafgfxlr[.]net 25
grnorxacnw[.]com 25
futzruakw[.]pw 25
dhcfsfxgb[.]net 25
lmgsmlhidh[.]net 25
fpmuefeozs[.]in 25
wjpbf[.]net 25
yfuoixdwjxpy[.]pw 25
sqwpuwoq[.]net 25
wqjlwcnqbe[.]com 25
tjjqmo[.]net 25
bsztb[.]in 25
gmznk[.]com 25
cejwtluei[.]com 25
rejfedtcd[.]net 25
uktldpj[.]com 25
aanpolaayjm[.]net 25
rdipde[.]com 25
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25
%TEMP%\fro.dfx 24
%TEMP%\npsosm.pan 24
\Documents and Settings\All Users\pxs\dvf.evp 24
\Documents and Settings\All Users\pxs\pil.ohu 24

File Hashes

009c5d8c565ffc008a15040f7c1ce30a65321089606ad3e6e711e715e65ed5d3 043fd8c728078e4cc3402b65d216e224a482532faaa18dff9ce7baea068666a6 0c6cf23450cb8d2f982780d0b63b32f84c4cef5ed035b336198cfab945d7222f 0e2c7c4988f5d6b83aa46bfaec967e409310588fb31d41aaf752cd0cd1f61e07 159157544afea2dae4868b345f3ace9dbb3946dcdb051afda1f9d3de43b84b5b 27992098e220360f3a5896812a077ba611dce6936c7d8a93a8851b9498534483 2f625f48f37cc6d9ad56bf49690f578d345ca7938750614fce45a6db3ea94ee2 3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4 3dccca8f309ddb9675ef1099afa48c99259af991603ffe82a83ad9516b5742f3 5c3ad5d944eb5911e73ced27779e8ecb6a555c64ace076998018e313c058c128 630b0e5f46a932762b7e569f0785e163db04a5e482a1b2c2469343439cd5f004 689c22dc80615221d5c64720f599a33eaa093e27aabcd89191fa446d5dcc8463 75d8010dab02726e712f1ba1cba34ae48d3aabf897c22caf258a552282c7cfa3 776186df1d180131e8272e9bed1901a10156c3f12adacd904b8023fe5f164b22 8837d607c0bf29f0855967de0cb3ac6e36c6418786e693dbcb92cce0addef532 8ad6d601b0d1e03dda4b01708e40fcbcc66e610c2b848f1662b26d70aa358cf6 8b75cc8eeff51a02702262472039bda60c892e0beba4f76d5b3262f1c1482081 8cb66655a63b931fd20483d5b347756980e2a5f1d70a66fb84819b1a10c82722 9c79e22684603ef09d8939a72827d9e39478e2583740f55d4a5f676a4d1cd30c a02dc770b986b1360c6534907f5c9ad368f7810da498a6df1e2bedd665db75ef a0977a0743fd97773d06407074172e2e763d5306310075b301833454204fecce a2eef697284f59a4306ad79669dcb9c1e095595cbf52a73a6775e90a34c790c4 a94e7042aea0920a02775452ec9f05ab07b7ae60a7c9466a2ce8eb8b5e40b428 aaa24779cd52e2685d6646ac379a1c102b8811f1d969e16c2d6b358d00a147ec ad3f4bd490dd4134e099d505123e528f858463a7e17989c258516c7d24ac3836
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP



Win.Trojan.Bunitu-7394346-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST [Value Name: C:\Windows\system32\rundll32.exe] 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI [Value Name: Impersonate] 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI [Value Name: Asynchronous] 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI [Value Name: MaxWait] 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI [Value Name: DllName] 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI [Value Name: Startup] 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: daoemni] 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI [Value Name: Impersonate] 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI [Value Name: Asynchronous] 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI [Value Name: MaxWait] 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI [Value Name: DllName] 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI [Value Name: Startup] 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: daomni] 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG [Value Name: Impersonate] 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG [Value Name: Asynchronous] 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG [Value Name: MaxWait] 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG [Value Name: DllName] 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG [Value Name: Startup] 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: omnilg] 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: syncfx] 1
Mutexes Occurrences
qazwsxedc 26
A9ZLO3DAFRVH1WAE 25
I106865886KMTX 25
IGBIASAARMOAIZ 25
J8OSEXAZLIYSQ8J 25
LXCV0IMGIXS0RTA1 25
TXA19EQZP13A6JTR 25
VSHBZL6SWAG0C 25
A9MTX7ERFAMKLQ 25
3G1S91V5ZA5fB56W 1
8AZB70HDFK0WOZIZ 1
NHO9AZB7HDK0WAZMM 1
PJOQT7WD1SAOM 1
PSHZ73VLLOAFB 1
VHO9AZB7HDK0WAZMM 1
VRK1AlIXBJDA5U3A 1
<random, matching '[A-Z0-9]{14}'> 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
209[.]85[.]144[.]100 25
172[.]217[.]7[.]206 21
66[.]199[.]229[.]251 21
62[.]75[.]222[.]235 21
95[.]211[.]230[.]86 16
5[.]104[.]230[.]200 5
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
w[.]topfealine[.]com 20
l[.]topfealine[.]com 14
w[.]netzsoflow[.]net 5
n[.]netzsoflow[.]net 5
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 19
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 19
%LOCALAPPDATA%\daoemni.dll 11
%LOCALAPPDATA%\daomni.dll 9
%HOMEPATH%\Local Settings\Application Data\daoemni.dll 9
%HOMEPATH%\Local Settings\Application Data\daomni.dll 7
%LOCALAPPDATA%\omnilg.dll 5
%HOMEPATH%\Local Settings\Application Data\omnilg.dll 5

File Hashes

05fc7a5cbd0145db5324d216eca44799f3089ce93b9020b1e79a8ffd074373e9 155931a83c112e3b9ec9e53170bc01f00f627149abb4df90506ff9746420ac33 1e781bec2e81a7ea35b3170ba13b8c383a5b34333bfdf5fb8c8fc2da89c79b47 21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7 22becfbe5b71e26f87a6f3525a75af422f9c6903873911290bc20f8869bd0b83 281c088b7ad0f9ed61fbdd599ffb2fdcd934a02ad66fe16b1f40c0e668d203fa 2f2e4c912ae939c550ab3d3d9723d562ceff5cd8f120570bf2ca75975d5dada1 32ea5866bda9068d8c0f10f3c50225823254194f89f841483e6dbad2e8227315 35c4024898d064cea42eebd3efe714e031aeb7a5cd685ff8fc55176762a6c5cc 371abc331dd0d9f9ae078efd7b88a60795e6707f1833f3b31675a7e80b96843f 392a1507494a62ddd1ad5f6659487254930dbba1dbcc98b3d0f34a1ab1852128 3e27faf67ebc38dc381617546201dafb570bcabc12d1d85e2088da56262d80e9 40d378b966cecafc1ba06ddfcbfb644fd408f83792e40109cd810914825d6b06 45f55ec75fdc96afb4133334435b00ea598206c9f00094a8ac42bbc37ff64310 50ab0d77e4368f929287ef0fe486712cc615f9a9c3d74f7767a257d2a677e1ae 551411d65a597560b93c303fc3fd0bde366f4fd767a940a127bc35c0e188255f 56873d0e1082711b6e9f7c0dd230fd76963f5fe977002bba0fdd51d320d2480a 57260f19a6a615eba7325d454666b2a3cf05589e4ffd20eb34c67c4493b613d2 5b144acca2679ab8563e70e789ef0026b25dcc3e2f96e651a504ef35d7cfc1ae 6243725e2486608c0266f4b954487310e8b36f092e5172eacf967a37e12c49c1 6a836249f7f7cdaa5c796248b0684f0ca45bfa524148331b8de2e395d5b0b88a 8127c67786fa6bcf2ba3b891d1619f6b2589027d94d0f8b5f10a005a1dcc4df8 8b7e399b092922ae7972799f1d28d1f40bf2c463ec2ac90d332a816c1b307cbd 9b33901eb6a246891da01fba649a7ea058c10fc5865a6610b4627fa53d3c50cb 9db359f9c8d9e4960e5fb5475c4c873b386a522ef9340153966c841e594ea224
*See JSON for more IOCs
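Bunitu's persistence shows up in the IOCs above as a Winlogon\Notify subkey whose DllName points at a DLL under %LOCALAPPDATA%, a matching HKCU Run value, and a Windows Firewall exception for rundll32.exe, which fits the proxy role in the description (the host has to accept inbound connections). Winlogon notification packages are a pre-Vista mechanism, so on current Windows it is the Run value that actually persists; the Notify key is still a strong signal, since a Notify package whose DLL lives under a user profile has no legitimate reason to exist. The Python below is an added example, not Talos or Cisco code: it parses a constructed .reg export built from the key and value names in this list (the user name, the `Startup` export name and the exact rundll32 command line are assumptions) and flags all three artefacts while leaving a benign Run entry alone.

```python
import re

# Locations in a .reg export that Bunitu's IOCs touch; the regexes run on the key path.
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\\]]+)$", re.I)
RUN_RE = re.compile(r"\\currentversion\\run$", re.I)
FW_LIST_RE = re.compile(r"\\firewallpolicy\\\w+profile\\authorizedapplications\\list$", re.I)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\local settings\\", "\\programdata\\")

# Constructed export modelled on the IOC list: key paths and value names are the page's,
# the user name "alice", the Startup export and the Run command line are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\daoemni]
"DllName"="C:\\Users\\alice\\AppData\\Local\\daoemni.dll"
"Startup"="Startup"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"MaxWait"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"daoemni"="rundll32.exe \"C:\\Users\\alice\\AppData\\Local\\daoemni.dll\",Startup"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\system32\\rundll32.exe"="C:\\Windows\\system32\\rundll32.exe:*:Enabled:rundll32"
'''


def _unescape(s):
    """Reverse .reg string escaping: doubled backslashes and escaped quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; REG_SZ unescaped, dwords as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def is_untrusted(cmd):
    """True when a command line or path references a user-writable location."""
    return any(marker in cmd.lower() for marker in USER_WRITABLE)


def audit(keys):
    """Flag Notify packages, Run entries and firewall exceptions that look like Bunitu's."""
    findings = []
    for path, values in keys.items():
        notify = NOTIFY_RE.search(path)
        if notify:
            dll = str(values.get("DllName", ""))
            bare = "\\" not in dll                      # bare names resolve from System32
            if not bare and not dll.lower().startswith(TRUSTED_DIRS):
                findings.append(("winlogon_notify", notify.group(1), dll))
        elif RUN_RE.search(path):
            for name, cmd in values.items():
                if is_untrusted(str(cmd)):
                    findings.append(("run_key", name, str(cmd)))
        elif FW_LIST_RE.search(path):
            for app, rule in values.items():
                if app.lower().endswith("rundll32.exe") or is_untrusted(app):
                    findings.append(("firewall_exception", app, str(rule)))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:20} {name}: {detail}")
```

The firewall rule is flagged on the program name alone: an exception for rundll32.exe is an exception for whatever DLL is handed to it, which is exactly what the Run value exploits. The parser only handles REG_SZ and REG_DWORD, which is enough for these keys; a full export would also need hex(...) values.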

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Win.Malware.Trickbot-7394707-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 [Value Name: Blob] 3
Mutexes Occurrences
Global\316D1C7871E10 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
117[.]196[.]233[.]100 10
94[.]156[.]144[.]74 5
78[.]24[.]219[.]9 5
45[.]224[.]214[.]34 4
103[.]219[.]213[.]102 3
212[.]80[.]218[.]144 3
216[.]239[.]32[.]21 2
62[.]109[.]22[.]2 2
107[.]173[.]240[.]221 2
144[.]91[.]80[.]253 2
51[.]89[.]115[.]110 2
176[.]58[.]123[.]25 1
116[.]203[.]16[.]95 1
52[.]55[.]255[.]113 1
69[.]195[.]159[.]158 1
177[.]154[.]86[.]145 1
66[.]85[.]173[.]57 1
5[.]182[.]210[.]254 1
117[.]255[.]221[.]135 1
185[.]222[.]202[.]25 1
195[.]123[.]220[.]155 1
117[.]206[.]149[.]29 1
170[.]84[.]78[.]224 1
91[.]108[.]150[.]213 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ident[.]me 1
myexternalip[.]com 1
ip[.]anysrc[.]net 1
ipecho[.]net 1
checkip[.]amazonaws[.]com 1
wtfismyip[.]com 1
Files and or directories created Occurrences
%APPDATA%\cmdcache 26
%APPDATA%\cmdcache\счв.exe 26
%System32%\Tasks\Command cache application 26
%ProgramData%\счв.exe 26
%APPDATA%\cmdcache\data 26
%APPDATA%\cmdcache\settings.ini 26
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 25
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 25

File Hashes

031dba2decd40789db3851d1940275bab98d378ceb410eb661b463adf2410650 07553800c14fabbb3aca709a6d5d7af0b9936504fb3d1406825ba6034e22f97f 0d2da6104e039e429a4bb0f2a27744879a4551cbadb1e4a44de54343a6c0ac6c 218ba8f3d20fbab8eaa94aa7d3aa6ffe417d859bbf6bbd499c1e6211f0292a07 26616609c018bb2081c86a11b1567865a4ee63686eff17f4b7e88b6655ad93eb 2cd5c3baae45b92b8f39f808493a9805f94eed3847b94c853bfb160217225887 2da40b82795dff861dd4bf9025b4fd659e398d894df20ef399c1960fe92de323 334aafa1b9ac0f0d94f690a25ad5841e732de6c0609704e838e8c8ad8986a207 339c9866157b0f51d0fe6c644cd8b485672fdbf16ad5244ceaa7b4eab9d0fd56 33da9747569d5cfa3e42d8a98b8cb941829905cac809428de49e9d011372b3be 3476f50e527ab1558f8a12b20a6d0394045c98b7b352f9703499c54ac13b526a 38548798cfcc55fc8200d3f3482d9eb7eafc14feda2b88b22d143c4fec75a175 3d9bb460763687a31c360beb958abae1a5e10add4fad3b0a9e3fb70aa3803241 3e1762697fe5f1996a8cd224a97bfd47fc2578ac1950d5e177cc17edc4fa9094 4766ae5c1ffdbf142e5c7df792654f591c1ef4df1e7775484d458c2b8237312a 4793182f8a55a7d2df459ea2ef2ed27835bfe43648d78bbe540ecfe9185f4380 48f273faec8a9236fadadcd0b88cc416eab9c4c40b064742213c1e5ed24cc105 4b3ff0afe6f834a9c05354fd2089662e670e9203b864969e0d67bb957af37c43 4cfabac70d45aa70f7e129fcf234ebf84e0edb950380bacf0008616d8059601b 53677c31b06dbf686f019dad8465876ae4e757adf186d02d60a5194106ee20da 5441d28936218f078a094e4b03a60db5f06a890f02ebbbabbf2e4345ef3ed05a 5641e7f156339b3c2d624972d9eea74910e39f0620aed2eadff1fa0635137541 58d92ae7cacfadf7ca36fbabebfa721299c4a828f81707290416639919f0fb20 5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211 5b80b61034467babade5a004fab79adb3d9f18416345c1cdbe6ca0776c9c9513
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP




Win.Worm.Vobfus-7395002-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED [Value Name: ShowSuperHidden] 26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU 26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU [Value Name: NoAutoUpdate] 26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: ciiti] 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: supej] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: zauuca] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: yxyom] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: wznoid] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: qousu] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: jiigio] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: bmjiif] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: ryhiy] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: caodaap] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: viean] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: beoal] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: fiiisep] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: fuafoop] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: juuso] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: peaceit] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: mbnur] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: zoelie] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: teuemar] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: jomol] 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN [Value Name: yiozaot] 1
Mutexes Occurrences
A 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]11[.]56[.]48 26
46[.]166[.]182[.]115 13
37[.]48[.]65[.]148 11
64[.]32[.]8[.]67 7
207[.]244[.]67[.]214/31 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ns1[.]anytime2[.]net 26
ns1[.]anytime3[.]net 26
ns1[.]anytime3[.]org 26
ns1[.]anytime2[.]com 26
ns1[.]anytime4[.]com 26
ns1[.]anytime2[.]org 26
ns1[.]anytime1[.]net 26
ns1[.]anytime1[.]org 26
ns1[.]anytime1[.]com 26
Files and or directories created Occurrences
\autorun.inf 26
\System Volume Information.exe 26
\$RECYCLE.BIN.exe 26
\Secret.exe 26
\Passwords.exe 26
\Porn.exe 26
\Sexy.exe 26
E:\autorun.inf 26
E:\$RECYCLE.BIN.exe 26
E:\Passwords.exe 26
E:\Porn.exe 26
E:\Secret.exe 26
E:\Sexy.exe 26
E:\System Volume Information.exe 26
E:\x.mpeg 26
%HOMEPATH% 26
%HOMEPATH%\Passwords.exe 26
%HOMEPATH%\Porn.exe 26
%HOMEPATH%\Secret.exe 26
%HOMEPATH%\Sexy.exe 26
%HOMEPATH%\c 26
%HOMEPATH%\c\Passwords.exe 26
%HOMEPATH%\c\Porn.exe 26
%HOMEPATH%\c\Secret.exe 26
%HOMEPATH%\c\Sexy.exe 26
*See JSON for more IOCs

File Hashes

0114132de55fe3391d2ffe1eb2235af64538e704a5d39a7c12a5242b26feff60 024c44316844dd33ee87876a1acf6b823b30f97b8f9b2aa593289df21b0ec1d7 056bf3cca6f0cd4e41ad01e0eb4700bee0271c2bb3334642784920529e2554de 07ee7ffcf647257d1293ad9826c82fc09398f657092c25b21169f87fa5a7c9d4 08169078f447a9671714276fd75f906cd349fb720001a77d78bef56b9e35a233 081aabf461e76026a4b5ce622d7dea97bd5c69bd7f6291bc69325ee9e1b2478b 082ee719168ea7be341b1303d4e62fe30007af27470e269a63aa0b1098e7d488 084b2c416ebeb7c01a099604458bc0851f1e1e8b2f230522898cf4084c803f15 0a1e200b0c26beab5775cfa61c2639ea27157e46781e70cbd78a4b19232b632b 0ad7fb766799dd2f438ba70821e2c7f6b2e08c524fd750b34a6209ab8ac3d480 0b11ae767b606de45c93913ce84153b226eae42d035871a9955f19c4cbb46c7a 0bf91f7b0d81a825f042006243db69eb23d52726c19b335ad42e188c53616d99 0c5f7e0d447a0f9445888ba803a9c6bb223bdee7d982be2f833d6184e754b7b0 0e323827671fd25c7f89c594618623916a4dc60221f405a3f2bf7df0275e4e0d 0eb69de315990b07cdc4e6472f7b1a178412d9730766fddb596bddf5b2576ed1 1396cae157a806641cb34122f34c22b4dc995028686f6a082725e4e335e60aed 13a7e9c873e5e108d28acca607b1689f391c1036db6d977f8602908046ca4739 148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5 156452ee7c520ac7ef66233c06b2d9bb8faa3c119e9ae697a53695a7f10c3fa3 15b5879a31b9e41872a13caefbff2bc7e4b672beb19a6fbc3c5b5a38774cc13d 16fa24d44c523e35c4c37fc149647d7e6c21d090a047127fc8d68fc6b9ad8a42 1713907f8ca3dc61f966a367d1d65a4dc13e525fc8ce091b2147d3665a3c0c23 193491d849129d8286edd480622bbe6da83f551d6cd8d3eb16c3cc38c21eeacb 1a59da8f0388e798d4ade89f7c880166b72ad576cc87a883568d614df2d0529d 1b1de63ef24f88d5350acd0909ed76b0ee71c7fa327a715bb1ae554feb33837b
*See JSON for more IOCs
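The file list above is the classic removable-media pattern: autorun.inf at the drive root, lure executables with tempting names, and executables named after the System Volume Information and $RECYCLE.BIN folders so that, in an Explorer view with extensions hidden, they pass for the folders themselves. The Python below is an added example, not Talos code, that scans one drive root for exactly these artefacts and reports what the autorun.inf would launch. It generalises the list slightly by also reporting any Foo.exe that sits next to a directory named Foo, the same trick applied to a user's own folders. It builds its own sample directory, so the path, file contents, the Photos folder and the benign report.docx are constructed.

```python
import tempfile
from pathlib import Path

# Lure names the IOC list shows Vobfus dropping at every drive root.
LURE_NAMES = {"secret.exe", "passwords.exe", "porn.exe", "sexy.exe"}
# Directories Windows itself keeps at a volume root; an .exe with the same name is a folder mimic.
SYSTEM_DIR_NAMES = {"system volume information", "$recycle.bin"}
# autorun.inf keys that name something to execute when the drive is opened.
AUTORUN_RUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the targets an autorun.inf would launch (open=, shellexecute=, shell\\open\\command=)."""
    launchers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in AUTORUN_RUN_KEYS and value.strip():
            launchers.append(value.strip())
    return launchers


def scan_drive_root(root):
    """Inspect one volume root and return sorted (kind, name, details) findings.

    kind is "autorun" (details = launch targets), "folder_mimic" (an .exe named like a
    system folder or like a sibling directory) or "lure" (one of the known lure names).
    """
    root = Path(root)
    findings = []
    for entry in root.iterdir():
        if not entry.is_file():
            continue
        lower = entry.name.lower()
        if lower == "autorun.inf":
            findings.append(("autorun", entry.name, parse_autorun(entry.read_text(errors="replace"))))
        elif lower.endswith(".exe"):
            stem, stem_lower = entry.name[:-4], lower[:-4]
            if stem_lower in SYSTEM_DIR_NAMES or (root / stem).is_dir():
                findings.append(("folder_mimic", entry.name, []))
            elif lower in LURE_NAMES:
                findings.append(("lure", entry.name, []))
    return sorted(findings)


def build_sample_root():
    """Create a throwaway directory laid out like an infected drive root (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_demo_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=Passwords.exe\naction=Open folder to view files\n")
    for name in ("Passwords.exe", "Secret.exe", "Porn.exe", "Sexy.exe",
                 "System Volume Information.exe", "$RECYCLE.BIN.exe"):
        (root / name).write_bytes(b"MZ")
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ")   # mimics a folder the user actually owns
    (root / "report.docx").write_bytes(b"PK")  # benign file that must not be flagged
    return root


if __name__ == "__main__":
    for kind, name, details in scan_drive_root(build_sample_root()):
        print(f"{kind:13} {name}" + (f" -> {details}" if details else ""))
```

On a real machine pass the mount point of the removable volume (for example `E:\`) to `scan_drive_root`; the autorun.inf parsing matters because modern Windows no longer executes autorun.inf from USB media, so the `open=` target tells you which file the worm expects the user to double-click instead.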

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

By David Liebenberg and Kendall McKay.

This summer’s most popular malware families were commonly seen, unsophisticated attacks, with phishing being the top infection vector, according to Cisco Talos Incident Response (CTIR) data. In addition to threat actors repeatedly deploying common threats like ransomware as final payloads, we found that adversaries also leveraged similarly well-known open-source frameworks post-compromise to enable activities such as traversing victim networks, reaching out to command and control (C2) nodes, and exfiltrating data. These findings indicate that organizations across a variety of industry verticals continue to face challenges in defending against common threats and attack methods, most of which have the potential to cause critical damage if not detected and remediated quickly and effectively.

The discoveries outlined in this blog were observed during CTIR engagements between May and July, which corresponds to Cisco’s fourth quarter in fiscal year 2019. These reports, which we intend to publish quarterly, are intended to provide executives and network defenders with regular updates and analysis on the threat landscape.

Top threats

The top threats that we observed between May and July included ransomware, commodity banking malware such as Emotet and Trickbot, and illicit cryptocurrency miners. Although adversaries’ use of ransomware initially appeared to slow down following the rise of cryptocurrency miners, ransomware was by far the most commonly observed threat in incident response engagements during the time period in question. We also frequently saw commodity banking trojans acting as a dropper for ransomware.

Ransomware

Based on our findings, ransomware was the most common threat affecting organizations, with Ryuk being the most frequently deployed type of ransomware. Ryuk infections targeted companies in the retail, media and entertainment, software and internet, and healthcare industries, severely impacting business-critical services and operations. In at least one case, the Ryuk infection occurred months after the initial Trickbot compromise, indicating that the threat actor avoided detection and maintained access to the victim system for a prolonged period of time.

In most of our incident response engagements, we observed multiple threats being deployed on victim systems at various stages of the operation. Ryuk, for example, was typically dropped by banking trojans such as Trickbot, which is consistent with the ransomware's known TTPs. In one such incident, a company experienced a Trickbot-Ryuk infection, after which the adversary used the open-source framework PowerShell Empire to pull down a Sodinokibi ransomware binary from a Pastebin page. However, some Ryuk infections were not accompanied by a commodity malware dropper. One such company was infected with Ryuk via a malicious decoy Microsoft Word installer, causing Microsoft Exchange servers and domain controllers to lose availability and impacting business operations.

Banking trojans

Modular banking trojans were also observed in several incident response engagements, often as a dropper for ransomware. The most commonly observed variants were Emotet and Trickbot. Other banking trojans observed between May and July included Qakbot, Cridex and Dridex and affected organizations in the retail, business services, media and entertainment, software and internet, manufacturing and health care industries.

As mentioned above, several incident response engagements involved Trickbot dropping Ryuk. In at least one case, in which the adversary used PsExec and RDP to stage, spread, and execute the malware, the infection was widespread and progressed over time. Emotet was also observed in several engagements this past quarter. In one instance, a manufacturing company fell victim to an Emotet infection that was caused by malicious spam sent from one of their regional offices. An employee received a high-quality spoofed email that appeared to come from another employee and contained a malicious attachment, which likely led to the Emotet infection.

The actors behind banking trojans such as Trickbot and Emotet have shown a willingness to continually update their malware, adding new modules for increased lateral movement and data exfiltration. They also have been increasing commodification of their malware, engaging in malware-as-a-service by providing access to their tools and infrastructure to other malicious actors. Given adversaries’ propensity to target enterprise networks, they remain a consistent threat observed by responders.

Coinminers

Between May and July, we observed a number of illicit cryptomining attacks in our telemetry and CTIR engagements, several of which involved prominent Chinese botnets and the collaboration of multiple threat actors. Cryptomining malware was observed in CTIR engagements with organizations in the education, health care, business services, telecommunications, and retail industries. Following a dramatic drop in cryptocurrency values in 2018, the market appears to be slowly rebounding, with gradual price increases since early 2019. Despite the fluctuating market, threat actors have largely remained undeterred from targeting cryptocurrency exchanges, suggesting that the currency’s monetary value has little to do with their decision to carry out these types of attacks. As the value of cryptocurrencies continues to rise, we expect illicit cryptomining attacks to remain constant and possibly increase in frequency.

Prominent Chinese cryptocurrency botnets were observed in several engagements. A company in the business services industry had an internet-facing server exploited and was infected with malware associated with cybercriminal group Rocke. The threat actor, which Cisco Talos wrote about in 2018, is linked to the Iron cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, and ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure.

In another engagement, a telecommunications company was compromised with a Monero miner associated with another prominent Chinese-language botnet that Talos has been following since February 2019. This actor had been observed exploiting unsecured ElasticSearch clusters to drop cryptocurrency miners, as well as targeting Oracle WebLogic and Hadoop YARN. During the CTIR engagement, the actor conducted a brute-force authentication attack, after which automated adversary scanners attempted to install cryptocurrency mining malware. Several Hadoop virtual machines (VMs) became infected with mining malware that reached out to a known C2 used by the group.

Our findings also indicated that mining malware is usually delivered by relatively unsophisticated means such as mass exploitation campaigns or brute-forcing. These types of common infection vectors are often used by various other threat actors to carry out a range of unrelated threat activity, suggesting that the presence of mining malware can sometimes be an indication that more sophisticated malware is also present on the victim’s environment.

Top entry vectors

We were unable to determine the entry vector during the majority of engagements due to the victim organization having insufficient logging and security instrumentation. However, when the entry vector could be reasonably determined or assumed, phishing, brute-forcing and exploitation of web applications were the most frequent entry methods.

Phishing

With the prevalence of banking trojans that mostly spread via malspam and phishing campaigns, it should be no surprise that email was one of the top initial vectors we observed. Several engagements saw Emotet and Trickbot delivered via malicious emails. This included emails sent from one victim within an organization to another, which can make detecting a phishing incident much more difficult for both the victim and security appliances.

Brute-force

Brute-force attacks occur when an attacker continuously attempts to log in to an application until they find the correct ID-password combination that grants them access. These processes are typically automated and happen at a rapid pace. In addition to our CTIR team uncovering evidence of brute-force attacks in their engagements, we also frequently observed this type of activity in our Talos honeypot infrastructure.
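As an added illustration (not code from the Talos report), the following detector runs over constructed sshd-style authentication log lines and flags a source that fails logins at a rapid pace, records which accounts it tried, and notes whether a later login from that source succeeded, which is the pattern responders look for when brute-forcing is suspected as the entry vector. The threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth log lines (not from the report): 203.0.113.7 guesses
# several accounts within seconds; 198.51.100.4 is a user mistyping a password.
SAMPLE_LOG = """\
Jun 12 10:00:01 host sshd[2231]: Failed password for root from 203.0.113.7 port 51120 ssh2
Jun 12 10:00:02 host sshd[2232]: Failed password for admin from 203.0.113.7 port 51121 ssh2
Jun 12 10:00:02 host sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 51122 ssh2
Jun 12 10:00:03 host sshd[2234]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 12 10:00:04 host sshd[2235]: Failed password for oracle from 203.0.113.7 port 51124 ssh2
Jun 12 10:00:05 host sshd[2236]: Accepted password for backup from 203.0.113.7 port 51125 ssh2
Jun 12 10:03:10 host sshd[2301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jun 12 10:09:45 host sshd[2302]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jun 12 10:10:30 host sshd[2303]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth(lines, year=2019):
    """Yield (timestamp, result, user, source) for matching lines; syslog omits the year."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    users = defaultdict(set)      # source -> distinct account names attempted
    flagged = {}
    for ts, result, user, src in parse_auth(lines):
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(src, {"failures": 0, "users": users[src], "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif src in flagged:
            flagged[src]["success_after"] = True   # success after a burst of failures: likely guessed
    return flagged
```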

Web application compromise

Another common initial vector was the exploitation of unpatched internet-facing applications. Threat actors commonly scan for unpatched servers to exploit using publicly available proofs-of-concept soon after vulnerabilities are announced. We frequently observed this activity in our telemetry and have seen it in incident response engagements as well. For instance, a business services company had cryptocurrency miners dropped onto their environment after actors exploited vulnerabilities in their Jenkins servers, while an organization in the education industry had their SharePoint servers breached with a web shell.

Actions after compromise

In addition to completing their primary objectives – for example, encrypting files during a ransomware attack – we observed threat actors carrying out a variety of secondary actions post-compromise, such as reaching out to a C2 for follow-on malware or instructions, traversing the network, compromising user accounts, establishing persistence and exfiltrating data. This type of malicious activity after compromise shows how adversaries can leverage common and relatively unsophisticated tactics, including the use of widely available open-source tools, to carry out successful operations.

Cisco Talos also observed some common lateral movement methods. For instance, we frequently observed exploitation of SMB and internal spam as a means of lateral movement, typical actions of banking trojans such as Trickbot and Emotet. We also observed attackers in several engagements leveraging readily available open-source post-exploitation tools to traverse the network and execute malware. This includes Mimikatz, a post-exploitation tool that dumps passwords from memory, as well as other sensitive data.

We also observed PowerShell Empire, an open-source post-exploitation framework that leverages PowerShell and includes modules ranging from keyloggers to credential dumpers, to execute malware, traverse the network, and reach out to C2s. Defenders should not underestimate the damage an attacker can cause through the use of these tools. Evidence of Mimikatz in particular potentially indicates that an organization’s critical services may be severely compromised. During an engagement with a manufacturing company, we observed the presence of Mimikatz in a local administrator account’s remote interactive session. We also found compromised accounts from this organization and another CTIR response victim for sale on the dark web.

We also observed common persistence techniques such as establishing a cron job to reach out to the payload hosting domain and execute the payload, installing multiple copies of a payload on a host, creating scheduled tasks, and creating registry keys in the Autorun locations of the registry.

Multiple actors compromising the same victim

An organization vulnerable to compromise may be attacked by multiple adversaries, each with different objectives, and these adversaries may even battle one another for control of the victim network. In one instance, we observed a malicious threat actor named Rocke, another cryptomining actor named Watchbog, as well as the long-running China.Z botnet on the same victim. In another case, we observed a ransomware event that ran parallel to an adversary who had compromised credentials via Mimikatz. During a ransomware event, a second adversary compromised the victim’s externally facing SSH server to drop IoT botnet malware. Finding multiple actors has important implications, chiefly for how organizations address the underlying security weaknesses that enabled these attacks and improve visibility to increase detection.

This is one reason why a common threat, like a ransomware event, banking trojan outbreak, or illicit mining attack, can be considered a canary in the coal mine: it shows that a low-effort, low-sophistication attack successfully bypassed an organization’s defenses, which could indicate the presence of other actors.

What to watch for and mitigations

The fact that these common threats prevail shows that adversaries are able to take advantage of typical weaknesses in an organization’s security architecture. Since phishing was a top entry vector, Talos urges a multi-pronged approach to address email security, including user training (how to identify and report suspected phishing), technical anti-spoofing controls, intelligence-based email security filtering, and configuring endpoints to be less vulnerable to common attacks.

The lack of monitoring for deployed network detection tools/systems was a key weakness as well. This was especially true in some of these incidents where tools like Cisco AMP were deployed in “audit” mode but were not being reviewed by a person or aggregated into SIEM software.

Post-compromise, the lack of logging was a weakness present in almost every engagement. A lack of logging makes it difficult for responders to put together a complete picture of what adversaries achieved post-compromise. This was also one of the reasons why in the majority of engagements we were unable to exactly pinpoint the initial vector of attack.

Other common weaknesses we observed included lack of multi-factor authentication, sensitive servers exposed to the internet or not properly segmented, lack of patching, and ineffective security products.


Phishing, cryptojacking, and commodity malware. New supply chain security measures. And have you heard about this Black Friday thing?

A Fullz House for Thanksgiving. Google finds that nation-state phishing continues at its customary high levels. DeathRansom, the low-end ransomware that didn’t actually encrypt files, has now begun to do so. The Stantinko botnet adds cryptomining functionality. Microsoft reflects on Dexphot, and the sophistication it brings to ordinary malware. Supply chain security rules are coming to the US. A lawsuit in Tel Aviv. And some final notes on Black Friday. Daniel Prince from Lancaster University on business innovation and cyber security. Guest is Francesca Spidalieri from Salve Regina University on the importance of collaboration from all sectors.

For links to all of today's stories check out our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_27.html


The Stantinko botnet, known for its online fraud, is now infecting thousands of PCs to mine cryptocurrency.

ESET has made a new discovery in the lucrative cryptocurrency mining market. According to its specialists, this botnet, which controls approximately half a million computers and has operated against targets in Russia, Ukraine, Belarus and Kazakhstan since 2012, is now infecting thousands of PCs to mine cryptocurrency.

According to Vladislav Hrcka, the ESET malware analyst responsible for this investigation, after years of basing its business model on click fraud, ad injection, social network fraud and credential theft, Stantinko has started mining the Monero cryptocurrency. Since at least August 2018, the group's cybercriminals have been distributing a cryptomining module to the devices under their control.

This module, according to the expert, is a heavily modified version of the open-source xmr-stak cryptominer, and its most interesting feature is the way it hides itself to thwart analysis and evade detection. Code-level obfuscation, heavy use of randomness and the fact that the developers compile the module for each new victim make every Stantinko sample unique, he explains.

Beyond the obfuscation techniques, CoinMiner.Stantinko uses some peculiar tricks. For example, to hide its communication, the module does not talk to the mining pool directly but through proxies whose IP addresses are obtained from the description text of YouTube videos, much as the Casbaneiro banking malware does. ESET has already reported this abuse to YouTube, and all the channels with related videos have been removed, Hrcka confirms.

To avoid suspicion, CoinMiner.Stantinko suspends its cryptomining functions if the PC is running on battery or if the Task Manager is detected. It also checks whether other cryptocurrency applications are running and suspends them, and it scans the system for the presence of security software.

In reality, CoinMiner.Stantinko is far from the most dangerous malware in existence, although it can be quite a nuisance; above all, it uses the victim's computer to generate money for the cybercriminal, and ultimately it could even be used for more harmful purposes, Hrcka notes.


See the original information at the source:

https://www.itdigitalsecurity.es/actualidad/2019/11/la-botnet-stantinko-se-pasa-al-minado-de-criptomonedas


© Googlier LLC, 2019