Hamas is targeting the hearts of Israeli soldiers using social engineering attacks that are triggered with a simple friend request.
Israel Defense Forces reported the group is scrolling through Facebook for Israeli soldiers to “catfish” using fake accounts created from photos and identities stolen from attractive unsuspecting users, according to a blog post.
Hamas operatives will then add the Israeli soldiers on social media and chat with them before sending a few pictures, in an effort to disarm suspicious and prove they are real before inviting them to a video chat using an app sent to the soldier from the operative.
The app is actually a trojan capable of gleaning contacts, locations, apps, pictures, and any files as well as access the camera and microphone.
Soldiers are advised to not accept friend requests from strangers, keep GPS features off when not in use, and to not side load apps to their device.
SOURCE: Robert Abel | SC Magazine
Nine days after Christmas, a new ransomware named “Merry Christmas” was discovered operating in the wild and later a new variant was found which transmitted the DiamondFox malware as a secondary infection. DiamondFox malware is a versatile malware that includes modules that recruit bots for distributed denial of service attacks, steal credit card data from POS systems, pilfer browser passwords, open remote desktop connections and others.
The malware generates its ransom note as a file named “YOUR FILES ARE DEAD.hta” and inserts it in every folder wherein documents are encrypted. The note contains instructions directing victims to contact the criminals through telegram or email. The ransomware also communicates with the command-and-control server from the infected machine and transfers information including username, computer name, running processes, installed programs, local time and hardware information.
Palo Alto Networks and three other researchers are credited with discovering two variants of the Merry Christmas malware. MalwareHunterTeam discovered the DiamondFox secondary infection by the ransomware.
Self-styled ransomware hunter, Michael Gillespie has discovered an unusual Koovla ransomware variant which offers decryption keys for a read up of two articles on how to stay secured from malware.
The ransomware once downloaded states:
“In order for me to decrypt your files you must read the two articles below. Once you have click the ‘Get My Decryption Key’ button.
Then enter in your decryption key and click the ‘Decrypt My Files’ button. Eventually all of your files will be decrypted 🙂
If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.
So User do you want to play a game?”
One of the security articles is from Google’s security team on how to stay safe online while the other is from Bleeping Computer explaining the Jigsaw variant.
Researchers at CyberX have found a new variant of the KillDisk program. This was the program used to attack Ukrainian energy utilities. The new variant is an evolution into a ransomware that may the targeting industrial control networks according to the researchers.
CyberX reports that the ransomware is distributed through malicious Office attachments and displays a pop-up demanding 222 Bitcoins, equivalently $206,000. It uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt files and folders that are shared between organizations.
A free decryptor tool for the Crysis ransomware has been developed and released by ESET security researchers. Information released on Pastebin and reported by Bleeping computer were used in creating the tool.
Download of the ESET Crysis Decryptor tool is available at https://www.eset.com/int/download-utilities/
Instructions on how to use the tool is available at http://support.eset.com/kb6274/
Variants of Crysis ransomware has been spotted in 123 countries since May, 2016 with the most targeted countries being France, Spain and Brazil.
File this one in the “Irony” department: Threat actors have been discovered trying to infect security-minded individuals with a trojan downloader by sending spear phishing emails that offer free invitations to Palo Alto Networks’ Nov. 3 Cyber Security Summit in Jakarta, Indonesia.
Palo Alto Networks’ Unit 42 threat research group identified the malware as the Emissary trojan, which is linked to Lotus Blossom, an advanced persistent threat (APT) group that has historically launched campaigns against multiple countries in Southeast Asia. According to a Palo Alto blog post, the trojan arrives as an malicious Word document attachment bearing the file name “[FREE INVITATIONS] CyberSecurity Summit.doc.” Opening the attachment deploys a decoy document and downloads Emissary, which compromises systems by exploiting a critical vulnerability in Microsoft’s MSCOMCTL.OCX ActiveX controls (CVE-2012-0158) that dates back to 2012.
By analyzing the original screenshot that was cropped to create the decoy document, Palo Alto found a variety of evidence suggesting that the adversaries’ primarily language is Chinese.
SOURCE: Bradley Barth | SC MAGAZINE
The latest version of the Ghost Push trojan discovered in 2015 has been found by researchers at Cheetah mobile. This latest variant is able to root almost all Android devices except those running the Android 6.0 Marshmallow or higher.
The malware hides its core coding in the system directory, disguising itself as a built-in app of the phone and prevents third parties from taking over root privilege in order to hide and evade detection.
Cheetah Mobile reported that the highest percent of infection was in Malaysia (14%), followed by Vietnam (13%) and Colombia (10%).
Android users can stay immune by upgrading to version 6.0. But most android smartphone manufacturers apart from Google do not get updates pushed out to users in a reasonable amount of time as the manufacturers, carrieers and Google have to work together to push out updates to users.