Top Stories: Going Phishing and Throwing Targets

Apr 30, 2019

Stalking StalkersBleeping Computer announced that DNSpionage malware campaign comprises a new reconnaissance stage that has demonstrated that attackers have become more selective in their targets. Additionally, a new .NET-based malware, nicknamed Karkoff, enables attackers to remotely execute code on compromised locations. The DNSpionage new victim survey phase is also stated to avoid being detected and analyzed by researches, when they drop the malware payloads in sandboxes designed for analysis.

The GitHub PhishClubBleeping Computer announced web-based GitHub code hosting platform has been used by malicious actors to host phishing kits. Taking advantage of the service’s free repositories, the kits are delivered to their targets via github.io domains. This technique enables perpetrators to bypass both whitelists and network defenses.  In the same way that large consumer cloud storage sites (think, Dropbox), commerce services (think, Paypal) and social networking sites (think, Twitter) make it possible to conceal malicious activity amongst all the valid traffic and interactions.

Still Breaking Banks – In more news from Bleeping Computer the TA505 hacking group ran a spear phishing campaign targeting a financial institution last month with the help of a signed version of the ServHelper backdoor and a number of LOLBins designed to help the operation evade detection. TA505 is a threat group known to have been active as far back as the third quarter of 2014. It is recorded to have attacked  multiple financial institutions and retail companies using large sized malicious spam campaigns driven with the help of the Necurs botnet and dropping the Dridex and Trick banking Trojans. It has also used the Locky and Jaff ransomware strains on their target’s computers.

Email Death ThreadTID alerted a phishing campaign dropping the Qbot banking Trojan with the help of delivery emails that camouflage as parts of previous conversations. The campaign was spotted late March 2019 by the JASK Special Operations team. The JASK security researchers advised “The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly, the delivery email was actually a reply to a pre-existing email thread.”

Learn more about about Deep Instinct’s Cybersecurity Solution.