Detail of a calendar page with dates

A week in security (Apr 17 – Apr 23)

Last week, we doubled back on the Locky ransomware, seeing that it’s back. The good news is we still protect our users from this new strain.

Moker, a Trojan also known as Yebot and Tilon, was spotted by our researchers being used as payload by the Rig-V exploit kit. As such, a deep analysis of the said malware was in order.

Lastly, we profiled a malvertising campaign that uses decoy websites and strong IP filtering techniques in order to keep itself under the radar. The campaign was aptly called “Binary Options” as the threat actors behind it use trading companies as a front to hide the real nature of their business.

Below are notable news stories and security-related happenings:

  • Exploits Targeting Corporate Users Surged Nearly 30% In 2016. “A new report from Kaspersky Lab this week holds some mixed news for individuals and organizations on a couple of fronts. The report is based on an analysis of the threats detected and blocked worldwide by Kaspersky Lab’s antimalware products in 2016.” (Source: Dark Reading)
  • Public WiFi Security: A 10-Step Guide. “These days, public WiFi is everywhere. Beyond cafes and airports, you’ll find hotspots in sports stadiums, hospitals, and department stores. While IT pros are well aware of the security risks of public WiFi, their users — who are eager to get online wherever they are — likely aren’t.” (Source: Network Computing)
  • Peer Pressure, Not Money, Lures Youngsters Into Cybercrime – Report. “Teenage hackers get mixed up in cybercrime mostly to gain bragging rights over peers rather than to get rich, according to a new study. The National Crime Agency report fingers peer pressure and kudos as a key reason for youngsters in getting mixed up with online crime. Few if any of those who stray on to the wrong side of the law in cyberspace would have committed conventional crimes.” (Source: The Register)
  • MilkyDoor Malware Turns Androids Into Backdoors To Attack Enterprise Networks. “A new Android malware family is able to blend in with normal network traffic and avoid detection by encrypting its payloads, in order to access internal networks. The backdoor, known as MilkyDoor, has so far affected 200 unique Android apps available on the official Google Play Store. Some of those apps boast between 500,000 and one million installs.” (Source: Graham Cluley’s Blog)
  • Google Is Building An Ad-blocker Into Google Chrome, Report Claims. “When the world’s biggest online advertising platform is reported to be working on a technology to block ads in the world’s most popular browser, it’s no wonder that some eyebrows will be raised. According to a report in the Wall Street Journal, Google is planning to build an ad blocker into Google Chrome.” (Source: Tripwire’s The State of Security Blog)
  • RawPOS: New Behavior Risks Identity Theft. “While the threat actor’s tools for lateral movement, as well as RawPOS’ components, remain consistent, new behavior from the malware puts its victims at greater risk via potential identity theft. Specifically, this new behavior involves RawPOS stealing the driver’s license information from the user to aid in the threat group’s malicious activities.” (Source: Trend Micro’s Security Intelligence Blog)
  • A Third Of Employees Say It’s Common To Take Corporate Data With Them When Leaving A Company. “Today’s workforce is caught between two imperatives: be productive and efficient on the job and maintain the security of company data. The results of a recent end-user security survey by Dell indicate that among the professionals that work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and data security policies.” (Source: Help Net Security)
  • Chrome, Firefox, Preparing Fixes for Nasty Phishing Trick Using Punycode. “Normally, when you click on a link to a site, you expect to be taken to that particular site. Thanks to a researcher, however, it has been discovered that it’s not always the case due to a vulnerability of most browsers in the way they translate special characters. For example, a website address that starts with xn-- tells your browser that the domain name is encoded using Punycode, which allows special characters to be displayed. This ability is quite important because a large part of Internet users don’t speak English, or it’s not their first language, and their mother tongues include such special characters.” (Source: Softpedia)
  • Cyber Security Is A ‘People Problem’ Says IISP Survey. “Over 80% of security professionals identify ‘people’ as the industry’s biggest challenge compared to technology and processes, according to the results of the second annual survey from The Institute of Information Security Professionals (IISP).  The survey also indicates that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens. In real terms, spending does appear to be on the rise with 70% of companies seeing an increase in budget, up from 67% and only 7% reporting a reduction, which is down from 12% last year.” (Source: IT Security Guru)
  • Two-Thirds of Apps Using Open Source Have Known Software Vulns. “With 96% of all apps containing open source components, it should be alarming to learn that two-thirds of all apps using open source (60+%) contain known software vulnerabilities. And, 85% contain license conflicts. That’s according to the second-annual 2017 Open Source Security & Risk Analysis report from Black Duck’s Center for Open Source Research and Innovation (COSRI), which examined findings from more than 1,000 commercial applications audited in 2016.” (Source: InfoSecurity Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team

ABOUT THE AUTHOR