The Ivanti Threat Thursday Update for November 9, 2017: Malware Evolves

Greetings. Hackers fine-tune ransomware and other malware to make their attacks more effective and disruptive. You doubtless have opinions, reactions, and perhaps even suggestions. All are welcome – so please share. Thanks in advance.

Marcher: Phishing + Malware + Data Theft = Headaches for Android Users

Marcher, malware that started out stealing credit card information from European users in 2013, has gone global and gained new features able to do more damage.

  • As ZDNet reported, Marcher “first originated on Russian underground forums” and “has been active since at least late 2013.” The malware originally stole credit card information by pretending to be legitimate software updates or games at the Google Play App Store. Within months, the malware was targeting financial institutions across Europe and in the United Kingdom.
  • “Uncovered by researchers at Proofpoint, the latest Marcher campaign has been ongoing since January and uses a multistep scheme to target customers of Austrian banks.” Phishing emails link to fake Bank of Austria sites, where unsuspecting customers are asked for details including their email addresses and phone numbers.
  • Hackers use that information to persuade those customers to download a fake app to their mobile phones, and “alter their security settings to allow the download of applications from unknown sources,” which enables installation of Marcher. Once installed, Marcher can steal credit card information directly, and capture enough personal information to enable hackers to exploit the stolen credentials. “Data suggests almost 20,000 people clicked through to the campaign, potentially handing their banking details and personal information into the hands of hackers.”

Locky: Now with Spear Phishing and Better Cloaking!

Marcher is not the only malware to have gained new features recently. Separately, ZDNet also reported that Locky, “one of the most prolific types of ransomware out there,” has been modified to make it more difficult to detect.

  • “In February 2016, Locky was used to disrupt the Hollywood Presbyterian Medical Center, which declared an ‘internal emergency’ as systems, databases, and critical information were encrypted and staff members were locked out.” The hospital ultimately “gave in and paid $17,000 in Bitcoin for a decryption key.”
  • “Locky has also been linked to a ransomware campaign in August this year in which as many as 23 million phishing emails were sent in only 24 hours.”
  • More recently, a new Locky variant called Diablo6 includes features designed to defeat detection by antivirus tools and by users. A phishing email now masquerades as a legitimate email and attachment. When a user is fooled into clicking on the attachment, a Visual Basic Script (VBS) file can download the ransomware from a backup “command-and-control” server if an initial attempt to reach a primary server fails.

Microsoft: Banking Trojans Gain Ransomware Spreading Techniques

ZDNet also reported warnings from Microsoft that malware that originally targeted consumers has gained new propagation features and increasingly targets enterprise and small-business networks.

  • So-called “Trojans” are malware variants that have largely been used by hackers to steal credentials from consumers. Recently, however, three such Trojans, Qakbot, Emotet, and Trickbot, “have adopted the exploits that helped WannaCry and NotPetya ransomware rapidly spread inside networks using the file-sharing protocol Server Message Block (SMB).”
  • “Qakbot and Emotet can spread on a network by infecting all accessible network shares and drives, including USB drives, harvesting credentials to spread via default admin shares and shared folders, and guessing the passwords to Active Directory accounts. ‘Qakbot and Emotet can also drop copies in other machines in the network using SMB and then use remote execution to activate,’ notes Microsoft.”
  • Microsoft “has provided a list of actions customers can take to stop the malware spreading.” These include “disconnecting affected machines from the network and cutting off internet access until [each] infected machine has been cleaned.”
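The propagation behaviours Microsoft describes (guessing passwords of Active Directory accounts, then dropping copies on other machines through the default admin shares) leave traces in the Windows Security log. The following is an added detection example written for this post; it is not code from Ivanti, Microsoft, or ZDNet. It assumes a simplified record layout of its own (fields `time`, `event_id`, `src_ip`, `account`, `share`, `target_host`), uses the standard Security event IDs 4625 (failed logon) and 5140 (network share object accessed), and runs over constructed sample records. The thresholds are illustrative and should be tuned to the environment.

```python
"""Added detection example (not from the Ivanti post or from Microsoft).

Flags two lateral-movement patterns from constructed Windows Security records:
  4625  failed logon          -> one source failing against many AD accounts
  5140  share object accessed -> one account touching admin shares on many hosts
Field names below are this example's own simplification of the real events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default administrative shares Windows exposes on every host.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # One source guessing passwords for six different accounts in ~20 seconds.
    {"time": "2017-11-09T10:00:01", "event_id": 4625, "src_ip": "10.0.0.23", "account": "admin"},
    {"time": "2017-11-09T10:00:05", "event_id": 4625, "src_ip": "10.0.0.23", "account": "backup"},
    {"time": "2017-11-09T10:00:09", "event_id": 4625, "src_ip": "10.0.0.23", "account": "finance01"},
    {"time": "2017-11-09T10:00:13", "event_id": 4625, "src_ip": "10.0.0.23", "account": "jsmith"},
    {"time": "2017-11-09T10:00:17", "event_id": 4625, "src_ip": "10.0.0.23", "account": "mjones"},
    {"time": "2017-11-09T10:00:21", "event_id": 4625, "src_ip": "10.0.0.23", "account": "svc_sql"},
    # Ordinary typos from another workstation: two accounts, well below threshold.
    {"time": "2017-11-09T10:15:00", "event_id": 4625, "src_ip": "10.0.0.40", "account": "alice"},
    {"time": "2017-11-09T11:00:00", "event_id": 4625, "src_ip": "10.0.0.40", "account": "bob"},
    # One account reaching admin shares on four hosts (drop-copy-and-execute pattern).
    {"time": "2017-11-09T10:02:00", "event_id": 5140, "account": "svc_backup", "target_host": "ws01", "share": r"\\*\ADMIN$"},
    {"time": "2017-11-09T10:02:10", "event_id": 5140, "account": "svc_backup", "target_host": "ws02", "share": r"\\*\ADMIN$"},
    {"time": "2017-11-09T10:02:20", "event_id": 5140, "account": "svc_backup", "target_host": "ws03", "share": r"\\*\ADMIN$"},
    {"time": "2017-11-09T10:02:30", "event_id": 5140, "account": "svc_backup", "target_host": "ws04", "share": r"\\*\C$"},
    # Benign share use: a departmental share, and a single admin-share access.
    {"time": "2017-11-09T10:03:00", "event_id": 5140, "account": "alice", "target_host": "srv01", "share": r"\\*\Finance"},
    {"time": "2017-11-09T10:04:00", "event_id": 5140, "account": "bob", "target_host": "ws05", "share": r"\\*\C$"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def _share_name(share):
    # 5140 records the share as \\*\NAME; keep only NAME, case-insensitively.
    return share.rsplit("\\", 1)[-1].upper()


def detect_password_guessing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src_ip: sorted accounts} for sources whose failed logons (4625)
    covered at least `min_accounts` distinct accounts inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((_parse_time(e["time"]), e["account"]))

    findings = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                findings[src] = sorted(accounts | set(findings.get(src, [])))
    return findings


def detect_admin_share_access(events, min_hosts=3):
    """Return {account: sorted hosts} for accounts that accessed an administrative
    share (5140) on at least `min_hosts` distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] == 5140 and _share_name(e["share"]) in ADMIN_SHARES:
            hosts[e["account"]].add(e["target_host"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for src, accounts in detect_password_guessing(SAMPLE_EVENTS).items():
        print(f"password guessing from {src}: {', '.join(accounts)}")
    for acct, hosts in detect_admin_share_access(SAMPLE_EVENTS).items():
        print(f"admin-share fan-out by {acct}: {', '.join(hosts)}")
```

Both detectors are deliberately simple: the first keys on distinct accounts per source rather than raw failure counts, which is what separates spraying from a user mistyping one password, and the second ignores ordinary departmental shares so that only the default admin shares Microsoft names contribute. Either finding is a reasonable trigger for the isolation step in Microsoft's guidance above.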

What We Say: The above examples make two things abundantly clear. Whether the goal is extortion, disruption, or something more sinister, malware works, and the people behind it know it. We can all therefore expect malware to continue to evolve and gain more powerful and effective features for gaining access to enterprise networks, resources, and data. Your organization must continue to evolve its cybersecurity protections to maximize defenses and minimize disruptions. (See “Endpoint Security Evolves: The Rise of the Personal Perimeter,” “Ransomware: It’s About Much More Than Money,” and “Your Threats Are Evolving. Are Your Defenses?”)

Evolve Your Cybersecurity with Ivanti

To become and remain maximally effective, your cybersecurity strategy must be comprehensive and multi-layered. You need to be able to discover and inventory your critical resources and identify threats to them. You must get and keep your client and server system patches up to date. You need granular, proactive control over your users’ applications, devices, and admin rights. You must be able to combat and remediate malware and other attacks. And you need accessible, actionable reporting and analysis that improves your ability to protect your network and your organization.

Ivanti has the solutions, the experience, and the ecosystem to help you with all of these critical requirements. Check us out online, then get in touch with us to discuss how we can best help you, today and tomorrow. (And please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates!)