New attack campaign targets vulnerable WordPress sites to alter their titles

Recently, a new attack campaign responsible for adding phony keywords to the titles of vulnerable WordPress sites was discovered. The attackers added “1800ForBail” or “1800ForBail – One+Number” to the titles of the compromised sites. The threat actors behind the campaign changed the “blogname” setting in WordPress to modify the titles.

This campaign was discovered by Kaushal Bhavsar, a malware analyst at Sucuri. According to the researcher's analysis, a Google search for the query “1800ForBail” returned over 158,000 results, and Google’s cache indicated that most of these sites were compromised after June 12, 2019. It was reported that the attackers widely exploited vulnerabilities in various WordPress plugins that allowed them to load malicious code on targeted sites. Old versions of plugins such as WordPress GDPR Compliance, TagDiv themes, the Freemius Library, and Convert Plus, among others, are known to be exploited.

It is also believed that the “1800ForBail” campaign is part of a large-scale campaign that aims at exploiting newly found flaws in WordPress. Sucuri observed that the campaign had two active attacks in the making. “These seem to be two separate attacks. One of them (siteurl/home) redirects visitors to scam sites (tech support and push notification scams), while the other changes blog titles — a black hat SEO technique used to gain more visibility for the brand of the ‘bail service’,” read the blog by the security firm.

As for mitigations, WordPress site owners affected by this campaign are advised to update all their plugins and themes, and to change the “blogname” option back, to prevent their sites from being reinfected.
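The two attacks above both work by rewriting rows in the WordPress options table: “blogname” for the title change and “siteurl”/“home” for the redirect. The following is an added example, not code from the article or from Sucuri, that audits those three options against a known-good baseline and prepares parameterised statements to restore them. The rows and baseline are constructed sample data; the table name defaults to WordPress's standard `wp_options` and must be one you control, since a table name cannot be passed as a DB-API parameter.

```python
"""
Added example, not code from the article or from Sucuri: audit the three
WordPress options the article says these attacks tamper with ('blogname' for
the title change, 'siteurl'/'home' for the redirect attack) against a
known-good baseline. Rows are (option_name, option_value) pairs as returned by
  SELECT option_name, option_value FROM wp_options;
The sample rows and baseline below are constructed for illustration.
"""
import re

# Keyword the article reports in tampered titles; matches both the bare form
# and the "1800ForBail - One+Number" form.
CAMPAIGN_TITLE_PATTERN = re.compile(r"1800ForBail", re.IGNORECASE)

# Options the article says the two attacks modify.
WATCHED_OPTIONS = ("blogname", "siteurl", "home")


def audit_wp_options(rows, baseline):
    """Return one finding per watched option that looks tampered with.

    rows:     iterable of (option_name, option_value) tuples.
    baseline: dict mapping option_name -> expected value.
    Each finding is {"option": name, "value": current, "reasons": [...]}.
    """
    current = {name: value for name, value in rows if name in WATCHED_OPTIONS}
    findings = []
    for name in WATCHED_OPTIONS:
        reasons = []
        value = current.get(name)
        if value is None:
            reasons.append("option missing")
        else:
            if name == "blogname" and CAMPAIGN_TITLE_PATTERN.search(value):
                reasons.append("campaign keyword in site title")
            if name in ("siteurl", "home") and not value.startswith("https://"):
                reasons.append("not an https URL")
            expected = baseline.get(name)
            if expected is not None and value != expected:
                reasons.append(f"differs from baseline {expected!r}")
        if reasons:
            findings.append({"option": name, "value": value, "reasons": reasons})
    return findings


def remediation_statements(findings, baseline, table="wp_options"):
    """Build parameterised UPDATE statements that restore baseline values.

    Returns (sql, params) pairs for a DB-API cursor. The table name is
    interpolated because DB-API parameters cannot name a table, so only pass
    a table name you control (the default is WordPress's default prefix).
    """
    statements = []
    for finding in findings:
        name = finding["option"]
        if name in baseline:
            sql = f"UPDATE {table} SET option_value = %s WHERE option_name = %s"
            statements.append((sql, (baseline[name], name)))
    return statements


# Constructed sample: title replaced with the campaign keyword and 'home'
# pointed at another host, while 'siteurl' is untouched.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("home", "https://redirect.invalid"),
    ("blogname", "1800ForBail - One+Number"),
    ("blogdescription", "Just another WordPress site"),
]
SAMPLE_BASELINE = {
    "siteurl": "https://example.com",
    "home": "https://example.com",
    "blogname": "Example Bakery",
}

if __name__ == "__main__":
    found = audit_wp_options(SAMPLE_ROWS, SAMPLE_BASELINE)
    for f in found:
        print(f"{f['option']}: {f['value']!r} -> {', '.join(f['reasons'])}")
    for sql, params in remediation_statements(found, SAMPLE_BASELINE):
        print(sql, params)
```

Restoring the options is only the cleanup step; as the article notes, the plugin or theme that let the attacker write to the database has to be updated as well, or the audit will simply fire again on the next visit.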

 

Newly discovered Mac OSX/CrescentCore malware spotted in the wild

Security researchers at Intego, who were previously responsible for the discovery of OSX/Linker, have found CrescentCore on multiple websites. The malware is disguised as a Flash Player installer to avoid detection and to be easily installed on a victim’s system. The new malware was first observed on a site purporting to share digital copies of new comic books for free. Apart from this, the researchers also noted that, “A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.” The sketchy sites involved in distributing the malware claimed to offer free versions of movies, TV shows, music, and books.

CrescentCore is delivered as a Trojan horse through a DMG disk image file, masquerading as an Adobe Flash Player updater. If a user opens the DMG disk image file and then opens the Player app, the Trojan horse first checks whether it is running inside a virtual machine. “Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior,” the researchers added. The OSX/CrescentCore trojan also checks whether any popular Mac antivirus programs are installed on the victim’s machine. If it finds an antivirus product or detects that it is running in a VM, the malware simply exits and does not proceed further.

Adding to the problem, Intego researchers have discovered a second variant of OSX/CrescentCore. Depending on the variant, the trojan installer may install the rogue ‘Advanced Mac Cleaner’ software or a malicious Safari browser extension on the victim’s machine. Both versions of CrescentCore are signed with certificates assigned to a developer named Sanela Lovic.

 

New variant of Dridex trojan fools antivirus solutions

Security researchers have recently identified an ongoing attack campaign distributing a new variant of the Dridex trojan. Discovered by malware researcher Brad Duncan, this variant reportedly goes undetected by many popular antivirus solutions. Security firm eSentire, which conducted an extensive analysis of this variant, suggests that the new infrastructure used for the malware is expected to change over time.

Dridex is one of the fastest-evolving malware families, with advanced features added to its structure at frequent intervals. The malware is customarily distributed through spam emails containing malicious Word documents. These documents use macros to download the trojan. The macro script uses an application whitelisting bypass technique to avoid mitigations enforced through Windows Script Host. If the macro executes successfully, it connects to ssl-pert[.]com to download servern.exe, which is the Dridex installer. Samples analyzed by Duncan and eSentire contained malicious JavaScript code embedded in an XSL template; this script downloads and executes the Dridex installer. According to eSentire, only 16 antivirus solutions detected the new variant of Dridex.

As mentioned earlier, eSentire researchers note that the command and control infrastructure used by the new variant is evolving and that the campaign will continue to employ new indicators. “Two observations indicate this campaign isn’t done shifting identifiers. Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” the researchers wrote in a blog post.

 

Newly discovered Spelevo exploit kit found compromising B2B site to distribute IcedID and Dridex trojans


 

WannaLocker evolves to include spyware and banking trojan capabilities

WannaLocker - a mobile derivative of WannaCry ransomware - has been enhanced with spyware, RAT, and banking trojan capabilities. Cybercriminals have been found using this all-in-one malware to target banks and their customers. Discovered by Nikolaos Chrysaidos, a threat researcher at Avast, this triple-threat mobile version is targeting four major banks. The new version is one nasty ransomware package, capable of harvesting text information; stealing call logs, phone numbers, GPS location and microphone audio data; and grabbing credit card information.

Although it is unknown how this new version of the ransomware gets onto phones, Chrysaidos suspects that it could be through malicious links or third-party stores. Once installed, the malware encrypts the files on the mobile user’s external storage and demands a relatively small ransom to release them. “This version includes the design to do this and the message to show to the infected user, but appears to still be in development,” Chrysaidos said in a blog post. The WannaLocker ransomware was originally designed in 2017 to target Chinese Android device users via gaming forums. With its latest evolution, however, the ransomware can pose a serious threat to the banking and retail sectors.

 

New phishing campaign bypasses security controls by abusing QR codes to redirect victims

Researchers from Cofense observed a new phishing campaign that abuses QR codes to redirect users to phishing pages, bypassing security controls that block suspicious or blacklisted domains. The phishing emails are disguised as a SharePoint email sharing a document. The emails have a subject line similar to ‘Review Important Document’, and the message prompts users to ‘Scan Bar code to view the document’. The emails also include a GIF image containing the QR code, which redirects users to a fake SharePoint page. The phishing SharePoint page urges users to log in to view the document.

Because the QR code has to be scanned with a phone, victims are moved away from the protections of their corporate computers, which lets the attackers evade security controls such as protection services, secure email gateways, sandboxes, and web content filters. Researchers noted that most smartphone QR code scanner apps instantly redirect users to the malicious website via the phone’s native browser. “Though the user may now be using their personal device to access the phish, they are still in the “corporate” mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this document,” the researchers said in a blog post.
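What makes this lure hard for a URL-centric gateway is that the destination lives in an image, not in the message text. The following is an added example, not code from the article or from Cofense, of a triage heuristic that parses a message with the standard library and flags the combination the campaign relies on: a prompt to scan a bar code or QR code, an attached image, and either no clickable URL in the body or a SharePoint-style lure. The two sample messages are constructed, and the scoring rules are this example's own assumptions rather than Cofense's detection logic.

```python
"""
Added example, not code from the article or from Cofense: a triage heuristic
for the lure the article describes, where the email carries a QR code in an
image (a GIF) and a "scan the bar code" prompt instead of a clickable link,
so URL-based gateway filtering has nothing to inspect. Uses only the standard
library; the sample messages are constructed and the scoring rules are this
example's own assumptions, not Cofense's detection logic.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_PATTERN = re.compile(r"https?://", re.IGNORECASE)
SCAN_PROMPT = re.compile(r"\bscan\b.*\b(bar ?code|qr)\b", re.IGNORECASE | re.DOTALL)
BRAND_LURE = re.compile(r"sharepoint", re.IGNORECASE)
SUBJECT_LURE = re.compile(r"review|important|document", re.IGNORECASE)


def score_qr_phish(raw_message: bytes) -> dict:
    """Parse one RFC 5322 message and return its QR-lure indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    # iter_attachments() skips the body part, so only real attachments count.
    image_attached = any(
        part.get_content_maintype() == "image" for part in msg.iter_attachments()
    )
    indicators = {
        "subject_lure": bool(SUBJECT_LURE.search(str(msg.get("Subject", "")))),
        "brand_lure": bool(BRAND_LURE.search(body)),
        "scan_prompt": bool(SCAN_PROMPT.search(body)),
        "image_attached": image_attached,
        "no_clickable_url": URL_PATTERN.search(body) is None,
    }
    # The defining pattern: an image to scan plus a prompt to scan it, with the
    # destination hidden from the mail gateway because no URL is in the text.
    suspicious = (
        indicators["scan_prompt"]
        and indicators["image_attached"]
        and (indicators["no_clickable_url"] or indicators["brand_lure"])
    )
    return {"suspicious": suspicious, "indicators": indicators}


def build_sample_phish() -> bytes:
    """Constructed lure resembling the one described: SharePoint-style text,
    a 'scan bar code' prompt and a GIF attachment standing in for the QR code."""
    msg = EmailMessage()
    msg["Subject"] = "Review Important Document"
    msg["From"] = "notifications@sharepoint-share.invalid"
    msg["To"] = "employee@corp.invalid"
    msg.set_content(
        "A SharePoint document has been shared with you.\n"
        "Scan Bar code to view the document.\n"
    )
    # Minimal GIF header plus padding; a real lure would embed a QR code image.
    msg.add_attachment(b"GIF89a" + b"\x00" * 32, maintype="image",
                       subtype="gif", filename="document.gif")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary message with a plain link and no attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Team lunch on Friday"
    msg["From"] = "colleague@corp.invalid"
    msg["To"] = "employee@corp.invalid"
    msg.set_content("Menu is at https://intranet.corp.invalid/lunch - see you at noon.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample_phish()), ("benign", build_sample_benign())):
        result = score_qr_phish(raw)
        print(label, result["suspicious"], result["indicators"])
```

A heuristic like this only routes a message for closer inspection; decoding the image to recover the URL, and feeding that URL through the same domain reputation checks the lure was designed to sidestep, is the step that turns a suspicion into a block.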

 

Edited and compiled by cyber security specialist James Aguilan.