Fortinet Activity Summary – Week Ending June 16, 2017


 
This week FortiGuard Labs discovered cybercriminals advertising Ransomware-as-a-Service (RaaS) targeting macOS on a TOR page, the first RaaS offering we have seen for the Mac. Malware is usually written for MS Windows, both because Windows is far more widely deployed and because it is usually the easier target. Because this offering was so unusual, we decided to try to contact the criminals, and we actually managed to obtain a sample. For our analysis of the malware, and the likely reasons these cybercriminals developed it, see the Threat Research & Insights section below.

Over the past month we have also documented a change in how large malware families spread. Nemucod, historically the primary carrier of malware, had been consistently dropping in detection frequency. This week, however, the Nemucod Trojan resurfaced with a number of variants and returned to our top 5 most detected signatures. See the Malware Activity section below for details.

 

Malware Activity

Rank  Name                                      Volume
1     JS/Nemucod.DDR!tr.dldr                    901,731
2     WM/Nemucod.0EFE!tr.dldr                   883,889,872
3     SNMP.v1.Spec.Violation                    883,889,872
4     SIPVicious.SIP.Scanner                    385,098,381
5     MS.DNS.WINS.Server.Information.Spoofing   341,282,390

 

Nemucod returns – Over the past few weeks FortiGuard Labs observed a precipitous drop in Nemucod detections; variants of this family were used to distribute the infamous Locky and Cerber ransomware. This week, however, Nemucod variants hold the top two spots in the table above, a third variant (JS/Nemucod.DBI!tr.dldr) appears in the IPS table below, and JS/Nemucod.DDR!tr.dldr has returned to the top of our rankings after a dramatic rise in detections over the past week.

Nemucod is a script Trojan (the JS/ and WM/ signature prefixes above cover its JavaScript and Word macro forms) that downloads further malicious files to an infected computer. It is commonly spread through spam or phishing emails carrying malicious attachments, often a script hidden inside a ZIP archive. These emails are normally disguised as coming from an important-sounding department of an organization, claiming that the attached file is vital information that must be opened to view. Because so many end users open these attachments, Nemucod has been the bane of security teams worldwide for quite some time. When an unsuspecting user opens the attachment, the script runs under the Windows script host and, in most cases, downloads the final payload onto the affected machine. The single best piece of advice we can offer organizations is to educate users to pause, think, and think again before opening any link or attachment in an email. That advice should be backed by controls that do not depend on the user: strip or quarantine script attachments (including inside archives) at the mail gateway, and restrict the script host from running files out of user-writable locations such as the Downloads and Temp folders.
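The gateway check described above, as an added example that is not Fortinet's detection logic or code from this summary. It builds a constructed lure message (the sender, subject, file names and ZIP contents are made up for the demonstration, not taken from a real campaign) with a document-looking double extension inside a ZIP, walks the MIME attachments, and reports anything the Windows script host would execute:

```python
"""Flag e-mail attachments that match the Nemucod delivery pattern.

Added example, not Fortinet's detection logic. The extension list covers the
file types Windows Script Host and the shell will run directly; a script
inside a ZIP is reported against the archive that carried it.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import List, Tuple

# Extensions that execute when double-clicked on a default Windows install.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
               ".cmd", ".bat", ".ps1"}
ARCHIVE_EXTS = {".zip"}


def suspicious_name(name: str) -> bool:
    """True if the file name ends in a script extension (case-insensitive),
    which also catches double extensions such as Invoice.pdf.js."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTS)


def inspect_zip(data: bytes) -> List[str]:
    """Names of script files inside a ZIP payload; an unreadable archive is
    itself reported, because a gateway cannot vouch for what it cannot open."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if suspicious_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def find_script_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Return (attachment name, reason) for every attachment to block."""
    msg = message_from_bytes(raw, policy=default)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        lower = name.lower()
        if suspicious_name(name):
            findings.append((name, "script attachment"))
        elif any(lower.endswith(ext) for ext in ARCHIVE_EXTS):
            for inner in inspect_zip(payload):
                findings.append((name, f"script inside archive: {inner}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure (not a real campaign sample): an 'invoice' ZIP wrapping
    a JavaScript file named to look like a PDF, plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0617.pdf.js",
                    "// stand-in for the downloader stage; does nothing\n")
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice 0617 - action required"
    msg.set_content("Please find the attached invoice. Open to view details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_0617.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in find_script_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run against the constructed message it reports the ZIP, not the PDF. Nested archives and password-protected ZIPs (which `zipfile` lists but cannot extract) are the two cases a production gateway has to decide a policy for; the example treats only unreadable archives as findings.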

About 30% of this week’s Nemucod hits were detected in the United States, 18% in South Korea, and 12% in Japan. We will continue to track this family and share our findings with readers as new details come to light.

 

Application Vulnerabilities / IPS

Rank  Name                          Volume
1     NTP.Monlist.Command.DoS       11,745,146,458
2     DNS.Invalid.Opcode            575,320
3     WM/Agent.0EFE!tr.dldr         308,236
4     W32/Genome.XJN!tr             166,367
5     JS/Nemucod.DBI!tr.dldr        159,432

 

NTP DDoS remains at the top – For months now, NTP.Monlist.Command.DoS has been the most triggered IPS signature. It fires on the "monlist" command, a mode 7 (private) NTP request that asks an ntpd server to return the last 600 client addresses it has talked to. This is the vulnerability tracked as CVE-2013-5211: ntpd answers the small request with a stream of replies many times its size, and because NTP runs over UDP the attacker can spoof the victim's address as the source, so the replies land on the victim rather than on the attacker.

NTP is an old clock-synchronization protocol, and monlist has become a favorite of criminals for denial-of-service attacks precisely because of that amplification: a few bytes sent produce a large amount of traffic aimed at the target. The command was disabled in ntpd 4.2.7p26, so if you run an NTP server we strongly recommend updating to a current version. If you cannot update, add "disable monitor" to ntp.conf, or restrict query access with "restrict default kod nomodify notrap nopeer noquery", and confirm from an outside address that "ntpdc -n -c monlist <server>" no longer returns data. Servers that still answer are not only exposed themselves but are being used to attack others.
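The detection logic behind a signature like this, as an added example that is not Fortinet's IPS code and not from this summary. The header layout follows the ntpd private-mode (mode 7) request format; the sample datagrams and addresses are constructed for the demonstration, and the per-reply sizes used for the amplification figure are an assumption about ntpd's reply packing rather than a measured value:

```python
"""Flag NTP mode 7 'monlist' requests in raw UDP payloads.

Added example, not Fortinet's signature logic. Mode 7 request header:
  byte 0: R (response) | M (more) | VN (3 bits) | Mode (3 bits)
  byte 1: A (authenticated) | Sequence (7 bits)
  byte 2: Implementation number (3 = XNTPD, the value real probes use)
  byte 3: Request code (MON_GETLIST = 20, MON_GETLIST_1 = 42 are 'monlist')
"""
from typing import Dict, List, Optional, Tuple

MODE_PRIVATE = 7
IMPL_XNTPD = 3
MONLIST_CODES = {20, 42}          # MON_GETLIST, MON_GETLIST_1


def parse_mode7_header(payload: bytes) -> Optional[Dict[str, int]]:
    """Decode the first four header bytes; None if the datagram is too short."""
    if len(payload) < 4:
        return None
    b0 = payload[0]
    return {
        "response": (b0 >> 7) & 1,
        "more": (b0 >> 6) & 1,
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "impl": payload[2],
        "req_code": payload[3],
    }


def is_monlist_request(payload: bytes) -> bool:
    """True for a mode 7 request (not a reply) asking for the monitor list."""
    h = parse_mode7_header(payload)
    return (
        h is not None
        and h["mode"] == MODE_PRIVATE
        and h["response"] == 0
        and h["impl"] == IMPL_XNTPD
        and h["req_code"] in MONLIST_CODES
    )


def scan_datagrams(records: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Return (src, dst) for every datagram that is a monlist request.

    Many 'sources' (the spoofed victim) hitting one server, or one source
    sweeping many servers, is the pattern behind NTP.Monlist.Command.DoS."""
    return [(src, dst) for src, dst, data in records if is_monlist_request(data)]


def amplification_factor(request_len: int, response_total_len: int) -> float:
    """Bytes returned per byte sent: the reason monlist is abused for DDoS."""
    return response_total_len / request_len


# --- constructed sample datagrams (not captured traffic) ---------------------
# The classic 8-byte probe: 0x17 = version 2, mode 7; impl 3; code 42.
MONLIST_PROBE = b"\x17\x00\x03\x2a" + b"\x00" * 4
# Same probe using the older MON_GETLIST code (20).
MONLIST_PROBE_OLD = b"\x17\x00\x03\x14" + b"\x00" * 4
# A mode 7 request for a different command (REQ_PEER_LIST, code 0): not monlist.
PEERLIST_PROBE = b"\x17\x00\x03\x00" + b"\x00" * 4
# An ordinary NTPv4 client poll: 0x23 = LI 0, version 4, mode 3; 48 bytes.
CLIENT_POLL = b"\x23" + b"\x00" * 47
# A monlist *reply* (R bit set): the server's side, not the request we flag.
MONLIST_REPLY = b"\x97\x00\x03\x2a" + b"\x00" * 4

SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.1", CLIENT_POLL),
    ("192.0.2.77", "198.51.100.1", MONLIST_PROBE),      # 192.0.2.77 = spoofed victim
    ("192.0.2.77", "198.51.100.2", MONLIST_PROBE_OLD),
    ("203.0.113.11", "198.51.100.1", PEERLIST_PROBE),
    ("198.51.100.1", "192.0.2.77", MONLIST_REPLY),
]

if __name__ == "__main__":
    print(scan_datagrams(SAMPLE_FLOWS))
    # Assumption for illustration: ntpd packs 6 entries of 72 bytes into each
    # 440-byte reply, so a full 600-entry list is ~100 replies (~44,000 bytes)
    # in answer to an 8-byte request.
    print(f"{amplification_factor(len(MONLIST_PROBE), 100 * 440):.0f}x")
```

The same header check works as a firewall or NetFlow filter: anything inbound to UDP/123 whose first byte has mode 7 and whose fourth byte is 20 or 42 is a monlist request, and a server that answers it from outside your network is a reflector.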

 

Web Filtering

horcor dot com – FortiGuard Labs discovered that this domain is associated with the Ursnif Banking Trojan, which was identified in a fake DHL malspam campaign. The domain was created on 30 March, 2017 and became active on 26 Apr, 2017. Traffic to the domain hit 77K+ visits on 4 May, 2017. FortiGuard blocked it on 27 Apr, 2017.

neweroffru backslash logs backslash schet underline 4402 dot exe – Shade is a ransomware family first seen in late 2014. Its payload not only encrypts files but also downloads additional bot malware onto the infected system. FortiGuard Labs has identified the URL hosting this sample and added it to our blacklist.

 

Threat Research & Insights

We ain’t fixin it – In December 2016 FortiGuard Labs found a vulnerability in WINS Server. Given the work required to fix the problem, Microsoft has announced that no fix will be released and that the solution is to migrate from WINS to DNS. Read More

Mac(s) security? FortiGuard Labs explains why Mac malware, historically quite rare, is now becoming more common. Read More

MacinTOR – Ransomware-as-a-Service has started spreading to platforms other than Windows, including macOS. FortiGuard Labs recently found a ransomware offer on TOR, obtained a sample from the criminals who wrote it, and analyzed and documented it. Read More