Cannon Malware
A Russian government-backed hacking group is distributing a new form of trojan malware as part of a cyber espionage campaign targeting the US and Europe, according to security researchers.

Named Cannon after references in the malicious code, the malware gathers system information and takes screenshots of infected PCs and has been operating since at least late October.

The campaign begins with phishing emails that reference the recent Lion Air crash off the coast of Indonesia. The attached Microsoft Word document is named Lion Air Boeing 737.docx and lists its author as ‘Joohn’. The subject was most likely chosen for the lure simply because people tend to open emails related to current events.

This campaign has been spotted delivering two different forms of similar malware. One is Zebrocy, a trojan which has previously been observed being used as part of cyber espionage attempts working out of Russia.

The other is Cannon, and this campaign is the first time the malware has been seen. It functions much like Zebrocy, establishing communication with a command and control server that provides the malware with instructions.

Cannon is designed to be persistent: it takes screenshots of the desktop every 10 seconds and gathers full system information every five minutes. To pass stolen data on without drawing attention, Cannon uses email to forward attachments to one of three accounts hosted by a Czech Republic based service provider. From there, the emails go to accounts controlled by the attackers.
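The exfiltration pattern described above (periodic screenshots and system information sent out over email to an external mail provider) is the kind of behaviour a defender can look for in egress logs. The following Python script is an added example, not code from the original article or from the researchers it cites. It runs over constructed firewall log lines and flags workstations that are not approved mail relays yet make outbound SMTP connections (ports 25, 465, 587) to the same destination at a regular interval. The log format, host names, approved-sender list and jitter threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (not real data): timestamp, source host,
# destination IP, destination port. WS-ALICE talks SMTP to one external host
# every ~5 minutes; WS-BOB sends two unrelated mails; MAILGW is the mail relay.
SAMPLE_LOG = """\
2018-11-01T10:00:00 src=WS-ALICE dst=198.51.100.7 dport=587 action=allow
2018-11-01T10:00:03 src=WS-ALICE dst=203.0.113.20 dport=443 action=allow
2018-11-01T10:05:01 src=WS-ALICE dst=198.51.100.7 dport=587 action=allow
2018-11-01T10:10:00 src=WS-ALICE dst=198.51.100.7 dport=587 action=allow
2018-11-01T10:15:02 src=WS-ALICE dst=198.51.100.7 dport=587 action=allow
2018-11-01T10:20:00 src=WS-ALICE dst=198.51.100.7 dport=587 action=allow
2018-11-01T10:01:00 src=WS-BOB dst=192.0.2.10 dport=25 action=allow
2018-11-01T11:30:00 src=WS-BOB dst=192.0.2.10 dport=25 action=allow
2018-11-01T09:58:00 src=MAILGW dst=198.51.100.7 dport=25 action=allow
"""

MAIL_PORTS = {25, 465, 587}
# Hosts that are allowed to speak SMTP outbound (assumed for this example).
APPROVED_MAIL_SENDERS = {"MAILGW"}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_smtp_beacons(text, min_events=4, max_jitter_ratio=0.1):
    """Return {(src, dst): mean_interval_seconds} for non-approved hosts whose
    outbound SMTP connections to a single destination recur at a steady cadence.

    Regularity is measured as the population standard deviation of the gaps
    between connections divided by the mean gap; a small ratio means beaconing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport in MAIL_PORTS and src not in APPROVED_MAIL_SENDERS:
            by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings[pair] = avg
    return findings


if __name__ == "__main__":
    for (src, dst), interval in find_smtp_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: outbound SMTP every {interval:.0f}s (possible exfiltration)")
```

The threshold on the jitter ratio is deliberately loose; the point is that a workstation (as opposed to the mail gateway) talking SMTP directly to an external provider on a fixed schedule is worth a look regardless of the payload, which a network sensor cannot read once the session is encrypted.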

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Cannon malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2018-15981
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:

Product                                                        | Version    | Platform                             | Priority | Availability
Adobe Flash Player Desktop Runtime                             | 31.0.0.153 | Windows, macOS                       | 1        | Flash Player Download Center; Flash Player Distribution
Adobe Flash Player for Google Chrome                           | 31.0.0.153 | Windows, macOS, Linux, and Chrome OS | 1        | Google Chrome Releases
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 31.0.0.153 | Windows 10 and 8.1                   | 1        | Microsoft Security Advisory
Adobe Flash Player Desktop Runtime                             | 31.0.0.153 | Linux                                | 3        | Flash Player Download Center
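A version check that decides whether an installed Flash Player falls in the affected range, as an added example (not Adobe's code and not from the bulletin). It compares dotted version strings numerically, because a plain string comparison would treat 31.0.0.9 as newer than 31.0.0.148; the affected and fixed versions are the ones quoted in the advisory above, and the function names are my own.

```python
import re

# Versions quoted in the Adobe advisory above: 31.0.0.148 and earlier are
# affected, 31.0.0.153 is the fixed release for every product in the table.
LAST_AFFECTED = "31.0.0.148"
FIXED = "31.0.0.153"

VERSION_RE = re.compile(r"\d+(\.\d+)*")


def parse_version(version):
    """Split a dotted version string into a tuple of ints.

    Tuples compare element by element, so (31, 0, 0, 9) < (31, 0, 0, 148),
    whereas the strings "31.0.0.9" and "31.0.0.148" compare the wrong way round.
    """
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(installed):
    """True if the installed version is 31.0.0.148 or earlier."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def needs_update(installed):
    """True if the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED)


def inventory_report(inventory):
    """Given {hostname: version} (constructed input), return the hosts still on an affected build."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ws-01": "31.0.0.148", "ws-02": "31.0.0.153", "ws-03": "31.0.0.9", "ws-04": "30.0.0.154"}
    print("Hosts needing the update:", inventory_report(sample))
```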
Zorro Ransomware
A ransomware that has been distributed since the summer of 2018 has started to pick up steam in the latest variant. This new variant is currently being called Zorro Ransomware, but has also been called Aurora Ransomware in the past.

It is not currently known how this ransomware is distributed, but there are indications it may be installed by breaking into computers that run Remote Desktop Services and are exposed to the Internet. The attackers brute force the passwords of RDP accounts to gain access to the computer and install the ransomware.

When installed, the ransomware will connect to a Command and Control server to receive data and to receive an encryption key to be used to encrypt the victim’s files.
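The RDP brute-force path described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive), often followed by a successful 4624 from the same address. The script below is an added example, not code from the original report or from BleepingComputer. It reads a constructed CSV export of such events, applies a sliding window per source IP, and reports addresses that cross a failure threshold together with whether a successful RDP logon followed. The export format, sample addresses, threshold and window are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real data).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
# 203.0.113.45 hammers several accounts within seconds and then gets in;
# 192.0.2.8 is a user who mistyped a password once.
SAMPLE_EVENTS = """\
TimeCreated,EventID,LogonType,IpAddress,TargetUserName
2018-11-20T02:00:01,4625,10,203.0.113.45,administrator
2018-11-20T02:00:02,4625,10,203.0.113.45,admin
2018-11-20T02:00:03,4625,10,203.0.113.45,administrator
2018-11-20T02:00:04,4625,10,203.0.113.45,backup
2018-11-20T02:00:05,4625,10,203.0.113.45,administrator
2018-11-20T02:00:06,4625,10,203.0.113.45,administrator
2018-11-20T02:00:09,4624,10,203.0.113.45,administrator
2018-11-20T08:15:00,4625,10,192.0.2.8,jsmith
2018-11-20T08:15:30,4624,10,192.0.2.8,jsmith
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def load_events(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["TimeCreated"]),
            "id": int(r["EventID"]),
            "type": int(r["LogonType"]),
            "ip": r["IpAddress"],
            "user": r["TargetUserName"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {ip: {"failures": peak count in window, "users": accounts tried,
    "success_after": True if a successful RDP logon from that IP followed}}.
    """
    findings = {}
    recent_failures = defaultdict(list)
    for ev in load_events(text):
        if ev["type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons matter here
        ip = ev["ip"]
        if ev["id"] == FAILED_LOGON:
            recent_failures[ip].append(ev)
            # keep only failures that fall inside the window ending at this event
            recent_failures[ip] = [f for f in recent_failures[ip] if ev["ts"] - f["ts"] <= window]
            if len(recent_failures[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent_failures[ip]))
                entry["users"].update(f["user"] for f in recent_failures[ip])
        elif ev["id"] == SUCCESS_LOGON and ip in findings:
            # a success from an address already flagged is the worst case: the guess worked
            findings[ip]["success_after"] = True
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = "SUCCEEDED" if info["success_after"] else "ongoing"
        print(f"{ip}: {info['failures']} failed RDP logons, accounts {sorted(info['users'])}, {status}")
```

The flagged address with success_after set is the one to act on first: a successful RDP logon after a burst of failures is exactly the foothold the ransomware needs, and the obvious mitigations are not exposing RDP to the Internet at all, or at least requiring a VPN or gateway with multi-factor authentication in front of it.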

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Zorro Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from ransomware. Avoid clicking unknown links and downloading suspicious attachments.