CamuBot Malware


A new financial malware bucks the trend: rather than relying on heavy stealth techniques to stay hidden, it camouflages itself as a legitimate bank security module. The malware currently appears to focus on Brazilian banks, and business banking customers are the most likely targets.

The operators behind the malware begin with basic reconnaissance to find businesses that bank with an institution of interest. They then phone someone at the business who is likely to know the information required to access the company's bank account.

While masquerading as a bank employee, a criminal involved in the scheme then attempts to direct the victim to an online domain in order to ‘check the status’ of a security module.

The victim is then directed to install a “new” security module, which is, in fact, an installation wizard for the CamuBot Trojan.

A fake Windows application, carrying the target bank's logo, then executes. CamuBot writes dynamic files to the Windows folder to establish an SSH-based SOCKS proxy module and adds itself to the Windows Firewall so that it appears trusted.
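One defender-side check that follows from the paragraph above is to triage Windows Firewall rules for programs placed directly in the Windows folder. The script below is an added example, not code from the page or from ZDNet: it parses the text layout of `netsh advfirewall firewall show rule name=all verbose` and flags enabled Allow rules whose Program path sits under the Windows folder but outside the subfolders Windows itself uses for rule-bound binaries. The rule names, paths and values in the sample output are constructed for this example, not captured from a real host.

```python
"""Triage Windows Firewall rules for the CamuBot pattern described above.

Added example, not code from the page or from ZDNet. It parses the text
layout of `netsh advfirewall firewall show rule name=all verbose` and
flags enabled Allow rules whose Program sits under the Windows folder but
outside the subfolders Windows itself uses for rule-bound binaries. The
sample output below is constructed for this example, not captured.
"""
import re
from typing import Dict, List

SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Program:                              C:\Windows\system32\svchost.exe
Service:                              dnscache
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow

Rule Name:                            Banco Seguranca Module
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\Windows\bankmodule.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
"""

# "Key:   value" lines; the key is the text before the first colon.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
# Subfolders of %SystemRoot% where Windows' own rule-bound binaries live.
EXPECTED_SUBDIRS = {"system32", "syswow64", "winsxs", "servicing"}
WINDOWS_ROOTS = {"windows", "%systemroot%", "%windir%"}


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict per rule, keyed by field name."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1).strip(), match.group(2).strip()
        if key == "Rule Name":          # a new rule block starts here
            current = {}
            rules.append(current)
        if rules:
            current[key] = value
    return rules


def is_suspicious(rule: Dict[str, str]) -> bool:
    """True for an enabled Allow rule bound to a program placed directly in
    the Windows folder or in a subfolder Windows does not normally use."""
    if rule.get("Action", "").lower() != "allow":
        return False
    if rule.get("Enabled", "").lower() != "yes":
        return False
    program = rule.get("Program", "")
    if not program or program.lower() == "any":
        return False
    parts = program.replace("/", "\\").lower().split("\\")
    for index, part in enumerate(parts):
        if part in WINDOWS_ROOTS:
            rest = parts[index + 1:]
            # A bare file in the Windows folder, or an unexpected subfolder.
            return len(rest) == 1 or rest[0] not in EXPECTED_SUBDIRS
    return False


def find_suspicious_rules(text: str) -> List[str]:
    """Names of rules worth a manual look, in the order they appear."""
    return [rule["Rule Name"] for rule in parse_rules(text) if is_suspicious(rule)]


if __name__ == "__main__":
    for name in find_suspicious_rules(SAMPLE_NETSH_OUTPUT):
        print("review firewall rule:", name)
```

The output is a triage list, not a verdict: legitimate rules for programs under `C:\Windows\Microsoft.NET` or similar will also be listed, and an analyst still needs to confirm what the binary is and whether the inbound Allow on all ports matches any business need.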

The victim is then redirected to a phishing website where they are asked to log in with their bank credentials. This domain then sends the account information to the threat actors behind CamuBot.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against CamuBot malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware such as CamuBot.

CVE-2018-12377

Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. In one case, a use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash.

Source: Mozilla

How do you protect yourself?

Update to Firefox ESR 60.2 to fix this vulnerability.

Fallout Exploit Kit

A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware downloading Trojans, and other potentially unwanted programs (PUPs).

The kit is installed on hacked sites and attempts to exploit vulnerabilities on a visitor's computer. The vulnerabilities exploited are in Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).

The Fallout Exploit Kit has been observed installing the GandCrab ransomware on Windows machines; macOS visitors are instead redirected to pages promoting fake antivirus software or fake Adobe Flash Player updates.

If the exploit succeeds, Windows downloads and installs a Trojan on the computer. This Trojan checks for the following processes and, if any are found, enters an infinite loop and performs no further malicious activity.

Otherwise, it downloads and executes a DLL that installs the GandCrab ransomware. When GandCrab infects a computer, it appends the .KRAB extension to encrypted files and drops a ransom note named KRAB-DECRYPT.txt.
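The two file-system indicators named above (the .KRAB extension and the KRAB-DECRYPT.txt note) are enough for a quick triage sweep. The script below is an added example, not code from the page or from BleepingComputer: it walks a directory tree, groups the indicators per folder, and separates folders that already hold a ransom note from folders where encrypted files exist but no note has been dropped yet, which is the signal that encryption may still be running. The sample tree is constructed in a temporary directory for this example.

```python
"""Scan a directory tree for the GandCrab artefacts named above.

Added example, not code from the page or BleepingComputer. It looks for the
.KRAB extension and the KRAB-DECRYPT.txt ransom note, then summarises per
folder, separating folders that already hold a note from folders where
encrypted files exist but no note has been dropped yet. The sample tree is
constructed in a temporary directory for this example.
"""
import os
import tempfile
from typing import Dict, List

ENCRYPTED_EXT = ".krab"          # matched case-insensitively
RANSOM_NOTE = "krab-decrypt.txt"  # matched case-insensitively


def scan_for_gandcrab(root: str) -> Dict[str, object]:
    """Walk root and return the indicators found, grouped by folder."""
    encrypted_by_dir: Dict[str, List[str]] = {}
    notes: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted_by_dir.setdefault(dirpath, []).append(os.path.join(dirpath, name))
    dirs_with_note = {os.path.dirname(path) for path in notes}
    # Encrypted files but no note in the same folder: encryption may still be running.
    in_progress = sorted(d for d in encrypted_by_dir if d not in dirs_with_note)
    return {
        "encrypted_files": sorted(p for files in encrypted_by_dir.values() for p in files),
        "ransom_notes": sorted(notes),
        "folders_without_note": in_progress,
        "infected": bool(notes) or bool(encrypted_by_dir),
    }


def build_sample_tree() -> str:
    """Create a constructed tree: one folder fully processed, one still in
    progress, one clean. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="gandcrab_demo_")
    layout = {
        "Documents": ["report.docx.KRAB", "budget.xlsx.KRAB", "KRAB-DECRYPT.txt"],
        "Pictures": ["holiday.jpg.KRAB"],
        "Clean": ["readme.txt"],
    }
    for folder, files in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_gandcrab(demo_root)
    print("infected:", result["infected"])
    print("encrypted files:", len(result["encrypted_files"]))
    print("ransom notes:", result["ransom_notes"])
    print("folders still without a note:", result["folders_without_note"])
```

Point `scan_for_gandcrab` at a user profile or a file share to get the same summary; a non-empty `folders_without_note` list is the case where isolating the host first matters more than cataloguing the damage.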

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Fallout Exploit Kit and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.