Banking Trojan targets Google Search Results (SEO)
Nov 2, 2017 - "It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion. By targeting primarily financial-related keyword searches and ensuring that their -malicious- results are displayed, the attacker can attempt to maximize the conversion rate of their infections, as they can be confident that infected users will be regularly using various financial platforms, which will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time... The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google.
By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims...
Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking a link, opening an attachment or even blindly trusting the results of a Google search..."
IPs Distributing Maldocs:
C2 IP Addresses:
(More detail at the talosintelligence URL above.)
'Coin Miner' Malware - hits Google Play
"... However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER. This is not the first time we’ve found these types of apps on app stores. Several years ago, we found malicious apps on the Google Play store detected as ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.*
We found two apps; one supposedly helps users pray the rosary, while the other provides discounts of various kinds:
These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of -any- performance degradation on their devices after installing an app. We have reached out to Google, and the apps mentioned in this post are no longer on Google Play..."
Related posts: http://blog.trendmic...e-banking-apps/
"... Conclusion: Fileless attacks are becoming more common. Threat actors are increasingly using attack methods that work directly from memory and use legitimate tools or services*. In this case, WMI subscriptions have been used by this cryptocurrency-mining malware as its -fileless- persistence mechanism. Since there are no malware files on the hard drive, it’s more difficult to detect..."
* Fileless Threats that Abuse PowerShell
Edited by AplusWebMaster, 03 November 2017 - 11:51 AM.
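As an added example (not code from the Trend Micro or Talos posts quoted above), the PowerShell below lists the permanent WMI event subscriptions that the Trend Micro conclusion names as the miner's fileless persistence mechanism and flags the bindings whose consumer runs a command line or script. It assumes Windows PowerShell with the CIM cmdlets and an elevated session; the Get-RefName and Get-WmiPersistence function names are my own.

```powershell
# Added example, not from the quoted posts. Enumerates root/subscription,
# where permanent WMI event subscriptions (filter + consumer + binding) live.
function Get-RefName {
    # Binding references are CimInstance objects under the CIM cmdlets and
    # strings such as __EventFilter.Name="x" under the legacy WMI cmdlets;
    # return the Name in either case.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '.*Name="([^"]*)".*', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        # Only CommandLineEventConsumer and ActiveScriptEventConsumer carry
        # code to execute; those are the bindings worth a second look.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $null }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query              # the WQL trigger (e.g. a timer)
            Consumer   = $cName
            Type       = $c.CimClass.CimClassName
            Payload    = $payload
            Suspicious = [bool]$payload
        }
    }
}

Get-WmiPersistence | Format-List
```

Review any entry with Suspicious set to True against change records; a benign host normally has no command-line or script consumers at all.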