Note to readers: PhishLabs will be represented by Paul Black at MalCon 2016 in Puerto Rico from October 18-21. At MalCon 2016, Paul will review the evolution of malware targeted at banks and financial institutions, reviewing notable trending data and methods to combat them. Contact PhishLabs for ongoing concern, questions and a deeper dive into the latest remediation techniques.
The cat and mouse game between malware researchers and threat actors operating banking Trojans began with the creation and propagation of the Zeus banking trojan in 2007. Since Zeus’s release, the number of banking trojans has increased continually, yet the anti-analysis mechanisms used by cybercriminals to obstruct researchers appear to have plateaued.
PhishLabs is investigating multiple online scams involving news about Hurricane Matthew. Some of these scams are using news of the hurricane to distribute malware via email attachments and malicious links. Other scams are posing as charities and are requesting relief donations. Individuals should be on high alert and be suspicious of any online communication that mentions Hurricane Matthew.
Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another reason is because legitimate sites that have only been recently compromised are less likely to be blacklisted by internet browsers and other security measures.
Earlier this year, PhishLabs wrote an in-depth analysis on Marcher, an Android Banking Trojan which is available for purchase as a kit on underground marketplaces. Marcher runs in the background on an infected device and monitors its operation to detect the launch of specific applications or websites. When a targeted application or site is opened, Marcher overlays the screen with a customized phishing site which mimics the look and feel of the targeted institution. Recent samples of Marcher have demonstrated an increase in total number of targeted institutions as well as a spread to additional geographic locations.
During a recent analysis of a business email compromise (BEC) scam, we observed a lure attempting to install the Olympic Vision Keylogger. Further research determined that this keylogger and the accompanying Olympic Vision Crypter were used in a larger campaign, targeting multiple organizations using a variety of different lures, including invoice lures and shipment confirmation lures. This campaign appears to be originating out of South Africa, utilizing both maliciously registered free domains as well as compromised domains.
Many of the cybercriminals behind some of the most devastating cyber-attacks used phishing as the initial attack vector. At PhishLabs, we maintain a massive repository of phish kits that we continually analyze for intelligence about phishing tactics and techniques. The complexity and sophistication of these kits vary greatly.
About Parts One and Two
This post is the conclusion of a three-part blog analyzing "Marcher" malware that targets the Android platform. Read part one here and part two here. To round out the discussion, let’s cover the network and host indicators associated with this trojan.
About Part One
Last week I posted a blog analyzing "Marcher" - malware targeting the Android platform. Designed to steal mobile banking app credentials from banking customers, it is one of the most prevalent Android password stealers seen in the wild. Read part one here.
Part 1 of 3
"Marcher" is malware targeting the Android platform. It is designed to steal mobile banking app credentials from customers of many different financial institutions. Distributed through a variety of means, it is one of the most prevalent Android password stealers seen in the wild, second only to Svpeng.