Stephen Coty

Stephen Coty
on August 28, 2018

Threat Report Tuesday August 28th 2018

Threat Report

The Ryuk ransomware campaign targeting large organizations in the US and around the world has earned the attackers behind it over $640,000 in bitcoin in the space of just two weeks. It appears to be connected to Lazarus, the hacking group operating out of North Korea. The Ryuk campaign targets enterprises that are capable of paying a lot of money in order to get back on track.

Secondly, security researchers at Kaspersky Lab have uncovered a new campaign, dubbed “AppleJeus”, being carried out by the North Korean APT group Lazarus. The group has been highly active in recent months, and researchers note that this is the first time it has not only targeted Windows systems but also targeted macOS, developing a macOS-based version of the FallChill malware. The breach was traced back to an email to an unsuspecting employee of a cryptocurrency exchange company, who downloaded the legitimate-looking third-party program Celas Trade Pro, a cryptocurrency trading application developed by Celas.

Malware: Ryuk ransomware

Ryuk first emerged in mid-August and in the space of just days infected several organizations across the US, encrypting victims' PCs, storage and data centers and demanding huge Bitcoin ransoms. The attacks are highly targeted, to the extent that the perpetrators conduct tailored campaigns involving extensive network mapping, network compromise and credential theft in order to reach the end goal of installing Ryuk and encrypting systems.

For more information there are a few links below:

Siliconangle

Cryptonewsreview

Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for the download of malicious files
  • Intrusion detection systems (IDS) to detect additional payload downloads
  • A solid backup strategy for easy restore, so as not to disrupt business operations
  • 24x7 Security Monitoring for malicious behavior and immediate incident response
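
The first two items above describe the same control at different layers: record what is on disk, then alert when something new or altered appears. The script below is an added example written for this post, not code from Perch or from any FIM product. It baselines a directory tree with SHA-256 digests, compares a later snapshot against it, and lists added, modified and removed files, calling out newly appeared executables separately. The directory contents, file names and the executable-suffix list are constructed for the demonstration.

```python
"""File-integrity check: baseline a directory tree, then report new, changed and removed files."""
import hashlib
import os
import tempfile
from pathlib import Path

# Suffixes treated as executable content when reporting (an assumption of this example;
# a real deployment would key on file type, signature status and location as well).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".ps1", ".dmg", ".app", ".sh"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (path relative to root, POSIX form) to its digest."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots; 'new_executables' is the subset of added paths worth paging on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    new_executables = [p for p in added if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {"added": added, "modified": modified, "removed": removed,
            "new_executables": new_executables}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tree, then simulate a dropped binary, a tampered library
    and a deleted file, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.dll").write_bytes(b"original library (constructed)")
        (root / "readme.txt").write_text("hello")
        baseline = build_baseline(root)
        # Simulated changes between the two snapshots.
        (root / "bin" / "updater.exe").write_bytes(b"newly dropped binary (constructed)")
        (root / "bin" / "app.dll").write_bytes(b"altered library (constructed)")
        (root / "readme.txt").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Storing the baseline outside the monitored host (or signing it) matters: an attacker who can write to the disk being monitored can also rewrite a baseline kept there, which is why commercial FIM ships digests to a separate collector.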

Malware: AppleJeus

The malware first checks whether the victim is worth attacking. It runs an auto-updater that contacts the C&C server to download and run additional executables, including the payload, the FallChill backdoor. In turn, the FallChill malware can secretly take over the victim's computer and carry out cryptocurrency mining. Researchers suspect Celas is a fake company created by the North Koreans. Researchers also believe that a Linux version of the malware may already be circulating, if it is not still in development.

For more information there are a few links below:

SCmagazine

Pastebin

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for communication to the C2 network
  • Email filtration to find malicious attachments
  • FIM looking for the downloaded executables related to the FallChill backdoor
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

