Threat Report
In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels. The other is The Nozelesn Ransomware is a crypto- threat that was reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, the Nozelesn Ransomware leaves little or no traces on compromised machines and creating detection rules turned out to be troublesome. The team behind the Nozelesn Ransomware appears to target the users based in Poland judging from the initial submissions and the way it spreads to PC users.
Malware: OSX.Dummy
Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is currently being spread via cryptocurrency-focused Slack and Discord channels. Cryptocurrency enthusiasts are convinced by attackers to type a long command inside their Mac terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” file then sets itself as a launch daemon to maintain persistence. It then creates a Python script that opens a reverse shell to a server, which gives attackers access to infected hosts. The server can be traced back to 185.243.115.230:1337. Additionally after the code is run, the malware requests the user’s root password and saves it un-encrypted in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, allowing the attacker ease of access for future malicious operations. Researchers state that the malware is simplistic and easy to detect with standard malware detection tools.
For more information there are a few links below:
Links:
Some Mitigation Strategies:
- File Integrity Management looking for the installation of python scripts into /tmp and /users/shared
- Intrusion detection systems (IDS) would detect network communication over port 1337
- 24x7 Security Monitoring for malicious behavior and immediate incident response
Malware: Nozelesn
Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. Researchers first noticed chatter regarding the malware from multiple Polish victim submissions to ID ransomware, as well as a newly generated discussion started by victims on BleepingComputer forums. According to a researcher at CERT Polska, the Computer Emergency Response Team for Poland, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, files are encrypted with a “.nozelesn” extension. Following encryption, the malware creates a ransom note offering to fix the computer, labelled HOW_FIX_NOZELESN_FILES.htm. The note contains instructions together with a personal code to login to TOR payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently .10 BTC or roughly $660 USD.
Links:
Some Mitigation Strategies:
- Intrusion detection systems (IDS) to monitor for malicious communication
- File Integrity Management is looking for new files being installed on the system
- Log Management would collect data on C$ shares and other lateral movement
- Mail Filtration to capture potential files attached to phishing emails
- 24x7 Security Monitoring with Focused Security Content for solid threat detection
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
Next: Threat Report Wednesday June 18th 2018
Share this on:
Subscribe to our blog