ShadowTalk Update – 09.17.2018
September 17, 2018
In this week’s ShadowTalk, Richard Gold and Simon Hall join Michael Marriott to discuss the latest spate of attacks by the threat actor known as Magecart. We dig into the history of Magecart, different approaches to web skimming, and provide advice on how organizations can best protect against this threat.
Fallout exploit kit identified distributing GandCrab ransomware
The Fallout exploit kit has been observed distributing GandCrab ransomware to victims in the Middle East through a malvertising campaign. The kit exploits CVE-2018-8174, a remote code execution flaw in the Windows VBScript engine, and the final payload depended on the victim's operating system: Microsoft Windows users received the ransomware, while macOS users, who are not affected by that vulnerability, were redirected to social engineering pages instead. The campaign's new payload and new target geographies indicate that Fallout's operators are expanding its capabilities. Although the vulnerabilities Fallout exploits remain the same as previously reported, the addition of GandCrab suggests its developers will likely add further exploits to support ransomware-as-a-service operations.
APT group Silence increases TTP capabilities, targets financial sector
The advanced persistent threat (APT) group Silence has significantly developed its tactics and tools since 2016. In attacks on financial institutions in more than 25 countries, Silence has attempted to compromise interbank communication systems, ATMs and card processing platforms to steal information. The emergence of custom tools developed by Silence suggests an increase in the group's capability and sophistication. Additional incidents involving custom tools developed and operated by Silence will likely be observed within the next six to twelve months.
Recently identified threat actor “PowerPool” exploits Windows zero-day vulnerability
A recently identified threat actor named PowerPool has exploited a recently disclosed Windows zero-day local privilege escalation vulnerability. The group modified and recompiled the source code of the publicly released proof-of-concept exploit to escalate its privileges, then used the resulting access to replace the contents of a legitimate executable with malicious code. The replaced file gives PowerPool persistence on the system and can be removed remotely if it is detected. Additional technical details were unavailable at the time of writing. Historically, PowerPool has used unnamed backdoor variants for reconnaissance, and it likely followed the same approach in this campaign. Overwriting a legitimate Windows utility allowed PowerPool to lower its risk of detection and obscure its code delivery.
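The tell-tale of the technique above is a legitimate binary that keeps its path and name but no longer carries its vendor's signature. The post does not say how the overwritten file is launched, so the following check is an added example (not PowerPool tooling or anything from the original post) that assumes the common case of an executable run by a scheduled task; it enumerates the executables that scheduled tasks launch and flags any whose Authenticode signature is no longer valid, along with the file's hash and last write time. It requires the ScheduledTasks module (Windows 8 / Server 2012 and later) and is best run from an elevated prompt so that tasks of other principals are visible.

```powershell
# Added example: find scheduled-task executables whose signature no longer verifies.
# A file whose contents were replaced in place keeps its path but loses its signature.
$results = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions have an Execute property; COM handler actions are skipped
        if (-not $action.Execute) { continue }

        # Expand %SystemRoot%-style variables and strip surrounding quotes
        $path = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Task     = "$($task.TaskPath)$($task.TaskName)"
            Path     = $path
            Status   = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
            SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Modified = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

# Anything whose status is not 'Valid' deserves a look. A recent LastWriteTime on a
# binary that was installed long ago is the second indicator of an in-place overwrite.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Unsigned binaries are not automatically malicious (plenty of legitimate software ships unsigned), so treat a hit as a lead: compare the SHA256 against the vendor's known-good release, and look at who last wrote to the file and when. Extending the same loop to Run keys and service ImagePath values covers the other places a replaced binary would be launched from.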
To stay up to date with the latest Digital Shadows threat intelligence and news, subscribe to our threat intelligence emails here.