July has been a busy month for the distributors of GandCrab ransomware. After about two months with no major update, the cybercrime gang behind GandCrab released version 4, and a few days later, version 4.1. The primary delivery method is via compromised WordPress websites, which have been hijacked to include fake crack application pages, which in turn redirect to the GandCrab executable. Other distribution methods are Exploit Kits (EK) and malicious email campaigns.
A new highly sophisticated botnet incorporating numerous malicious, evasive techniques is quickly spreading its tentacles. Dubbed MyloBot, the botnet uses an usually complex chain attack and combines multiple anti-analysis techniques to make it more difficult to detect the payload and harder to analyze by security researchers. Initial research published by Deep Instinct points out that everything on the victim’s end takes place in memory, while the main business logic of the botnet is executed in an external process using code injection. This makes it even harder to detect and trace.
Adobe disclosed that a Flash zero-day was being exploited in targeted attacks against Windows users. The critical vulnerability was discovered and independently reported by several security firms. Successful exploitation of the vulnerability allows arbitrary code execution which can ultimately lead to an attacker assuming full system control.
After more than four years with no weaponized exploits for Adobe Acrobat Reader, researchers at ESET identified a weaponized PDF that allows attackers to execute arbitrary code on the targeted machine and eventually assume full system control. The PDF exploits two previously unknown vulnerabilities, Acrobat Reader vulnerability CVE-2018-4990 and a privilege escalation vulnerability in Microsoft Windows, CVE-2018-8120.
Adobe Reader has a built-in sandbox feature that usually makes exploitation difficult. By combining vulnerabilities, this attack achieves code execution and then bypasses the sandbox protection to fully compromise the targeted system.
In April, researchers at Qihoo 360 Core Security Division discovered a VBScript vulnerability actively exploited in targeted attacks. Since then, it has appeared in additional attack campaigns. The vulnerability, CVE-2018-8174, dubbed "Double Kill", is significant on several counts.
On March 21,2018, Morphisec Labs began investigating the compromised website of a leading Hong Kong Telecommunications company after being alerted to it by malware hunter @PhysicalDrive0. The investigation, conducted by Morphisec researchers Michael Gorelik and Assaf Kachlon, determined that the Telecom group's corporate site had indeed been hacked. Attackers added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page.
Two days ago, researchers at TarLogic published a proof-of-concept APT that leverages CVE-2017-11826, a Microsoft Office 0-day vulnerability existing in all Office versions. Microsoft issued a patch for the vulnerability in October, however many systems still remain at risk.