German Malware Breaches Expected to Spread Westward

This week, we hear the latest on the Chimera and German malware breaches and how malware certificate signing is growing in the cyber underground.

Breach

German Malware Breaches Expected to Spread Westward

Security researchers at a German threat research center have discovered a variant of the Chimera ransomware that has breached several German companies. Chimera is a classic blackmail Trojan, and this variant is being delivered through spear phishing attacks aimed at specific employees of German companies, using fake emails about job applications or job offers.


The emails point them to a Dropbox address to acquire more information; however, if victims click on the link, Chimera begins to encrypt their computer files and the data on their corporate network. Additionally, Chimera also threatens to publish personal media and other information online if the victim fails to pay the 2.45 bitcoin (approximately $500) ransom. 


Researchers believe that Chimera will spread to other Western countries such as the US and UK. Security researchers have seen many variants of CryptoLocker targeted at different countries and tailored for maximum effectiveness, and there is no reason to suggest that Chimera is localized and will stay confined to Germany.

References: Ransomware's new threat: if you don't pay, we'll publish your photos online | New ransomware threatens to make private files public


Mitigation Strategies:

  • Daily review of system logs for signs of malicious activity
  • Network traffic analysis to detect data exfiltration
  • 24x7 security monitoring to provide anomaly detection
  • In-house training to ensure staff are OPSEC trained

Malware

Malware Certificates Becoming Underground Niche Industry

The dark net has developed yet another niche industry for cyber criminals: the sale of digital certificates that can be used to code-sign malicious software (malware). Security researchers who identified this niche state that it is a lucrative and expanding industry, dominated by the Advanced Persistent Threat (APT) crowd and backed by various states around the world.

One such example is GovRAT. A hacker responsible for GovRAT’s creation was able to fool a legitimate authority into issuing certificates before marketing the rebranded malware certificates to the underground cyber-espionage audience. Moreover, code-signing certificates issued by companies like Comodo and GoDaddy, firms well known for supplying digital credentials to legitimate software developers, are among those offered in the underground. Security researchers stated that cyber criminals have also started offering malware-signing-as-a-service.  

The mechanics of the trade also appear to be elaborate. Cyber criminals obtain these certificates through underground middlemen: APTs buy the certificates used to sign malware from cyber criminals, who in turn obtain them from legitimate sellers. Sellers perform little due diligence and in many cases rarely run background checks. As a result, the use of falsified credentials is rampant, and end-user certificates are hardly ever requested.

References: Stuxnet-style code signing of malware becomes darknet cottage industry | GovRAT, the malware signing-as-a-service platform in the underground


Mitigation Strategies:

Top 20 IP Addresses
