Rietspoof

Rietspoof

Multiple stage malware that starts in messenger or skype, delivers a script that infects and continues on through 4-5 stages depending on the target.

Community Names:

• Trojan.YDJX-4
• Generic.Trojan.Agent.TPE1UM
• VBA:Rietspoof-A [Trj]

Attack Vector:

• Links in Skype & Messenger

References:

• https://www.technadu.com/rietspoof-malware-distribution-skype-messenger/58503/ 
• https://blog.avast.com/rietspoof-malware-increases-activity
• https://twitter.com/malwrhunterteam/status/1097568650507284483
• https://www.hybrid-analysis.com/sample/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008?environmentId=100
• https://twitter.com/James_inthe_box/status/1097569129123311624
• https://malware.sekoia.fr/results/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008
• https://www.virustotal.com/#/file/90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008/detection
• https://www.vmray.com/analyses/90813ad836ef/report/overview.html

Separ

Password stealer virus with some interesting trends.

Community Names:
  Separ
Tactics:

• Living off the Land

Attack Vectors:

• Primarily phishing emails with fake adobe pdf/installer infected attachments
• Some entry points are by accident when people stumble across the infected sites

References:

• https://hackercombat.com/whats-new-with-separ-malware-family-in-2019/
• https://www.deepinstinct.com/2019/02/19/a-new-wave-of-the-separ-info-stealer-is-infecting-organizations-through-living-off-the-land-attack-methods/
• https://threatpost.com/separ-malware-credentials-phishing/142009/
• https://blog.talosintelligence.com/2018/06/threat-roundup-0622-0629.html

Shlayer

Shlayer is a macOS trojan first discovered by researchers at Intego in February 2018. It was first distributed masquerading as an Adobe Flash Player installer. This new variant is being distributed in a similar fashion, this time as an Adobe Flash update via browser pop-ups on hijacked or spoofed websites. In addition, malvertising has also been observed as another distribution method in this new campaign. The new campaign was discovered by Carbon Black’s Threat Analysis Unit (TAU). It was targeting all macOS released up to 10.14.3 Mojave, arriving as files signed by a legitimate Apple developer ID

References: https://www.bleepingcomputer.com/news/security/shlayer-malware-disables-macos-gatekeeper-to-run-unsigned-payloads/ https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8

Speak Up

Community Synonyms

• Named after its C2.
• Likely discovered under different names (TBD)

Detection Characteristics & Behavior

• The initial infection vector is targeting the recently reported vulnerability in ThinkPHP and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor.

Attribution links

• Check Point Researchers were able to correlate SpeakUp’s author with malware developer under the name of Zettabit.

Malware References

• https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

GoScanSSH

GoScanSSH

Community Synonyms

• None noted at this time.

YARA

• https://github.com/raw-data/signatures/blob/master/yara/trojan_linux_GoScanSSH.yar

Possible Code

• https://github.com/ofalk/scanssh

Context of use

• https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Pro-High-CPU/td-p/2245371
• https://searchsecurity.techtarget.com/answer/GoScanSSH-How-does-this-malware-work-and-differ-from-others

Malware References

• https://threatpost.com/goscanssh-malware-targets-ssh-servers-but-avoids-military-and-gov-systems/130812/
• https://blog.talosintelligence.com/2018/03/goscanssh-analysis.html
• https://www.ssh.com/attack/GoScanSSH
• https://exchange.xforce.ibmcloud.com/collection/GoScanSSH-Malware-078ff9e71f01695186d4a7d10abc1a81/reports
• https://www.birger.technology/press/emerging-threat-malware-goscanssh-targets-ssh-devices