Threat Report

Thursday August 9, 2018

Security researchers at Proofpoint have uncovered Dreambot, a new variant of the Ursnif banking Trojan. Though it is still in development, it has been seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Separately, Palo Alto researchers discovered a threat group named DarkHydrus carrying out credential-harvesting attacks using weaponized Word documents, delivered via spear-phishing emails to government and educational institutions in the Middle East. Based on their analysis, DarkHydrus used the open-source Phishery tool to host the command-and-control server that harvests the credentials. The use of Phishery further illustrates DarkHydrus' reliance on open-source tools to conduct its operations.

Malware: Dreambot

Researchers point out that this new variant has new capabilities, which include peer-to-peer (P2P) functionality and Tor communication. The Tor-enabled versions are hard to detect because their communications are encrypted and anonymized.

For more information there are a few links below:

Proofpoint

Virustotal

Some Mitigation Strategies:

Malware: DarkHydrus

Two Word documents using the 0utl00k.net domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.
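As an added illustration that is not part of the original report: Phishery works by injecting a remote-template URL into a Word document's relationship file, so that Word fetches the template and prompts the user for credentials when the file is opened (that mechanism is from the tool's own public description, not from this report). The scanner below unpacks a .docx, looks for external attachedTemplate relationships, and flags any whose host matches the 0utl00k.net domain named above; the .docx it builds for itself is a constructed test fixture, not one of the campaign's documents.

```python
"""Flag external attachedTemplate relationships (the Phishery injection point) in a .docx."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Domain reported in this campaign; extend from your own indicator list.
SUSPECT_DOMAINS = {"0utl00k.net"}


def external_templates(docx_bytes):
    """Return (target_url, flagged) for every external attachedTemplate relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Word keeps the template reference in word/_rels/settings.xml.rels,
            # but scan every relationship part under word/ to be safe.
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # a template bundled inside the package, not fetched remotely
                target = rel.get("Target", "")
                host = (urlparse(target).hostname or "").lower()
                flagged = any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)
                findings.append((target, flagged))
    return findings


def build_sample_docx(template_url=None):
    """Constructed minimal .docx fixture (not a real document), optionally with a template link."""
    rel = ""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    settings_rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()
```

Run `external_templates()` over inbound attachments at the mail gateway or in a sandbox; any external template at all deserves a look, and a hit on a known domain deserves a block.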

Researchcenter

Securityweek

Some Mitigation Strategies:

Stephen Coty
Contractor