Threat Report

Monday July 2, 2018

In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels. The other is The Nozelesn Ransomware is a crypto- threat that was reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, the Nozelesn Ransomware leaves little or no traces on compromised machines and creating detection rules turned out to be troublesome. The team behind the Nozelesn Ransomware appears to target the users based in Poland judging from the initial submissions and the way it spreads to PC users.

Malware: OSX.Dummy

Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is currently being spread via cryptocurrency-focused Slack and Discord channels. Cryptocurrency enthusiasts are convinced by attackers to type a long command inside their Mac terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” file then sets itself as a launch daemon to maintain persistence. It then creates a Python script that opens a reverse shell to a server, which gives attackers access to infected hosts. The server can be traced back to 185.243.115.230:1337. Additionally after the code is run, the malware requests the user’s root password and saves it un-encrypted in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, allowing the attacker ease of access for future malicious operations. Researchers state that the malware is simplistic and easy to detect with standard malware detection tools.

For more information there are a few links below:

Links:

Bleeping Computer

SC Magazine UK

Some Mitigation Strategies:

Malware: Nozelesn

Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. Researchers first noticed chatter regarding the malware from multiple Polish victim submissions to ID ransomware, as well as a newly generated discussion started by victims on BleepingComputer forums. According to a researcher at CERT Polska, the Computer Emergency Response Team for Poland, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, files are encrypted with a “.nozelesn” extension. Following encryption, the malware creates a ransom note offering to fix the computer, labelled HOW_FIX_NOZELESN_FILES.htm. The note contains instructions together with a personal code to login to TOR payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently .10 BTC or roughly $660 USD.

Links:

Cyber Byte

Londrina Security News

Some Mitigation Strategies:

Patrick Snyder

Patrick Snyder
Triage Tyrant

Fearlessly leading our SOC, Patrick investigates and triages customer alerts, living on HungryMan meals and Texas toast to fuel his work with minimal interruption. A call from Patrick is both fruitful and entertaining. Patrick brings his talents to the Perch nest with nearly 20 years of experience in Information Technology eight of those focused on creating security content and security operations management. When he's not triaging your alerts, Patrick writes greeting cards for embarrassing occasions, and polishes his marionette skills.

LinkedIn