Search This Blog

Showing posts with label Digital Security. Show all posts

Janeleiro a New Banking Trojan Targeting Corporate, Government Targets

 

A banking Trojan has been found out by cybersecurity researchers, which has targeted many organizations across the state of Brazil. An advisory has been released on Tuesday by ESET on the malware that was being developed in 2018. 
According to cyber intelligence, the Trojan named Janeleiro primarily focused on Brazil and launched multiple cyber attacks against corporate giants in various sectors such as engineering, healthcare sector, finance, retail, and manufacturing. Notably, the threat actors who are operating the banking trojan have also made attempts to get access into government systems using the malware.

According to the researchers, the Trojan is similar to other Trojans that are currently being operated across the state, specifically in Grandoreiro, Casbaneiro, and Mekotio, to name a major few. 

Janeleiro enters into smart devices similar to most malware, however, some features are different. First, Phishing emails will be sent in small batches, masked as unpaid invoices of the firm. These emails contain links that compromise servers into the system and download a .zip archive hosted in the cloud. If the target opens the archive file, a Windows-based MSI installer then loads the main Trojan DLL into the system. 

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct." 

Interestingly, the Trojan first checks the geo-location of the targeted system's IP address. If the state code is Brazil and it remains and runs its operation but if it is other than Brazil then the malware will exit automatically. 

Janeleiro is being used to frame fake pop-up windows "on-demand," such as when operators compromised banking-related keywords from its machine. Once the operators get access to the system then they ask for sensitive credentials and banking details from targets.

Malware escalation in Q2 2020 : HTTP and Java based script attacks on the rise




While Q2 of this year saw an overall 8% decrease in malware attacks, 70% of them were zero-day attack (attacks occurring after the discovery of a vulnerability and before the release of a patch) - a 12% increase from the previous quarter. After the zero-day attacks, HTTP based attacks marked up to be 34%, and consequently organizations that do not inspect incoming traffic will be blind to one-third of attacks.

 But, there is some good news- encryption attacks reduced to 64% from Q1. Though it comes with a catch, while encryption threats decreased HTTP attacks made a massive jump even after many organizations equip HTTP inspection in their security intel.

 “Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cybercriminals have too,” said Corey Nachreiner, CTO of WatchGuard, on the report.

 “The rise in sophisticated attacks, despite the fact that overall malware detection declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defenses simply can’t catch."

  “Every organization should be prioritizing behavior-based threat detection, cloud-based sand boxing, and a layered set of security services to protect both the core network, as well as the remote workforce.” 

Malware detected in Q2

Java Script-Based Attacks 

 Script attacks like Trojan. Gnaeus and J.S. PopUnder were among the top malware in the last quarter. Both of the access to the user's browser and settings and redirect them. 

 Updating your browser, preventing the browser from loading pages from unknown resources can help combat this malware. 

 Encrypted Excel files 

This malware uses an encrypted Excel file with a default password and once opened- the file automatically runs a VBA script. 

Abracadabra is one such Trojan malware that uses a default password to bypass security as the file is encrypted and later decrypted in Excel. 

 Dos makes a comeback 

 A very old (six years), Dos attacks affecting WordPress and Drupal made in the top 10 malware attack list in Q2. Though these were high in volume, they were concentrated in regions of Germany and Europe.