Lazarus Group Targeted South American Online Casinos
The Lazarus Group, a hacking unit widely believed to run profit-motivated, cybercriminal-style operations on behalf of the North Korean government, attacked an online casino in South America in late 2017, according to researchers at Slovakia-based antivirus firm ESET. There appear to have been multiple infection vectors, including legitimate remote access software such as Radmin and LogMeIn as well as other trojans. The attackers deployed a TCP backdoor capable of executing 20 commands; a session hijacker similar to one used in earlier Lazarus-linked attacks on financial institutions in Mexico and Poland; a rudimentary command-line dropper; variants of the KillDisk wiper, likely used to cover their tracks; a tool that steals passwords saved in browsers; and a modified build of the Mimikatz Windows credential-dumping tool. ESET says it detected this malware on more than 100 endpoints at the as-yet-unnamed casino, and that the attack resembles a campaign against financial institutions in South America that TrendMicro reported on in January.
OceanLotus Group Deploying macOS Backdoor
A suspected state-sponsored hacking unit known as OceanLotus is using a new macOS backdoor, according to new research from TrendMicro. The initial entry vector for the backdoor (detected as OSX_OCEANLOTUS.D) is a malicious, macro-enabled Word document that prompts the target to enable macros in order to view its contents. If the user enables macros, the macro runs a dropper that in turn installs the backdoor. The backdoor collects system information, sends it to its command and control (C2) server, and can receive further commands from the C2. Historically, OceanLotus has targeted human rights, media, research, and maritime construction organizations in and around Southeast Asia.
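The macro-enabled Word lure described above is the one piece of this chain a defender can check structurally before the document ever reaches Word: an Office Open XML file is a ZIP archive, and a VBA project is stored as a part named vbaProject.bin that [Content_Types].xml declares with the application/vnd.ms-office.vbaProject content type. The script below is an added example written for this page, not code from TrendMicro's report or from OceanLotus's tooling; the sample archives it inspects are constructed in memory rather than taken from the campaign, and the function names are the author's own.

```python
"""Flag Office Open XML documents (.docx/.docm/.xlsm/...) that carry a VBA project.

Added example for this page, not from the TrendMicro research it accompanies.
The check is purely structural, so it works offline and does not execute or
parse the macro code itself. It does NOT cover legacy OLE2 .doc/.xls files,
which need a tool such as oletools' olevba.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macros(data: bytes) -> dict:
    """Inspect raw file bytes and report whether a VBA project is present.

    Returns a dict with:
      is_ooxml              - the bytes are a ZIP with a [Content_Types].xml part
      vba_parts             - part names ending in vbaProject.bin (any folder, any case)
      content_type_declared - [Content_Types].xml declares the VBA content type
      has_macros            - either of the two signals above fired
    Flagging on either signal catches files whose authors drop the declaration
    or move the part out of the usual word/ folder to dodge naive scanners.
    """
    report = {"is_ooxml": False, "vba_parts": [],
              "content_type_declared": False, "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not a ZIP container at all, so not OOXML
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return report  # a ZIP, but not an OOXML package
        report["is_ooxml"] = True
        report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["content_type_declared"] = VBA_CONTENT_TYPE in content_types
        report["has_macros"] = bool(report["vba_parts"]) or report["content_type_declared"]
    return report


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive in memory (test input, not a real document)."""
    main_ct = ("application/vnd.openxmlformats-officedocument."
               "wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file; the magic bytes plus
            # filler are enough for the structural check above.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_macros.py file1.docx file2.docm ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_macros(fh.read()))
```

Because the test only looks at container structure, a result of has_macros=False says nothing about a renamed legacy .doc or a document that pulls its payload by other means (OLE objects, external template references); treat the script as a cheap first-pass triage filter in a mail gateway or sandbox pipeline, not as a verdict.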
Compromising Magento Sites to Steal Cards, Mine Cryptocurrency
Flashpoint has released a report detailing a campaign in which criminals compromised more than 1,000 sites running the Magento eCommerce platform, mostly in the education and healthcare sectors, to steal payment card data and mine cryptocurrency. The compromised sites are used to push fake Flash Player updates; the payload, a malware called AZORult, does the data stealing and also installs a second-stage payload, a cryptocurrency miner called Rarog.
Microsoft Fixes RCE Bug in Windows Defender
Microsoft patched a memory corruption vulnerability in Windows Defender that could enable remote code execution. The fix shipped out-of-band, which is normal for Windows antivirus patches: Microsoft updates the Defender engine on an as-needed basis rather than on the monthly Patch Tuesday cycle, and because engine updates are delivered automatically, no action is normally required beyond confirming that endpoints are receiving them.