Each week, FortiGuard Labs publishes a Threat Brief to subscribers that profile notable hot topics and threats that were discovered or discussed during the week. Here is a recap of what we are covering in this week’s Threat Brief:
Malware and Zero Day Attacks
- We breakdown our analysis of a newly discovered variant of the NetWire RAT that is spreading via phishing email. When the victim clicks on a PDF-like picture embedded in the email, the NetWire RAT malware is downloaded. This variant also includes various anti-analysis techniques that it uses to stay concealed. We go into further detail of some of these techniques.
- We also summarize our analysis of a new TrickBot variant that FortiGuard Labs researchers just discovered that was being used in a targeted attack. The threat authors have leveraged some interesting tactics, including concealing their intentions by setting the font color to white within the infected document. They also obfuscated their JavaScript using an abnormally large volume of lines of code to make it more difficult for researchers to reverse engineer that code. There is much more listed in our full analysis.
- A zero-day vulnerability disclosed this week was for vBulletin, a widely used proprietary internet forum software package that powers more than 100,000 websites – including Fortune 500 and Alexa top 1 million companies. According to Zerodium, a zero-day acquisition platform, researchers were actually aware of this exploit and have been selling an exploit for it for three years on the dark web. vBulletin subsequently released an update on Wednesday. If this affects you, patch!
- The Emotet malware awoke from its hiatus this week as well. This latest attack begins with a spear-phishing campaign that uses a Word document that references a recently released memoir of Edward Snowden. The subjects of the email are variations of, “Snowden’s book on Amazon’s bestsellers list.” The malware authors are hoping that interest in the topic will cause victims to open the infected document. FortiGuard Labs has put appropriate detection in place for the IOCs, as well as having released a signature: W32/Emotet.BN!tr VBA/Agent.GBR!tr.dldr
- Finally, our researchers discovered research documenting a large-scale phishing campaign targeted at foreign trading companies in China. The malware authors are spoofing a UK-based trading company and utilizing their domain in the phishing email. The attached document is weaponized to exploit a well-known Microsoft Off Equation Editor vulnerability, CVE-2017-11882. If the document is opened it downloads a file infected with NanoCore RAT. FortiGuard Labs has detections in place for this variant.
Critical Patches and Updates
Several critical zero-day vulnerabilities were announced and patches released this week. Microsoft released out-of-band updates addressing two vulnerabilities: One was an Internet Explorer vulnerability that is being exploited in the wild, and the other is for Microsoft Defender, Microsoft’s anti-malware component in Windows. The Microsoft Defender flaw’s update is automatically applied, so there is no user action needed. But the patch for the Internet Explorer bug should be applied immediately.