Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.

Unit 42 has discovered a new Mirai variant that targets business video display systems. It uses additional exploits, boosts the number of credentials for brute-force attacks and hosts payload on the compromised website of a Colombian security firm.

DNS is a critical foundation of the Internet that makes it possible to get to websites without entering numerical IP addresses. The power that makes DNS beneficial for everyone also creates potential for abuse. Unit 42 researchers explain how attackers can abuse DNS to hide their tracks and steal data using a technique known as “DNS Tunneling.” This research can help organizations understand DNS-based threats and the risks they pose to their environment.

In December 2018, Palo Alto Networks Unit 42 researchers identified an ongoing campaign with a strong focus on the hospitality sector, specifically on hotel reservations. Although our initial analysis didn’t show any novel or advanced techniques, we did observe strong persistence during the campaign that triggered our curiosity.

In November 2018 the Chafer threat group targeted a Turkish government entity reusing infrastructure that they used in campaigns reported earlier in 2018. Unit 42 has observed Chafer activity since 2016, however, Chafer has been active since at least 2015. This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.

Through investigations into infrastructure used by HenBox malware, Unit 42 has discovered another malware family built for the more frequently-targeted Microsoft Windows operating system we named ‘Farseer’.

Since at least 2015, a suspected South Asian threat grouping known as BITTER has been targeting Pakistan and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader. Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia.

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 threat researchers have discovered 23 new vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their February 2019 APSB19-07 security update release and 2 vulnerabilities addressed by the Microsoft Security Response Center (MSRC) as part of their February 2019 security update release.  Severity ratings ranged from Important to Critical for each of these vulnerabilities.

In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.

In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles (here and here) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

One of the most important “innovations” in malware in the past decade is what’s called a Domain Generation Algorithm (“DGA”)”. While DGA has been in use for over 10 years now, it’s still a potent technique that has been a particular challenge for defenders to counter. Fortunately, there are emerging technologies now that can better counter DGAs.

On December 20, 2018 the US Department of Justice indicted two Chinese nationals on charges of computer hacking, conspiracy to commit wire fraud, and aggravated identity theft. The two are alleged members of a hacking group known as menuPass . The compromised organizations were located around the world in industries such as banking and finance, healthcare and medical equipment, government, aerospace, defense, telecommunications, and consumer electronics.  Unit 42 is releasing all IOCs we have associated with menuPass in an effort to provide defenders with an extensive list of their malware and attack infrastructure.

OceanLotus (AKA APT32) is a threat actor group known to be one of the most sophisticated threat actors originating out of south east Asia. 
This blog will cover a new custom downloader malware family we’ve named “KerrDown” which OceanLotus have been actively using since at least early 2018.

Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform.

This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims, stealing saved passwords in Chrome and seeks to steal iPhone text messages from iTunes backups on the tethered Mac.

Redaman is banking malware first noted in 2015 that targets recipients who conduct transactions using Russian financial institutions. We have found versions of Redaman in Russian language mass-distribution campaigns during the last four months of 2018.