Must-Know Malware Attacks: Godzilla Loader, Finfisher, and Slothful Media

Post by Abishek Allapanda Nov 02, 2020

Malware attacks have spiraled out of control in 2020. The COVID-19 pandemic led to the adoption of remote work, which in turn resulted in sensitive and financial information being shared electronically more often. Threat actors are keen to exploit this state of disruption and are experimenting with different tactics to launch complex social engineering and malware attacks. This is making it really hard for security teams to stay on top of all the emerging threats.

Enterprise threat intelligence programs can be tedious with analysts usually being swamped with alerts from various tools. On top of that, to ensure proactive defense, they’re also expected to scan hundreds of blogs, social media, web, and OSINT feeds to gather more intel and trending cybersecurity news. Knowledge NOW aka KNOW from Netenrich is bridging this gap for a lot of users by aggregating cyber threat news and offering FREE global threat intelligence, all in one place.

Trending malware attacks detected by KNOW

KNOW’s threat intel dashboard provides information on the latest threats and adds contextual data for your security team. Today we’re going to dig deep into the “Trending Threats” section in KNOW, and get insights for the top malware attacks referenced over the last 60 days. In case you missed it, our last post covered GravityRAT, IPStorm, Clop, and Ryuk.

Godzilla Loader

Godzilla loader was first discovered in May 2016 and was used to deliver the infamous TrickBot banking trojan. It targets computers running Windows operating system. A new version of Godzilla Loader was recently found on Dark Web forums. Cybercriminals were advertising Godzilla Loader Malware for $500 on Dark web forums, the malware was found to be actively maintained and seemed to be getting new updates periodically.

What does it do?

Godzilla loader comes with a built-in UAC bypass, including a full plugin ecosystem, a propagation module, a keylogger module, and a password-stealing module. The malware is usually delivered via phishing emails and it’s functionalities are eerily similar to that of the Emotet banking trojan. The latest Godzilla Loader variant uses RSA-2048 to verify the identity of the Communication & Control server. It comes with an enhanced security layer which makes the C2 communication safe and has more control flow to fully rely on the Component Object Model (COM) interfaces.

Malware threat intel from KNOW:

• 35,227 Reference(s) to this entity: First seen 1 Jan, 2015, last seen 30 Oct, 2020.
• Aliases: TrickLoader, Nworm, Trick bot, trickbot c&c, GOLD BLACKBURN, The Trick
• Recently Linked To Threat Research – 13 sighting(s)
• Historically Linked To Threat Actors – 5 Related Threatactors: TA505, FIN6, MixMaster, Hidden Cobra, Wizard Spider.
• Historically Linked To Campaign – 1 Related Campaign: Magecart Campaign.
• Recent Sandbox Sighting – 55 sighting(s). Most recent reference: Any Run Sandbox result for Copied_907982968.doc
• Historically Linked To Intrusion Method – 1328 sightings, 52 Related Intrusion Methods: Phishing, Phishing Campaign, Credential Stealing, Spam, Data Exfiltration, Password stealer, Data exfiltrate and 45 more.
• Hashes: 1,721
• Domains: 27

Additional threat intelligence from our experts at the Netenrich Threat Research Center:

Active: Actively maintained with new features added periodically.

Associated C&C Domains: heathbloginfo.com, namerankmate.com, vandulmenage.com

Initially Spotted: Dark Web Sale for $500

Finfisher

FinFisher or FinSpy is a surveillance software that can be covertly installed on targets’ computers by exploiting security lapses in update procedures of other software. Lench IT Solutions plc, the makers of the spyware, have been criticized by human rights organizations for selling these capabilities to repressive or non-democratic states known for monitoring and imprisoning political dissidents. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

What does it do?

FinFisher malware can be installed in many ways, including emails with innocuous-looking attachments, fake software updates, and security flaws in popular software. It’s been observed that the surveillance suite is installed after the target accepts installation of a fake update to commonly used software. Finfisher is designed to evade detection by antivirus software and has versions which work on mobile phones too.

Malware threat intel from KNOW:

• 2,473 References to this entity: First seen 10 Apr, 2015, last seen 9 Sep, 2020.
• Historic Sandbox Sighting – 20 sighting(s)
• Hashes: 2

Additional threat intelligence from our experts at the Netenrich Threat Research Center:

Target: Financial Institutes, Masqueraded as HSBC (recently)

Developer: German Firm

TA: StrongPity (Turkish), other authoritarian regimes

MD5:
dee47b68bc8848b777d69faa011769a7

SlothfulMedia

This malware is an information-stealer which can log keystrokes of victims and modify files. It has been used by threat actors to launch sophisticated cyber attacks aimed at targets in Russia, Ukraine, Kyrgyzstan, Malaysia, India, and Kazakhstan.

What does it do?

The malware deploys two files when executed, the first file is a remote access tool (RAT), mediaplayer.exe, designed for command and control (C2) of target computer systems. The RAT can run commands, take screen shots, terminate processes, modify files and the registry. It leverages Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP) to communicate with its command and control server.

The second file removes the dropper once the RAT gains persistence on the victim system using the “Task Frame” service, which enables the RAT to be loaded after reboot.

Malware threat intel from KNOW:

• 9 Reference(s) to this entity: First seen 16 Nov, 2017, last seen 2 Oct, 2020.

Additional threat intelligence from our experts at the Netenrich Threat Research Center:

The hacking group is infamous for making 4 malwares: KingofHearts, QueenofHearts, QueenofClubs, JackofHearts. The group Powerpool is known to be the owner and has been active since 2014.

Active: Since 2017

Written in: C++

Developer: PowerPool or IamtheKing

Suspected nationality: China

Method: Powershell for Lateral Movement

Target: Windows

Threat intelligence is broken, but it doesn’t have to be. Even with enough cybersecurity sources to go around, your team never has the time to stay on top of all the news about malware attacks. Sign up for the most powerful free threat intelligence tool available today to:

1. PREVENT: Discover risks associated with IP addresses, domains, hashes, vulnerabilities, threat actors, malware, or companies, with scores for current and predicted risk—all in one screen.

2. PROTECT: Access critical threat context on known associations with IOCs. Export lists to update firewalls, discover domains linked to major threats, uncover new IPs to blacklist, and much more.

3. PERSONALIZE: Keep track of threats that matter to your business. Follow relevant entities and news topics grouped in several available categories.

About the Author

Abishek Allapanda