Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/2/2016
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Macro Malware Resurgence Highlighted By Kasidet Outbreak

Also known as Neutrino, this piece of malware is another case of Office macro malaise.

The Neutrino bot is getting a new boost of rejuvenation from a retro form of distribution that's been making a huge comeback lately. According to research last week out from Zscaler, Neutrino--also known as Kasidet--has spiked again in the wild with the help of malicious Microsoft Office macros. This latest example of VBA-related malware is another piece of evidence that a once forgotten class of malware has roared back to life in the last 18 months.

The delivery of Kasidet backdoors is the continuation of a months-long series of campaigns to drop the Dridex banking malware on victim computers using malicious macros, Zscaler reseachers say.

"Over the past two weeks we are seeing these malicious VBA macros leveraged to drop Kasidet backdoor in addition to Dridex on the infected systems," Zscaler's researchers wrote. "These malicious Office documents are being spread as an attachment using spear phishing emails."

The variant of Kasidet identified in this latest campaign features two main information-stealing features. The first is through browser hooking. And the second is through the point-of-sale (POS) system memory scraping functionality Kasidet is starting to increasingly employ. Once known primarily for its distributed denial-of-service (DDoS) arsenal, its POS targeting features began popping up in earnest last spring.

"Upgrading old malware to include PoS RAM-scraping capabilities is a new technique in the threat landscape, but it’s not surprising given how lucrative stolen payment card data is. It shows that more and more cybercriminals are putting two and two together to make more money," wrote TrendMicro researchers  in an explanation last fall of the phenomenon.

Zscaler researchers say that the inclusion of Kasidet in an ongoing push for Dridex shows how much cyber crooks share underlying infrastructure and delivery mechanisms. As such, infosecurity professionals should expect to see more macro malware in 2016.

According to the most recent McAfee Labs Threat Report Office macro malware has reached a crescendo over the last 18 months. Barely making a dent  in 2013, it started coming back gradually in 2014 until it spiked at the end of that year. Since then, criminals have been on a tear taking advantage of macro vulnerabilities. At the end of third quarter in 2015, year over year growth in macro threats tripled. And McAfee says it has reached its highest level since 2009. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...