A new Android RAT (Remote Access Trojan), detected under the name GhostCtrl, can lock mobile devices by resetting their PIN and display a ransom note to infected victims. These ransomware capabilities were observed in GhostCtrl's source code but not in real-world infections, where the RAT was mostly used for its data exfiltration capabilities. GhostCtrl was discovered by Trend Micro researchers as part of a wave of attacks against Israeli healthcare organizations. That campaign primarily targeted Windows computers with RETADUP, a combination of worm, infostealer and backdoor trojan.
New “operational” samples of the NukeBot banking trojan have emerged months after its original creator published its source code. The NukeBot source code leak, in late March 2017, apparently attracted the attention of malware developers seeking to push out their own threats. Kaspersky Lab’s Sergey Yunakovsky spotted some of those new samples in the wild. A few are fully “active,” but most of them work only in a limited form.
Google is making it harder to accidentally install a malicious plugin. Today, the company announced changes to the way Google services handle plugins, adding new warnings for users and a more involved verification process for apps. The result is more scrutiny of apps plugging into Google services, and more active involvement from Google when an app seems suspicious. The changes come after a sophisticated phishing worm hit Google Drive users in May, masquerading as an invitation to collaborate on a document. The malicious plugin was not controlled by Google, but because it was named “Google Docs,” the app was able to fool many users into granting it access to their accounts. Once granted access, it sent a new request to everyone in the target’s contact list, allowing the app to spread virally. Ultimately, the app was blacklisted by Google, but not before it reached tens of thousands of users.
The sensitive personal and financial details of nearly 2.2 million Dow Jones & Co. customers were inadvertently exposed due to a configuration error on a cloud storage server, the publication confirmed on Monday. The exposed data, which included the names, addresses, account information, email addresses and last four digits of credit card numbers of those customers, including Wall Street Journal and Barron’s subscribers, was accessible online to anyone who had an Amazon Web Services account.
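“Accessible to anyone with an AWS account” is the signature of a storage ACL that grants access to the AuthenticatedUsers group rather than to specific principals; the group name sounds restrictive but matches every AWS account in existence. The article does not say which storage service was involved, so the following is an added example (not code from the article or from Dow Jones) that assumes an S3 bucket ACL in the shape returned by boto3’s get_bucket_acl(). The ACL document is constructed for illustration; the group URIs are the documented AWS values.

```python
"""Flag S3 bucket ACL grants that expose a bucket to every AWS account or to the
anonymous public.  Added example; the ACL document below is constructed in the
shape returned by boto3.client("s3").get_bucket_acl(Bucket=...)."""

# Documented grantee URIs for the two S3 predefined groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anonymous
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account

EXPOSING_GROUPS = {
    ALL_USERS: "AllUsers (anonymous)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)",
}

# Constructed ACL: the owner keeps FULL_CONTROL, but a second grant gives READ to
# every authenticated AWS account, i.e. anyone who signs up for AWS.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-example"},  # hypothetical canonical ID
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def _exposing_group(grant):
    """Return the human label if this grant targets an exposing group, else None."""
    grantee = grant.get("Grantee", {})
    if grantee.get("Type") != "Group":
        return None
    return EXPOSING_GROUPS.get(grantee.get("URI", ""))


def find_exposing_grants(acl):
    """Return (group_label, permission) pairs for grants to AllUsers or
    AuthenticatedUsers.  READ on a bucket lets the grantee list every object."""
    findings = []
    for grant in acl.get("Grants", []):
        label = _exposing_group(grant)
        if label is not None:
            findings.append((label, grant.get("Permission", "")))
    return findings


def is_exposed(acl):
    return bool(find_exposing_grants(acl))


def remediated(acl):
    """Return a copy of the ACL with the exposing group grants dropped; the
    result is what you would pass back via put_bucket_acl(AccessControlPolicy=...)."""
    kept = [g for g in acl.get("Grants", []) if _exposing_group(g) is None]
    return {"Owner": acl.get("Owner"), "Grants": kept}


if __name__ == "__main__":
    for label, perm in find_exposing_grants(SAMPLE_ACL):
        print(f"EXPOSED: {perm} granted to {label}")
    # Against a live bucket (requires boto3 and credentials; not run here):
    #   acl = boto3.client("s3").get_bucket_acl(Bucket="my-bucket")
    #   print(find_exposing_grants(acl))
```

The same check can be done from the CLI with `aws s3api get-bucket-acl --bucket NAME`, looking for either group URI in the output. Bucket policies are a separate exposure path and need their own review; the account-level S3 Block Public Access settings that AWS added later reject both kinds of grant.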
Remote Access Trojans (RATs)
Remote Access Trojans (RATs) give cybercriminals full interactive control of infected endpoints. Operating with the victim’s access privileges, they can reach and steal sensitive business and personal data, including intellectual property, personally identifiable information (PII) and patient health information (PHI). While automated attacks such as Man-in-the-Browser let cybercriminals subvert browser-based access to sensitive applications, RATs are used to steal information by manually operating the endpoint on the victim’s behalf. Most Advanced Persistent Threat (APT) attacks use RAT technology for reconnaissance, for bypassing strong authentication (the attacker rides the victim’s already-authenticated session rather than breaking the authentication itself), for spreading the infection, and for accessing sensitive applications to exfiltrate data. RATs are readily available (e.g. Poison Ivy, DarkComet) and are typically installed on endpoints through drive-by downloads and spear-phishing.