This week Pony is the most reported malware on the TruSTAR platform. Pony, also known as Fareit, is a well-known piece of commodity malware used for credential theft. One trend to watch is a shift in APT TTPs, particularly among Iranian groups, toward commodity malware, since it makes attribution much more challenging. An Ars Technica article from last week shows Pony playing a major role in some of the most prevalent malware campaigns in recent memory.
Trickbot Gaining Steam
Last week we noted a large uptick in Trickbot due to new capabilities that would be more fully discovered in the coming weeks. This has indeed proven to be the case. Not only can it continually update its configs and capabilities via C&C, but it also hides its core functionality inside the code base of a shooting game. The game never executes; it is there only to make analysis of the malware more difficult for researchers. SonicWall Capture Labs also found that it "...will disable RealtimeMonitoring, stop the service 'WinDefend', and try to delete the service after it’s terminated."
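The Defender tampering described above leaves a recognisable trail in Windows event logs. The following detection logic is an added example, not code from TruSTAR or SonicWall: it classifies individual events as tampering indicators and then correlates them per host within a short time window, so that a single stopped service (which also happens on a normal reboot) does not raise an alert on its own. The event IDs are real Windows ones (Defender Operational 5001, Service Control Manager 7036 and 7040, Sysmon 1 and 13); the `Event` record layout, host names and log lines are constructed for the example.

```python
"""Correlate Windows event records into Defender-tampering alerts (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


@dataclass
class Event:
    """Simplified event record (assumed shape of a SIEM or Get-WinEvent export)."""
    host: str
    time: datetime
    channel: str      # event log channel
    provider: str     # event provider / source
    event_id: int
    message: str      # rendered message text or key fields


def classify(ev: Event):
    """Return an indicator name if the event is a Defender-tampering signal, else None."""
    msg = ev.message.lower()
    # Defender Operational 5001: real-time protection has been disabled
    if ev.channel == DEFENDER_CHANNEL and ev.event_id == 5001:
        return "realtime_protection_disabled"
    # Service Control Manager: WinDefend stopped (7036) or start type set to disabled (7040)
    if ev.provider == "Service Control Manager" and "windows defender" in msg:
        if ev.event_id == 7036 and "stopped" in msg:
            return "windefend_stopped"
        if ev.event_id == 7040 and "disabled" in msg:
            return "windefend_start_disabled"
    if ev.channel == SYSMON_CHANNEL:
        # Sysmon 13 (registry value set): the policy value that turns real-time monitoring off
        if ev.event_id == 13 and "disablerealtimemonitoring" in msg and "0x00000001" in msg:
            return "disablerealtimemonitoring_set"
        # Sysmon 1 (process create): command lines that delete the service or disable monitoring
        if ev.event_id == 1:
            if "delete" in msg and "windefend" in msg:
                return "windefend_delete_attempt"
            if "set-mppreference" in msg and "disablerealtimemonitoring" in msg:
                return "disable_realtime_command"
    return None


def find_tampering(events, window=timedelta(minutes=10)):
    """Report hosts with two or more distinct indicators inside one time window."""
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(ev.host, []).append((ev.time, name))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for t0, _ in items:
            names = {n for t, n in items if t0 <= t <= t0 + window}
            if len(names) >= 2:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed sample events: one infected workstation and one server that merely rebooted.
T = datetime(2018, 8, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    Event("WS-ACCT-07", T, SYSMON_CHANNEL, "Microsoft-Windows-Sysmon", 13,
          r"Registry value set: TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
          r"\Real-Time Protection\DisableRealtimeMonitoring Details: DWORD (0x00000001)"),
    Event("WS-ACCT-07", T + timedelta(seconds=5), DEFENDER_CHANNEL,
          "Microsoft-Windows-Windows Defender", 5001,
          "Windows Defender Antivirus real-time protection is disabled."),
    Event("WS-ACCT-07", T + timedelta(seconds=40), "System", "Service Control Manager", 7036,
          "The Windows Defender Antivirus Service service entered the stopped state."),
    Event("WS-ACCT-07", T + timedelta(seconds=45), SYSMON_CHANNEL, "Microsoft-Windows-Sysmon", 1,
          "Process Create: CommandLine: sc delete WinDefend"),
    Event("SRV-FILE-02", T, "System", "Service Control Manager", 7036,
          "The Windows Defender Antivirus Service service entered the stopped state."),
    Event("SRV-FILE-02", T + timedelta(hours=2), "System", "Service Control Manager", 7036,
          "The Print Spooler service entered the stopped state."),
]

if __name__ == "__main__":
    for host, indicators in find_tampering(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Requiring two distinct indicators inside the window is the design choice that keeps the rule quiet on routine maintenance; on a real estate you would feed it events exported from the Defender Operational, System and Sysmon channels and tune the window to how quickly the tampering chain executes on your hosts.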
An Uptick in NJRAT
NJRAT is in this week's top three most-reported forms of malware due to its popularity as one of the few free and flexible RATs on the market. Though most popular with smaller cybercriminals, it is another tool often used by APT actors and is frequently seen targeting political groups and entities in the Middle East.
A related report describes how hackers are using YouTube Bitcoin scams to infect users with NJRAT.