Silobreaker Daily Cyber Digest – 16 February 2017


Updated Remcos RAT distribution
An updated version of the Remcos RAT is currently being distributed through malicious Office documents called “Quotation” (.xls or .doc). Fortinet have noted that the macros in these documents leverage an exploit to bypass Microsoft’s UAC and execute with high privileges. Remcos is sold for between $58 and $389, and uses several packers to obfuscate its server component. More information.

New banking trojan based on Zeus
Dr Web has detected a new banking trojan based on the Zeus source code. Known as Trojan.PWS.Sphinx.2, the malware is obfuscated, performs web-injections and downloads a set of utilities used to install a root certificate for MITM attacks. Data inserted into forms by infected users is intercepted and sent to C2 servers. More information.

Leaks and Breaches

Yahoo warns of attacks using forged cookies to access users’ accounts
Yahoo has notified some users of cyber attacks aimed at compromising their accounts. Rather than attempting to steal a target’s passwords, the attacks have seen hackers access victims’ accounts by forging cookies used in the authentication process. The attacks took place in 2015 or 2016 and Yahoo has now informed an unknown number of users that their accounts may have been accessed. More information.

Malware discovered on medical devices
Researchers have detected malware on medical devices used by several major healthcare providers. TrapX Security discovered the infected devices, which included an x-ray printer, an MRI scanner, and a PACS (picture archiving and communication system). The malware created a backdoor for malicious actors, which may have been used to access tens of thousands of medical records. It is as yet unknown how many patients have been affected. More information.


Ongoing Campaigns

Magic Hound espionage campaign targets Saudi Arabia
Palo Alto Networks has detected an espionage campaign – Magic Hound – targeting organisations in the energy, government, and technology sectors in Saudi Arabia. The campaign dates to at least mid-2016 and has used Microsoft Word and Excel documents containing malicious macros and hosted on compromised websites. The malicious macros use Windows PowerShell to retrieve additional tools such as portable executable (PE) payloads, PE files compiled in .NET Framework, IRC bots, and the remote access tool Pupy. The campaign has been linked to the adversary group Rocket Kitten (AKA Ajax Security Team). More information.

Rasputin targets over 60 universities using SQL injection vulnerabilities
Rasputin – a Russian black hat hacker – has breached the systems of more than 60 universities and US Government agencies. He compromised targets using SQL injection in order to steal sensitive information, which he then offered for sale on various black markets. Targets include ten universities in the UK, over two dozen universities in the US, and the US Postal Regulatory Commission, Health Resources and Services Administration, and the Department of Housing and Urban Development. More information.

Ukraine accuses FSB of orchestrating hacking campaign against the country
Ukrainian authorities have accused the Russian Federal Security Service (FSB) of orchestrating a hacking campaign which targeted the country’s power grid, financial system and other infrastructure. The Ukrainian Security Service’s chief of staff claimed that the FSB worked with private software firms and criminal hackers to develop and deploy a new malware which attacks specific industrial processes, and has similarities to BlackEnergy. Ukraine claims this was used to carry out 6,500 cyber attacks on the country in November and December alone. More information.

‘Self-healing’ malware targets Magento stores
A new malware strain is targeting online shops running on the Magento platform. Discovered by Dutch researchers, the malware is notable for having the capability to self-heal using code hidden in the website’s database. The malware starts execution when a user places an order and a malicious trigger – a set of automated SQL operations – will execute before Magento assembles the page. The database will then check if the malware’s malicious JavaScript code is present in the store’s header, footer, and copyright section. If it is not, the database contains trigger instructions which will re-insert it in the site’s source code. More information.
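As an added example (not code from the digest or from the Dutch researchers’ report), the check below shows how a defender can hunt for the persistence mechanism described above: enumerate the store database’s triggers, flag any whose body injects script tags or rewrites the design/header/footer/copyright settings, drop them, and confirm that cleaning the footer afterwards actually sticks. It assumes a Magento-like `core_config_data` table; the trigger, its placeholder script URL and the data are constructed for the demo, and SQLite stands in for MySQL so it runs offline.

```python
import re
import sqlite3

# Patterns a defender would flag in a trigger body: script tags, or writes to the
# design/header/footer/copyright settings that the digest says get re-infected.
SUSPICIOUS = [re.compile(p, re.IGNORECASE)
              for p in (r"<script", r"design/(head|header|footer)/", r"copyright")]

def find_suspicious_triggers(conn):
    """Return names of triggers whose stored definition matches a suspicious pattern.
    On MySQL/Magento the same scan would read information_schema.TRIGGERS
    (ACTION_STATEMENT column); sqlite_master is used here so the example runs offline."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type='trigger'")
    return sorted(name for name, body in rows
                  if any(p.search(body or "") for p in SUSPICIOUS))

def drop_triggers(conn, names):
    """Remove the flagged triggers (names come from sqlite_master, quoted as identifiers)."""
    for name in names:
        conn.execute(f'DROP TRIGGER IF EXISTS "{name}"')
    conn.commit()
    return len(names)

def footer_stays_clean(conn):
    """Clear the footer setting and report whether it is still script-free:
    False while the persistence trigger exists, True once it has been dropped."""
    conn.execute("UPDATE core_config_data SET value='' "
                 "WHERE path='design/footer/absolute_footer'")
    (value,) = conn.execute("SELECT value FROM core_config_data "
                            "WHERE path='design/footer/absolute_footer'").fetchone()
    return "<script" not in value

def build_sample_db():
    """Constructed sample (not a real Magento dump): a core_config_data table,
    one benign audit trigger, and one trigger shaped like the self-healing
    persistence the digest describes, with a placeholder script URL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE core_config_data (path TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE config_audit (path TEXT, changed_at TEXT);
        INSERT INTO core_config_data VALUES ('design/footer/absolute_footer', '');
        -- benign: record every configuration change
        CREATE TRIGGER audit_config AFTER UPDATE ON core_config_data
        BEGIN INSERT INTO config_audit VALUES (NEW.path, datetime('now')); END;
        -- suspicious: re-inserts the script tag whenever the footer is cleaned
        CREATE TRIGGER restore_footer AFTER UPDATE ON core_config_data
        WHEN NEW.path = 'design/footer/absolute_footer' AND instr(NEW.value, '<script') = 0
        BEGIN UPDATE core_config_data
              SET value = NEW.value || '<script src="https://PLACEHOLDER.invalid/x.js"></script>'
              WHERE path = NEW.path; END;
    """)
    return conn
```

The point for responders is the order of operations: scrubbing the page source or the config rows first is undone by the trigger, so the trigger scan and drop has to come before the content cleanup.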

Report details distribution network of Ursnif
Palo Alto Networks has released a report on the distribution network used to target Japanese and European organisations with banking trojans, including Ursnif, for over a year. Various distribution networks have been used in the attacks, but they all consist of two main components: a spam botnet focused on delivering the banking trojans or downloader trojans, and a network of compromised web servers which host the files used by the malicious downloaders. It is unclear whether a single group or multiple groups are using the infrastructure. More information.

Infostealer spam targeting Gulf countries
Researchers at Infosec Institute have discovered a spam campaign targeting Gulf countries. Several entities have received emails containing documents with a malicious VBScript. The script bypasses Windows UAC and drops an infostealer that checks for virtual machines and debuggers. More information.


The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
