Silobreaker Daily Cyber Digest – 17 February 2017
XAgent malware may have been copied from Hacking Team
The newly discovered macOS iteration of the XAgent malware, deployed by the hacker group APT28, bears a significant resemblance to malware developed by the spyware vendor Hacking Team. According to ex-NSA employee Patrick Wardle, the two malware samples use the same technique for injecting code into a target system, and he argues that APT28 may have copied the entire code injection function from the Hacking Team malware.
Leaks and Breaches
Alleged Badoo database on sale on Pastebin
In a post on Pastebin, an unknown hacker claims to be selling access to a leaked database stolen from the social networking service Badoo. He claims the database contains the plaintext emails and passwords of 17.9 million users, and offers the first 100 lines of accounts as proof. This may be part of a set of data from a 2016 breach of the service.
Microsoft delays release of vulnerability patches
Microsoft has delayed the release of patches addressing multiple flaws, including a zero-day flaw in the SMB file-sharing protocol. The fixes were originally due this week, but Microsoft has announced that they are delayed to March 14 due to an unspecified “last-minute issue”. Sources suggest that the delay relates to a problem with Microsoft’s patch build system.
menuPass campaign targets Japanese academics
An APT campaign dubbed “menuPass” (AKA ‘Stone Panda’, ‘APT10’) targeted Japanese academics, pharmaceuticals, and a subsidiary of a Japanese manufacturing organisation between September and November of 2016. Distributed through targeted phishing emails, the campaign delivered the PlugX and Poison Ivy trojans, along with a trojan dubbed ChChes which appears to be unique to the group. ChChes acts as an initial infiltration point on a targeted machine and can load additional code to accomplish a number of tasks. Interestingly, ChChes is digitally signed with a certificate originally used by the spyware vendor Hacking Team.
Detailed report on Shamoon released
IBM X-Force has released a detailed analysis of the Shamoon malware, revealing the propagation techniques used by its operators. The attackers use targeted phishing emails with a Word document attachment as their first entry point. The Word file contains a malicious macro which initiates command and control communications and deploys a remote shell via PowerShell. This allows the attackers to remotely execute commands on a targeted computer and deploy other tools and malware, including Shamoon. Two web domains were also identified, ntg-sa.com and maps-moron.club, which are used to host malicious executables and carry out attacks.
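The chain summarised above (Office macro launching PowerShell, then contact with the two named domains) gives a defender two concrete things to look for. The following is an added detection example, not code from the X-Force report or from Silobreaker: it runs two rules over constructed, simplified process-creation and DNS events, and the lists of Office parents and script hosts are assumptions rather than indicators from the report.

```python
import ntpath
import re

# Domains named in the X-Force Shamoon report summarised above.
SHAMOON_DOMAINS = {"ntg-sa.com", "maps-moron.club"}
# Office parents and script hosts a macro typically launches (assumed lists, not from the report).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry, not real logs: "proc" = process creation, "dns" = resolver query.
SAMPLE_EVENTS = [
    r"proc host=ws01 parent=C:\Program Files\Microsoft Office\WINWORD.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"proc host=ws01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe",
    "dns host=ws01 query=maps-moron.club",
    "dns host=ws02 query=update.microsoft.com",
    r"proc host=ws02 parent=C:\Program Files\Microsoft Office\EXCEL.EXE image=C:\Windows\System32\cmd.exe",
    "dns host=ws03 query=cdn.ntg-sa.com",
]

_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; values may contain spaces

def parse_event(line):
    """Split 'type key=value ...' into a dict keyed by field name."""
    kind, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["type"] = kind
    return fields

def office_spawned_shell(ev):
    """Rule 1: a script host launched directly by an Office application (macro behaviour)."""
    if ev.get("type") != "proc":
        return None
    parent = ntpath.basename(ev.get("parent", "")).lower()
    child = ntpath.basename(ev.get("image", "")).lower()
    if parent in OFFICE_APPS and child in SHELLS:
        return f"office-spawned-shell: {parent} -> {child}"
    return None

def known_c2_lookup(ev):
    """Rule 2: a DNS query for one of the report's domains or any subdomain of it."""
    if ev.get("type") != "dns":
        return None
    q = ev.get("query", "").lower().rstrip(".")
    for d in SHAMOON_DOMAINS:
        if q == d or q.endswith("." + d):
            return f"known-shamoon-domain: {q}"
    return None

def triage(lines):
    """Return (host, reason) for every event that trips either rule, in event order."""
    hits = []
    for ev in map(parse_event, lines):
        hits += [(ev.get("host", "?"), r) for r in (office_spawned_shell(ev), known_c2_lookup(ev)) if r]
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags both Office-to-shell launches and both lookups of the report's domains while leaving the benign explorer and Microsoft update events alone; the suffix match in rule 2 is what catches a subdomain such as the constructed cdn.ntg-sa.com.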
Threat actor targets Israeli soldiers
An unknown actor has been exfiltrating data from the devices of over 100 Israeli servicemen since July 2016. Researchers at Kaspersky, who note that the attack is still ongoing, report that the attackers used social engineering tricks to infect Android devices with a malware dropper, which then downloads a custom payload based on the user’s existing apps. The payload receives commands from the C2 server in order to execute scheduled tasks and provides basic RAT capabilities. A wide variety of data is periodically collected and sent to the C2 server, including pictures, documents, call logs and SMS messages.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.