Agent Tesla leveraged in email campaign
- Discovered by Xavier Mertens, the email campaign attempts to deliver an ACE archive labelled ‘Parcel Frieght Details.pdf.ace’, which contains a malicious Agent Tesla executable. This executable is capable of contacting an attacker’s C2 server via SMTP, FTP and HTTP to exfiltrate data.
- The C2 server used in this instance belongs to a Pakistan-based healthcare company, but it is located in Los Angeles, US. It has many open ports and vulnerabilities, and has been compromised by the attacker behind the campaign for data exfiltration purposes.
Source (Includes IOCs)
Malicious extensions removed from Chrome Web Store
- Two extensions, ‘AdBlock’ by ‘AdBlock, Inc’ and ‘uBlock’ by ‘Charlie Lee’, used misleading names similar to those of legitimate extensions, and were also performing cookie stuffing – a technique where extra information is added to users’ cookies to hijack traffic from its legitimate source. The two extensions were adding a parameter to cookies to ensure that the authors would earn a commission from any payments on certain sites.
- ‘AdBlock’ had over 800,000 installs, and ‘uBlock’ had over 850,000 at the time of their removal from the Chrome Web Store. Google also disabled the extensions on all users’ browsers.
Two adware apps on Google Play Store have over 1.5 million downloads
- Researchers at Wandera discovered two selfie filter camera apps, Sun Pro Beauty Camera and Funny Sweet Beauty Camera, which contain adware. The apps are hosted on the Google Play Store and have a combined download count of 1.5 million.
- Sun Pro Beauty Camera displays full-screen ads even if the app is never opened. Funny Sweet Beauty Camera starts to display full-screen ads outside the app when a filtered photo is downloaded. The researchers also found that the apps requested concerning permissions such as installing shortcuts, recording audio, and more.
New Emotet campaign already using new delivery methods
- Following the revival of the Emotet botnet on September 16th, 2019, researchers are already reporting on evolving distribution methods, malicious attachments, and email templates. Researchers have speculated that Emotet is owned by TA542, who rent out parts of the botnet to other threat actors.
- To date, Emotet has been delivered via attachments or through malicious links contained in emails. Malicious documents are designed to trick targets into enabling macros by claiming that the file is in ‘Protected View’ or by stating that they must ‘Accept the License agreement’. In both instances, enabling content results in the installation of Emotet. Additionally, researchers observed attackers employing PowerShell, or WScript to execute JScript, to install the payload.
- The Cryptolaemus security research group identified that Emotet has split into three ‘Epochs’, which are subgroups of the overall botnet. Each Epoch uses its own C2s, distribution methods, payloads, and assigned bots.
Source (Includes IOCs)
GhostMiner malware uses fileless attack method and damages rival miners
- On August 2nd, 2019, researchers at Trend Micro identified a fileless cryptocurrency-mining malware, named GhostMiner, that uses Windows Management Instrumentation (WMI) objects for persistence, payload delivery, and AV evasion.
- The initial infection vector of this particular attack has not been discovered, but previously the malware has attacked servers by exploiting vulnerabilities in phpMyAdmin, MSSQL, and others. Once installed, the malware drops a 64-bit payload that mines for Monero cryptocurrency. The wallet associated with this campaign has a value of approximately $3,868.
- The malware also checks for rival miners such as MyKings, PowerGhost, PCASTLE, and others. When GhostMiner detects other miners, it terminates their processes and deletes scheduled tasks.
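GhostMiner's persistence lives in WMI permanent event subscriptions rather than on disk, so a defender's check is to enumerate the filter-to-consumer bindings in the root\subscription namespace. The script below is an added example, not from the digest or from Trend Micro's report; it assumes an elevated PowerShell session on the host being checked, and the "Suspicious" heuristic is a hypothetical starting point, not a complete detection.

```powershell
# Added example: list WMI permanent event subscriptions that execute commands or
# scripts, the mechanism fileless malware such as GhostMiner uses for persistence.
# Run in an elevated PowerShell session on the host under investigation.
function Get-RefName($ref) {
    # Get-CimInstance returns reference properties as CimInstance objects; older
    # tooling returns the raw object path string (e.g. __EventFilter.Name="x").
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    # Only consumers that run something are of interest here.
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName   } | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
        if ($null -eq $consumer) { continue }   # e.g. NTEventLogEventConsumer: nothing is executed

        # What runs when the filter fires: a command line or an inline script body.
        $payload = if ($consumer.CimClass.CimClassName -eq 'CommandLineEventConsumer') {
            $consumer.CommandLineTemplate
        } else {
            "$($consumer.ScriptingEngine): $($consumer.ScriptText)"
        }

        [pscustomobject]@{
            Filter     = $filterName
            Trigger    = $filter.Query                 # WQL query that fires the consumer
            Consumer   = $consumerName
            Type       = $consumer.CimClass.CimClassName
            Payload    = $payload
            # Hypothetical heuristic: encoded PowerShell, download cradles and
            # LOLBins in a consumer warrant closer inspection.
            Suspicious = [bool]($payload -match '(?i)powershell.*(-e(nc)?\b|downloadstring|iex|invoke-expression)|mshta|wscript|cscript|certutil|bitsadmin|regsvr32')
        }
    }
}

Get-WmiPersistence | Format-List
```

On a clean host the output is usually empty or limited to well-known management software; any consumer whose trigger is a timer or process-start query and whose payload is an encoded command is worth pulling for analysis.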
Source (Includes IOCs)
Android trojan campaign targeting banking customers
- The campaign targets Russian customers of 70 banks, payment systems and web-wallets, and is estimated to have stolen at least 35 million rubles ($547,000). In particular, it targets users who place advertisements on Avito, a Russian classifieds website.
- The Fanta trojan is delivered via a phishing site that pretends to be Avito, tricking a user into downloading the malicious application to their phone instead of the legitimate app. Bank details are then stolen by making the user open a phishing page disguised as the legitimate mobile banking application.
- Capable of bypassing anti-virus tools, the trojan also scans which apps are running on the user’s device and reads the notifications of banking applications, payment systems and e-wallets.
Hackers steal over 20,000 US citizens’ card details by targeting Click2Gov portal
- Researchers at Gemini Advisory discovered that during August 2019 hackers compromised eight Click2Gov portals used by cities across the US. The researchers discovered that the hackers have stolen 20,000 card details, which are already being traded on the dark web. Click2Gov is a web-based self-service portal that handles tax and bill payments for municipalities across North America; the product is sold by Central Square.
- Click2Gov was originally targeted in 2017 by a hacker group using custom malware tools, named Spotlight and Firealarm, that had been specially designed to access the portal. The group stole over 300,000 card details from at least 46 cities in 2017 and 2018.
- Out of the eight cities attacked in August 2019, six had been breached in 2017 and 2018, which suggests the hackers may have left a backdoor. However, this has not been confirmed. Additionally, it is unclear how the hackers breached the portals of the two previously unaffected cities.
Leaks and Breaches
Thinkful Inc data breach results in mass password reset
- Code training company Thinkful Inc notified customers that an employee’s account credentials were compromised by an unauthorized party. The company stated that users who log in to the platform will have to reset their password.
- Thinkful Inc stated that there is no evidence that any customer data or user information had been accessed.
Magellan Health subsidiaries suffer data breach
- A statement issued by Magellan Health said that two of its subsidiaries, National Imaging Associates and Magellan Healthcare, had discovered a potential cyber breach related to members of Presbyterian Health Plan. An anonymous third party gained access to two employee email accounts between May 28th and June 6th, 2019 via a phishing campaign. Potentially exposed data includes names, dates of birth, health authorization information, dates of service and some Social Security Numbers.
- The Magellan Health incident is claimed to have impacted almost 56,000 individuals, and the National Imaging Associates breach affected around 600.
Verlo Mattress Factory exposes over 387,000 customer records
- Researchers at Security Discovery identified an unprotected Elastic database that belonged to Verlo Mattress Factory. The researchers found 387,604 records which contained names, phone numbers, emails, home addresses, and billing addresses. The database also exposed login details and hashed passwords for internal users, and IP addresses, ports, and more.
- The researchers contacted Verlo Mattress Factory but did not receive any reply. The database was however secured soon after initial contact was made.
Vulnerability discovered in popular WordPress plugin
- A cross-site scripting vulnerability was discovered in Easy Social Feed, a popular WordPress plugin with over 100,000 installs. Publicly released proof-of-concept code could allow an attacker to interfere with a visitor’s browsing session.
- As of September 20th, 2019, version 4.4.1 is available to download, but it is not clear from the changelog if this issue is fixed.
Chinese students in UK targeted by scammers
- Researchers at Malwarebytes stated that the scam appears to have begun in 2015. The criminals pretend to represent government bodies or law enforcement and claim that visa issues can be resolved with a payment. The attackers have also begun to target Indian students and demand payment via Western Union.
Old Magecart domains being bought for additional threat campaigns
- Researchers at RiskIQ identified that sinkholed domains that have been used in Magecart attacks are being bought by criminals when they are re-released back to the pool of available domains. The domains retain their value as they still make ‘call-outs to malicious domains placed on breached websites by attackers’. Attackers can continue to launch Magecart attacks or can use them for malvertising or ad-fraud schemes.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.