Silobreaker Daily Cyber Digest – 03 December 2019
CallerSpy spyware delivered via malicious Android application
- Researchers at Trend Micro identified a spyware family, tracked as AndroidOS_CallerSpy.HRX (CallerSpy), being delivered via a malicious Android application package (APK) that purports to be a chat app.
- The malware was first discovered in May 2019 on a fake Google domain. The malicious app was called Chatrious, before being rebranded as Apex App in October 2019. The download site for the app advertises that it is available for Apple, Android and Windows platforms. However, at present, only the Android version is available.
- The app contains no chat functions. When a user launches the app, CallerSpy connects to the attacker’s C2 via SocketIO and uses Evernote Android-Job to schedule jobs. The malware can take screenshots and steal information such as call logs, SMSs, files, and more.
- The malware appears to be in an early stage of development. At present, CallerSpy has no UI, still contains debug code, displays the default app icon, and is labelled as ‘rat’. Additionally, the malware has not been detected on VirusTotal and no victims have been reported to date.
Source (Includes IOCs)
Smith & Wesson’s online store targeted by Magecart attack
- Security researcher Willem de Groot observed a Magecart group registering domains under de Groot’s company’s name, Sanguine Security, and using his name as the domain contact. De Groot then discovered that the same group had compromised the online store of Smith & Wesson some time before November 29th, 2019, by injecting a malicious script to harvest payment credentials.
- The injected script only loads the skimmer when the visitor is on a US-based IP address, is using a non-Linux browser, is not on the AWS platform and is on the checkout page. Under any other circumstances a benign script is loaded instead, which keeps the skimmer hidden from scanners and researchers that do not meet those conditions.
- Bleeping Computer advises individuals who have recently made purchases on Smith & Wesson’s website to contact their credit card company and monitor their statements for any suspicious activity.
New info-stealing Socelars trojan targets Facebook Ads Manager
- MalwareHunterTeam discovered a number of sites advertising the fake PDF editing programme ‘PDFreader’ distributing an information-stealing trojan. The sites promoting ‘PDFreader’ do not have any active links. Instead, the malware appears to be spread via adware bundles that are sending requests to the ‘PDFreader’ domains.
- The malware is detected as Socelars on VirusTotal and shares characteristics with AdKoob and Stresspaint. However, security researcher Vitali Kremez notes there is not much code similarity with the other malware, suggesting it may have been ‘inspired rather than evolved from previous infections.’
- The malware attempts to steal Facebook session cookies, after which it uses a Facebook Graph API call to steal information from the Ads Manager settings. This includes session cookies, access tokens, account ids, advertising email address, associated pages, credit card information, PayPal email, and more.
- The malware also attempts to steal session cookies from Amazon. However these cookies will merely be sent back to the attacker and not used to extract further information.
Vertcoin targeted in second 51% attack
- Vertcoin (VTC) was targeted in a 51% attack on December 1st, 2019, during which unknown hackers targeted the cryptocurrency exchange Bittrex to manipulate the Vertcoin blockchain. Vertcoin had previously been attacked in December 2018, during which funds worth over $100,000 were stolen.
- Vertcoin’s lead maintainer James Lovejoy noted that the attacker spent more money on the attack than they gained from it. To limit the attack’s success, Lovejoy had also requested Bittrex to stop VTC pairs as soon as the attack was discovered.
- Lovejoy also noted that the motivation behind the attack remains unclear, as the attack ‘was likely not profitable to perform based solely on block rewards,’ and that Bittrex may have been the original target.
PyXie RAT deployed in ongoing campaigns that target range of industries
- Researchers at BlackBerry Cylance discovered that PyXie RAT, first observed in 2018, is currently being used to target a wide range of industries.
- The first-stage components of the malware are delivered with a sideloading technique that leverages legitimate LogMeIn and Google binaries. The second stage of the attack focuses on installation and persistence: the malware fingerprints the machine, creates two mutexes, escalates privileges, and creates registry values.
- The third stage delivers a downloader, dubbed Cobalt Mode, which performs environmental checks, connects to the attacker’s C2, and downloads and decrypts an encrypted payload containing PyXie RAT. The RAT can harvest credentials, steal certificates, log keystrokes, perform man-in-the-middle attacks, and more.
- The researchers found that the Cobalt Mode downloader contained some code overlap with the Shifu trojan. Additionally, the researchers stated that they observed PyXie RAT being deployed alongside a custom shellcode loader in a trojanized open source Tetris game. The custom shellcode loader has been used in several ransomware attacks.
Source (Includes IOCs)
Dridex delivered alongside Ursnif in recent malspam campaign
- Security researcher Brad Duncan observed a recent Ursnif malspam campaign that spoofs replies to existing email threads and delivers Dridex as its follow-up malware.
- The campaign follows the typical pattern of Ursnif infection in which victims are asked to open a zip attachment containing Word documents with malicious macros. The password for the zip attachment is usually ‘777.’
- Both Ursnif and Dridex establish persistence through the Windows registry. Ursnif copies itself to a new location and deletes the original file, while Dridex persists through DLL files.
Source (Includes IOCs)
Alleged Imminent Monitor RAT developer tracked to Australia
- Following the announcement of coordinated law enforcement action against Imminent Monitor RAT (IM RAT), researchers at Palo Alto Networks Unit 42 published their analysis of the IM RAT development process and how they tracked the individual accused of developing the malware.
- The researchers identified a developer named ‘Shockwave’ selling IM RAT on online forums in April 2013. In 2014, the developer advertised that IM RAT supported third-party plugins, one of the first of which could turn the webcam light off while the target was being monitored. The developer behind IM RAT consistently claimed that their product was legitimate and should be used for education purposes. However, IM RAT contained a range of functions, such as detection and removal protections and the ability to hide and encrypt logs, which are not features of a legitimate remote access tool.
- The researchers tracked the alleged developer of IM RAT to Australia by examining a Twitter account, DeviantArt profile, Google+ account, and business registries. The researchers passed on their findings to the Australian Federal Police.
Source (Includes IOCs)
Leaks and Breaches
Tuft & Needle customer data exposed on unprotected storage
- Researchers at Fidus Information Security discovered a publicly accessible Amazon Web Services storage bucket, requiring no authentication, belonging to Tuft & Needle. The bucket contained hundreds of thousands of FedEx shipping labels, exposing customer names, addresses and phone numbers. The bucket has since been shut down.
Actively exploited Android vulnerability discovered
- Researchers at Promon discovered a vulnerability, dubbed StrandHogg, affecting all versions of Android. StrandHogg can be exploited by malware that presents itself as a legitimate app and prompts the victim for permissions while posing as that app, which enables the attacker to harvest sensitive data, such as login credentials.
- The exploit makes use of a weakness in Android’s multitasking system, specifically its handling of an activity’s taskAffinity, that allows any app to appear as another one. The flaw can be exploited without root access, and the researchers found that all of the 500 most popular apps are vulnerable.
- The researchers identified 36 malicious apps exploiting StrandHogg, including variants of BankBot. The malware sample analysed by the researchers was not present in Google Play, but rather installed via several dropper apps available on Google Play. These have since been removed. The vulnerability itself has not been patched.
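A manifest-level check for the StrandHogg pattern, added here as an illustration and not code from Promon or from the digest: the attack relies on an activity declaring an android:taskAffinity equal to the victim app’s package name (typically together with allowTaskReparenting), so that when the legitimate app is launched the malicious activity ends up on top of its task. The script below parses a decoded AndroidManifest.xml (as produced by apktool) and flags activities whose affinity points at a foreign package. The sample manifest and all package and activity names in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_foreign_task_affinity(manifest_xml):
    """Flag activities whose taskAffinity targets a package other than the app's own.

    Returns a list of dicts: activity name, the foreign affinity, and whether
    allowTaskReparenting is set (which lets the activity move into the victim's
    task rather than merely share its affinity).
    """
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package")
    app = root.find("application")
    if app is None:
        return []
    # taskAffinity may be set on <application> and is then inherited by activities.
    app_affinity = _android_attr(app, "taskAffinity")
    findings = []
    for activity in app.iter("activity"):
        affinity = _android_attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_affinity
        # An empty string means "no affinity"; the package name is the default.
        if not affinity or affinity == own_package:
            continue
        reparent = (_android_attr(activity, "allowTaskReparenting") or "false").lower() == "true"
        findings.append({
            "activity": _android_attr(activity, "name"),
            "affinity": affinity,
            "allowTaskReparenting": reparent,
        })
    return findings


# Constructed manifest for the example; package and activity names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <application android:label="Chat">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".OverlayActivity"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"
              android:excludeFromRecents="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_foreign_task_affinity(SAMPLE_MANIFEST):
        print("suspicious: %(activity)s targets task %(affinity)s "
              "(allowTaskReparenting=%(allowTaskReparenting)s)" % f)
```

A foreign affinity is not proof of malice on its own (some legitimate suites share a task across packages), so treat a hit as a triage lead and look at what the flagged activity actually draws and which permissions it requests.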
Forma Learning Management System open to SQL injection vulnerability
- Researchers at Cisco Talos identified SQL injection vulnerabilities, tracked as CVE-2019-5109, CVE-2019-5110, CVE-2019-5111 and CVE-2019-5112, in Forma Learning Management System (LMS).
- The vulnerabilities, which are located in the authentication portion of Forma LMS, could be exploited by an attacker to exfiltrate database contents and user credentials, and to access the underlying operating system.
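The digest does not reproduce the affected Forma LMS code, so the following is an added, generic illustration of the bug class in an authentication path and is not Forma LMS code: a login query assembled by string formatting, beside the same check with bound parameters, run against an in-memory SQLite table. The table, user, password and payload are all constructed for the example.

```python
import hashlib
import sqlite3


def _hash(password):
    # Plain SHA-256 keeps the example short; real code uses a slow password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory user table constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users (username, pass_hash) VALUES (?, ?)",
                 ("admin", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Authentication query built by string formatting: the username is spliced
    into the SQL text, so a quote in it changes the structure of the query."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND pass_hash = '%s'"
           % (username, _hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver passes the username as data,
    so quotes and comment sequences cannot alter the statement."""
    sql = "SELECT id FROM users WHERE username = ? AND pass_hash = ?"
    return conn.execute(sql, (username, _hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # "admin' --" closes the string literal and comments out the password check,
    # so the vulnerable query degenerates to: ... WHERE username = 'admin'
    payload = "admin' --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))        # True
    print("parameterized:", login_parameterized(db, payload, "anything"))  # False
```

The same structural fix applies whatever the database engine: the statement text is fixed at coding time and every user-controlled value is bound, never concatenated.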
Accusoft ImageGear flaw allows for possibility of remote code execution
- Researchers at Cisco Talos discovered remote code execution vulnerabilities, tracked as CVE-2019-5083, CVE-2019-5076, CVE-2019-5132 and CVE-2019-5133 in Accusoft ImageGear.
- The vulnerabilities, which are found in the Accusoft ImageGear library, can be triggered by an attacker who supplies a malformed file to the victim. Successful exploitation allows an attacker to execute arbitrary code.
EmbedThis GoAhead Web Server vulnerabilities could lead to remote code execution or DoS
- Researchers at Cisco Talos found two vulnerabilities, tracked as CVE-2019-5096 and CVE-2019-5097, in EmbedThis GoAhead Web Server.
- Both vulnerabilities, which can be triggered with a specially crafted HTTP request, exist in the ‘processing of multi-part/form-data requests within the base GoAhead web server application’ and impact versions v5.0.1, v4.1.1 and v3.6.5.
- Successful exploitation of CVE-2019-5096 can lead to full code execution, whereas CVE-2019-5097 can cause a denial-of-service (DoS) condition.
Kaspersky, Trend Micro and Autodesk products contain range of DLL-related vulnerabilities
- Researchers at SafeBreach discovered vulnerabilities in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application. The bugs were reported to the companies in July 2019.
- Kaspersky Secure Connection (KSDE) is impacted by a vulnerability, tracked as CVE-2019-15689, which stems from the way KSDE attempts to load several DLLs that are not present on the system. An attacker who could place an arbitrary DLL where the process looks for it could have it run with SYSTEM privileges. This could allow an attacker to execute undetected malicious code within the Kaspersky process.
- A DLL issue, tracked as CVE-2019-7365, also impacts Autodesk Desktop Application. In this instance, the lack of safe DLL loading combined with a failure to validate digital certificates could allow an attacker to load a malicious library into a signed process.
- CVE-2019-15628 impacts Trend Micro Maximum Security and could allow an attacker to write the missing DLL file and execute code as NT AUTHORITY\SYSTEM. An attacker could use this to escalate privileges, evade defences, achieve persistence, and more.
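A way to hunt for the pattern the three SafeBreach findings share (a privileged process probing for a DLL that does not exist, so that a DLL planted in a user-writable directory on its search path gets loaded), added here as an illustration and not SafeBreach’s own tooling. The script filters a Process Monitor CSV export for CreateFile events on .dll paths that ended in NAME NOT FOUND and keeps the ones whose directory a standard user can write to. The log lines, process name, paths and writable-directory list are all constructed for the example; on a real host the writable set has to be confirmed with icacls.

```python
import csv
import io


def missing_dll_events(procmon_csv):
    """Yield (process, pid, path) for every CreateFile on a *.dll that failed
    with NAME NOT FOUND, i.e. a DLL the process looked for but could not find."""
    for row in csv.DictReader(io.StringIO(procmon_csv.lstrip())):
        if (row["Operation"] == "CreateFile"
                and row["Result"] == "NAME NOT FOUND"
                and row["Path"].lower().endswith(".dll")):
            yield row["Process Name"], row["PID"], row["Path"]


def hijack_candidates(procmon_csv, writable_dirs):
    """Keep only the misses whose directory a low-privileged user can write to.

    A miss in C:\\Windows\\System32 is harmless by itself; the same DLL name
    being probed in a writable directory is what lets an attacker supply it.
    """
    prefixes = tuple(d.lower().rstrip("\\") + "\\" for d in writable_dirs)
    return [(proc, pid, path)
            for proc, pid, path in missing_dll_events(procmon_csv)
            if path.lower().startswith(prefixes)]


# Constructed Procmon export (default column set); process and paths are invented.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001","securesvc.exe","1234","CreateFile","C:\Program Files\Vendor\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0002","securesvc.exe","1234","CreateFile","C:\Windows\System32\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0003","securesvc.exe","1234","CreateFile","C:\Users\Public\tools\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0004","securesvc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.0005","securesvc.exe","1234","CreateFile","C:\ProgramData\Vendor\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:02:11.0006","securesvc.exe","1234","RegQueryKey","HKLM\SYSTEM\CurrentControlSet\Services","SUCCESS","Query: Name"
'''

# Directories a standard user can write to on the example host (assumed for the
# example); on a real system verify each with icacls before calling a miss exploitable.
WRITABLE_DIRS = [r"C:\Users\Public\tools", r"C:\ProgramData\Vendor"]

if __name__ == "__main__":
    for proc, pid, path in hijack_candidates(SAMPLE_LOG, WRITABLE_DIRS):
        print("%s (PID %s) would load a planted DLL from %s" % (proc, pid, path))
```

Run Procmon with a filter on Result is NAME NOT FOUND and Path ends with .dll while the product starts, export to CSV, and feed the export to hijack_candidates; a hit from a process running as SYSTEM is the precondition each of the three CVEs above describes, and the fix on the vendor side is to load with an absolute path or LOAD_LIBRARY_SEARCH_SYSTEM32 and to verify the signature of what was loaded.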
ABB Group substation protection devices contain critical vulnerability
- On November 26th, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a warning about a critical vulnerability, tracked as CVE-2019-18253, in ABB Relion 670 Series devices. The devices are used in substations throughout the world, and provide protection and control capabilities.
- The flaw, which has been assigned a CVSS score of 10, can be exploited by an attacker with network access to the devices. An attacker could read or delete files from the device using ‘specially crafted paths in a specific request’.
- The CISA warning states that the vulnerability only requires a ‘low skill level’ to exploit. An update for the flaw has been issued by ABB.
Joint investigation shuts down 30,506 domains for illegal activity
- During Operation In Our Sites X (IOS X), a joint investigation between 18 EU Member States, Europol, the US National Intellectual Property Rights Coordination Centre, Eurojust and INTERPOL, 30,506 domains distributing counterfeit and pirated products were seized. Three suspects were arrested as part of the investigation, and 26,000 luxury products, among other items, were seized.
Ohio prevents US Election Day hacking
- A hacking attempt that has been traced back to a Russian-owned company was thwarted by Ohio on November 5th, 2019, US Election Day. Republican Secretary of State Frank LaRose described the attempted SQL injection attack as ‘relatively unsophisticated’ and stated that the attackers had been probing his office’s website for vulnerabilities.
FBI warns of ‘potential counterintelligence threat’ that FaceApp poses
- Since the app first emerged in July, concerns have been voiced over how it handles users’ images. FaceApp argued that the images are only collected for a short period of time and that no data is stored in Russia.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.