Silobreaker Daily Cyber Digest – 04 February 2019
Palo Alto’s Unit 42 report on new KerrDown custom downloader used by APT32
- KerrDown has been actively used by APT32 since at least early 2018, being delivered via a Microsoft Office document with a malicious macro, as well as via a RAR archive containing a legitimate program with DLL side-loading.
- The link to the final payload of KerrDown is a variant of Cobalt Strike Beacon. The RAR archive files’ file names used to trick the targets are all in Vietnamese which suggests that the targets for these emails are Vietnamese speaking or in Vietnam.
- From this recent campaign, Unit 42 have been able to discern possible working hour patterns, which suggest that the threats actors are working out of Vietnam or nearby countries.
Source (Includes IOCs)
New malware used to target Macs and the Chrome browser to steal cryptocurrency information
- The new malware is being used by cyber criminals to target Macs and the Chrome browser to steal information pertaining to the victim’s cryptocurrency exchanges and digital wallets. The malware installs cryptomining software that mines the Japanese-centric Koto cryptocurrency.
- The malware is a version of OSX.DarthMiner and includes the capability to steal browser cookies associated with cryptocurrency exchanges and digital service wallets. In addition, it can also steal passwords, usernames and credit card information that has been saved in Chrome and iPhone text messages from iTunes backups on the connected Mac.
- Threat Actors could use this stolen information to bypass sites that require multi-factor authentication, by ‘abusing the legitimate extraction and decryption capabilities built into Chrome by Google Chronium project’. By using this method, the threat actors could have the ability to access the target’s exchange and wallet.
Sextortion scam states Xvideos[.]com hacked to distribute user footage
- A sextortion scam has been circulating in the US stating that adult site Xvideos[.]com was hacked and infected with a malicious script that records visitors through their webcams, sending the footage back to the hacker. The email further states that the script was able to steal the visitor’s data and contacts.
- The scam includes old user passwords obtained from data breaches and asks the recipients to send a bitcoin payment equivalent to $969 to ensure that the footage is not distributed.
Scammers abuse YouTube policy violation system to hold channels for ransom
- Scammers are abusing the YouTube violation system by filing fake copyright infringements against the channel creators until those channels are almost suspended. The scammers then hold the channels ransom by threatening the creators that they will file another copyright infringement resulting in the channel’s suspension, unless payment is sent to them via Paypal or Bitcoin.
Fake fonts leveraged by phishing kit
- The custom fonts render letters in a non-standard alphabetical order, replacing letters with each other, showing intended text within the browser, but not existing on the page. The banks logos are also rendered via vector graphics, so that the logo and source do not appear in the code, making detection more difficult.
- Proofpoint researchers have stated that this type of kit was observed as early as May 2018, but some may have existed before this.
Source (Contains IOCs)
Researchers discover multiple malspam emails
- My Online Security noticed several different malspam emails arriving over the weekend, all delivering well known malware in compressed files, as well as a blank PDF file. The first and second identified emails contained .rar attachments delivering Hawkeye keylogger. These are not able to be extracted natively in Windows, and require a third-party archiving tool.
- The third was a fake PO/Confirmation which delivered Pony Trojan, and the fourth contained a PDF payment confirmation that was completely blank and free of any exploits. It was suggested that the actor may have messed up the vulnerability that was supposed to be included.
Leaks and Breaches
Woodbury infertility clinic suffers data breach
- Reproductive Medicine and Infertility Associates was victim of a malware attack in December 2018, that may have exposed personally identifiable information of clients. The malware was discovered on December 5th 2018, when computer forensic experts were hired to remove the malware and conduct an investigation.
- Data exposed includes names, addresses, dates of birth, health insurance information, treatment information and some social security numbers. RMIA have said that they have not yet seen any evidence of misuse of the information, and that they are offering resources to assist them.
Siri Shortcuts vulnerable to abuse
- John Kuhn, a senior threat researcher at IBM X-Force believes that Siri Shortcuts, a new addition in iOS 12, can be abused to create scareware or a fake ransomware campaign. Non-technical users could be fooled into believing the threat, and paying a ransom fee.
- Kuhn also believes that a malicious Siri Shortcut script can be made into a worm, capable of automatically messaging a victim’s contact list with a download link, either urging others to install the script or to leading to a more dangerous download.
- The IBM X-Force team recommend that users take the same precautionary measures with scripts as they would with a regular application or browser extension.
Code execution vulnerability discovered in LibreOffice
- CVE-2018-16858 is a code injection vulnerability discovered in versions 6.1.0-18.104.22.168 of LibreOffice. It is possible to exploit simply by having the target user hover their mouse over a malicious URL, to show a mouseover preview. Researchers have created a proof-of-concept video demonstrating the vulnerability in action.
- The vulnerability has been fixed in version 22.214.171.124, and users are recommended to upgrade to this.
Source (Contains IOCs)
Mozilla releases updates for two critical issues in Thunderbird
- CVE-2018-48500 is a use after free vulnerability that exists while parsing an HTML5 stream in concert with custom HTML elements. This causes the stream parser object to be freed while it is still in use, which leads to an exploitable crash.
- CVE-2018-18501 is a memory safety bug in Firefox 64, FireFox ESR 60.4 and Thunderbird 60.4, which could be exploited to run arbitrary code.
Digital cryptocurrency exchange loses $137 million
- Canadian cryptocurrency exchange QuadrigaCX has lost control of at least $137 million of customers assets due to the death of its founder. Director and Officer of the exchange Gerry Cotton died of Crohn’s disease in India in December, and was the only person known to have access to the offline wallet that stored the coins.
- The cold wallet was stored on an encrypted laptop that only Cotton was able to decrypt.
- In addition, a further $53 million worth of assets are inaccessible due to disputes with third parties.
Actor behind the Collection #1 leak discovered
- The Collection #1 archive was discovered by Troy Hunt, a cyber security expert, and included around 773 million records. Researchers have found the alleged culprit, who goes by the moniker ‘C0rpz’. They appeared to have collected their trove of data via credential stuffing.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.