Threat Reports

Silobreaker Daily Cyber Digest – 05 April 2019



New banking trojan BasBanke targets Brazilian users

  • Kaspersky Lab researchers discovered a new Android banking trojan, dubbed BasBanke, targeting users in Brazil. The distribution of BasBanke began during the Brazilian general election in October 2018 and since then it has been downloaded over 10,000 times from the official Google Play Store.
  • BasBanke is capable of keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. The perpetrators have been advertising the malicious applications used to distribute the malware via Facebook and WhatsApp messages.
  • The applications are disguised as a QR reader, a fake app for a real travel agency, and an application to ‘see who visited your Facebook profile’. The most widespread application used in this campaign is a fake version of CleanDroid that offers users protection against viruses, optimisation of memory space and the saving of data when using 3G and 4G connections.

Source (Includes IOCs)


New variant of IcedID discovered

  • Researchers at IBM X-Force identified changes in the IcedID Trojan, implemented to make it behave more stealthily on a victim’s device. Prior to this update, IcedID injected code into operating system processes and also when hooking browser processes. After the update, IcedID separated these two tactics.
  • When infecting operating system processes, IcedID hooks processes that will be called by the system, counting on the system to run the shellcode. This bypasses flagging and detection, and gives the code a higher chance of running undetected.
  • X-Force have stated that IcedID is one of the top five active banking trojans globally, due to its continuous evolution, as well as the operators having links to other cybergangs. They expect it to continue evolving, and to be further leveraged against banks and payment platforms throughout 2019.



Ongoing Campaigns

Ongoing DNS hijacking campaign targets consumer routers

  • Four unique rogue DNS servers have been used to redirect web traffic, causing consumer routers to connect to fraudulent and possibly malicious websites and addresses. All attack attempts have originated from hosts on the network of Google Cloud Platform.
  • Consumer routers targeted include multiple models of D-Link DSL modems, ARG-W4 ADSL routers, DSLink 250E routers, Secutech routers and TOTOLINK routers. Targeted routers were found in Canada and Russia.

Source (Includes IOCs)


Backdoor code discovered in Bootstrap-Sass Ruby library

  • The backdoor was found in Bootstrap-Sass, a Ruby package that provides developers with a Sass version of Bootstrap – currently the most popular UI framework for developers.
  • The backdoor was discovered by developer Derek Barnes after he noticed that someone had removed Bootstrap-Sass v3.2.0.2 and immediately released v3.2.0.3. The change was made on RubyGems, a repository for Ruby libraries, but not on GitHub, where the library’s source code was being managed. Analysis of v3.2.0.3 revealed code that would load a cookie file and execute its content.
  • The backdoor was removed from RubyGems and Bootstrap-Sass v3.2.0.4 was released to remove any backdoor leftovers.
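The Bootstrap-Sass case above turned on a version that existed on RubyGems but had no counterpart in the GitHub repository. One practical check for that class of problem is to compare the files of the package actually fetched from the registry against the files in the tagged source. The Ruby below is an added example written for this digest, not code from the bootstrap-sass project or from the original report. It assumes both trees are already on disk (for example via `gem fetch` and `gem unpack` for the published package, and a checkout of the matching git tag); the file names and contents in its demo are constructed.

```ruby
require 'digest'
require 'find'
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Build a manifest { "relative/path" => sha256 } for every regular file under root.
def manifest_for(root)
  base = Pathname.new(root)
  manifest = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = Pathname.new(path).relative_path_from(base).to_s
    manifest[rel] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Compare the reference tree (the tagged source from GitHub) with the package
# actually published on the registry. Files added or modified in the published
# copy have no counterpart in reviewed source and need to be looked at.
def diff_manifests(reference, published)
  common = reference.keys & published.keys
  {
    added:    (published.keys - reference.keys).sort,
    removed:  (reference.keys - published.keys).sort,
    modified: common.select { |f| reference[f] != published[f] }.sort
  }
end

# A published package is consistent with its source only if nothing was added
# or changed relative to the tag (removed files are reported but not fatal).
def matches_source?(diff)
  diff[:added].empty? && diff[:modified].empty?
end

# Helper for the constructed demo: write files relative to root.
def write_tree(root, files)
  files.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

# Constructed demo (not real bootstrap-sass content): the "git-tag" tree is
# what the repository shows, the "published-gem" tree carries one extra file
# and one edited file, which is the pattern a registry-only release produces.
def demo_diff
  Dir.mktmpdir do |dir|
    tag = File.join(dir, 'git-tag')
    pub = File.join(dir, 'published-gem')
    write_tree(tag, {
      'lib/example.rb'        => "module Example; VERSION = '3.2.0.3'; end\n",
      'lib/example/helper.rb' => "module Example; def self.helper; :ok; end; end\n"
    })
    write_tree(pub, {
      'lib/example.rb'        => "module Example; VERSION = '3.2.0.3'; end\n",
      'lib/example/helper.rb' => "module Example; def self.helper; :ok; end; end\nrequire 'example/extra'\n",
      'lib/example/extra.rb'  => "# constructed placeholder for a file present only in the published gem\n"
    })
    diff_manifests(manifest_for(tag), manifest_for(pub))
  end
end

if __FILE__ == $PROGRAM_NAME
  d = demo_diff
  puts "added:    #{d[:added].inspect}"
  puts "modified: #{d[:modified].inspect}"
  puts "removed:  #{d[:removed].inspect}"
  puts(matches_source?(d) ? 'published gem matches tagged source' : 'published gem diverges from tagged source')
end
```

An added or modified file is not automatically malicious, since gems often ship generated assets that are absent from git, but each one is something to read before the package is trusted, and a release whose tag does not exist at all in the repository is the case this check is designed to surface. The example goes slightly beyond the digest item by also listing files removed from the published copy.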



Phishing campaign uses browser extension tool SingleFile to obfuscate malicious log-in pages

  • Trend Micro researchers discovered a new phishing campaign that uses a legitimate tool called SingleFile to avoid detection. SingleFile is a web extension for Google Chrome and Mozilla Firefox that permits users to save a webpage as a single HTML file.
  • The researchers observed threat actors using SingleFile to copy the log-in pages of legitimate sites, generating an identical copy of the legitimate login page. This allowed them to generate phishing pages that hide the login form HTML code and the JavaScript used by the original page from static detection tools.

Source (Includes IOCs)


London Blue cybercriminal group continue operations with attacks against Asia

  • For five months the London Blue cybercriminal group has run Business Email Compromise (BEC) scams against employees in Asia working for companies based predominantly in the US, Australia and Europe. London Blue has been identified as a Nigerian operation, however one member has been identified in the UK.
  • Agari published a report on the London Blue scammers outlining their methods and tactics, including details about their focus on targets in Asia, and updates to their methodology, such as spoofing domains, to ensure emails don’t appear suspicious.
  • The group are reportedly relying on a new database of approximately 8,500 financial executives associated with almost 7,800 unique companies, mostly in the US. This database, however, is significantly smaller than the database previously used by the group, which comprised a list of over 50,000 executives.



Document-based malware increasingly leveraged

  • Researchers at Barracuda Networks have found that the frequency of document-based malware has risen in the first quarter of 2019, with documents accounting for 59% of all malicious files. They discovered over 300,000 unique malicious documents, which were all used in phishing campaigns.



UK organisations targeted by state-sponsored hackers

  • The National Cyber Security Centre stated that they were ‘aware of a cyber incident affecting some UK organizations in late 2018’. Researchers have suggested that the actors behind the incident are the Iranian Revolutionary Guard – a group previously blamed for a 2017 attack against parliamentary accounts.



CIA extortion scams use SatoshiBox to sell fake proof for $500

  • A new CIA extortion campaign is selling alleged proof that the recipient is part of an ongoing CIA investigation, on SatoshiBox for $500. The scams pretend to be from a CIA technician collection office that noticed the recipient’s name was part of an open investigation into underage pornography, stating that the collection office can remove the name if a payment of $500 is made.
  • Previous reports detailed that payment instructions for new campaigns were being displayed in password-protected PDFs. These PDFs also include a link to supposed evidence that the recipient is part of the CIA investigation. The link in the document opens a browser to a URL on SatoshiBox, a service that allows users to upload digital content that is released to a buyer once it is purchased using bitcoins.



Leaks and Breaches

Possible data breach investigated at University Hospital Galway

  • The hospital in Galway, Ireland, is investigating an incident in which a number of its patients received a letter by post claiming that they have won a prize in a ‘Hospital Sick Patient Lottery Draw’ conducted by the ‘World Health Concern Charity Org’.
  • The letters feature patients’ addresses and ask them to fill out an attached questionnaire with their personal details.



Bayer AG suffers malware attack

  • Bayer, a large German pharmaceutical manufacturer, has reported that they suffered an attack leveraging WINNTI malware, and that the malware had resided on their network for at least a year. The firm stated that there is no evidence to suggest data was accessed or removed, but they are investigating the overall impact it had on their systems. It remains unclear how the malware originally appeared on their network.




Windows update 18362.30 fixes boot-breaking bug

  • The most critical issue could cause Windows PCs to become unbootable after installing an update followed by an optional feature-on-demand. Among several other minor issues fixed in the update, one flaw meant AAD users were unable to sign in after updating to 19H1 on AAD-joined PCs not enrolled in MDM.



Pre-installed Xiaomi app vulnerable to MiTM attacks

  • Check Point research has reported that a flaw exposing users to Man-in-the-Middle (MiTM) attacks has been patched by Xiaomi in the preinstalled security app Guard Provider. The flaw is the result of communication issues between the various SDKs used by the Guard Provider app, which makes it possible for threat actors to ‘inject any rogue code he chooses, such as password stealing, ransomware, tracking or any other kind of malware.’
  • When multiple SDKs are used in applications, developers aren’t able to prevent issues that impact one of them from compromising the security of others, nor are they able to isolate private storage data used by each SDK.
  • Check Point discovered this flaw in a pre-installed application on Xiaomi smartphones.



Samsung Galaxy S10 fingerprint scanner duped with 3D print

  • Reddit user darkshark9 has demonstrated how the fingerprint scanner feature in the Samsung Galaxy S10 can be tricked into unlocking the device by using a 3D-printed copy of a fingerprint stolen from its owner.
  • Darkshark9 was able to unlock his Samsung Galaxy S10 using his 3D printed fingerprint, picked up from a photo of a wine glass taken using the smartphone.
  • In addition, last month Samsung Galaxy S10’s face recognition-based screen lock feature was also proven to be vulnerable, after the Dutch Consumentenbond not-for-profit organization was able to demonstrate that the feature could be tricked using high-quality portrait photographs of the device owners.

Source 1 Source 2


Researcher publishes proof-of-concept exploit for unpatched Google Chrome vulnerability

  • The flaw resides in Chrome’s V8 JavaScript engine and a patch has not yet been released. Researcher Istvan Kurucsai detailed how the flaw can be abused for remote code execution.
  • Kurucsai released the proof-of-concept code to demonstrate how a working exploit can be developed for a Chrome vulnerability before a patch reaches the stable Chrome release. The researcher labels this the ‘window of opportunity’ for attackers, resulting from the gap in Chrome’s IT supply chain as patches are required to travel via the Chrome assembly line before they can reach the stable release.

Source 1 Source 2


New patches issued for flaws in Cisco’s RV320 and RV325 routers exploited in the wild

  • The two vulnerabilities, tracked as CVE-2019-1653 and CVE-2019-1652, were initially patched in January 2019; however, the fixes were incomplete, leading to the flaws being exploited in attacks in the wild.



General News

ATM skimming group members arrested in Mexico

  • Identified as Florian N, 42, and Adrian Nicholae N, 37, the former is suspected to be the boss of a Romanian crime syndicate responsible for deploying card-skimming devices throughout North America. They were arrested for possession of an illegal firearm and cash totalling approximately $26,000.
  • KrebsOnSecurity has suggested that they are a target of a wide-ranging FBI investigation into the Romanian skimming syndicate, and that they have subsequently made bail on their weapons charges, potentially trying to figure out how they can flee the country.




The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
