Silobreaker Daily Cyber Digest – 06 February 2019
Coveware detail GandCrab v5.1’s new exploit kit distribution and TOR site features
- Coveware researchers found that the core features of the site remain unchanged with the most recent version of GandCrab ransomware 5.1. The website features a customer support chat and a free test decryption for victims. It also offers ‘discount codes’ which, according to Coveware, cater to ‘shady data recovery firms’ as they enable them to hide the final cost of decryption from victims.
- The discount codes were also found to enable private chats that are hidden from any other visitor of the TOR site, which allows the data recovery firms to conceal the decryption process from their customers, and profit from substantial mark-ups on the actual cost of decryption.
- The researchers also note that RDP ports remain the primary attack vector for v5.1. However, they discovered that the ransomware has also been linked to automated attacks using exploit kits such as Fallout, Emotet and the Vidar credential stealer.
Cryptocurrency wallets Electrum and MyEtherWallet hit by phishing attacks
- On February 4th, the MyEtherWallet team warned via Twitter of a phishing email circulating, asking users for their personal information. A Reddit post stated that the phishing scam was posing as a security update and was attempting to steal sensitive data from Electrum customers.
- Versions of Electrum older that 3.3.3 are vulnerable to a phishing attack where ‘malicious servers are able to display a message asking users to download a fake version of Electrum.’
Morphisec identify new campaign delivering Orcus RAT
- The attacks, undertaken by a threat actor dubbed PUSIKURAC, were focused upon stealing information from victims. Before performing the attacks, PUSIKURAC registered domains through FreeDNS services.
- In addition, the threat actor behind the campaign also uses legitimate free text storage such as pastes, signs executables, misuses commercial .NET packers, and embeds payloads within video files and images.
- Orcus RAT is capable of stealing browser cookies and passwords, launching DDoS attacks, disabling webcam activity lights, recording microphone input, spoofing file extensions, logging keystrokes, and more.
Source (Includes IOCs)
New spam campaign uses links inside fake ebooks on Kindle store
- Malwarebytes Labs detected a new spam campaign targeting fans of John Wick on the Amazon Kindle store. Fake ebooks disguised as an upcoming third movie in the John Wick series are being used to lure victims into clicking malicious links.
- Around 40 individual posts were found advertising the fake ‘John Wick 3’ movie between January 25th and February 2nd, 2019. Upon further inspection, Malwarebytes Labs uncovered that the movies were in fact ebooks that included links to the fake movie. Once clicked, the links redirected unsuspecting users through a series of third-party websites.
- The fake ebooks have since been taken down from the Kindle store.
Outlaw group conducts active campaign targeting Linux systems to mine cryptocurrency
- JASK Special Ops research team reported on the recent attacks observed seizing infrastructure resources in order to enact cryptomining attacks.
- The attacks use a refined version of Shellbot, which creates a tunnel between an infected system and a C&C server operated by the threat actors. Shellbot is distributed through common command injection vulnerabilities which target flawed Linux servers, as well as IoT devices.
- Recently, Outlaw group compromised a File Transfer Protocol (FTP) server of a Japanese art organisation, as well as a Bangladeshi government website. The systems targeted in these attacks received payloads including IRC C&C botware, the cryptomining script XMR-Stak, and the Haiduc SSH scan and network propagation toolkit.
Malicious cryptocurrency software distributes AZORult stealer
- Hackers have hacked into the Github account of Carson Klock, the lead of Denarius cryptocurrency, and installed a backdoored version of the Windows client with the AZORult infostealer. Klock stated that the attack was the result of him reusing an older password to secure his Github account.
- The hacker accessed the account and uploaded a backdoored version of the Denarius Window client which installed a version of the AZORult malware.
- AZORult has the capability to steal a large amount of data such as browser passwords, browser cookies, password for FTP clients’ wallet database files, and more. The malicious control panel had been hosted since July 2018.
Scammer groups exploit Gmail ‘dot accounts’ to enact online fraud
- Gmail’s ‘dot accounts’ are a feature of Gmail addresses that ignore dot characters inside Gmail usernames. Scammer groups have recently discovered that this feature can be abused to file for fraudulent unemployment benefits, file fake tax returns and bypass trial periods for online services.
- Recently, one group has been observed exploiting this feature by using legitimate-looking Netflix emails to prompt Netflix account owners into adding their card details to the scammer’s accounts registered with the user’s dotted email address.
OpenOffice remains vulnerable to remote code execution
- OpenOffice is still exposed to a remote code execution flaw, tracked as CVE-2018-16858, that affects the latest version of OpenOffice, 4.1.6. The vulnerability can be triggered using automated macro execution when users move the cursor over a maliciously-crafted ODT document.
- The flaw was initially discovered by researcher Alex Inführ and was found to impact LibreOffice releases up to and including 6.0.6/188.8.131.52. However, following the researcher’s report, the bug has been patched in LibreOffice 6.0.7/6.1.3.
Vulnerabilities discovered in AEG Smart Scale devices
- Checkmarx researchers reported on several security issues discovered in AEG Smart Scale PW 5653 BT and the related Smart Scale apps for both Android and iOS.
- The most severe flaw discovered is a denial-of-service vulnerability that could allow an attacker to trigger a special request via Bluetooth and crash the smart scale.
- The other flaws discovered in Smart Scale devices could permit attackers to change the device name or launch man-in-the-middle attacks and intercept information sent between the mobile application and the host.
Zcash team divulge details on severe flaw in Zcash
- In October 2018, a severe vulnerability was discovered in Zcash that could have allowed an attacker to generate new Zcash funds without any upper limit. Due to the severity of the bug, only four people were made aware of the issue before it was patched in the same month.
- The flaw could have been abused to flood the Zcash ecosystem with new funds, which could have resulted in the dilution of and destruction of the currency.
Google patches critical PNG image flaw
- In its February Android Security Bulletin, Google addressed three critical vulnerabilities in the Android Framework, tracked as CVE-2019-1986, CVE-2019-1987 and CVE-2018-1988. One of these flaws is a PNG image vulnerability that could allow a remote attacker using a specially-crafted PNG file to execute arbitrary code within the context of a privileged process.
- The security update addresses a total of 42 flaws out of which 11 were rated critical and 30 rated high severity.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.