Silobreaker Daily Cyber Digest – 07 December 2018
Over 100,000 PCs in China infected with new ransomware
- The ransomware, dubbed UNNAMED1989, reportedly infected over 100,000 computers in only four days. The first samples were seen on December 1st, 2018, after users installed a number of social media themed apps including ‘Account Operation V3.1’. By the evening of December 4th, the researchers had identified over 100,000 infections.
- Most notably, the ransomware does not lock the user’s computer or encrypt their files, but instead uses a component designed to steal victims’ login credentials for Chinese digital wallet services, personal cloud hosting platforms, email providers and online shopping portals. Secondly, the ransomware does not use Bitcoin for a payment method, but rather demands ransoms of 110 yuan, the equivalent of $16, via Chinese payment service WeChat.
- The ransomware author, 22-year-old Luo Moumou, has now been arrested by Chinese authorities, and decryptors for the ransomware have been released by Tencent and the Velvet Security Team.
Linux Rabbit and Rabbot target Linux servers and IoT devices to install cryptominers
- Anomali researchers discovered a new malware, named Linux Rabbit, targeting Linux servers and IoT devices. The campaign began in August 2018 and continued until October 2018, targeting machines in Russia, South Korea, the UK and the US. The aim of the campaign is to install cryptocurrency miners onto victims’ devices.
- According to Anomali, the infection vector and the perpetrator behind the attacks remain unknown. Linux Rabbit uses Tor gateways to connect to the C&C server, sets up persistence and brute-forces SSH passwords, ultimately allowing the operator to download Monero miners. Depending on the architecture of the machine, the malware chooses which of two miners it will infect the system with: x86 devices were infected with CNRig, whereas ARM/MIPS devices were infected with Coinhive.
- In September 2018 a new campaign followed that used a self-propagating worm dubbed Rabbot, which shares the same code base as Linux Rabbit. Rabbot differs from Linux Rabbit in that it delivers its payloads via an open port 80.
Source (Includes IOCs)
Danabot banking trojan expands capabilities
- ESET researchers discovered that Danabot’s authors are experimenting with email-address-harvesting and spam-sending features that are capable of misusing the webmail accounts of existing victims to further their malware distribution. In addition, the researchers also discovered indications that the malware’s authors have been cooperating with the criminals responsible for Gootkit.
- Researchers discovered these new features when they were analysing the webinjects used to target users of several Italian webmail services.
Source (Includes IOCs)
Android apps posed as iOS apps performing clickfraud on infected devices
- SophosLabs researchers discovered 22 mobile apps, with over 2 million downloads, on the Google Play Store that, once installed, infected the device with Andr/Clickr-ad malware to perform clickfraud on the victim’s device. The apps were disguised as games and functioning utilities. Apps by the same developers were also found on iTunes; however, these lacked ad fraud capabilities.
- The malware possesses downloader capabilities, allowing the retrieval of other files if instructed by the C&C server. The C&C server otherwise instructed the malware to send ad requests pretending to originate from a variety of apps. In some cases, the malicious Android apps posed as Apple devices to advertisers, giving them incentive to ‘possibly earn a premium return.’
- The malicious ad calls were made in a hidden browser window in which the app simulated user interaction with the ad. The apps were removed from the Play Store in late November 2018.
TA505 targets retail industry using personalised attachments
- Proofpoint observed email campaigns targeting large retail, restaurant and food chains, as well as other companies in the food and beverage industry. The campaigns have been attributed to the threat actor TA505.
- The campaigns attempted to deliver various malware families, including Remote Manipulator System (RMS) and FlawedAmmyy. In one particular campaign, the attachments were personalised and used the targeted company’s logo.
Source (Includes IOCs)
DarkVishnya campaign targets Eastern European banks stealing millions of dollars
- Kaspersky Lab researchers identified a new set of attacks, dubbed DarkVishnya, in which cybercriminals physically connected their own devices to an organization’s network. The researchers investigated incidents from 2017 to 2018 in which at least 8 banks in Eastern Europe were targeted, with tens of millions of dollars stolen.
- Attackers entered the organizations’ central and regional offices, disguised as couriers or jobseekers, to connect their devices to corporate networks. Three types of devices were used: laptops, Raspberry Pi boards and malicious USB thumb drives known as ‘Bash Bunnies’ that are used for penetration testing purposes.
- Next, they remotely connected to the devices and scanned the local network to gain access to publicly shared folders, servers and workstations used for making payments. The criminals also used brute-force attacks and sniffing to obtain login data for the targeted machines, and then used fileless attacks and PowerShell, enabling them to bypass whitelisting technologies and domain policies.
Syrian Electronic Army targets Android devices with SilverHawk spyware
- In a briefing at the Blackhat Europe 2018 conference in London, researchers from Lookout reported on the recent expansion of tools belonging to the Syrian Electronic Army (SEA). The threat actor was found to be investing significant resources into an Android spyware called SilverHawk.
- SilverHawk is built into fake updates for several security- and privacy-focused communications apps such as WhatsApp and Telegram. SEA was also found to have created Microsoft Word files and YouTube fakes containing the spyware in their attempts to compromise Android devices.
- The apps were spread via watering hole websites and phishing emails.
TheDarkOverlord re-emerges on Twitter claiming to possess a FISA order against them
- TheDarkOverlord have re-emerged on Twitter with a new account using the handle @tdo_hack3rs, following the suspension of their previous account.
- In a tweet, the threat actor stated plans to release a US Foreign Intelligence Surveillance (FISA) Court order that ‘the USA gov served to Twitter in an attempt to deploy a [network investigative technique] against [them]’.
Lokibot campaign persists with changes to C&C URLs
- The changes could be the result of a complete change to the C&C URL naming convention, or the particular actor behind this campaign could simply be using a different URL naming convention. Usually Lokibot can be identified by the ‘fre[.]php’ URL; however, this campaign used ‘cat[.]php’.
- The delivery email’s subject states ‘Request for Invoice’ and pretends to come from sales@kumarequipment[.]net, with a malicious Word document containing an RTF exploit.
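The point of the naming-convention note above is that a detection keyed only on the usual ‘fre.php’ path would miss this campaign. The following Python is an added illustration, not part of the Silobreaker digest or any vendor tooling: it scans constructed proxy log lines (the log format, IP addresses and hostnames are all assumptions made up for the example) and flags requests whose final URL path segment is either of the two script names the digest mentions, while ignoring look-alikes such as ‘free.php’.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the original digest).
# Format assumed here: "<timestamp> <source ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2018-12-06T09:14:02Z 10.0.5.23 POST http://203.0.113.10/gate/fre.php 200
2018-12-06T09:15:44Z 10.0.5.23 POST http://203.0.113.10/panel/cat.php 200
2018-12-06T09:16:01Z 10.0.5.40 GET http://example.com/index.php 200
2018-12-06T09:17:30Z 10.0.5.41 POST http://example.net/upload/cat.php?x=1 200
2018-12-06T09:18:12Z 10.0.5.42 GET http://example.org/free.php 200
"""

# Script names the digest associates with Lokibot C&C URLs: fre.php is the usual
# convention, cat.php the variant seen in this campaign.
LOKIBOT_SCRIPTS = {
    "fre.php": "lokibot-usual-convention",
    "cat.php": "lokibot-campaign-variant",
}

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_url(url):
    """Return the label for a URL whose final path segment is a known script name, else None.

    The query string is dropped and only the last path component is compared
    (case-insensitively), so 'free.php' or 'cat.php.bak' do not match.
    """
    path = urlsplit(url).path
    script = path.rsplit("/", 1)[-1].lower()
    return LOKIBOT_SCRIPTS.get(script)


def find_lokibot_candidates(log_text):
    """Scan log text and return one record per request matching a Lokibot URL convention."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the assumed format
        label = classify_url(rec["url"])
        if label:
            hits.append({"ts": rec["ts"], "src": rec["src"], "url": rec["url"], "label": label})
    return hits


if __name__ == "__main__":
    for hit in find_lokibot_candidates(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} [{hit['label']}]")
```

A bare script name such as ‘cat.php’ is a weak indicator on its own, since legitimate sites use similar names; treat the output as triage candidates to correlate with the campaign’s other indicators (the sender address and subject line above, and the IoCs in the linked source) rather than as a conviction on its own.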
Leaks and Breaches
Game publisher Bethesda inadvertently leaks personal data of Fallout 76 customers
- The publisher and developer accidentally leaked the data of customers who needed help and had opened support tickets.
- Other customers tweeted that they had received other customers’ support tickets, which included email addresses, home addresses and payment card information.
Dutch clothing company targeted in Magecart attack
- The company OppoSuits warned clients that Magecart malware planted on its Australian, Canadian, EU and UK websites may have compromised their data. 7,000 customers were contacted after the malware was discovered on November 22nd, 2018.
Marriott data breach reportedly carried out by Chinese hackers
- Reuters reported that, according to investigators, the recently disclosed Marriott Starwood hotels data breach, which spanned from 2014 to 2018, was the work of Chinese government-sponsored hackers.
Commonwealth Bank investigating medical data breach
- The bank reported that a potential data breach may have allowed staff to access clients’ medical information, including staff involved in reviewing loan applications.
Unprotected database exposes profile data of 66 million people
- An unprotected MongoDB database exposed scraped data from the LinkedIn profiles of 66 million users. Discovered by Bob Diachenko, the database included 66,147,856 unique records containing full names, personal and professional email addresses, user location details, phone numbers and employment history.
Moldovan citizen sentenced for distributing Dridex Malware
- Andrei Ghincul was sentenced by the US Department of Justice for his part in disseminating Dridex malware, which was used to steal banking credentials and carry out fraudulent transfers of millions of dollars from victims’ accounts.
Nokia warns users of increase in IoT malware on networks
- Nokia warned users of a 45% increase in IoT botnet activity on service provider networks since 2016. The company’s ‘Threat Intelligence Report for 2019’ revealed that botnet activity represented 78% of malware detection events in communication service provider networks this year, which is more than double the 33% that was seen in 2016.
Toyota presents PASTA car-hacking tool
- At the BlackHat Europe 2018 convention, Toyota researchers presented the Portable Automotive Security Testbed (PASTA), an open-source testing platform specifically designed to help experts test security features of modern vehicles.
- PASTA consists of four Engine Control Units (ECUs) as well as a console for running tests of car system operation or for carrying out attacks such as injecting Controller Area Network (CAN) messages. PASTA simulates ‘remote operation of vehicle components and features, including wheels, brakes, windows and other car functionalities’.
- According to Security Affairs, Toyota is planning to release specifications on GitHub and release the tool in Japan.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.