Silobreaker Daily Cyber Digest – 10 April 2019



Baldr Stealer discovered on cybercrime forums

  • Discovered by Malwarebytes, Baldr Stealer is built to exfiltrate sensitive data from key locations on an infected computer, including browser profiles, cryptocurrency wallets, records from VPN clients, FTP programs, text documents and Telegram chats. It has been attributed to the work of three threat actors, Agressor, Overdot and LordOdin, and is sold for $50. Overdot has previously advertised Arkei Stealer, and one of his posts on a forum suggests that Baldr’s and Arkei’s developers occasionally collaborate.
  • The malware was discovered at the end of 2018, and cannot yet achieve persistence, so it attempts to lift all the information in one go and makes no effort to disguise or hide during the stealing process. Once the gathering process is complete, it sends the exfiltrated dataset across to the attacker’s C&C server. The attacker can then access the stolen information via a Baldr web control panel.
  • Baldr appears to have short development cycles, with version 2.2 recently released. Researchers believe that this shows the author is interested in fixing bugs and developing new features. One of the distribution vectors is via fake cracking and hacking tools through YouTube that promise the user ‘free Bitcoins’.

Source (Includes IOCs)


ESET researchers publish update on OceanLotus’ macOS malware

  • In March 2019, a new macOS malware sample from the OceanLotus group, also known as APT32, was uploaded to VirusTotal. It shares similarities with a previous macOS variant, but its structure has been changed and it is more difficult to detect.
  • ESET’s report includes analysis of anti-debug and anti-sandbox capabilities, string decryption and significant updates.

Source (Includes IOCs)


Flame ransomware linked to GOSSIPGIRL STA

  • As reported yesterday, a new version of Flame ransomware was recently discovered by researchers at Chronicle. In a new blog post, the researchers report that they were led to the discovery while investigating the activities of GOSSIPGIRL Supra Threat Actor (STA).
  • Moreover, their investigation revealed that GOSSIPGIRL STA was likely involved in the early development of Stuxnet malware.
  • Lastly, the researchers also found a ‘missing link’, dubbed Duqu 1.5, in the development from Duqu to the Duqu 2.0 modular platform.



Ongoing Campaigns

FireEye uncovers new attack against a critical infrastructure facility using Triton

  • In December 2017, malicious actors were observed targeting industrial safety systems using the Triton custom attack framework, which FireEye published an analysis of shortly after. Most recently, FireEye have attributed these intrusions to a Russian, government-owned, technical research institute based in Moscow.
  • During their analysis, FireEye discovered an additional attack against a second critical infrastructure facility, in which the attackers focused on targeting the facility’s operational technology. The group established a foothold on the corporate network and then aimed to gain access to the operational technology network.
  • The attack tools used focused predominantly on network reconnaissance, lateral movement and maintaining persistence in the target environment. Analysis of the attack also uncovered several new and previously unidentified tools, which suggest that the perpetrators have been active since 2014. FireEye’s report includes further detailed analysis.

Source (Includes IOCs)


Kaspersky Lab researchers discover new TajMahal APT framework

  • The framework was discovered in autumn 2019, however, the researchers suspect that it has been developed and used for at least the last five years. So far, one victim, a diplomatic entity in Central Asia, has been targeted by TajMahal.
  • According to the researchers, TajMahal contains two packages named ‘Tokyo’ and ‘Yokohama’ which include backdoors, loaders, orchestrators, C&C communicators, audio recorders, keyloggers, screen and webcam grabbers, and file and cryptography key stealers. Up to 80 malicious modules were discovered in the framework’s encrypted Virtual File System.
  • Moreover, TajMahal is capable of stealing data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file previously detected on a USB stick the next time the USB is connected to the computer.

Source (Includes IOCs)


Attackers abuse misconfigured servers in ongoing credential dumping campaign

  • IBM X-Force researchers recently found that multinational corporations across a wide range of sectors are being targeted by attackers using malicious scripts to automate attacks on misconfigured servers. These attacks resulted in an ongoing credential dumping campaign that steals corporate credentials of victims.
  • In this campaign, attackers were observed using the DoublePulsar kernel exploit and communicating with the network over TCP port 445.
  • Moreover, attackers were seen operating a public File Transfer Protocol server that collects credentials from additional compromised networks and sends them to a third host.

Source (Includes IOCs)


Newsletter sign-up forms abused by threat actors to steal payment card data

  • These sign-up forms are being used by malicious actors to camouflage phishing emails as official newsletter subscription messages. Dr Web researchers discovered that this technique also allows threat actors to circumvent spam filters.
  • The actors are sending phishing emails that come from official addresses from multinational companies such as Audi, Austrian Airlines, and S-Bahn Berlin. A link in the email leads users to the hacked page of a dating website, which contains malicious code that redirects users through several other websites, eventually landing on a phishing site.
  • Victims are then told that they can enter a promotion, which requires them to fill in a survey. Fake testimonials are also included to enhance credibility. Victims are then redirected to a fake payment page that asks for credit card information and a verification code sent by SMS.



Gustuff banking botnet observed targeting Australian financial institutions

  • Cisco Talos has discovered a new campaign targeting Australian financial institutions with Gustuff banking botnet. In addition, the researchers found that the campaign has connections to the ‘ChristinaMorrow’ text message spam campaign previously observed in Australia.
  • Gustuff has infostealing capabilities, as well as the ability to steal user’s contact lists and collect phone numbers, names, files and photos on an infected device. The campaign was observed targeting mainly private users, propagating via SMS messages.

Source (Includes IOCs)


New LimeRAT infection chain discovered

  • Researchers at Cybaze-Yoroi ZLab discovered the new infection chain, which begins with an LNK file that downloads and executes a PowerShell script. The script then uses privilege escalation techniques to bypass User Account Control: it writes a command that runs the payload into the registry, and a flaw in Windows Event Viewer causes that command to be executed with maximum privileges.
  • The payload is a Base64 encoded PE32 file, which is filelessly stored in the registry to aid evasion, and appears to be a LimeRAT variant, capable of fileless startup, USB propagation, stealing passwords and cryptocurrency wallet credentials, keylogging, backdoor and RDP processes and also contains anti-sandbox mechanisms. The attacker’s C&C server address is retrieved via Pastebin.

Source (Includes IOCs)
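The chain above stores a Base64-encoded PE32 file in the registry so that no executable ever touches disk. A defender reviewing a registry export can look for exactly that artefact: a string value that decodes to data carrying an MZ header and a valid PE signature. The following script is an added example written for this digest, not code from Cybaze-Yoroi ZLab or from the LimeRAT report; the registry key, value names and the minimal PE header in the sample export are constructed for the demonstration and do not correspond to real indicators.

```python
import base64
import binascii
import re
import struct

# .reg export syntax: keys are lines like [HKEY_...], string values are
# lines like "Name"="value" or @="value" (default value).
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=("(.*)")$')

# Values shorter than this are not worth decoding: a PE header alone
# needs more than this many bytes.
MIN_B64_LEN = 128


def base64_to_pe_info(text):
    """Return (decoded_size, machine) if text is Base64 of a PE image, else None."""
    stripped = text.strip()
    if len(stripped) < MIN_B64_LEN or not re.fullmatch(r'[A-Za-z0-9+/=\s]+', stripped):
        return None
    try:
        blob = base64.b64decode(stripped, validate=False)
    except (binascii.Error, ValueError):
        return None
    # DOS header: 'MZ' magic, e_lfanew (offset of the PE header) at 0x3C.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return None
    # COFF header: Machine field follows the 'PE\0\0' signature (0x014C = x86, 0x8664 = x64).
    machine = struct.unpack_from('<H', blob, e_lfanew + 4)[0]
    return len(blob), machine


def find_base64_pe_values(reg_text):
    """Scan a .reg export and report string values that decode to a PE image."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        name = value_match.group(1) or '(Default)'
        info = base64_to_pe_info(value_match.group(3))
        if info:
            hits.append({'key': current_key, 'value': name,
                         'size': info[0], 'machine': info[1]})
    return hits


def build_fake_pe(machine=0x014C, size=512):
    """Construct a minimal MZ/PE header for the demo (not a runnable executable)."""
    buf = bytearray(size)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3C, 0x80)      # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b'PE\0\0'
    struct.pack_into('<H', buf, 0x84, machine)   # IMAGE_FILE_HEADER.Machine
    return bytes(buf)


# Constructed sample export: one benign path, one Base64 PE, one Base64 text blob.
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\n\n'
    '[HKEY_CURRENT_USER\\Software\\ExampleVendor]\n'
    '"InstallPath"="C:\\\\Program Files\\\\Example"\n'
    '"Payload"="' + base64.b64encode(build_fake_pe()).decode() + '"\n'
    '"Note"="' + base64.b64encode(b'just some harmless text that is long enough' * 4).decode() + '"\n'
)


if __name__ == '__main__':
    for hit in find_base64_pe_values(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['value']}: {hit['size']} bytes, machine=0x{hit['machine']:04X}")
```

Only the DOS and PE headers are inspected, so the check is cheap enough to run over a full `reg export` of a suspect hive; the `Note` value shows that a long Base64 string is not flagged on length alone, only when it decodes to an MZ/PE structure. Extending the same check to `hex:` binary values or to Base64 wrapped in a decoding command is straightforward once the header test is in place.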



Hacker Groups

Kaspersky Lab researchers identify distinct Gaza Cybergang groups and detail activities of Group1

  • According to the researchers, the Gaza Cybergang is comprised of three distinctive groups, with various levels of sophistication, known as Group1, Group2, and Group3. In a new blog post, the researchers provide detailed analysis of recent Group1 activities dubbed Operation SneakyPastes.
  • Group1 targeted a wide range of entities including embassies, government entities, education entities, media outlets, journalists, activists, political parties and personnel, healthcare entities, and banking institutions. In total, over 240 unique victims in 39 countries were targeted, with the majority located in Palestinian territories, Jordan, Israel and Lebanon.
  • In most of the attacks detected, Group1 used phishing emails with political themes. Moreover, the group’s activities were described as ‘low-budget’ as it downloaded spyware in chained stages using multiple free sites such as Pastebin or GitHub.

Source (Includes IOCs)


Leaks and Breaches

Minnesota Department of Human Services suffers data breach

  • The personal information of roughly 11,000 individuals may have been exposed in the incident that resulted from an employee’s email account being compromised.



Baystate Medical Center suffers data breach

  • The breach was the result of a successful phishing campaign against the Medical Center between February 7th and March 7th, 2018. Several employees’ emails were compromised and as a result 12,000 patient records are believed to be affected.
  • Baystate does not believe that their medical record database was accessed, but patient data such as names, dates of birth, health information and insurance information was exposed.



Berkeley High School student elections hacked

  • An unnamed student admitted to taking advantage of default credentials and poor passwords to access over 500 student accounts, casting fraudulent votes for themselves and another student in their student government election. The fraudulent behaviour was detected and the vote reset. The school has not commented on the incident.


Vulnerabilities

Microsoft’s Patch Tuesday fixes two flaws actively exploited in the wild

  • The two exploited flaws are both Win32k elevation of privilege vulnerabilities, tracked as CVE-2019-0803 and CVE-2019-0859. Both are triggered when the Win32k component fails to properly handle objects in memory.
  • The flaws could allow an attacker to install programs, view, change and delete data, and create new accounts with full user rights.
  • It has been observed that these flaws have been actively exploited in the wild, however specific details are, at this point, unknown.



Verizon fixes three flaws present in Verizon Fios Quantum Gateway routers

  • The flaws, tracked as CVE-2019-3914, CVE-2019-3915 and CVE-2019-3916 were discovered by Tenable earlier this year. They could allow an attacker to run commands on the system with the highest privileges, as well as allowing login replay attacks and disclosing the data used for salting the password hash.
  • An attacker must chain all three flaws to perform a full exploit and gain full control of a vulnerable system. Tenable has published full exploit code that works with either a plaintext password or its hash supplied as a command line parameter.

Source 1 Source 2


Intel patches high severity flaws in Media SDK and Intel NUC Mini PC

  • The most severe of the four flaws, tracked as CVE-2018-18094, exists in Intel’s Media Software Development Kit (SDK) and could be exploited to enable an authenticated attacker to escalate privileges. The flaw results from improper directory permissions in the installer for Intel’s Media SDK, prior to version 2018 R2.1.
  • In addition, CVE-2019-0163 is a flaw that exists in the Intel NUC, that results from insufficient input validation in the system firmware of the product, enabling escalation of privilege, denial of service, and information disclosure.



Vulnerability discovered in WordPress Plugin

  • Discovered by Sucuri researchers, the vulnerability exists in the WordPress plugin Duplicate-Page. It has been assigned a severity score of 8.4 because it can be exploited by a user with any account type and is easy to exploit. An attacker is able to steal password hashes and, in some instances, perform a complete site compromise.
  • The vulnerability is patched in version 3.4 and all users have been recommended to update.



Vulnerabilities patched in Samba

  • CVE-2019-3870 affects Samba versions 4.9.x and allows some files in the private directory to be world-writable. CVE-2019-3880 affects versions 3.2.0 onwards and is a path traversal issue that allows authenticated users with write permissions to detect and write to files outside of a Samba share.
  • The vulnerabilities have been patched in Samba 4.9.6 and 4.10.2.



Vulnerability patched in MyCar Controls

  • The application, developed by AutoMobility Distribution Inc, previously used hard-coded credentials, which could allow an unauthenticated user to retrieve data and send commands to a targeted vehicle using MyCar, or even gain physical access to it.
  • The vulnerability is fixed in the latest version of the application for iOS and Android, and users are recommended to update.



Adobe patches multiple vulnerabilities

  • Adobe’s April Patch Tuesday fixed critical vulnerabilities in Adobe Acrobat, Flash Player, Shockwave and InDesign, as well as less severe issues in other products including Dreamweaver, Experience Manager Forms and XD.



Researcher bypasses Samsung Galaxy S10 fingerprint reader using 3D-printed fingerprint

  • A researcher known as Darkshark on imgur demonstrated how in just 13 minutes he was able to unlock a Samsung Galaxy S10 smartphone using a 3D-printed fingerprint. The method does not, however, work with capacitive sensors.



General News

Canada ‘very likely’ to be targeted by foreign cyber attacks ahead of October election

  • According to a new report by the Canadian Communications Security Establishment, Canadian voters are expected to encounter ‘some form of foreign cyber interference’ ahead of the country’s federal election this October.



Distributor of Reveton Police ransomware jailed by NCA

  • In August 2018, a member of a crime group behind the Reveton Police trojan was jailed after he was charged with laundering money that had been obtained from Reveton victims. The perpetrator, former Microsoft employee Raymond Odigie Uadiale, also admitted to working with a cybercriminal known as ‘K!NG’.
  • The UK’s National Crime Agency (NCA) has now reported that 24-year-old Zain Qaiser from Essex, who is known by the alias ‘K!NG’, has been jailed for six years and five months for distributing Reveton malware, from which he received over £700,000.
  • Qaiser also posed as different advertising agencies to purchase ad space on adult sites, which he used to host malicious advertisements that redirect users to pages hosting the Angler Exploit Kit. The exploit kit subsequently used flaws on the victim’s computer to install malware, including Reveton ransomware.



Researchers observe new wave of payment system scams using bank networks

  • BAE Systems researchers at the Kaspersky Security Analyst Summit reported that cybercriminals are manipulating ATM networks and digital authentication checks in the machines to cash out fraudulent transfers around the globe. These attacks differ from jackpotting as the perpetrators are fabricating transactions and authorizing withdrawals, or impersonating account holders to drain their funds.




The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
