Threat Reports

Silobreaker Daily Cyber Digest – 11 March 2019



JavaScript obfuscation leveraged to evade antivirus detection

  • Researchers at Cybaze-Yoroi ZLAB investigated a suspicious JavaScript dropper that leveraged multiple techniques to evade detection. When uploaded to VirusTotal, none of the 58 commercial antivirus solutions detected it as a malicious file.
  • Their analysis shows usage of non-ASCII character sets throughout the script, as well as use of the Cyrillic alphabet, and multiple levels of obfuscation. The deobfuscated script showed that the dropper delivered a variant of the popular remote access trojan Revenge RAT, as well as persistence mechanisms to maintain grip on a victim’s system.
  • As of the 11th March 2019, only 7 out of 58 of the scanners on VirusTotal detect the JavaScript dropper as malicious.

Source (Contains IOCs)


STOP ransomware observed installing password stealing trojans

  • STOP ransomware has been observed installing Azorult password-stealing trojan on victim’s computers to steal account credentials, cryptocurrency wallets, desktop files, and more. Azorult trojan is used to steal usernames and passwords stored in browsers, desktop files, cryptocurrency wallets, browser history, Skype message history, and more. The trojan collects the details and uploads them to a remote attacker-controlled server.
  • The new STOP variant, dubbed Promorad Ransomware, was tested by BleepingComputer who discovered that as well as encrypting files and appending them with the .promorad extension, a file named 5[.]exe was also downloaded and executed. The program created network traffic that is identical to known C&C server communications for Azorult.
  • Recent variants of STOP ransomware included an Any.Run install, which suggests that one of the files downloaded by the ransomware created traffic that was from an Azorult infection. In addition, four unique examples all showed network traffic associated with Azorult.



Ongoing Campaigns

China uses social media to conduct influence campaigns aimed at US  

  • According to a new report, the Chinese government is using social media campaigns to present a biased, positive image of China. In comparison to Russian influence campaigns, China was observed using different techniques to achieve different goals.
  • Through distorted general news, paid advertisements, fabricated social media comments, and nationally important messages, the Chinese government aims to promote views sympathetic to the Chinese government, policies, society and culture while suppressing alternative views.
  • The report also details the difference between Chinese and Russian influence campaigns. In comparison, Russian campaigns were aimed at undermining faith in democratic processes, supporting pro-Russian policies or preferred outcomes, or sowing division within Western societies. They were also characterized as ‘disruptive’ and ‘destabilizing’.



Leaks and Breaches

809 million records belonging to exposed in unprotected MongoDB database

  • Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database, belonging to an email validation firm named, containing 150 GB of plaintext marketing data, including 736 million unique email addresses.
  • Exposed data includes information about individual consumers such as names, social media profiles, birth dates, credit scores, and business intelligence data like employee and revenue figures from various companies. The database has now been removed.



Citrix’s network breached by international criminals

  • Citrix’s network was reportedly breached by cyber-criminals who likely exploited weak passwords to gain limited access to systems before going on to establish more privileged control. Citrix were contacted last Wednesday by the FBI, who advised that it was likely that the hackers used the ‘password spraying’ tactic.
  • Citrix’s products and services are used by over 400,000 organisations worldwide, including 98% of Fortune 500 companies, as well as governments and militaries. It is unknown yet what specific information was stolen, however an initial investigation has revealed that the attackers have accessed business documents.



General News

Kaspersky Lab researchers report on financial cyberthreats in 2018

  • The researchers found that the number of Android users attacked by banking malware in 2018 increased by 300% to a total of 1.8 million users affected worldwide. The largest number of affected users were from Russia, South Africa and the US.
  • Other findings include Asacub being the most common Android banking malware followed by Agent and Svpeng. For Windows desktop users the most common malware used was ZeuS trojan, URSNIF and SpyEye.



Venezuela blackout blamed on US cyberattack

  • The Venezuelan Minister of Communication and Information Jorge Rodriguez attributed a power outage in Venezuela to an alleged cyber attack by the US. Nicolas Maduro, the disputed president of Venezuela, stated that it was opposition sabotage of a hydroelectric dam.
  • The US government denied that they played a role in the blackout affecting Venezuela.



Ransom paid by Jackson county government

  • It has been reported that Jackson county government paid a $400,000 ransom to avoid long-term interruption of services, as a result of network-wide encryption caused by a Ryuk Ransomware infection. It was stated that they could have been down for ‘months and months’ had they not, suggesting that they perhaps did not have backups, or their backups were also encrypted.



US Senate’s report finds Equifax neglected cybersecurity prior to breach

  • The US Senate Permanent Subcommittee on Investigations released a new report in which they state that Equifax ‘failed to prioritize cybersecurity’ prior to the 2017 breach affecting 145 million people.
  • The report outlines how ‘Equifax was aware of cybersecurity weaknesses for years’, how the company’s response to the vulnerability that facilitated the breach was ‘inadequate and hampered by its neglect of cybersecurity’ and how they ‘failed to preserve a complete record of events surrounding the breach’.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 24 May 2019

      Malware Newly upgraded version of JasperLoader targets Italy Cisco Talos researchers discovered a new version of JasperLoader targeting Italy and other European countries...
  • Silobreaker Daily Cyber Digest – 23 May 2019

      Malware Decryptor released for newly discovered GetCrypt ransomware A threat analyst known as ‘nao_sec’ discovered a new ransomware called GetCrypt that is being...
  • Silobreaker Daily Cyber Digest – 22 May 2019

      Ongoing Campaigns Hundreds of US schools remain vulnerable to WannaCry attacks While investigating the ongoing Baltimore City ransomware attack, Ars Technica found that...
View all News

Request a demo

Get in touch