
Silobreaker Daily Cyber Digest – 11 October 2019


Malware

Researchers discover malware targeting Russians since at least 2013

  • ESET researchers have discovered a new malware, dubbed Attor, that has been in operation since 2013, yet only targeted a small number of victims. It has been used in highly targeted attacks against Russian-speaking users, specifically ones concerned about privacy, including diplomatic missions and governmental institutions.
  • Attor consists of two components, a dispatcher and loadable plugins. The dispatcher injects itself into running processes and loads the plugins, making exceptions on certain systems. The plugins are delivered as dynamic-link libraries that are asymmetrically encrypted with RSA, making them difficult to decrypt.
  • Many of the plugins serve as ‘espionage plugins’ used to collect sensitive data; one of them fingerprints GSM devices by collecting metadata via AT commands. AT commands were developed in the 1980s and are rarely used nowadays, so their use here most likely targets modems and older phones, or serves to communicate with certain devices connected to a COM or USB port.
  • Information collected by the plugins is ultimately sent to the C2, but the plugins themselves never communicate with it; instead they store their data in local shared folders. The C2 was found to use Tor, which suggests the malware authors aimed for anonymity and untraceability.

Source (Includes IOCs)


xHunt campaign uses PowerShell backdoor to target organizations in Kuwait

  • In June 2019, researchers at Palo Alto Networks’ Unit 42 identified a domain associated with the xHunt campaign being used as the C2 for a new backdoor dubbed CASHY200. The backdoor is PowerShell based and uses DNS tunnelling to communicate with its C2. At present the researchers are unsure how the backdoor is delivered.
  • Based on open source collection, the researchers stated that the threat actors may have used CASHY200 to target Kuwaiti government organisations in spring 2018 and 2019.

Source (Includes IOCs)


New FIN7 malware observed using evasion techniques

  • FireEye researchers discovered new malware developed by FIN7: a dropper and a payload. Some variants of the BOOSTWRITE dropper were found to be signed with a certificate from a valid Certificate Authority, allowing them to bypass antivirus products.
  • One of its samples contained two dynamic-link library payloads, CARBANAK and RDFSNIFFER. CARBANAK malware has previously been used in financial campaigns, including by FIN7. RDFSNIFFER, however, was observed for the first time.
  • RDFSNIFFER enables an attacker to tamper with NCR Corporation’s Aloha Command Center Client (RDFClient), a remote access tool used to troubleshoot systems. It also contains a backdoor that allows an attacker to inject commands into an active RDFClient session, enabling them to upload, download, execute, and delete arbitrary files.

Source (Includes IOCs)


Ongoing Campaigns

Bitpaymer campaign exploits Apple zero-day

  • In August 2019, Morphisec researchers identified a threat actor utilising an Apple zero-day vulnerability to target an enterprise in the automotive industry. The group, who previously targeted various companies across the US, exploited the vulnerability to deliver BitPaymer ransomware.
  • The attack abused a vulnerability in ‘Bonjour’, a component installed alongside iTunes for Windows and used for update purposes. Uninstalling iTunes does not remove ‘Bonjour’ from a user’s system, so many enterprises unknowingly run outdated versions of ‘Bonjour’ on their computers.
  • The attackers exploited an unquoted path vulnerability: when ‘Bonjour’ attempted to launch from the ‘Program Files’ folder, the unquoted path caused BitPaymer to run instead. Because ‘Bonjour’ is signed by Apple, the likelihood that anti-virus software will block the malware is reduced.
  • Apple has since patched the issue; however, the researchers stated that they have discovered additional unquoted path vulnerabilities in the iTunes software and its installer.

Source (Includes IOCs)
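The unquoted path weakness described above is easy to audit for on any Windows fleet, and the audit logic is the same for every service, not only Bonjour. The following Python script is an added example, not code from Morphisec or Apple: it reproduces how Windows resolves an unquoted command line that contains spaces (trying each space-delimited prefix with `.exe` appended until a file exists), lists the executables that would be tried before the intended binary, and produces the quoted `ImagePath` that closes the gap. The service entries are constructed sample data; the Bonjour path is illustrative rather than taken from the report. On a real host the raw values come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` or `Get-CimInstance Win32_Service`.

```python
r"""
Added example (not from the Morphisec report): audit Windows service
ImagePath values for the unquoted-path weakness that the BitPaymer campaign
abused in Apple's 'Bonjour' service.

Windows resolves an unquoted command line containing spaces by trying each
space-delimited prefix, with ".exe" appended, until one exists. So for

    C:\Program Files\Bonjour\mDNSResponder.exe

the service control manager tries C:\Program.exe before the real binary.
If any of those earlier candidates sits in a directory a normal user can
write to, the service launches whatever is planted there. The fix is simply
to quote the executable path in ImagePath.

Assumption: service binaries end in ".exe", which is true in practice.
"""
import re
from typing import Dict, List, Tuple

EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)


def split_unquoted(image_path: str) -> Tuple[str, str, List[str]]:
    """Return (intended_exe, arguments, tried_first) for an unquoted ImagePath.

    tried_first lists the executables Windows would attempt before reaching the
    intended binary; it is empty when the path has no spaces before the .exe.
    """
    parts = image_path.strip().split(" ")
    tried_first: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        # The first prefix ending in .exe is the real binary; everything after
        # it is arguments, whose spaces no longer matter.
        if EXE_RE.search(prefix) or i == len(parts):
            return prefix, " ".join(parts[i:]), tried_first
        tried_first.append(prefix + ".exe")
    return image_path.strip(), "", tried_first  # not reached; keeps typing honest


def audit_services(services: Dict[str, str]) -> List[dict]:
    """services maps service name -> raw ImagePath value.

    Returns one finding per unquoted path with a space before the binary name,
    with the candidates Windows tries first and the corrected ImagePath.
    """
    findings = []
    for name, image_path in services.items():
        raw = image_path.strip()
        if raw.startswith('"'):
            continue  # already quoted: no ambiguity, nothing to report
        exe, args, tried_first = split_unquoted(raw)
        if not tried_first:
            continue  # no spaces before the executable name
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({
            "service": name,
            "image_path": raw,
            "tried_first": tried_first,
            "fixed_image_path": fixed,
        })
    return findings


# Constructed sample registry values; the Bonjour path is illustrative only.
SAMPLE_SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Example Updater": r"C:\Program Files\Example Vendor\Update Agent\agent.exe -service",
    "SafeSvc": r'"C:\Program Files\Safe Vendor\svc.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f'{f["service"]}: Windows tries {f["tried_first"]} before the real binary')
        print(f'  fix: ImagePath = {f["fixed_image_path"]}')
```

Only the two unquoted entries with spaces before the executable are reported; a quoted path and a path whose only spaces are in its arguments are correctly ignored, because resolution stops as soon as the first candidate exists. Pairing the finding with the directory ACLs of each `tried_first` location turns this from a style check into a risk rating: an unquoted path whose candidate directories are all admin-only is a defect, while one with a user-writable candidate directory is a privilege escalation waiting to happen.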


Anonymous Group in Spain plans new cyberattack campaign

  • According to Information Security Newspaper, reports have emerged that hackers linked to the hacker group Anonymous are planning cyberattacks against multiple organisations and companies in Spain. The campaign is said to be a protest against the resolutions of Spain’s Supreme Court, which is due to announce sentences against Catalan politicians.
  • Researchers from El Confidencial believe the hackers will aim to disrupt the servers of public organisations, similar to activities during OpCatalonia in 2017. Calls have been made on Twitter to participate in OpCatalonia2019, with experts suggesting the same actor is behind both campaigns.

Source


New credential stealing campaign observed targeting Nordic countries

  • Heimdal Security researchers observed a new credential stealing campaign targeting work email accounts in Nordic countries. The researchers believe the campaign may expand to other countries in the future.
  • The campaign involves an email, made to look like part of an ongoing conversation, that contains a link to a supposed SharePoint document. Once clicked, the user is redirected to an image of a Word document containing a hyperlink that leads to a malicious site, where the user is asked to enter their login details.

Source


Citadel banking trojan deep dive analysis published

  • Cylance researchers published an analysis of Citadel version 1.3.5.1. The malware, an offshoot of ZeuS, was first discovered in 2012 and has infected over 11 million computers worldwide.
  • The malware is commonly distributed via malicious emails and performs man-in-the-browser attacks, stealing banking credentials, passwords, and other sensitive data.
  • The researchers examined the Citadel 1.3.5.1 master file, which included the malware’s administration panel and a Russian-language instruction manual. A full technical analysis of the researchers’ findings is available on the Cylance blog.

Source (Includes IOCs)


Leaks and Breaches

Prostitution and escort forums in Holland and Italy suffer data breach

  • The Dutch news site NSO reported that a hacker is selling the database of the Dutch prostitution forum hookers[.]nl on online forums. The database contains the details of approximately 250,000 members; exposed details include usernames, email addresses, hashed passwords and IP addresses. A forum post by the owner of hookers[.]nl confirmed the breach.
  • The hacker, who wants $300 for the database, spoke to NSO and stated that they stole the database using a vBulletin remote code execution vulnerability.
  • BleepingComputer found that the same user is also advertising the database of an Italy-based escort forum. That database allegedly contains passwords, usernames, and email addresses for 33,152 users.

Source


Vulnerabilities

Critical vulnerability discovered in open source software used in HP Touchpoint Analytics

  • Researchers at SafeBreach identified a critical vulnerability in the free open source program Open Hardware Monitor. The software is used in millions of computers, including as part of HP Touchpoint Analytics, and monitors temperature sensors, fan speeds, voltages, load and clock speeds.
  • An attacker could exploit the vulnerability to load and execute malicious payloads and to read from and write to hardware memory. HP has patched the flaw; however, the researchers stated that ‘any machine using the Open Hardware Library was at risk.’

Source


Critical vulnerability patched in Sophos Cyberoam Firewall

  • Researchers at thebestvpn identified a vulnerability, tracked as CVE-2019-17059, in Sophos Cyberoam Firewall appliances running CyberoamOS versions 10.6.6 MR-5 and earlier.
  • An attacker can exploit the flaw by sending a malicious request to either WebAdmin or SSL VPN consoles. Successful exploitation could grant a remote unauthenticated attacker the ability to execute arbitrary commands.

Source 1 Source 2 (Includes IOCs)


General News

Decryptor for updated Nemty ransomware released

  • Researchers at Tesorion have released a new decryptor for Nemty ransomware versions 1.4 and 1.6. In order to prevent the ransomware authors from analysing the decryptor, the researchers have decided to host it on their own server.
  • The researchers are actively expanding the number of file types that the decryptor can retrieve and plan to release a decryptor for Nemty version 1.5 soon.

Source


The Silobreaker Team

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
