Threat Reports

Silobreaker Daily Cyber Digest – 12 December 2018



Cobalt Group use new ThreadKit builder to deliver CobInt backdoor

  • Cobalt group, who are known for breaching the networks of financial institutions and banks, were spotted on the 30th October using a new variant of the ThreadKit exploit builder kit for Microsoft Office documents. ThreadKit’s author sold the tool in May 2017 for $400, enabling threat actors and hacker groups to use it for their own operations.
  • Fidelis Cybersecurity found that the executable for the ThreadKit delivery is the downloader for CobInt, a backdoor used by Cobalt for reconnaissance that was discovered on the C&C server used by the hackers.



CapitalInstall adware family discovered

  • Netskope researchers have discovered CapitalInstall, a strain of malware that delivers the Linkury Adware from a Microsoft Azure blob storage IP range, targeting multiple customers in the health and retail sectors.
  • The binaries were shared via multiple internal applications, and claim to provide licenses and keys for popular software. The malicious binaries are then synced to cloud storage applications and accessed by users who were licencing their software.
  • Linkury, the adware bundled into CapitalInstall, infects a machine and causes it to display advertisements and download unwanted applications, often generating revenue for the malware’s author.



New BadWord and LamePyre Mac malware bear similarities to DarthMiner

  • Following Malwarebytes Labs’ recent finding of DarthMiner, the company has now reported that two additional malware targeting Macs have been identified. The first, tracked as BadWord, was found by Microsoft’s John Lambert and analysed by Objective-See’s Patrick Wardle. The second malware, dubbed LamePyre, was found by Malwarebytes’ Adam Thomas.
  • BadWord is delivered via macros embedded in Word documents. According to Malwarebytes, the malware ‘uses a sandbox escape to create a launch agent on the system’. The launch agent then provides persistence to a Python script that creates a Meterpreter backdoor on the system.
  • LamePyre was made to appear as a malicious version of the Discord App, however Thomas found that it was actually an Automator script that was not a modified copy of Discord and lacked any attempt at disguising itself as the app. LamePyre runs a Python script and installs an EmPyre backdoor, bearing similarities to the previously-identified DarthMiner.
  • Similarities were also found between BadWord and DarthMiner, suggesting that all three malware could have been made by the same developer.

Source (Includes IOCs)


Ongoing Campaigns

New Exploit Kit Novidade targets SOHO Routers

  • The Novidade Exploit Kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers, redirecting traffic from connected devices to attacker-controlled IP addresses. This enables attacks on victims’ mobile devices or desktops through web applications that have authenticated the user.
  • Novidade is delivered through malvertising, compromised website injection, instant messaging, and more. Trend Micro assert that once the victim clicks on the link to Novidade, ‘the landing page will perform several HTTP requests generated by JavaScript image function to a predefined list of local IP addresses to download a corresponding exploit payload’.
  • Following this, Novidade will attack detected IP addresses with all of its exploits, and then attempt to log into the router with default account credentials, followed by a CSRF attack to change the original DNS server to the attackers’. Three versions of the Exploit Kit have been discovered, all sharing the same attack methods, but with some improvements.

Source (Includes IOCs)


Android malware allows hackers to steal funds via PayPal

  • The malware masquerades as a battery optimisation tool called ‘Optimisation Android’ and is available from unofficial third-party stores. Once launched, the app closes and then hides on the infected device.
  • The malware takes advantage of a built-in accessibility service, which is used to send a message to the user to launch the PayPal app if it is installed on the device. To transfer funds to the attacker’s address, the malware mimics this interaction by disguising the prompt to enable the service as a message asking the user to activate statistics for the fake battery optimisation software.
  • If the accessibility service is successfully enabled and the user opens and logs in to PayPal, the service will mimic the user’s clicks to send money to the attacker’s address. Two-factor authentication is of no use against this attack because the login is a legitimate action taken by the user.



Researchers investigate phishing campaign against Russian critical infrastructure

  • Cylance researchers reported on their investigation of an apparent state-sponsored attack against Russian critical infrastructure. They concluded that the perpetrators behind the attacks were not attempting to conduct cyberespionage but were motivated by financial gain.
  • The attacks involved the use of phishing emails to infect victims with the RedControle trojan using C&C domains that intentionally spoofed actual domains of various Russian critical infrastructure firms. A Sticky Keys backdoor was also used to perform sticky keys hijacking.
  • Russian oil company Rosneft was amongst the most prominent companies targeted by these attacks. Other targets include more than two dozen oil, gas, chemical, agricultural and other critical infrastructure organizations, as well as Russian financial exchanges.  
  • The researchers discovered the campaign in early 2018, however the attackers had set up their operations three years earlier, initially launching an attack against Steam users and the gaming community.

Source (Includes IOCs)


Italian oil company’s servers in the Middle East targeted by attackers

  • Reuters reported that Italian oil services company Saipem was hit by a cyberattack that primarily affected its servers in the Middle East. According to a company spokesperson, servers in Saudi Arabia, the United Arab Emirates and Kuwait were targeted while servers in Italy, France and the UK remained unaffected.
  • The company’s servers were shut down and it is claimed that no data has been lost. The attack was found to have originated in Chennai, India.



Leaks and Breaches

Hackers steal 40,000 logins for government services in 30 countries  

  • Credentials have been stolen for the access of official government portals in 30 countries worldwide. 52% of victims are located in Italy, 22% in Saudi Arabia and 5% in Portugal. Government employees, military and civilian citizens in France, Hungary, Croatia, Poland, Romania, Switzerland, and Bulgaria were also affected. Other targets include Israel Defense Forces, Georgian Ministry of Finance, Norwegian Directorate of Immigrations and Italian and Romanian Ministries of Foreign Affairs.  
  • Group-IB researchers have reported to Bleeping Computer that the theft occurred via phishing attacks that delivered malware such as the Pony Formgrabber, AZORult and Qakbot.
  • According to Bleeping Computer, there is a possibility the credentials might have already been sold on underground hacker forums. Although these logins may not result in immediate financial gain, they can allow attackers to reach classified information or infiltrate government websites for espionage purposes.



Scraped data dump discovered in the wild

  • Researchers at Malwarebytes Labs discovered three large databases containing 66,147,856 records, scraped from various publicly available sources across the internet. At least one of the databases was exposed due to lack of authentication on the server.
  • Some of the data appears to be business-centric, as it includes full names, emails, employment history and skills; data which appears to be consistent with a LinkedIn profile.
  • The other two databases appeared to include IPs, names, emails, phone numbers and employer information. Researchers have stated that whilst the information isn’t a dump of sensitive information, it is useful data for an actor to use in a phishing campaign.



Experian customer data exposed via training manuals

  • Experian has removed some of their training manuals from one of their websites after it was alleged that they contained customer data and sensitive information from a business in California.
  • Initially discovered by a security researcher known as ‘notdan’, further investigation revealed that the information did actually refer to a real Californian restaurant. Neither Experian nor the restaurant have released a response in regards to the alleged incident.



North Texas hospital suffers data breach

  • The breach occurred between September 22th and September 29th, 2018, at the Baylor Scott & White Medical Center, and may have compromised the payment information of around 47,000 patients. Vulnerable data included names, mailing addresses, medical record numbers, insurance provider data, card information, and invoices and payment information.
  • The hospital stated that information and clinical systems were not affected, and that Social Security numbers and medical records were not accessed.



Software vendor Central Square suffers data breach

  • The third-party payment vendor of the City of Topeka suffered a data breach between October 31st and December 7th, 2018, impacting approximately 10,000 customers. It is unclear what information has been compromised, but potential victims are being contacted and advised to contact their credit card issuer for advice.
  • Local law enforcement and the FBI have been notified, and an investigation is ongoing.



Lenovo suffers data breach

  • Lenovo has written a letter to their Singaporean employees stating that a laptop containing unencrypted payroll data of staff based in the Asia Pacific region was stolen from a Lenovo employee. The incident occurred on September 10th, and staff were notified on November 21st, 2018.
  • The laptop contained payroll information including employee names, monthly salaries and bank account details. It is unclear how many employees have been affected.




Critical vulnerabilities patched in Adobe Acrobat and Reader

  • The vulnerabilities impact the Windows and macOS versions of Acrobat and Acrobat Reader. The critical flaws include several bypass issues (CVE-2018-16045, CVE-2018-16044, CVE-2018-16018), buffer errors (CVE-2018-15998, CVE-2018-15987), untrusted pointer dereference (CVE-2018-16004, CVE-2018-19720), and more.
  • Of the 87 vulnerabilities patched, 39 were critical, and allowed an attacker to perform privilege escalation or code execution on a targeted computer. There is no indication that these vulnerabilities have been exploited.



Microsoft patches actively used zero-day vulnerability

  • Included in Microsoft’s Patch Tuesday was a zero-day Windows vulnerability, tracked as CVE-2018-8611, that has been leveraged in recent campaigns.
  • The flaw is caused by the Windows kernel failing to properly handle objects in the memory, allowing an attacker to execute programs in the Windows kernel at a higher privilege level. In order to use this bug, the attacker would need to be logged in to the PC. The flaw was discovered by Kaspersky and is reportedly being used by malware developers.
  • In addition, the latest Microsoft security updates also include a patch for the Adobe Flash zero-day that was used in a recent APT attack against Russia’s FSBI ‘Polyclinic #2’ clinic, known as Operation Poison Needles. In total, Microsoft have patched 39 vulnerabilities, 10 of which are critical.



Cisco and Texas Instruments claim to have patched critical BleedingBit flaws

  • The recently discovered critical vulnerabilities, CVE-2018-16986 and CVE-2018-7080, in access points sold by Cisco, Meraki and Aruba, were claimed to have been addressed by Texas Instruments in previous software updates. Similarly, Cisco stated that they have released an update addressing the two flaws.



General News

Researchers analyse Twitter bots amplifying the spread of misinformation

  • Duo Security researchers found that Twitter bots are not only used to ‘follow accounts to artificially boost that account’s popularity’ but are also used to ‘amplify content through artificial retweets and likes’.
  • The researchers analysed a dataset of 576 million tweets using their own web crawler, which led them to discover over 7,000 potential amplification bots in just one day. They conclude that these bots can be potentially more dangerous than bots boosting individual accounts as ‘by artificially inflating the popularity of content, amplification bots not only affect how content spreads, but also its perceived credibility’.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

More News

  • Silobreaker Daily Cyber Digest – 17 June 2019

      Malware New variant of Houdini Worm discovered Researchers at Cofense discovered a new variant of the Houdini Worm which targets commercial banking customers....
  • Silobreaker Daily Cyber Digest – 14 June 2019

      Ongoing Campaigns Trend Micro discover new campaign using NSA leaked tools to deliver cryptominers Trend Micro researchers discovered an ongoing cryptojacking campaign infecting...
  • Silobreaker Daily Cyber Digest – 13 June 2019

    Malware Palo Alto’s Unit 42 report on evolving Hide ‘N Seek botnet Unit 42 have discovered a variant of the Hide ‘N Seek botnet...
View all News

Request a demo

Get in touch