Silobreaker Daily Cyber Digest – 13 August 2019
Karagany RAT malware used to target energy sector
- Secureworks researchers discovered that Karagany malware is still being developed by the Russian hacker group Energetic Bear. The malware can be dated back to at least 2010 and is used to target European and US companies in the energy sector.
- The malware can be installed manually or remotely on the target system by an attacker using stolen privileged credentials. Upon installation, Karagany runs four VM detection functions; if a VM is detected, the installation process is aborted.
- Successful installation grants an attacker remote access to the user’s device. Additional plugins, such as a keylogger and a command shell, can also be installed following infection.
New variant of Dharma ransomware encrypts files with new extension
- Researchers at Cymulate identified a new Dharma ransomware strain that is at present not decryptable. The researchers state that the only difference between this and older Dharma variants is the encryption file extension. Although effective, the researchers assessed that the new Dharma variant was not written by a professional.
Source (Includes IOCs)
Increase in use of Shade ransomware detected
- Sucuri researchers have identified Shade ransomware using compromised websites as intermediary malware distributors. Targets are initially infected via a malicious URL that is spread via email or social media.
- When a victim clicks on the malicious URL, a JScript file is downloaded to the target device. The JScript then downloads the ransomware file from a compromised website. The researchers stated that in this instance the attackers included the URLs of two compromised websites in case one was removed.
- Following infection, the malware encrypts files with two separate keys and gathers file and system data. Collected information is exfiltrated through Tor connections. The ransom note left by the attackers provides an email address and also a Tor link to a feedback form which can be used to contact the attacker.
Source (Includes IOCs)
Cloud Atlas APT employ new polymorphic tools to compromise users
- Kaspersky Lab’s Securelist researchers reported that cyber espionage group Cloud Atlas are using new polymorphic tools in their latest campaign. The group, first identified in 2014, launched a new spear-phishing campaign in July 2019. The attacks focus on Russia, Ukraine and Central Asia, targeting government, economic, and religious entities, international organizations, and aerospace organizations.
- Targets who use Windows devices are infected via spear-phishing emails which contain weaponized Office documents. Following infection, a malicious HTA hosted on a remote server delivers a polymorphic backdoor module, dubbed VBShower. The backdoor attempts to delete evidence of infection from the target device and establishes communication with the attackers’ C2.
- The polymorphic nature of VBShower and the HTA ensures that their characteristics continually change.
Leaks and Breaches
Elasticsearch misconfiguration exposed Credia[.]ge customer data
- On August 3rd, 2019, security researcher Bob Diachenko identified a publicly available Elasticsearch cluster that belongs to Credia[.]ge.
- One database contained 142,571 records including names, addresses, passport numbers, email addresses, loan amounts and loan status. The database had already been marked as ‘compromised’ and contained a Readme note that demanded 0.1 BTC for the data. Diachenko informed the company but stated that it is likely the data has been exfiltrated.
Researchers claim that Valve continue to overlook vulnerabilities in Steam
- Security researchers claim that Valve continue to overlook security vulnerabilities in Steam Client Services after they patched a zero-day local privilege escalation vulnerability which was disclosed on August 7th, 2019.
- Security researcher Mitja Kolsek asserts that despite the recent patch, Steam Client Service is still vulnerable to DLL hijacking which can be used to elevate a user’s privileges. The bug was first reported in 2015 and is tracked as CVE-2015-7985.
UN investigate 35 cyberattacks in 17 countries conducted by North Korean hackers
- Investigators identified three predominant ways that the North Korean hackers conduct their activities. The first method targets computers and infrastructure of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The second targets cryptocurrency exchanges and users. The final attack type focuses on mining cryptocurrency for the branches of the North Korean military.
- In total, South Korea was hit ten times, India three times, and Bangladesh and China twice each. Thirteen other countries in Europe, Africa and Asia each suffered one attack.
- Investigators stated that they are examining the attacks as attempted violations of UN sanctions.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.