Threat Reports

Silobreaker Daily Cyber Digest – 13 March 2019


Belonard trojan exploits vulnerabilities of the official Counter Strike client

  • Doctor Web researchers found that Belonard trojan has been exploiting flaws in the Counter Strike 1.6 game client to infiltrate users’ computers.
  • The trojan installs on the user’s device after it has connected to a malicious game server. Belonard is capable of infecting both the Steam versions and the pirated versions of Counter Strike 1.6.
  • According to Doctor Web, a developer calling himself ‘Belonard’ is responsible for the trojan and has used it to promote other servers via compromised victims’ accounts, as selling, renting, and promoting game servers can be profitable.



New Ursnif variant targets Japan

  • Since the beginning of 2019, Cybereason researchers observed a new variant of Ursnif targeting Japanese users. The variant contains enhanced modules for stealing data from mail clients, email credentials stored in browsers, or data from cryptocurrency wallets and disk encryption software. The variant also has a new module that allows it to bypass PhishWall, a Japanese anti-virus detection software.
  • The campaign begins with phishing emails containing weaponized Microsoft Office documents. Once these files are opened and content is enabled, embedded macros will begin checking if the victim’s machine has Japanese country settings. This is followed by several other language and location checks, such as IP address scanning, to ensure the victim is a Japanese user.
  • After the checks are completed, steganography is leveraged to hide malicious code in an image downloaded from a file-hosting website. The code loads Bebloh, a trojan that in turn loads Ursnif.

Source (Includes IOCs)


Modular malware spreads as a worm between servers to mine for Monero

  • PsMiner is a modular malware that exploits known flaws in servers running ElasticSearch, Hadoop, Spring, Weblogic, ThinkPHP and SqlServer to spread like a worm between servers to mine for Monero cryptocurrency.
  • The worm module of the malware is a Windows binary written in Go language which bundles all the exploit modules that are used to hack into vulnerable servers. The worm module also has the capability to use brute force whenever a target with weak credentials is found, as well as crack credentials using an additional cracking component.
  • Once a victim’s computer is infiltrated, PsMiner will execute a PowerShell command which downloads the malicious payload, which in turn drops the Monero miner in the final infection stage. The miner accumulated a total of approximately 0.88 Monroe coins in two weeks.



Proofpoint report on updated features of Nymaim trojan

  • Recently the Nymaim trojan has been updated to include a range of information stealing and system profiling capabilities. The trojan has been observed in attacks targeting North America, Germany, Italy and Poland.
  • Proofpoint has published a detailed report on Nymaim after decoding and analysing its configuration to determine potential victims and more details on the malware itself.

Source (Includes IOCs)


Trend Micro publishes analysis of Powload

  • Researchers found that Powload was one of the most widely spread threats in North America during 2018. Delivered via spam emails, it used different methods such as hijacking email accounts and files techniques to deliver Emotet, Bebloh and Ursnif. Significant changes were identified in some of the later attachments, which added another stage to the malicious routine execution in order to evade detection.
  • Powload also uses steganography to retrieve an image containing malicious code. These are retrieved by leveraging malicious PowerShell scripts hidden inside documents containing macros. In addition, the spam emails delivering these attachments are tailored to each region they’re sent to. This could make them more convincing to recipients.

Source (Includes IOCs)


Ongoing Campaigns

Operation Comando targets hospitality sector to steal credit card information

  • In December 2018, Palo Alto Networks Unit 42 researchers discovered a new campaign, dubbed Operation Comando, that targets hotel reservation systems with the aim of stealing customers’ credit card information. Targets of the campaign are mainly located in Brazil, followed by the US and the UK.
  • One of the discovered payloads was identified as CapturaTela, a custom-made information-stealing trojan. Other malware used in this campaign include LimeRAT, Revenge RAT, njRAT, Async RAT, NanoCore RAT and Remcos RAT.  

Source (Includes IOCs)


Spam campaign delivers Emotet with Qakbot

  • Researcher Brad Duncan detected a malicious campaign delivering Emotet malware followed by Qakbot.
  • The campaign uses malicious XML documents with macros that, once enabled, infect the victim with Emotet followed by QakBot.

Source (Includes IOCs)


New phishing scam fakes Facebook and targets iOS users

  • A new scam collecting social media account logins is tricking iOS users with a realistic-looking login process, that is actually a video simulation.
  • The scam uses an authentic looking webpage, such as Airbnb, and prompts the victim to login using their Facebook account. When the ‘Login with Facebook’ button is clicked, a video plays that makes it appear that Facebook is being opened in another Safari window on the device. If a user inputs their credentials, they are sent to the malware’s C&C server.


Campaign delivering banking trojan discovered

  • Researchers at Cofense have stated that the current campaign conducted by Read The Manual Group, uses the Read the Manual Bot to target financial departments in Russia and neighbouring countries. The banking trojan is capable of stealing data from account software, and stealing smart card information, whilst exfiltrating this data over the Tor communication protocol.
  • RTM Bot does not install a client on the victim’s machine, and instead uses onion libraries/TOR SOCKS. This minimises the chance of detection by an antivirus solution.



Leaks and Breaches

Unsecured API leaks data from ‘Yelp for Conservatives’ app

  • Researcher Robert Baptiste discovered the API of the 63Red Safe mobile application known as ‘Yelp for conservatives’ open with no authentication. Baptiste was able to view all the data stored in the app’s database which includes every profile’s ID, creation date, username, ban status profile picture, follower counts, email addresses, and more.
  • The app was created to help US conservatives stay safe by finding them places to go such as restaurants, and letting users know if it is safe to wear their Make America Great Again apparel.  
  • The developer of the app also hardcoded his credentials and left a list of API endpoints in the app’s source code. Baptiste stated that he was able to find an entire list of users with names, photos, personal messages and more, in less than five minutes.



Credit cards are cancelled following month-long Kathmandu breach

  • Kathmandu has disclosed that it has suffered a data breach during the post-holiday sales period that affected customer’s personal and payment information. The breach happened between the 8th January and 12th February 2019, during which a third party gained unauthorised access to the system.
  • The company believes that during this time, the attacker captured personal information and payment details entered at checkout. Information accessed includes customer’s billing and shipping names, addresses, emails and phone numbers, as well as credit and debit card details.




Microsoft patch Tuesday includes updates for two vulnerabilities actively exploited in the wild

  • In total, Microsoft has released 4 advisories and updates for 64 vulnerabilities, with 15 classified as critical.  
  • The two actively exploited vulnerabilities include one discovered by Google last week, who found that a flaw in both Chrome and Windows 7 (CVE-2019-0808) was being chained together and actively exploited. The flaw was quickly mitigated for Windows 10 users, however, it still affected Windows 7 users until a fix was released yesterday.
  • The second actively exploited flaw discovered by Kaspersky (CVE-2019-0797) has also been patched. The flaw requires local access and user login, to be exploited.
  • Microsoft also patched two flaws that had been previously publicly exposed, including a Windows denial of service flaw, tracked as CVE-2019-0754, and a flaw in NuGet Package Manager tracked as CVE-2019-0757.



Privilege escalation flaw discovered in CleanMyMac X’s helper service

  • The flaw, tracked as CVE-2019-5011, is present in the helper service of CleanMyMac, due to improper updating. The app fails to remove the flawed components when upgrading to the latest version. A user with local access can leverage this flaw to modify the file system as root. Exploiting this flaw requires local access to the vulnerable machine.



Adobe issues patches for multiple vulnerabilities

  • Adobe Patch Tuesday for March 2019 addresses multiple critical flaws in Photoshop CC and their Digital Editions ebook reader software. These include CVE-2019-7095, an arbitrary code execution flaw in Digital Editions, and CVE-2019-7094, another arbitrary code execution flaw in Photoshop CC for Windows and macOS.



Vulnerability in Samsung Galaxy S10 discovered

  • Multiple users and tech reviewers have claimed that the Samsung Galaxy S10 facial recognition locking feature can be bypassed simply by using a video or a photo of the device’s owner.
  • Samsung alongside over vendors have warned that facial recognition is less secure than other lock methods, and it is possible that a lookalike or trickery could potentially unlock a device.



Vulnerability discovered in Sicon-8 devices

  • CVE-2019-5616 is a client-side authentication vulnerability that appears quite trivial to bypass, as the mechanism is written in JavaScript, and executed in the client’s web browser.
  • A patch has not yet been released by the vendor, and so it is recommended that these devices should not be exposed on the internet or to unknown users. Current scanning suggests that fewer than 40 of these devices are publicly accessible.



Vulnerability in Windows allows security dialog box spoofing

  • Discovered by security researcher John Page, also known as hyp3rlinx, the bug allows an attacker to spoof dialog boxes whilst they are modifying the Windows registry. This could allow them to change the security dialog box that pops up when users are asked if they wish to continue. The ‘Yes’ and ‘No’ text can be swapped around, so when a user believes they are clicking no, they are instead clicking yes.
  • John Page included a proof-of-concept to show how to leverage the method to plant a persistent backdoor on a victim’s computer. Microsoft have stated that since the attack requires user interaction, the main mitigation for the issue is safe computing habits. It seems unclear if they are going to issue a patch for any alleged issues.



General News

GoDaddy, Google and Apple mis-issue one million browser certificates

  • The companies issued at least one million browser-trusted digital certificates that do not comply with binding industry mandates. The mistake was a result of the companies’ misconfiguration of the open source EJBCA software package, that most browser trusted authorities use to generate certificates that secure websites, encrypt emails and digitally sign code.
  • Usually, EJBCA certificates have 64-bit serial numbers. It was discovered by engineers that one of the 64 bits was a fixed value to ensure the serial number is a positive integer, resulting in EJBCA producing serial numbers with 63 bits.
  • It has been reported that no security threat has been posed by the error, however, the certificates have been revoked and reissued to ensure against new attacks exploiting this error in the future.



Encrypted messaging apps facilitate cybercrime in Latin America

  • Flashpoint researchers reported that criminals in Latin America have been shifting from the deep and dark web (DDW) to encrypted chat-services platforms for communication and commerce.
  • According to Flashpoint, this trend is the result of multiple factors in the region including the high adoption rate of mobile networking, the popularity and widespread use of messaging apps, the lack of law enforcement action aimed at cybercrime, or the limited presence of Portuguese-speaking communities on the DDW.



Non-UK far-right Twitter accounts propagate pro-Brexit messages and misinformation

  • A study by F-Secure revealed that the pro-Brexit Twitter community is receiving a large amount of support from far-right Twitter accounts based out of the UK. The study focused on the analysis of 24 million tweets from 1.65 million accounts collected between December 2018 and February 2019.
  • Specifically, top pro-Brexit influencers were found to have a disproportionate number of retweets compared to the influencer patterns observed in the pro-EU community. The pro-Brexit community also received support from non-authoritative news sources. According to F-Secure’s Andy Patel, this could indicate that ‘coordinated astroturfing activity is being used to amplify pro-Brexit sentiment’.



Carbon Black reports increase in cyberattacks against Canadian organizations

  • In a newly released report, Carbon Black states that out of the surveyed 250 CIOs, CTOs and CISOs, 83% said they suffered a security breach in the past year. Moreover, 76% of the surveyed Canadian businesses reported an increase in cyberattacks in the last 12 months.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 24 May 2019

      Malware Newly upgraded version of JasperLoader targets Italy Cisco Talos researchers discovered a new version of JasperLoader targeting Italy and other European countries...
  • Silobreaker Daily Cyber Digest – 23 May 2019

      Malware Decryptor released for newly discovered GetCrypt ransomware A threat analyst known as ‘nao_sec’ discovered a new ransomware called GetCrypt that is being...
  • Silobreaker Daily Cyber Digest – 22 May 2019

      Ongoing Campaigns Hundreds of US schools remain vulnerable to WannaCry attacks While investigating the ongoing Baltimore City ransomware attack, Ars Technica found that...
View all News

Request a demo

Get in touch