Threat Reports

Silobreaker Daily Cyber Digest – 13 November 2018



Fortinet discover new non-beta version of Kraken Cryptor ransomware

  • The new version of Kraken Cryptor is still under construction and the samples analysed are, at present, too unstable to execute. In addition, the beta tag has been removed from the analysed sample’s configuration, despite the ransomware still being a beta version.
  • Multiple bugs have been found in the samples, which cause the malware either not to run or to disable functions present in older versions. While the configuration file was modified, the main functionality has not been heavily updated.

Source (Includes IOCs)


Malwarebytes publish analysis of Trickbot’s updated obfuscation module

  • The new Trickbot module begins by disabling Windows Defender’s real-time monitoring via a PowerShell command. Following this, the new module displays typical Trickbot behaviour.
  • The encryption of the modules has also recently changed in the latest version, in which all strings are now obfuscated using a custom algorithm based on base64. All obfuscated strings are held in a single hardcoded list; each is selected by its index and passed to the decoding function when needed.

Source (Includes IOCs)


WebCobra malware uses victims’ computers to mine cryptocurrency

  • McAfee have recently observed malware of Russian origin, dubbed WebCobra, which silently drops and installs either the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture the malware finds. McAfee assess that the malware is being distributed via rogue PUP installers.
  • After execution, the program checks the running environment to launch the appropriate miner. The Cryptonight miner is then run silently and consumes almost all CPU resources.



Ongoing Campaigns

HookAds malvertising campaign attempts to install malware via Fallout Exploit Kit

  • Security researcher nao_sec discovered two new HookAds malvertising campaigns that have been redirecting users to the Fallout Exploit Kit to install a range of different malware. The first campaign, detected on November 8th, 2018, was found to be installing the DanaBot banking trojan, whereas the second campaign, from November 10th, was installing the Nocturnal information stealer and GlobeImposter ransomware.
  • HookAds uses cheap online advertising space on low-quality networks commonly used by adult sites, online games and blackhat SEO sites. The ads in this campaign were found to contain JavaScript that redirected users through a series of decoy sites and silently loaded the Fallout EK. Fallout was then used to exploit a Windows VBScript vulnerability (CVE-2018-8174) to install the malware.



WannaCry still attacking 75,000 users in Q3 2018

  • Kaspersky Lab reported that WannaCry ransomware is still very much active since the May 2017 outbreak, and is responsible for 28% of all cryptor attacks worldwide in Q3 2018, representing a growth of two-thirds compared to Q3 2017.



Dharma ransomware remains active with limited upgrades

  • Fortinet researchers recently detected a new variant of the Dharma ransomware that was found to contain only minor updates compared to previous Dharma versions. Their analysis revealed that the new variant simply uses a different loader program and different file extensions for encrypted files.
  • Over the last 6 months, Fortinet found that over 25% of the ransomware’s activity originated from Turkey. Similarly, Turkish sources reported that more than 100 Greek websites were affected by Dharma. Fortinet concludes that this is likely related to the ongoing political tensions between Greece and Turkey.

Source (Includes IOCs)


ZTE router backdoor script found to contain additional backdoor aimed at hackers

  • A weaponized IoT exploit that makes use of a vendor backdoor account to hack ZTE routers was found to contain a second backdoor that hacks anyone using the backdoor script.
  • According to security expert Pierluigi Paganini, the propagator of the ZTE router backdoor, known as Scarface, may have added the second backdoor to seize control over the botnets of hackers that have used his script.



Trend Micro report on inserted malicious URLs within Office documents’ embedded videos

  • Trend Micro has identified an in-the-wild sample of a proof of concept (POC) exploiting a logic bug that allows attackers to abuse the online video feature in Microsoft Office to deliver malware. The attack requires a specially crafted Word document, which Trend Micro assume is distributed through other malware or as an attachment or URL in spam.
  • The vulnerability affects Microsoft Word 2013 and later versions. The in-the-wild sample abused the bug in Microsoft Office’s online video feature, which embeds video from external sources such as YouTube and similar media platforms.

Source (Includes IOCs)


DarkHotel Group most frequently targets VBScript in 2018 and develops new exploits

  • Qihoo 360 Core researchers found that the DarkHotel Group has developed and used new exploits for two older vulnerabilities in the Internet Explorer (IE) VBScript scripting engine. The two vulnerabilities are tracked as CVE-2017-11869 and CVE-2016-0189.
  • According to ZDNet, VBScript was DarkHotel’s ‘favorite target’ in 2018. Earlier this year, the group targeted two other vulnerabilities (CVE-2018-8373 and CVE-2018-8174) in the IE scripting engine. These two flaws have since been patched.

Source 1 Source 2


Malicious app discovered on Google Play with over 5,000 installs

  • Security researcher Lukas Stefanko discovered a trojanized app on the Google Play Store that had been available since November 30th, 2017. The malicious ‘Simple Call Recorder’ app tricked users into installing an additional app that impersonated a Flash Player update and contained a malicious payload.

Source (Includes IOCs)


Hacker Groups

Researchers discover new APT ‘The White Company’ targeting Pakistani military

  • Cylance researchers released a report on a new, likely state-sponsored, threat actor named The White Company, which has been targeting Pakistan’s government and military. The report details the threat actor’s ongoing campaign, dubbed Operation Shaheen, which is specifically aimed at the Pakistani Air Force.
  • The threat actor was found to target and evade eight different types of antivirus products, ‘turning them against their owners by deliberately surrendering [to detection] in order to distract, delay and divert the targets’ resources’. The products include those by Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG and Quick Heal.
  • Their extensive analysis also focuses on the threat actor’s techniques for obfuscation and evasion, the tools and tactics the attacker uses, and provides a discussion of the geopolitical context of White Company’s emergence.

Source (Includes IOCs)


Leaks and Breaches

Google’s services down due to BGP leak redirecting traffic through China, Russia and Nigeria

  • Google was affected by a BGP leak on Monday, November 12th, 2018, which caused traffic to be rerouted through Russia, China and Nigeria. The incident triggered a DoS condition affecting G Suite, Google Search and Google Analytics.
  • According to a report by ThousandEyes, the leak involved Russian TransTelecom, China Telecom and MainOne, a small ISP in Nigeria. The network monitoring company suspects that the ‘origin of this leak was the BGP peering relationship between MainOne and China Telecom’. It is unclear whether this attack was intentional or the result of a misconfiguration.
  • This incident follows recent reports of China Telecom rerouting internet traffic of multinational telecommunications providers via mainland China.

Source 1 Source 2


US retailer Nordstrom suffers employee data breach

  • Nordstrom alerted its employees that their information, including names, Social Security numbers, birth dates, checking account and routing numbers, and more, may have been breached.
  • Customer data was not affected in the breach, which occurred on October 9th, 2018 when a contract worker mishandled employee data.



Click2Gov payment processing site breached

  • The city of Bakersfield, California reported that its Click2Gov online payment portal had been breached, with malware inserted to steal the payment card data of users who made payments to the city between August 11th and October 1st, 2018.




Tenable researcher David Wells finds a way to bypass Windows UAC

  • Wells found that he could bypass Windows’ User Account Control (UAC) by spoofing the execution path of files in a trusted directory. UAC is a security mechanism that aims to limit application software to basic user privileges until an administrator authorises further access.
  • In order to bypass the check, Wells created a directory with a space in its name, which would usually be invalid. Using the CreateDirectory API, he was able to bypass some of the naming filter rules and send the directory creation request directly to the file system.
  • Following this, Wells copied a signed, auto-elevating executable into it and found that no UAC prompt was triggered upon its execution. He was therefore able to elevate malicious code.



General News

Study finds payment card fraud on the rise in US

  • Gemini Advisory found that the switch to EMV chip-enabled cards in the US has not eliminated card fraud. The study found that 93% of the 60 million compromised US payment cards in the past 12 months were chip-enabled.
  • The researchers stated that many card holders are still asked to swipe rather than use chip insert at merchant locations without upgraded EMV enabled POS systems, disregarding the superior security provided by using EMV chip insert.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
