Silobreaker Daily Cyber Digest – 16 October 2019
Researchers publish analysis of LOWKEY malware
- FireEye researchers analysed LOWKEY malware, a backdoor that has been observed being used in highly targeted attacks by APT41. The backdoor is loaded and decrypted from DEADEYE.APPEND, one of multiple DEADEYE variants using RC5 encryption and containing a unique string of code.
- Two variants of LOWKEY were identified, a passive TCP listener and a passive HTTP listener targeting Internet Information Services. Both have identical functions; however, the former also contains a user mode rootkit capable of intercepting incoming TCP connections.
- LOWKEY’s payloads only work on specific systems and support commands for a reverse shell, uploading and downloading files, listing and killing processes and file management.
Source (Includes IOCs)
New ‘undetectable’ commodity RAT for sale online
- Palo Alto Networks Unit 42 researchers discovered a new remote access tool called Blackremote, which has already been used in more than 2,200 attacks using almost 50 samples, all believed to have been part of one campaign.
- Blackremote RAT was first observed being advertised by a Swedish individual going by the handles ‘Speccy’ and ‘Rafiki’ in September 2019. Speccy advertises it as a ‘full featured systems remote administration suite,’ selling it as a tool for legitimate purposes. However, the researchers believe added capabilities, such as it being ‘undetectable’ and references to crypting, ‘password recovery’ and ‘fun features,’ suggest the RAT was developed for malicious purposes.
Source (Includes IOCs)
Azorult analysis published by researchers
- Researchers at Trustwave have analysed the information stealing trojan Azorult, which is commonly spread via spam emails. Azorult also often downloads additional malware, such as ransomware.
- The malware sample observed immediately retrieves the configuration from the control panel upon infection, steals all data set in the configuration, exfiltrates the data and then self-destructs. Azorult is capable of harvesting and exfiltrating saved passwords, browser login data, cookies, history, chat sessions, cryptocurrency wallet files, and screen captures.
Source (Includes IOCs)
Site offering iOS jailbreak download used to deliver malware
- Researchers at Cisco Talos discovered criminals delivering click fraud malware through a website that purported to provide the checkra1n jailbreak for iOS devices. The legitimate checkra1n project uses the recently disclosed Checkm8 vulnerability to load a jailbroken image onto an iPhone by modifying the bootrom.
- The fake site has been configured to appear as legitimate as possible and claims to work with prominent jailbreak researchers.
- Users who download and run the fake checkra1n tool will be redirected multiple times before they are prompted to install an iOS app called ‘POP! Slots’ onto their device. The app then instructs users to play the game to unlock the jailbreak.
Cryptomining-focused Rocke group alters TTPs to increase resilience to takedowns
- Researchers at Anomali discovered that the China-based Rocke group, first identified in August 2019, altered their C2 infrastructure over summer 2019. The group migrated away from using Pastebin to host their initial setup script and are now using a self-hosted solution and DNS records. The researchers stated that this protects the group against potential takedowns.
- Rocke also made changes to their LSD malware by adding a function that exploits CVE-2016-3088 on vulnerable ActiveMQ servers. The flaw can allow an attacker to upload an arbitrary file.
- Although Rocke are primarily known for cryptomining activities, the researchers warned that the group could easily switch their payload to ransomware or a RAT.
Source (Includes IOCs)
Leaks and Breaches
Hacker acquires database of stolen card retailer BriansClub
- Security researcher Brian Krebs reported that in September 2019, he was contacted by a source who provided a plain text file containing the database of criminal marketplace BriansClub. The database contains more than 26 million credit and debit card records, 7.6 million of which were added between January and August 2019. The card details have been stolen from online and physical stores.
- The data provided to Krebs has been shared with individuals who work with financial institutions. The breach will allow banks to reissue cards that appeared on the database.
Unsecured database exposed Whirlpool customer emails
- Security Discovery researchers discovered an unsecured database belonging to Whirlpool, which contained 28,151,181 records relating to data collected during full system scans of home appliances. This included customer emails, SAID numbers (smart appliance IDs), model names and numbers, and different attributes of scanned appliances.
- Whirlpool has since taken the database offline and stated that its investigation showed that 48,000 emails had been publicly available. Affected customers are being notified.
Hunt Regional Healthcare updates data breach total
- Hunt Regional Healthcare, targeted by a cyberattack in May 2018 that was discovered on May 14th, 2019, has revised the number of affected patients. The attack was originally believed to have only exposed protected health information of 3,700 Hunt Regional Medical Center patients. However, an investigation revealed the data breach was more widespread and affected additional parts of the network.
- Hunt Regional Healthcare is due to update the new figure of affected patients. A full list of additional Hunt Regional Healthcare networks that were compromised is available via HIPAA.
Adobe issues out-of-band patch for 81 vulnerabilities
- On October 15th, 2019, Adobe issued patches for Adobe Acrobat and Reader, Adobe Experience Manager, Adobe Experience Manager Forms, and Adobe Download Manager.
- Adobe Acrobat and Reader contain 68 vulnerabilities, 45 of which are rated as critical. The flaws are easily exploitable and could allow an attacker to execute arbitrary code.
STOP ransomware most reported strain in past 6 months
- Emsisoft’s report on ransomware statistics for Q2 and Q3 2019 showed that the most reported strain is STOP ransomware, also known as DJVU, followed by Dharma and Phobos. Ryuk ransomware, although not among the top ten reported strains, has been involved in numerous high-profile ransomware attacks and has been particularly disruptive and profitable.
- The most targeted countries were Asian nations, with 17.1% of submissions from Indonesia and 15% from India. These were followed by the United States, Brazil and Korea.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.