Silobreaker Daily Cyber Digest – 18 January 2019
Malicious Google Play apps use motion-based evasion techniques to download BankBot Anubis
- Trend Micro researchers discovered two malicious apps on Google Play Store that infect victims with BankBot Anubis. The two apps were called BatterySaveMobi, which had over 5,000 downloads, and Currency Converter. Both apps have since been taken down from the Play Store.
- According to the researchers, the two apps rely on unusual evasion techniques that leverage motion sensor data, meaning the malicious payload will only execute in cases where motion is detected. The assumption behind this is that the sandbox for scanning malware is an emulator, without motion sensors, and thus will not produce motion data. The malware developer can therefore determine whether the app is running in a sandbox environment by simply checking for any sensor data.
- Once the malicious code is executed, the app will trick victims into installing its payload APK with a fake system update. The app developers were also observed hiding the malicious C&C server by encoding it in Telegram and Twitter webpage requests.
Source (Includes IOCs)
Fallout Exploit Kit returns with improvements
- Since January 15th, 2019, Fallout exploit kit has been seen spreading via malvertising campaigns to deliver GandCrab ransomware.
- The new version of the exploit kit includes integration of the most recent Flash Player exploit, tracked as CVE-2018-15982, and a new landing page format, and delivers its payload via PowerShell rather than using iexplore.exe. This last addition is likely an attempt to evade detection by not using the traditional Internet Explorer process to drop the payload.
Source (Includes IOCs)
BlackRouter ransomware promoted as RaaS by Iranian developer on Telegram
- Security researcher ‘A Shadow’ spotted the BlackRouter ransomware being advertised on Telegram as ransomware-as-a-service (RaaS) by the same Iranian developer who has previously distributed the BlackHeart ransomware.
- The developer offers affiliates who join the RaaS program 80% of any ransom payments, while claiming the remaining 20%. The actor was also seen promoting a RAT called BlackRat that allegedly includes features such as communication encryption, AV evasion and plugins, as well as the ability to enable RDP, configure a miner, steal cryptocurrency wallets, enable keylogging, steal passwords, and more.
- BlackRouter was originally detected by Trend Micro researchers in May 2018. A new version of the ransomware was discovered in early January 2019 by a security researcher named Petrovic. The updated version was described as similar to the previous one, but with a ‘better looking GUI’ and added timer.
SentinelOne researchers detected re-emergence of OSX.Dok Mac malware
- OSX.Dok is disguised as a fake Adobe PDF icon, accompanied by German instructions to double-click the icon to view the document. The victim’s desktop is then taken over by a fake App Store update splash screen, which the user can neither cancel nor force quit because the application disables the keyboard. With the user unable to intervene, the malware installs a variety of other software.
- OSX.Dok was first discovered in 2017 and is capable of intercepting victims’ traffic.
Zero-day virus affects northeastern Ontario hospitals
- Medical systems at Health Sciences North (HSN) in Ontario, Canada, were hit by a zero-day virus. As a result, HSN’s systems were shut down, a preventative measure that impacted 21 other hospitals in the region that rely on HSN’s Meditech platform. According to an HSN spokesperson, the virus did not corrupt any data and has not resulted in a privacy breach.
West African banks hit with off-the-shelf malware and free hacking tools
- Symantec researchers observed four attack campaigns against West African financial institutions since mid-2017. The attacks, which affected banks in Cameroon, DRC, Ghana, Equatorial Guinea and Ivory Coast, infected victims with NanoCore malware, Mimikatz credential stealer, Gussdoor Backdoor and Imminent Monitor RAT.
- The attacks also made use of tools including PowerShell, PsExec, UltraVNC, and RDP.
Source (Includes IOCs)
Threat actor Rocke’s malware evades detection by cloud security products
- Palo Alto Networks Unit 42 observed the Rocke Group using Linux coin mining malware, which has evolved in order to uninstall five cloud security protection products from compromised Linux servers.
- The malware, rather than compromising the security products, gains and leverages administrative control over the hosts in order to uninstall the products.
Source (Includes IOCs)
Perception Point discover attack leveraging open source BYOB framework
- This is reportedly the first time the build-your-own-botnet (BYOB) framework has been used in fraudulent activity in the wild. The framework allows amateur hackers and criminals to carry out attacks that they otherwise would not have the tools or techniques to create.
- Victims of the recent campaign received an email with an HTML attachment containing a link to a phishing site impersonating an Office 365 login page, as well as script code that automatically downloads malware onto the victims’ computers. The payload then connects to the server and awaits instructions.
Threat actors spoof Tampa Bay Credit Union members’ debit card information
- Cyber criminals identified the Credit Union’s Bank Identification Numbers (BINs) and used software purchased on the dark web to connect the BINs to account holders’ debit cards.
- The Credit Union stated that no credit union members incurred losses from the attempted fraudulent transactions. Thousands of customers have had their credit cards cancelled.
Threat actors discovered leveraging flaw in ThinkPHP Framework
- Multiple threat actors have been observed leveraging a recently discovered code execution flaw in the ThinkPHP framework, tracked as CVE-2018-20062. Despite the vulnerability being addressed by the Chinese security firm TopThink, Akamai’s security team have identified several active exploits for the flaw in the wild.
- Attackers are reportedly able to use publicly available code to exploit the flaw and deploy various malicious payloads. In one example, the flaw was exploited to deliver a variant of the Mirai bot.
- Analysis of attacks leveraging this flaw recently showed that the majority of IP addresses are from the Asia Pacific region, where the ThinkPHP framework is most popular, though threat actors are scanning for vulnerable systems worldwide.
Adminer vulnerability allows hackers to inject malicious code into online stores
- Researcher Willem De Groot discovered a vulnerability in the database management tool Adminer that can be exploited to make it disclose arbitrary files. Attackers have exploited this vulnerability in order to inject payment skimmers on online stores belonging to governments and multinationals.
Vulnerability in Telegram BOT API reveals malware OpSec
- Forcepoint researchers discovered a vulnerability in Telegram’s handling of messages sent through its Bot API, which could allow a malicious actor to view the full history of all messages sent or received by the bot, including messages sent between users sharing a group chat.
- The researchers’ investigation of the flaw led them to uncover a threat actor using the bot in order to develop malware dubbed GoodSender. The malware has infected 120 victims, mostly in the US.
Source (Includes IOCs)
Patch released for Windows zero-day flaw that overwrites files with arbitrary data
- 0patch released a micropatch for a vulnerability in Windows that allows users with low privileges to have any file overwritten with the content of a Windows Error Reporting (WER) XML file. The flaw could result in arbitrary code execution as SYSTEM.
- The bug was discovered by a security researcher, known online as SandboxEscaper, on December 27th, 2018. The researcher also released a proof-of-concept exploit code that overwrites ‘pci.sys’ with information about software and hardware issues collected through WER.
Drupal release patch for a further critical flaw
- Following yesterday’s report on the release of a patch for a critical flaw discovered in PHP’s built-in phar stream wrapper, a further critical flaw has been found residing in Drupal versions 7.x, 8.5.x, and 8.6.x, which could allow an attacker to take full control of an affected system.
- CVE-2018-1000888 lies within the PEAR Archive_Tar library component and can be exploited to achieve remote code execution. The flaw has since been patched.
Twitter fixes bug in Android app that exposed users’ protected tweets
- The four-year-old bug disabled the ‘Protect your Tweets’ setting if certain account changes were made. It caused some users’ tweets, intended only for approved followers, to be publicly exposed.
- Users were affected if they had the protected Tweets feature turned on, used Twitter for Android, and made certain changes to their account settings between November 3rd, 2014 and January 14th, 2019.
Hidden server continuously running in the background in ES File Explorer
- Researcher Robert Baptiste discovered a vulnerability, tracked as CVE-2019-6447, that concerns a hidden server in ES File Explorer continuously running in the background. ES File Explorer is an Android file manager with over 500 million users worldwide.
- Baptiste found that immediately after launching the app, it will start a local HTTP server on port 59777 which will remain open until all the background services of ES File Explorer are killed. An attacker connected to the same local network as the victim can thus collect a range of information about the victim’s phone, remotely retrieve files and remotely launch an app on the device. This will occur despite the user not granting any permissions to the app on their Android device.
- Following Baptiste’s report, researcher Lukas Stefanko found another local vulnerability in ES Explorer. Attackers could exploit this flaw to launch a man-in-the-middle attack that could intercept the app’s HTTP network traffic. All versions of ES File Explorer up to 184.108.40.206.4 are said to be affected.
High-severity flaws found in ControlByWeb industrial weather station
- Researchers Tom Westenberg and John Elder discovered two flaws in the ControlByWeb industrial grade weather station. The first is a denial-of-service flaw, tracked as CVE-2018-18881, discovered in the device’s web-enabled Instrument-Grade Data Acquisition module, which could be exploited to disrupt all TCP-based communications on the device through a particular network.
- In addition, a cross-site scripting vulnerability, tracked as CVE-2018-18882, was also discovered, affecting the ‘Site Description’ input field on the HTML setup page. This could allow an attacker to inject a malicious script into the field, which would be executed when a user visits the device’s status page.
Researchers report on collaboration of Iranian hackers on now defunct Ashiyane online forum
- The new research shows how Iranian hackers collaborated via the Ashiyane online forum from 2002 until its shutdown in 2018. These collaborations allegedly resulted in several major cyber incidents, including attacks on Saudi Aramco and large banks, and espionage campaigns aimed at a variety of Western targets.
- The researchers found that the forum was managed by one of the main security contractors in Iran with known connections to Iran’s Islamic Revolutionary Guard Corps. They state that Ashiyane was a key source for Iranian contractors to share information on successful offensive tools and tactics. The creator of the forum was also found to have deep ties with the Iranian government.
19 Android apps discovered on Google Play only running ads and Google Maps
- ESET Android security researcher Lukas Stefanko discovered 19 apps with over 50 million installs that pose as GPS apps, but actually merely display advertisements and open Google Maps.
- The apps request information from users including access to contacts and the ability to send texts or make phone calls.
Facebook close hundreds of Russia-linked pages
- Facebook has announced the closure of over 500 pages, groups and accounts originating in Russia, for engaging in what has been described as ‘coordinated inauthentic behaviour’. Two campaigns were identified, one active in a number of former Soviet Union republics and another focused on Ukraine.
- 364 pages were found posing as independent news sites, though they were linked to employees of the Moscow-based news agency Sputnik. The pages posted frequently on topics including anti-NATO sentiment, protest movements and anti-corruption.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.