Silobreaker Daily Cyber Digest – 20 November 2019
Malware-as-a-service Phoenix keylogger gains popularity with cybercriminals
- Researchers at Cybereason have identified keylogger malware, named Phoenix, which is gaining popularity among cybercriminals. The keylogger first emerged in July 2019 and is provided as part of a malware-as-a-service offering. Despite its recent discovery, the malware has already been utilised to target users in North America, Europe, and the Middle East.
- The majority of Phoenix keylogger infections seen by the researchers were delivered through Microsoft Office documents or weaponised rich text files. The most common exploit used by attackers was the Equation Editor vulnerability CVE-2017-11882.
- Following infection, the malware can steal passwords, download additional malware, log keystrokes, perform screen capture, and more. Phoenix keylogger also features robust defence capabilities which attempt to stop over 80 security products. Stolen data is exfiltrated via SMTP, FTP or Telegram.
- Similarities in code, info schemes, SMTP configurations, SMTP functions and marketing material led the researchers to deduce that the team behind the Phoenix keylogger had previously developed Alpha keylogger.
Source (Includes IOCs)
Researchers discover new custom packer tool using several techniques
- Fortinet researchers discovered a new packer, dubbed Frenchy, which is capable of performing a wide range of functions not related to unpacking. These include a custom installation routine for the malware, creating a Visual Basic script in an arbitrary folder inside a user’s profile directory, and copying itself into this arbitrary folder.
- Additionally, unlike typical packers, it does not store its shellcode inside the AutoIt script, but instead places it in other resources. Depending on the resource used, the packer chooses a different Microsoft executable to inject itself into, on some occasions using process hollowing.
- The packer has already been observed used by a number of malware families, including LimeRAT, AgentTesla and Lokibot.
Source (Includes IOCs)
New banking trojan distributed via sponsored ads on Facebook
- ESET researchers observed a new Latin American banking trojan, dubbed Mispadu, targeting Brazilian and Mexican users. Different versions were created for each country, each using different installers and stages, and other slight variations were observed.
- Similar to other Latin American banking trojans, for example Amavaldo and Casbaneiro, Mispadu is written in Delphi, collects information about its victims and uses a unique, custom cryptographic algorithm for obfuscation purposes.
- Mispadu’s distribution methods include spam, a common method for Latin American banking trojans, and malvertising, which is not as common. For example, when targeting Brazilian users, sponsored advertisements on Facebook offering discount coupons for McDonald’s were used to lure victims to a malicious site. The fake coupons are downloaded from the same Yandex[.]Mail account in both the spam emails and the fake websites.
- Mispadu was also observed being spread alongside a malicious Google Chrome browser extension that claims to help you ‘Protect your Chrome.’ Its purpose is to steal credit card data and banking data, specifically from the Brazilian payment system Boleto.
Source (Includes IOCs)
Changes in traffic patterns observed in Hancitor malspam campaign
- Security researcher Brad Duncan analysed a recent Hancitor malspam campaign and found changes in the infection traffic compared to an early October 2019 campaign. The current campaign continues to use the same DocuSign-themed email template observed in the previous campaign.
- Hancitor, also known as Chanitor and Tordal, is known for pushing additional malware, including the banking trojan Ursnif. Duncan’s analysis found no indications of Hancitor maintaining persistence, whereas Ursnif updated the Windows registry to stay persistent. Duncan notes that Hancitor is most often stopped by spam filters, yet such campaigns will likely continue ‘as long as it’s profitable for the criminals behind it.’
Source (Includes IOCs)
Monero website hacked to deliver crypto-stealing malware
- A coin stealer was found in the Linux 64-bit command-line (CLI) Monero binaries offered for download. Monero warned users who downloaded the CLI wallet between ‘2:30 AM UTC and 4:30PM UTC’ on November 18th, 2019, to check the hashes of their binaries.
- Researcher Bary Parys was also able to get a Windows malware sample from the attacker’s C2. The Windows version attempts to exfiltrate the binaries in a similar manner to the Linux coin stealer.
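The hash check Monero asked its users to perform, written out as an added example (it is not Monero’s code and not part of the original digest): it reads a published list in the `hexdigest  filename` layout that sha256sum prints, hashes each file on disk, and reports it as intact, altered or missing. The file names and contents in `demo()` are constructed for illustration; in practice the list and the expected digests come from the vendor’s signed release notes.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_bytes(data):
    """SHA-256 hex digest of in-memory bytes (used to build the sample hash list)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text):
    """Parse lines in the 'hexdigest  filename' layout that sha256sum prints.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped. Returns {filename: digest}.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a well-formed SHA-256 digest line
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(directory, hash_list_text):
    """Compare every file named in the hash list against the files on disk.

    Returns {filename: "ok" | "mismatch" | "missing"}. hmac.compare_digest is
    used so the comparison runs in constant time regardless of where digests differ.
    """
    results = {}
    for name, digest in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact download, one altered after the hash
    list was published, and one listed file that was never downloaded."""
    original = {
        "wallet-cli.bin": b"constructed wallet CLI contents",
        "wallet-rpc.bin": b"constructed wallet RPC contents",
        "daemon.bin": b"constructed daemon contents",
    }
    # The list a vendor would publish, built from the untampered files.
    hash_list = "# constructed hash list\n" + "".join(
        "%s  %s\n" % (sha256_of_bytes(data), name) for name, data in original.items()
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "wallet-cli.bin"), "wb") as f:
            f.write(original["wallet-cli.bin"])            # intact
        with open(os.path.join(d, "wallet-rpc.bin"), "wb") as f:
            f.write(original["wallet-rpc.bin"] + b"\x90")  # altered after publication
        # daemon.bin is deliberately absent
        return verify_downloads(d, hash_list)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-16s %s" % (name, status))
```

A "mismatch" on any file is the signal the Monero notice was about: the binary on disk is not the one whose hash was published, and it should not be run. Note that the hash list itself must be fetched from a channel independent of the download (here, Monero’s signed announcement), otherwise an attacker who replaced the binaries could replace the hashes too.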
Cyborg ransomware delivered through Windows update spam
- Researchers at Trustwave discovered a campaign delivering Cyborg ransomware via emails which purported to relate to a Microsoft Windows Update. The emails urge the target to download an attachment in order to apply the latest update.
- The attachment is a malicious .NET downloader that fetches an executable file from GitHub. The file, named bitcoingenerator, will download Cyborg ransomware. The malware proceeds to encrypt files on the target machine.
- The researchers searched for the ransomware builder and discovered a YouTube video promoting Cyborg. A link in the video description led to a builder hosted on GitHub. The researchers warned that Cyborg ransomware can be distributed by anyone who gains access to the builder. Once the builder is acquired, an attacker can change the nature of the spam campaign, and can also alter the ransomware file extension to mislead victims.
Source (Includes IOCs)
Phorpiex used for range of malicious activity
- Researchers at Check Point discovered that the Phorpiex botnet is being used for sextortion spam, crypto-jacking, crypto-currency clipping, loading other malware, and distributing ransomware. The majority of the botnet hosts are located in Asia, specifically in India, China, Thailand, and Pakistan. Other hosts reside in Russia, South America, Mexico, and the USA.
- The botnet, which is spread through exploit kits and other malware, has so far infected over 1 million Windows computers. The researchers estimated that the botnet’s C2 traffic may exceed 70 TB per month. Consequently, the botnet must use ‘dedicated IP subnets registered to figureheads’ in order to avoid detection.
Leaks and Breaches
PayMyTab exposes personally identifiable information of customers
- An unsecured AWS S3 bucket belonging to PayMyTab exposed personally identifiable information of customers who dined in restaurants using the service. PayMyTab is a US card and mobile payment terminal supplier.
- Records in the database date back to July 2nd, 2018. Exposed data includes customer names, email addresses or phone numbers, last four digits of payment cards, order details, and date, time, location and name of the restaurant visited.
National Veterinary Associates hit with Ryuk ransomware
- National Veterinary Associates (NVA) were affected by a ransomware attack, which impacted around 400 facilities owned by the California-based company. NVA refused to name the ransomware or reveal if a ransom was paid. However, a source told Brian Krebs that the attack, which was discovered on October 27th, 2019, involved Ryuk ransomware.
- According to the source, the response to the attack, which disconnected practices from patient records, practice management software, and payment systems, was hampered by wildfires that surrounded NVA’s Los Angeles County headquarters.
- The source told Krebs that NVA was previously hit by Ryuk in early summer 2019. NVA’s chief marketing officer acknowledged this attack but asserted that the two incidents were unconnected.
Additional D-Link routers vulnerable to remote code execution
- More D-Link routers are vulnerable to remote code execution due to a flaw, tracked as CVE-2019-16920, that could allow an attacker to access the router’s web-configuration without credentials.
- A total of 13 routers have now been found to be vulnerable. Affected models are DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DIR-615, DIR-825, DIR-835, DIR-855L, DIR-86, DGL-5500, DIR-130 and DIR-330.
- As these routers have all reached end-of-life, no patches will be made available. Instead, D-Link advises users who continue to use these products to ensure their devices have the most recent firmware installed, to change the unique password for the web-configuration interface regularly, and to enable WiFi encryption with a unique password.
WP Maintenance Plugin vulnerability patched
- Wordfence patched a vulnerability in the WP Maintenance Plugin, which could allow an attacker to enable maintenance mode and inject malicious code into a compromised WordPress site. All WP Maintenance Plugin versions up to and including 5.0.5 are vulnerable. Wordfence recommends that users update to version 5.0.6.
Flaw in Apache Solr could lead to remote code execution
- A configuration flaw in Apache Solr versions 8.1.1 and 8.2.0 for Linux, tracked as CVE-2019-12409, could lead to remote code execution when using default configurations. A patch was released with version 8.3.
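As an added example (not Apache Solr’s code and not from the original digest), a small audit that tells a hardened solr.in.sh apart from the weak default the item refers to. The setting checked, ENABLE_REMOTE_JMX_OPTS, is the option the Apache Solr advisory for CVE-2019-12409 names as shipping with an insecure default in 8.1.1 and 8.2.0; the two config excerpts below are constructed to resemble that file, and the surrounding lines in them are made up.

```python
import re

# Constructed excerpt resembling the solr.in.sh shipped with the affected releases.
# Only the ENABLE_REMOTE_JMX_OPTS line is taken from the advisory; the rest is filler.
WEAK_CONFIG = """
# Settings for authentication
#SOLR_AUTH_TYPE="basic"

# Enable remote JMX access
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
"""

# The same excerpt after hardening: remote JMX is switched off.
FIXED_CONFIG = WEAK_CONFIG.replace(
    'ENABLE_REMOTE_JMX_OPTS="true"', 'ENABLE_REMOTE_JMX_OPTS="false"'
)

# Matches NAME=value, NAME="value", NAME='value', optionally prefixed with "export".
_ASSIGN = re.compile(
    r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S*))'
)


def effective_settings(config_text):
    """Return the last value assigned to each variable in a solr.in.sh-style file.

    Comment lines (leading '#') are ignored, so a commented-out setting does not
    count; a later assignment overrides an earlier one, as it would when the
    shell sources the file.
    """
    settings = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            name = m.group(1)
            value = next(v for v in m.groups()[1:] if v is not None)
            settings[name] = value
    return settings


def remote_jmx_enabled(config_text):
    """True when ENABLE_REMOTE_JMX_OPTS is set to a truthy value; absent means off."""
    value = effective_settings(config_text).get("ENABLE_REMOTE_JMX_OPTS", "false")
    return value.strip().lower() in ("true", "1", "yes")


if __name__ == "__main__":
    for label, cfg in (("weak default", WEAK_CONFIG), ("hardened", FIXED_CONFIG)):
        print("%-13s remote JMX enabled: %s" % (label, remote_jmx_enabled(cfg)))
```

Run this against the solr.in.sh actually in use on each host rather than the packaged default, since an operator may have overridden the setting in either direction; upgrading to 8.3 remains the fix the item reports.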
Proof of concept for critical Docker vulnerability published
- Researchers at Palo Alto Networks Unit 42 published a proof of concept for the vulnerability CVE-2019-14271, which impacts Docker.
- The issue, which was discovered and disclosed in July 2019, can be triggered when a container has been previously compromised, or ‘when a user runs a malicious container image from an untrusted source’. Successful exploitation of the vulnerability allows the attacker to escape and ‘take full root control of the host and all other containers in it.’
Source (Includes IOCs)
GateHub and EpicBot user data exposed online
- Security researcher Troy Hunt stated that the details of 1.4 million accounts from cryptocurrency wallet service GateHub and 800,000 accounts from Runescape bot provider EpicBot have been leaked online.
- Information exposed in the GateHub database includes names, email addresses, password hashes, 2FA keys, and more.
- Exposed information on the EpicBot database included roughly 800,000 email addresses, along with usernames, IP addresses, and bcrypt hashed passwords. The data originally appeared on a hacker forum on October 25th.
Camera vulnerability has potential to impact hundreds of millions of smartphone users
- Researchers at Checkmarx identified a vulnerability, tracked as CVE-2019-2234, which stems from a permission bypass issue in applications that access the camera on Android devices. The researchers originally tested their attack on Google smartphones and warned of its potential impact on other Android devices. Samsung has since confirmed it is affected.
- An attacker could exploit the vulnerability by creating a malicious application that can retrieve input from the microphone, camera and GPS locator without requiring permission. This works even when the phone is locked or being used to make a call.
- The researchers also found attack paths that gave them access to stored videos, photos and GPS metadata.
Oracle E-Business Suite contains two critical vulnerabilities
- Researchers at Onapsis discovered two critical vulnerabilities in Oracle’s E-Business Suite (EBS). The flaws, tracked as CVE-2019-2638 and CVE-2019-2633, could be exploited by an attacker to print bank checks and make electronic fund transfers. The flaws allow a malicious party to perform these actions while remaining undetected.
- Despite a security patch being in place for both issues, researchers at Onapsis estimated that up to half of Oracle EBS customers, approximately 10,000 organisations, remain unpatched.
Emsisoft releases Jigsaw decryptor
- Emsisoft released its latest decryptor for Jigsaw, a ransomware known for deleting files on a countdown basis. First created in 2016, the ransomware has since become open-source, allowing individuals to create multiple variants. Emsisoft’s decryption tool is capable of unlocking 85 extensions and will be updated when new variants emerge.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.