Threat Reports

Silobreaker Daily Cyber Digest – 21 October 2019



Researchers publish analysis of PoisonFrog malware

  • The IronNet Threat Research team analysed PoisonFrog, a malware using DNS tunnelling as a way of covertly communicating with its C2, managing to evade detection by firewalls, endpoints, proxies and other signature-based or outlier-based network controls. The malware has been associated with APT34.
  • The purpose of PoisonFrog’s DNS tunnelling is to download or upload files and execute PowerShell commands sent as tasking. The PowerShell script sets itself up as a Windows task and is invoked every ten minutes, each time creating a DNS query as a way of announcing itself to its C2 and checking if any tasks need to be performed.
  • A full technical analysis is available on IronNet’s blog.

Source (Includes IOCs)
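The beacon behaviour described above (a scheduled task that issues a DNS query to the operator's domain every ten minutes, with a changing subdomain carrying data) is what a defender can hunt for in DNS logs. The following is an added example written for this digest, not code from IronNet or from the PoisonFrog analysis: it groups queries by client and registered domain, then flags pairs whose inter-query intervals are nearly constant. The log lines and the domain `beacon-placeholder.example` are constructed; the log format (`timestamp client query_name`) is an assumption, and the registered-domain extraction is deliberately crude (a real deployment would use the public suffix list).

```python
"""Hunt for fixed-interval DNS beaconing in query logs.

Added example for the PoisonFrog item; not the vendor's code. Assumes one
query per line as: ISO-8601 timestamp, client IP, queried name.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 beacons every ~10 minutes to a
# placeholder domain with a different label each time (tunnelled data);
# 10.0.0.7 shows ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
2019-10-21T08:00:01 10.0.0.5 a3f9c1.beacon-placeholder.example
2019-10-21T08:00:04 10.0.0.5 www.microsoft.com
2019-10-21T08:10:02 10.0.0.5 b7e204.beacon-placeholder.example
2019-10-21T08:20:00 10.0.0.5 c91d55.beacon-placeholder.example
2019-10-21T08:30:03 10.0.0.5 0de8a7.beacon-placeholder.example
2019-10-21T08:40:01 10.0.0.5 f12b3c.beacon-placeholder.example
2019-10-21T08:03:11 10.0.0.7 www.example.org
2019-10-21T08:17:45 10.0.0.7 cdn.example.org
2019-10-21T08:41:09 10.0.0.7 www.example.org
2019-10-21T09:02:30 10.0.0.7 mail.example.org
"""


def registered_domain(name: str) -> str:
    """Crude registered-domain extraction: keep the last two labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> dict:
    """Map (client, registered_domain) -> (timestamps, distinct query names)."""
    events = defaultdict(lambda: ([], set()))
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        stamps, names = events[(client, registered_domain(qname))]
        stamps.append(datetime.fromisoformat(ts))
        names.add(qname.lower())
    return events


def find_beacons(events: dict, min_queries: int = 4, max_jitter: float = 0.1) -> list:
    """Return (client, domain) pairs whose query intervals are nearly constant.

    jitter = stddev(gaps) / mean(gaps); a scheduled task produces a value
    close to zero, while human-driven lookups scatter widely.
    """
    findings = []
    for (client, domain), (stamps, names) in events.items():
        if len(stamps) < min_queries:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "domain": domain,
                "interval_s": round(avg),
                "queries": len(stamps),
                "distinct_names": len(names),  # many labels under one domain suggests tunnelling
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run against a real resolver or EDR DNS export after adapting `parse_log` to that format; raise `min_queries` and lower `max_jitter` to cut false positives from legitimate pollers, and treat a high `distinct_names` count under a single low-reputation domain as the stronger signal.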


Ongoing Campaigns

Trojanised Tor Browser used in campaign to steal money

  • ESET researchers discovered criminals spreading a trojanised version of Tor Browser by advertising it as the official Russian-language version of the browser and using it to steal cryptocurrency from darknet forum users by altering their wallet addresses. Three Bitcoin wallets belonging to the criminals were found to contain 4.8 Bitcoin ($40,000). However, the stolen amount is likely higher as the criminals also altered QIWI wallets.
  • The browser is advertised on two websites that were registered in 2014. It was distributed on Russian forums using spam messages in 2017 and early 2018, before the criminals started using Pastebin to promote it. Their pastes were optimised in such a way that users searching for certain terms, such as drugs, cryptocurrency, censorship bypass and names of Russian politicians, would be led to the pastes by their search engines. The generated pastes were viewed over 500,000 times.
  • The browser itself is fully functional and based on Tor Browser 7.5 without any changes to the source code. Instead, default browser settings and some extensions were changed. The HTTPS Everywhere add-on was modified to execute a content script when loading any webpage. This script then communicates with the C2, located on an onion domain, and downloads a JavaScript payload. The payload targets three major Russian darknet markets and attempts to alter QIWI or Bitcoin wallets on the pages of these markets.

Source (Includes IOCs)


Potentially malicious ZecWallet version discovered

  • Zcash community members discovered a fake version of the ZecWallet being advertised online. According to a Twitter post by Zcash developer Electric Coin Company, the fake ZecWallet likely contains malware and users are urged to ensure they are downloading from the official repository on GitHub.



Sodinokibi affiliates use a range of tactics and tools to deliver ransomware

  • Researchers at McAfee concluded their series of reports into Sodinokibi ransomware by analysing the various techniques and tools used by affiliates to spread malware. The researchers focused on three affiliates which were identified as Unknown Affiliate ID, Affiliate ID 34, and Affiliate ID 19.
  • Unknown Affiliate ID was first identified in May 2019. The actor identified potential targets with Masscan, executed NLBrute with custom password lists, and made initial intrusions over RDP. The actor connected to a range of IP addresses in Belgrade, Serbia.
  • In addition to dropping Sodinokibi, Affiliate ID 34 deployed Mimikatz and mined cryptocurrency. The researchers stated that some of the operators appear to write in Farsi and connect to targets from Iranian IP addresses.
  • Affiliate ID 19 operators also appeared to write in Farsi and connect from Iranian IP addresses. The group used a range of methods including manually executing attack stages, using custom scripts to erase logs and create hidden user data, and more.

Source (Includes IOCs)


Spelevo Exploit Kit used to deliver Maze ransomware

  • Security researcher nao_sec discovered that the Spelevo exploit kit is leveraging a vulnerability in Flash Player to deliver Maze ransomware. The flaw, tracked as CVE-2018-15982, is present in Flash Player versions and earlier.
  • Following successful exploitation, Spelevo EK uses arbitrary code execution to download and install Maze ransomware. The malware scans for files and encrypts them with RSA encryption and the ChaCha20 stream cipher. It is not presently possible to decrypt Maze ransomware free of charge.

Source (Includes IOCs)


Ransomware distributors increase effectiveness by working alongside network intruders

  • Researchers at Advanced Intelligence discovered network intrusion specialists on the dark web working with ransomware distributors. From June to August 2019, one user identified as -TMT- advertised ‘fat accesses’ to corporate networks. The actor claimed to have network access and stolen credentials that would give intruders administrative access.
  • -TMT- gains access to corporate networks via compromised Remote Desktop Protocol (RDP) connections and credential-stealing malware. Researchers stated that the attacker uses Cobalt Strike Beacon to achieve persistence and to elevate privileges.
  • -TMT-’s victims include businesses, universities and financial institutions in a range of countries. In July the actor offered access to an international developer of advanced digital imaging solutions for $20,000. Researchers said that they contacted US law enforcement agencies about the issue.
  • In private messages the actor said that they could upload ransomware to a victim’s network or provide access that could be used to target clients. -TMT- has offered their services to various ransomware collectives, and has worked with REvil ransomware developers.



FTCode Ransomware targets Italians

  • Researchers at AppRiver discovered that FTCode ransomware is being delivered in emails that target Italian speakers. The malicious emails contain attachments that purport to be resumes, document scans, or invoices.
  • If a target opens the attachment, a Visual Basic script launches PowerShell, which downloads and plays a mix of Rammstein songs. The script then retrieves a second .vbs file which launches the Jasper malware loader. This achieves reboot persistence by accessing the Startup folder and using Windows Task Scheduler.
  • The malware checks to ensure that the machine has not been previously infected. If no infection is discovered, FTCode ransomware encrypts a victim’s files, disables recovery, and deletes shadow volumes and system backups. The researchers stated that at the time of writing the Bitcoin wallet associated with the campaign was empty.

Source (Includes IOCs)


Google Play Photo Beautification Apps can be used for malicious purposes

  • Researchers at Trend Micro found that the Yellow Camera beautification app on the Google Play store performs a series of malicious functions. Despite appearing to operate as intended, the app also contains a routine that reads SMS verification codes from system notifications. These can be used to activate Wireless Application Protocol (WAP) billing and charge users directly to their phone bills.
  • The app has been used to target victims in Southeast Asia and China. It has been reported to Google and removed from the Play Store. Researchers found that the group behind Yellow Camera has uploaded similar apps to the iOS App Store.

Source (Includes IOCs)


Azorult control panel is vulnerable to other hackers

  • Researchers at Trustwave continued their analysis of Azorult by examining its control panel and builder. They found that the control panel uses MySQL as its database and is written in PHP. An admin can see bot reports, statistics and their configuration. The panel also contains a report page which can be used to access stolen credentials.
  • The researchers pointed to the presence of an Azorult control panel flaw, first reported on August 13th, 2019, by prsecurity, that could allow an attacker to compromise the database. The researchers discovered posts in an underground hacking forum showing that Azorult data and logs are being shared and sold online; however, they could not definitively state that these had been obtained through a SQL injection attack.

Source (Includes IOCs)


Popular Snaptube app found to generate non-human clicks and purchases

  • Upstream’s Secure-D researchers discovered the popular Android app Snaptube is secretly delivering ads that do not appear on a user’s screen, and generating non-human clicks that trigger premium digital service purchases. Snaptube was first launched in 2014 and is sold on third-party app stores, and in some cases comes pre-installed on devices.
  • In the past six months, Secure-D detected and blocked a total of 70 million suspicious transaction requests originating from 4.4 million unique devices. The activity originated from devices in Egypt, Brazil, Sri Lanka, South Africa and Malaysia, and is still ongoing.
  • The application contains SDK frameworks with obfuscated hardcoded strings that are related to advertising services, one of which could download JavaScript code to perform the automated clicks. Another framework had previously been observed in Vidmate, another application investigated due to suspicious activity. Researchers note that Snaptube’s suspicious activity stopped shortly after the first reports of Vidmate emerged.



Hacker Groups

Russian Turla group hacks Iranian OilRig group

  • On October 21st, 2019, the British National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) revealed that the Russian-speaking Turla group has used tools and infrastructure belonging to the Iranian group OilRig for the last 18 months.
  • Turla were able to access information gained by OilRig and also posed as the Iranian group to conduct their own operations. The group targeted entities in 35 countries, and their targets were primarily located in the Middle East but also include organisations in Britain.
  • The hackers successfully compromised 20 targets and stole documents from a variety of victims, including governments.



Leaks and Breaches

Jasper County hit by ransomware attack

  • A ransomware attack on Jasper County, South Carolina, is affecting its countywide systems. It was initially believed the attack did not impact 911 and emergency dispatch services; however, its dispatch application was found to have been out of service for the past three weeks. The county believes it will require a further two weeks to get its systems back up.



Financial data of Malaysians exposed on government website

  • Private financial details of individuals registered with the Petrol Subsidy Programme in Malaysia were exposed online. The leak was first discovered on October 17th, 2019 by Lowyat. Malaysia’s Domestic Trade and Consumer Affairs Minister Datuk Seri Saifuddin Nasution Ismail has since stated that the data leak has been solved.
  • The full bank account details of individuals were visible in the source code of the programme’s site when looking up MyKAD numbers. About 2.9 million Malaysians are estimated to receive petrol subsidies.

Source 1 Source 2


CenturyLink exposes 2.8 million records

  • On September 15th, 2019, researchers at Comparitech and security researcher Bob Diachenko discovered an exposed MongoDB database containing information related to technology company CenturyLink. The database contained 2.8 million records, including personal information belonging to hundreds of thousands of CenturyLink customers.
  • Records in the database were logs from a third-party notification platform used by the company. Exposed customer information included names, email addresses, phone numbers, account-specific information, and more.
  • The database was exposed for approximately ten months before it was closed on September 17th, 2019. The FCC was notified of the breach and concluded its investigation on October 17th, 2019.



Ingredion Incorporated targeted in malware attack

  • On October 15th, 2019, ingredients company Ingredion stated that ‘suspicious activity’ affected ‘several servers within certain data centres’. The company asserted that no customer, employee, or supplier data was affected. However, they did note that the servers in question would take time to restore.
  • SecurityWeek speculated that the incident could be related to a ransomware attack.

Source 1 Source 2


Mission Health informs patients of long running data theft

  • Health services provider Mission Health has begun to notify patients that the company website was compromised between March 2016 and June 2019. The company said that some customers who made purchases during this period may have had their data stolen.
  • ZDNet noted that Mission Health may have been targeted in an attack which used skimmer malware or scripts.




Security flaw in Mercedes-Benz app exposed car owners’ data

  • A flaw in the MercedesMe app, used by Mercedes-Benz owners to remotely locate, unlock and start their cars, was found to display the account and vehicle information of other owners. This included names, recent activity, locations, phone numbers, and more.
  • A Mercedes-Benz spokesperson noted that all information displayed was cached information, meaning that no real-time access to other accounts or financial data was exposed. To resolve the incident, the company temporarily took the app offline on October 18th, 2019.



Vulnerabilities in Amazon Alexa and Google Home could allow attackers to eavesdrop

  • Researchers at Security Research Labs discovered that third-party voice apps can be used to compromise Amazon Alexa and Google Home devices. To demonstrate these attacks the researchers developed a series of apps which successfully passed Amazon and Google security checks.
  • The apps could request and collect a user’s data, including passwords, and record users even when the device itself had ceased listening. Recorded information was then exfiltrated to a server operated by the researchers.
  • Google and Amazon have been alerted to the security issues. The companies removed the developer-created apps and stated that they plan on enhancing security protocols.

Source 1 Source 2


General News

Decryptor released for 148 variants of STOP ransomware

  • Emsisoft and Michael Gillespie released a decryptor for 148 variants of the widely distributed STOP ransomware. The malware has been extremely active and is the second most detected ransomware on ID Ransomware, which has received 116,000 submissions related to STOP.
  • The decryptor is available via Emsisoft. At present it cannot help victims whose files were encrypted after August 2019.

Source (Includes IOCs)



The Silobreaker Team

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
