Silobreaker Daily Cyber Digest – 24 April 2019
Malware discovered hosted on Google Sites sending data to MySQL server
- Researchers discovered malware, named LoadPCBanker, hosted on Google Sites, the Google platform for building websites; it drops an information stealer that sends data to a MySQL server controlled by the attackers. LoadPCBanker is an executable disguised as a PDF file purporting to hold guest house information and is stored in the File Cabinet storage space of Google Sites.
- The threat actors used classic Google Sites to create a website and then used the file cabinet template to upload the payload, and finally sent the resulting URL to the potential victims. The name of the PDF file indicates that the threat actors are targeting either English or Portuguese speaking citizens.
- When launched, the malware creates a folder and downloads libmySQL50[.]DLL, otlook[.]exe, and cliente[.]dll payloads from the file hosting website KingHost. Otlook[.]exe is an information stealer that can take screenshots, record data saved in the clipboard and log keystrokes. It also downloads a file that contains credentials and connection details for the SQL database that will retain the stolen information.
Wall Street Market dark web marketplace shuts down following exit scam
- Last week, the Wall Street Market’s (WSM) administrators began moving funds from the site’s main Bitcoin wallets to another location, ultimately stealing over $14.2 million in users’ funds. Most of the funds were profits generated from the sale of drugs, weapons and malware.
- Following users’ complaints about the incident, the site’s administrators began blackmailing customers, demanding Bitcoin payments in exchange for not disclosing their plaintext Bitcoin wallet addresses to law enforcement. In one case, an administrator shared their account credentials online, allowing anyone to access WSM’s backend, which may contain details about buyers’ and sellers’ real identities.
Avast researchers discover 50 apps on Google Play containing adware
- The apps, infected with adware dubbed TsSdk, pose as legitimate lifestyle apps and have been downloaded 30 million times in total.
- The adware apps are linked to one another by the use of third-party Android libraries ‘which bypass the background service restrictions present in newer Android versions.’ The apps display full-screen ads on users’ devices and in some cases attempt to lure them into installing additional malware-laden apps.
- Avast researchers discovered two versions of TsSdk. The newer version features updated and encrypted code and will only trigger if a victim installs the malicious app by clicking on a Facebook ad.
Cisco Talos publish report update on DNSpionage campaign
- Earlier this year, researchers from Cisco Talos discovered some changes to the tactics, techniques and procedures (TTPs) used by the threat actors behind the DNSpionage campaign.
- In February 2019, researchers found that instead of using malicious macros embedded in a Microsoft Word document like previous examples, the threat actors used an Excel document with a similar macro. In addition, although the payload was primarily the same, a new reconnaissance phase had been added, which ensured that the payload is dropped on specific targets instead of any machine.
- In April 2019, Cisco Talos researchers found a previously undocumented malware, dubbed Karkoff, that allows remote code execution from the C&C server. The malware is not obfuscated and runs as a Windows service named ‘MSExchangeClient’. The researchers discovered overlaps between the infrastructure of DNSpionage and Karkoff, including overlaps in IP use during the same time periods. They therefore assess that the same threat actor is using both malware families.
Source (Includes IOCs)
Kaspersky Lab speculates on the involvement of ShadowPad in Operation ShadowHammer
- Kaspersky Lab researchers recently linked the supply-chain attack that hit ASUS users, dubbed Operation ShadowHammer, to the threat group behind the ShadowPad backdoor. Operation ShadowHammer was discovered in January 2019, when attackers used a trojanized version of the ASUS Live Update utility to install a backdoor on devices.
- Kaspersky Lab researchers’ analysis of the backdoor discovered in the recent attack revealed that it was an updated version of the ShadowPad backdoor. The researchers also extracted an IP range that had previously been reported by Avast as being related to ShadowPad activity linked to the supply chain attack that targeted CCleaner in September 2018.
Source (Includes IOCs)
Trend Micro analyse abuse of custom actions in Windows Installer MSI
- Trend Micro researchers recently discovered malicious MSI files downloading and executing further files that could bypass traditional security filters. Malicious actors could abuse custom actions in the files to execute malicious commands and drop malware that is capable of either beginning a system shutdown or targeting financial systems in certain locations.
- Their report includes an analysis of the malicious MSI files and of how custom actions in MSI can be abused, as well as appropriate mitigation tools and techniques.
Leaks and Breaches
Manufacturer Aebi Schmidt hit by ransomware
- According to TechCrunch, the ransomware attack mostly affected Aebi Schmidt’s European base, but also impacted some of its US subsidiaries. A spokesperson stated that the attack made systems necessary for manufacturing operations inaccessible.
City of Stuart hit by Ryuk ransomware
- Following yesterday’s report on the attack, it has now been found that the city of Stuart, Florida, was attacked by Ryuk ransomware. Investigators suspect the city’s systems got infected following a phishing email. Several services, including Stuart’s police and fire departments, remain offline.
Belkin WeMo Insight smart plug still at risk of zero-day attacks
- According to McAfee researchers, the smart plug is still at risk despite it being almost a year since the critical vulnerability, tracked as CVE-2018-6692, was discovered and disclosed.
Information leak vulnerability discovered in Symantec Endpoint Protection Small Business Edition
- The flaw, tracked as CVE-2018-18366, resides in the control message handler of the ccSetx86.sys kernel driver of Symantec Endpoint Protection Small Business Edition.
- An attacker could send specially crafted requests to cause the driver to send uninitialized parts of memory, which could leak sensitive information, such as privilege tokens or kernel memory addresses that could be used to bypass kernel security mitigations. To trigger this flaw, an unprivileged user could run a program from user mode.
Fortinet analyses flaw in Apple QuartzCore
- The flaw, tracked as CVE-2019-8507, was discovered in QuartzCore, a framework used by macOS and iOS to create animatable scene graphics. The flaw is a memory corruption vulnerability that exists when QuartzCore handles a shape object in a specific function on macOS, which could lead to the app unexpectedly stopping.
Vulnerability in Confluence actively exploited to drop GandCrab ransomware
- According to Alert Logic researchers, a critical flaw, tracked as CVE-2019-3396, in Confluence’s widget connector has been rapidly adopted by attackers and successfully used to breach targets and infect them with GandCrab.
- The vulnerability permits attackers to inject commands into ‘_template’ to achieve authenticated remote code execution. A proof of concept was publicly released on April 10th and soon after the researchers observed weaponized attacks exploiting the flaw.
Source (Includes IOCs)
Twitter suspends over 5,000 pro-Trump bots retweeting anti-Mueller messages
- The messages all denounced the report released by Special Counsel Robert Mueller as a ‘RussiaGate hoax’. The accounts were connected to other accounts that had previously been used to post pro-Saudi messages.
- Most of the accounts have as few as three posts, and all retweeted content from the @TheGlobus account.
Facebook urged to address law enforcement’s use of fake profiles to conduct surveillance
- Despite previous warnings and Facebook’s efforts to combat the issue, the Electronic Frontier Foundation warns that law enforcement officers continue to mass-create both fake and impersonator Facebook profiles to secretly spy on users.
- In one recent example revealed by The Guardian, the US Department of Homeland Security ran a complex network of fake Facebook profiles and pages to trick immigrants into registering at a fake college. The scheme was designed to identify those who had committed immigration fraud.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.