Silobreaker Daily Cyber Digest – 24 October 2019

Ongoing Campaigns

Spidey Bot malware used to modify Windows Discord Client

  • On October 9th, 2019, researchers at MalwareHunterTeam discovered Spidey Bot, a malware that attackers use to modify the Windows Discord client. Threat researcher Vitali Kremez theorised that the malware is delivered via Discord messages.
  • Following infection, Spidey Bot adds malicious JavaScript to the Discord client, then terminates and restarts the application. After the restart, the injected JavaScript calls Discord API commands and functions that let it collect data including Discord user tokens, local IP addresses, email addresses and phone numbers. The stolen information is exfiltrated to the attacker via a Discord webhook.
  • After the information is sent, the malware executes a function that lets it act as a backdoor, allowing the attacker to steal payment information, install further malware, and execute commands.

Source (Includes IOCs)
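The persistence and exfiltration chain described above (JavaScript appended to the client's own module files, data sent out over a Discord webhook) lends itself to a cheap host check. The script below is an added example, not code from the digest, from MalwareHunterTeam or from Discord: it scans the client's module JavaScript for embedded webhook URLs, for reads of the stored user token, and for a discord_desktop_core/index.js that is no longer the one-line loader. The install directories under %APPDATA%, the expected content of index.js and the token-access heuristic are assumptions, and the injected sample is constructed for the demonstration rather than taken from a real payload.

```python
"""Look for JavaScript injected into the Discord desktop client.

Added example; this is not code from the original digest, from
MalwareHunterTeam or from Discord. Spidey Bot persists by appending its own
JavaScript to the Electron client's module files and exfiltrates over a
Discord webhook, so the checks here are (1) a hard-coded webhook URL in a
client module, (2) code that reads the stored user token, and (3) a
discord_desktop_core/index.js that differs from the one-line loader it ships
as. Install paths and the expected index.js content are assumptions.
"""
import hashlib
import os
import re
import sys

# A webhook URL inside client code is an exfiltration channel that needs no
# attacker-run C2; legitimate client modules have no reason to embed one.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# Token stealers read the persisted "token" entry (heuristic; assumption).
TOKEN_RE = re.compile(r"""localStorage[^;\n]{0,80}['"]token['"]""")
# Assumption: the untouched discord_desktop_core/index.js is this single line.
CLEAN_INDEX_JS = "module.exports = require('./core.asar');"

# Constructed sample of what an injection looks like; not a real payload.
INJECTED_SAMPLE = CLEAN_INDEX_JS + """
const hook = "https://discordapp.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz";
const tok = window.localStorage.getItem("token");
"""


def scan_js(source, path="<memory>"):
    """Return a list of (path, kind, evidence) tuples for one JS file's text."""
    findings = []
    for m in WEBHOOK_RE.finditer(source):
        findings.append((path, "webhook", m.group(0)))
    for m in TOKEN_RE.finditer(source):
        findings.append((path, "token-access", m.group(0)))
    norm = path.replace("\\", "/")
    if norm.endswith("discord_desktop_core/index.js") and source.strip() != CLEAN_INDEX_JS:
        digest = hashlib.sha256(source.encode("utf-8", "replace")).hexdigest()
        findings.append((path, "index-js-modified", "sha256:" + digest))
    return findings


def default_roots():
    """Assumed Windows install locations of the stable, PTB and Canary clients."""
    appdata = os.environ.get("APPDATA", "")
    return [os.path.join(appdata, d) for d in ("discord", "discordptb", "discordcanary")]


def scan_tree(root):
    """Scan every .js file under root (the client's versioned modules dirs)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_js(fh.read(), full))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    roots = sys.argv[1:] or default_roots()
    hits = [f for r in roots if os.path.isdir(r) for f in scan_tree(r)]
    for path, kind, evidence in hits:
        print(f"{kind:18} {path}\n    {evidence}")
    print(f"{len(hits)} finding(s) across {len(roots)} root(s)")
```

Run it with no arguments on a Windows host to scan the assumed client directories, or pass one or more module directories explicitly. A hit on the webhook pattern is the strongest signal; the token heuristic and the index.js comparison are there to catch variants that change the exfiltration channel, and should be tuned against a known-clean install before being relied on.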

 

NukeSped RATs linked to North Korean hacking group

  • Researchers at Fortinet have recently analysed a series of RAT samples from the HIDDEN COBRA hacking group, compiled between May 4th, 2017 and February 13th, 2018. The samples contained encrypted strings to hinder analysis and were mostly 32-bit. Inspecting the RATs' resources showed that the language ID associated with the malware was Korean.
  • The researchers also examined NukeSped, a RAT with many variants and a broad feature set, including read and write operations, connecting to a remote host, terminating processes, and more.

Source (Includes IOCs)

 

Highly active Stealthworker malware continually updated by operators

  • Researchers at Fortinet found that the malware behind the Stealthworker botnet continues to be updated by its developers. It can infect both Windows and Linux machines and is used to perform brute-force attacks against targets.
  • The researchers tracked the threat from February 2019 to September 2019 and identified over 23 versions of the malware, which were used to perform over 98 million jobs. More than half of the jobs targeted SSH services; other popular targets included the WordPress and Magento platforms.

Source (Includes IOCs)
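Brute-force jobs of this shape leave a very recognisable footprint in authentication and web access logs, so a defender's first question is usually whether such a source is already hammering their SSH or CMS login. The detection below is an added example, not code from Fortinet or from the Stealthworker report: it parses sshd syslog lines and combined-format web access lines, groups failed logins per source IP and service, and raises one alert per source once the failures reach a threshold inside a sliding window. The log lines are constructed for the demonstration; the thresholds, the list of login paths and the rule that an HTTP 200 to a login POST means the login failed are assumptions to tune per environment.

```python
"""Flag brute-force bursts of the kind the Stealthworker botnet runs against
SSH and web login pages.

Added example; not code from Fortinet or from the Stealthworker report. It
parses two constructed log formats (sshd syslog lines and a combined-format
web access log), groups failed logins per source IP and service, and raises
one alert per source once it exceeds a threshold inside a sliding window.
The thresholds, the list of login paths and the rule "an HTTP 200 to a
login POST is a failed login" are assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
WEB_POST_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]\s]+)[^\]]*\] '
    r'"POST (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: login endpoints of WordPress and Magento that such bots hammer.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/admin/", "/index.php/admin/")
LOG_YEAR = 2019  # syslog lines carry no year; the constructed sample is from 2019

# Constructed sample: one source brute-forcing SSH and then wp-login.php,
# and one legitimate user who logs in over SSH and WordPress.
SAMPLE_LOG = """\
Oct 24 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 24 10:00:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 24 10:00:04 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 40138 ssh2
Oct 24 10:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40146 ssh2
Oct 24 10:00:07 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 40152 ssh2
Oct 24 10:00:09 web1 sshd[2211]: Failed password for ubuntu from 198.51.100.9 port 51000 ssh2
Oct 24 10:00:10 web1 sshd[2213]: Accepted publickey for deploy from 198.51.100.9 port 51002 ssh2
203.0.113.7 - - [24/Oct/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2019:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2019:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2019:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2019:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Oct/2019:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Oct/2019:10:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def parse_event(line):
    """Return (timestamp, ip, service, target) for a failed-login line, else None."""
    m = SSH_FAIL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return ts, m["ip"], "ssh", m["user"]
    m = WEB_POST_RE.match(line)
    # WordPress answers a failed login with 200 (the form again) and a
    # successful one with a 302 redirect; the same rule is assumed for the
    # other login paths above.
    if m and m["path"].startswith(LOGIN_PATHS) and m["status"] == "200":
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        return ts, m["ip"], "web", m["path"]
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return one alert dict per (ip, service) whose failures reach `threshold`
    within any `window_seconds` span. Lines are expected in time order per log."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip, service, _ = ev
        key = (ip, service)
        window = recent[key]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "service": service, "count": len(window),
                           "first": window[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} {a['service']}: {a['count']} failed logins "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed sample the script raises two alerts for 203.0.113.7 (five SSH failures in six seconds, then five login POSTs in five seconds) and none for the legitimate user. In production, feed it the real auth.log and access log separately, since the window is tracked per source and service, and pair an alert with a block or rate limit at the edge; credential-stuffing bots tend to rotate usernames, which is why the detector keys on the source address rather than on the account.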

 

Raccoon malware popularity rockets in underground markets

  • Researchers at Cybereason published a report on the information-stealing Raccoon Stealer malware. Despite only being released in 2019, it is already one of the year's most mentioned malware families on the underground market. Raccoon is written in C++ and runs on 32-bit and 64-bit operating systems.
  • Raccoon is distributed by its operators on a malware-as-a-service model, which allows inexperienced or technically inept individuals to deploy it for malicious purposes. The malware is promoted on both Russian- and English-speaking hacker forums and can be delivered in various ways. It steals information from victims such as browser data, credit card information, and cryptocurrency wallets.
  • The malware developers appear to be based in Russia, and the researchers tentatively suggested that one of them could be a member of the underground community operating under the alias ‘glad0ff’. The researchers stated that ‘glad0ff’ previously developed the Mimosa RAT and the ProtonBot loader.

Source (Includes IOCs)

 

Researchers discovered multiple campaigns by known and new threat actors

  • BlackBerry Research published a report on the use of mobile malware by governments and state-sponsored threat actors, which showed that capabilities in this field have existed for a decade or longer. These include the in-house development of Android and iOS malware by Chinese, Vietnamese, North Korean, and Iranian state or state-sponsored APTs.
  • Among the analysed campaigns are ones by the Chinese state-sponsored groups WINNTI, REAVER, LOTUS BLOSSOM, SCARLET MIMIC and BBCY-TA1, as well as a campaign by the new threat actor BBCY-TA2, called OPERATION DUALCRYPTOEX. The group utilises two new malware families for Android and Windows, PWNDROID3 and PWNWIN1, and shares infrastructure with another new APT called BBCY-TA3. BBCY-TA3 targets Western and South Asian telecommunications and chemical manufacturing companies, particularly ones based in Germany, the US and Canada.
  • OCEANLOTUS, also known as APT32, was also observed engaging in a new campaign, dubbed OPERATION OCEANMOBILE, which uses a new Android malware called PWNDROID1 that is spread via legitimate app stores.
  • OPERATION DUALPAK, a campaign targeting the Pakistani government and using a newly identified malware called PWNDROID2, was also discovered. The suspected state-sponsored APT BITTER is believed to be behind it. Another campaign targeting the Pakistani military, government agencies and their officials, dubbed OPERATION DUALPAK2, uses a new malware called PWNWIN2; the researchers attributed it to CONFUCIUS.

Source (Includes IOCs)

 

Leaks and Breaches

Johnson City hit by ransomware attack

  • On October 21st, 2019, Johnson City, Tennessee, was targeted in a ransomware attack that affected about half of the municipality’s computer systems. The city’s IT director stated that no data was lost and the systems are currently being restored.

Source

 

Vulnerabilities

More D-Link routers vulnerable to RCE attacks

  • The remote code execution flaw CVE-2019-16920 affects more D-Link routers than previously reported. DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825 were also found to be vulnerable.
  • No patch is due to be released as D-Link no longer supports these devices. Customers are recommended to replace their devices with newer ones.

Source

 

Vulnerability found in WordPress PushEngage plugin

  • A cross-site scripting vulnerability was discovered in the WordPress PushEngage plugin. It is caused by one of the plugin's functions being reachable by anyone, without being logged into WordPress, and performing no security checks before saving settings, so unauthenticated input is written into the plugin's stored settings.

Source

 

Vulnerabilities in Firefox could lead to arbitrary code execution

  • Multiple critical arbitrary code execution flaws in Firefox 69 and Firefox ESR 68.1 allow an attacker, in the context of the affected user, to view, change or delete data, as well as create new accounts with full user rights.
  • The critical memory-safety issues, tracked collectively as CVE-2019-11764, were patched in the latest release (Firefox 70 and Firefox ESR 68.2), which also fixed a further three high-severity and five moderate vulnerabilities. The Multi-State Information Sharing and Analysis Center warned that large and medium government entities and companies are at highest risk.

Source

 

Flaws found in Fujitsu wireless keyboard

  • Researchers discovered two high-severity flaws in the Fujitsu Wireless Keyboard LX390 that could be exploited by an attacker up to 150 feet away, because the keyboard transmits its data packets without encryption.
  • CVE-2019-18201 could allow an attacker to eavesdrop on keystrokes, for example as a user types a password. CVE-2019-18200 could enable keystroke injection attacks, which can be used for numerous malicious purposes, including the installation of malware.
  • Fujitsu was made aware of the flaws in April 2019; however, no patch will be made available as the product reached end-of-life in May 2019. Fujitsu advises users to replace their keyboards with newer models not affected by the bugs, such as the LX410 and LX960.

Source

 

Vulnerability identified in all versions of Avast Antivirus and AVG Antivirus

  • Researchers at SafeBreach Labs discovered a vulnerability, tracked as CVE-2019-17093, in all editions of Avast Antivirus and AVG Antivirus, both of which are maintained by Avast Software.
  • The attack targets an Anti-Malware Protected Process Light (AM-PPL), a signed process that Windows shields from tampering by ordinary, unprotected processes. The researchers were able to load an arbitrary DLL into the AM-PPL process and execute code within it.
  • An attacker could exploit the vulnerability to achieve self-defence bypass, defence evasion, privilege escalation, and persistence, since code running inside the protected process inherits its protection from the product's own tamper checks.

Source (Includes IOCs)

 

Google releases Chrome 78 with 37 security fixes

  • Chrome 78 was released to the stable channel with 37 security fixes, 21 of which were discovered by external researchers.
  • Three of the externally discovered vulnerabilities, tracked as CVE-2019-13699, CVE-2019-13700, and CVE-2019-13701, were classified as high severity issues. An additional 12 flaws were rated as medium severity, while the remaining 6 bugs were categorised as low severity issues.

Source

 

Vulnerability identified in Maxthon 5 Browser for Windows

  • Researchers at SafeBreach Labs identified a vulnerability, tracked as CVE-2019-16647, in Maxthon 5 Browser for Windows.
  • The attack targets MxService, a service that runs as NT AUTHORITY\SYSTEM, the most privileged user account on Windows. The executable is signed by Maxthon Technology Co., Ltd and starts when the computer boots.
  • Attackers could compromise vulnerable systems by getting an unsigned EXE file to execute as NT AUTHORITY\SYSTEM. Performing the attack could allow an attacker to ‘achieve privilege escalation, persistence and in some cases defence evasion.’

Source

 

General News

New rules allow Swedish law enforcement to deploy spyware on suspects’ devices

  • On October 22nd, 2019, the Swedish Interior Minister Mikael Damberg announced that, as part of a 34-point plan, law enforcement in Sweden will now be granted the power to intercept encrypted communications on suspects’ devices by deploying spyware. These new capabilities are only to be used if an individual is suspected of having committed a crime punishable by four or more years in prison.

Source

 

The Silobreaker Team 

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
