Silobreaker Daily Cyber Digest – 25 September 2019


Ongoing Campaigns

Researcher observes new Quasar RAT malspam campaign

  • Security researcher Brad Duncan observed the publicly available Quasar RAT being distributed in a new malspam campaign that asks the victim to confirm account details for a payment. The email contains a ZIP file, purporting to be an invoice, which delivers the executable.

Source (Includes IOCs)


US veterans targeted in new Tortoiseshell campaign

  • Cisco Talos researchers discovered a new campaign by the Tortoiseshell Group, which targets US veterans via a fake employment website called ‘Hire Military Heroes’. Tortoiseshell was first observed targeting IT providers in the Middle East in July 2019. The same backdoor, as well as similar tactics, techniques and procedures were observed in both campaigns.
  • The fake site is made to look similar to the legitimate service from the US Chamber of Commerce. Upon entering the website, the victim is prompted to download a desktop app, which is a fake installer that downloads two binaries, a reconnaissance stage and the remote access tool IvizTech.
  • IvizTech is capable of removing itself, downloading a file from the internet, using PowerShell to unzip and execute code, and executing a command. Its C2 IP address is passed to the service as an argument, making it more difficult for researchers to reach the C2, whilst also allowing the attackers to add modules to the malware without the need to recompile when updating the C2.

Source (Includes IOCs)


Sednit Group targeted government entities with new variant of Zebrocy malware

  • Researchers at ESET discovered that the Russian-speaking Sednit Group, also known as APT28, updated downloaders and added a new backdoor to Zebrocy malware. Sednit have been active since 2004 and their most recent campaign using Zebrocy was launched on August 20th, 2019, targeting Ministries of Foreign Affairs in Eastern Europe and Central Asia.
  • The campaign starts with spear phishing emails containing a malicious blank attachment that connects to a remote payload that is hosted on Dropbox. In the case that ESET studied, the victim had six malicious components dropped on their computer before the final payload was executed.  
  • The researchers found that the group have re-written their downloader in Nim Language, improved their Golang downloader, and rewritten their Delphi backdoor in Golang. The group have not added new tools but ported their original code to other languages.

Source (Includes IOCs)


Tibetan groups targeted with spyware delivered through one-click mobile exploits

  • Researchers at The Citizen Lab identified a threat actor, named POISON CARP, targeting senior members of Tibetan groups between November 2018 and May 2019. Targeted groups included the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and others. 
  • The attackers posed as journalists and members of NGOs, and delivered personalised WhatsApp messages to targets. The malicious messages contained links to exploits for vulnerabilities in web browsers which would result in spyware being installed on iOS or Android devices. POISON CARP used eight Android browser exploits, an Android spyware kit, iOS spyware, and one iOS exploit chain. 
  • The researchers stated that POISON CARP is the same group behind the iOS watering hole attacks described by Google Project Zero and the Evil Eye campaign reported by Volexity. The campaigns used similar exploits and domains, and were targeted against Tibetan and Uyghur minority groups related to China.

Source (Includes IOCs)


Instagram phishing scam attempts to lure victims with fake copyright bans

  • Researchers at Sophos reported that criminals are targeting Instagram users with phishing emails that warn of imminent account suspension due to copyright claims. The email states that the account will be suspended in 24 hours and contains a link to a ‘Copyright Objection Form’.
  • Users who access the form will be redirected to a phishing site owned by the criminals. The attackers have acquired an HTTPS certificate for their site in order for the web page to appear secure. Targets are asked for their password and date of birth in order to lodge an appeal. Entered information is exfiltrated to the attacker and the victims are redirected to the genuine Instagram login page.



Weather forecasting app used for ad fraud

  • Researchers at Upstream discovered that the ‘Weather Forecast: World Weather Accurate Radar’ app, from Chinese company TCL Communications, purchases premium services without the knowledge of the phone owner. The app is available on the Google Play Store and comes preinstalled on certain Alcatel phones.
  • The app was first caught conducting premium transactions without the user’s permission in January 2019. Following Upstream’s initial report the app ceased its malicious behaviour; however, ad fraud activity restarted in April 2019.



DDoS ‘carpet-bombing’ attack takes down South African ISP

  • On September 21st and 22nd, 2019, unknown attackers took down South African internet service provider (ISP) Cool Ideas. The attackers sent junk traffic to unpatched DNS and CLDAP servers which then redirected traffic to Cool Ideas’ network at an amplified size.
  • According to ZDNet, the perpetrators leveraged a technique called ‘carpet-bombing’ involving the sending of junk traffic to random IP addresses in the network. This meant every Cool Ideas customer received some junk traffic which was large enough to overwhelm the servers at the ISP’s network border. This caused the network border to collapse, ultimately bringing down the ISP’s external connectivity too.
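As an added illustration of how a defender might spot the carpet-bombing pattern described above (not code from the Silobreaker digest or ZDNet’s report), the following detector aggregates reflected UDP traffic from DNS and CLDAP source ports and alerts when it is sprayed across many distinct addresses inside a customer prefix with large packets. The customer prefix and the flow records are constructed for the example and do not describe Cool Ideas’ real network.

```python
import ipaddress
from collections import defaultdict

# Hypothetical customer prefix (constructed; not the ISP's real range)
ISP_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# UDP source ports typical of reflection/amplification: DNS (53) and CLDAP (389)
AMPLIFIER_PORTS = {53, 389}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    # Reflected CLDAP responses sprayed across 40 customer addresses
    *[("198.51.100.%d" % (i % 7 + 1), 389, "203.0.113.%d" % (10 + i), 40000 + i, 2800, 2)
      for i in range(40)],
    # Reflected DNS responses sprayed across another 30 customer addresses
    *[("198.51.100.%d" % (i % 5 + 20), 53, "203.0.113.%d" % (100 + i), 50000 + i, 3600, 3)
      for i in range(30)],
    # One ordinary DNS answer to a single customer resolver client
    ("198.51.100.200", 53, "203.0.113.5", 51234, 120, 1),
]

def detect_carpet_bombing(flows, prefix=ISP_PREFIX, min_targets=20, min_avg_bytes=1000):
    """Return {src_port: stats} for amplifier ports whose reflected traffic
    hits at least min_targets distinct destinations inside the prefix with an
    average packet size of at least min_avg_bytes (a sign of amplification)."""
    per_port = defaultdict(lambda: {"targets": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, dst_port, nbytes, npkts in flows:
        if src_port not in AMPLIFIER_PORTS:
            continue  # not a reflection source we care about
        if ipaddress.ip_address(dst_ip) not in prefix:
            continue  # traffic not aimed at our customers
        stats = per_port[src_port]
        stats["targets"].add(dst_ip)
        stats["bytes"] += nbytes
        stats["packets"] += npkts
    alerts = {}
    for port, stats in per_port.items():
        avg = stats["bytes"] / stats["packets"] if stats["packets"] else 0
        # Many distinct victims plus large responses is the carpet-bombing signature;
        # a single large flow to one host would be handled by per-destination thresholds
        if len(stats["targets"]) >= min_targets and avg >= min_avg_bytes:
            alerts[port] = {"targets": len(stats["targets"]),
                            "avg_bytes_per_packet": round(avg, 1)}
    return alerts

if __name__ == "__main__":
    print(detect_carpet_bombing(FLOWS))
```

Per-destination rate limits miss this pattern by design, because each customer address receives only a small share of the total; the aggregate view across the prefix is what reveals it.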



Hacker Groups

Technical links established between GandCrab and REvil ransomware

  • Researchers at Secureworks identified that some or all of the authors behind GandCrab ransomware are responsible for the development of REvil ransomware, also known as Sodinokibi. GandCrab was developed by the GOLD GARDEN group and was distributed as ‘ransomware-as-a-service’ before the developers announced their retirement on May 31st, 2019.
  • On April 17th, 2019, REvil ransomware was first spotted in the wild with the developers of the new ransomware being referred to as GOLD SOUTHFIELD. As GandCrab activity wound down, REvil activity increased and new delivery methods were added to the malware. The researchers stated that REvil’s development and function suggested that the malware authors were ‘dedicated and experienced’.
  • They also found that both ransomware families avoid infecting Russian-based hosts, contain near-identical string decoding functions, and share similar URL-building logic that produces the same C2 URL patterns. Additionally, the malware developers made an operational security mistake when they left a debug path in REvil that referenced GandCrab.
  • The researchers concluded that the ‘ransomware-as-a-service’ model used to distribute GandCrab was too profitable for the threat actors to abandon.

Source (Includes IOCs)


Threat actor behind Aggah campaign remains unclear

  • Researchers previously identified a possible connection to Gorgon Group, which used the same TTPs and infrastructure observed in the Aggah campaign. As in previous campaigns, the Pastebin account ‘Hagga’ is used to host malicious code.
  • Although the infection chain remained similar to the other Aggah campaigns, researchers at Cybaze-Yoroi ZLab saw a variation in the final payload. The threat actor was observed to deliver AZORult at the beginning of September 2019, before reverting back to its typical delivery of RevengeRAT.
  • A customised AZORult fork called ‘Mana Tools’ was also discovered, which could suggest Gorgon Group was behind the campaign and added AZORult as its final payload to gather initial information about its victims. However, according to the researchers, such a scenario cannot be confirmed. Other theories are that a different threat actor used the Aggah infection chain to deliver AZORult, or the ‘Hagga’ Pastebin account holders conducted their own campaign.

Source (Includes IOCs)


Analysis of Russian APTs shows that code sharing is uncommon

  • Researchers at Check Point Research and Intezer gathered and analysed nearly 2,000 malware samples in an effort to establish connections between Russian APT malware families and threat actors.
  • The researchers discovered that the ‘vast majority of times’ Russian threat actors do not share code. In instances where code was shared, it was never used by more than two organisations. The researchers stated that each actor or organisation had their own malware development team. Often these groups were developing malware with similar functions and purposes in tandem with one another.
  • By purposefully not sharing code between various groups, Russian APTs ensure that if one organisation is compromised other groups remain secure. The researchers suggested that this shows that Russia invests ‘an enormous amount of money and manpower’ in operational security.

Source (Includes IOCs)


Leaks and Breaches

Unprotected database exposes Wyatt Investment Research customer data

  • An unprotected database belonging to Wyatt Investment Research exposed private data of 18,300 of its customers. Security Discovery researchers first discovered the database in March 2019, but could only recently verify its owner. The database was publicly accessible from at least March to July 22nd, 2019.
  • The database exposed 22,396 records, including 18,300 customer accounts that contained names, addresses, email addresses, hashed passwords, and partial credit card numbers in plain text. IP addresses, ports, pathways, and storage information were also present, which could have been exploited by threat actors. Additionally, the researchers found evidence of ransomware demanding a payment of 0.05 Bitcoin ($500).



Mexican bookstore exposes data through MongoDB instances

  • Researchers at Security Discovery identified three unprotected MongoDB databases which were previously exposed in July 2019. The databases appear to belong to Mexican bookseller Librería Porrúa.
  • In July the database contained 958,128 records and now features additional details of 60,869 users. Exposed information includes full names, addresses, emails, and more. The database also contained a ransom note which was seen by the researchers in July 2019. The researchers suggested that the developers moved the database without cleaning it first.




Third-party keyboard apps can grant ‘full access’ on iOS 13 and iPadOS

  • On September 24th, 2019, Apple released iOS 13.1, which resolves a bug that allows third-party keyboard apps to be granted full access to a user’s device even if access has not been authorised. The issue impacts users who have installed keyboard extensions on their iPhone, iPad, or iPod touch.



Hacker publishes PoC exploit for vBulletin zero-day vulnerability

  • An anonymous hacker published technical details and proof-of-concept (PoC) exploit code for a critical flaw in vBulletin that could enable attackers to inject commands and remotely execute code in vBulletin versions 5.0.0 up to 5.5.4.



Two critical issues patched in Adobe ColdFusion

  • On September 24th, 2019, Adobe fixed two critical vulnerabilities, tracked as CVE-2019-8073 and CVE-2019-8074, in ColdFusion 2018 and 2016. If successfully exploited, the first issue can allow arbitrary code execution and the second leads to an access control bypass.
  • A third issue, tracked as CVE-2019-8072, was also patched in ColdFusion. The issue is a security bypass vulnerability that could cause information disclosure.

Source (Includes IOCs)


General News

Free decryptor released for WannaCryFake

  • Emsisoft has released a free decryptor for the WannaCryFake ransomware strain. The ransomware uses AES-256 to encrypt files and demands payment in Bitcoin. Emsisoft urges victims not to pay the ransom, and instead use the free decryptor.




The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
