Threat Reports

Silobreaker Daily Cyber Digest – 27 November 2018



Researchers find connection between XLoader and FakeSpy with possible ties to Yanbian Gang

  • Trend Micro researchers have discovered that XLoader and FakeSpy malware were both disguised as the same legitimate app of a Japanese home delivery service. Moreover, they found similarities in the malwares’ methods of concealing C&C addresses.
  • The researchers found that the samples showed similarities with malware previously used by the Yanbian Gang. Furthermore, registrants of FakeSpy’s and XLoader’s domains were found to originate from the Jilin Province in China, which has previously been noted as the location of Yanbian Gang members. Trend Micro therefore suspect the group has a connection to both malware.
  • As of October 2018, almost 400,000 users have fallen victim to XLoader and FakeSpy attacks. The majority of victims are located in South Korea and Japan.



Ongoing Campaigns

Backdoor discovered in Event-Stream JavaScript library

  • A popular JavaScript library called Event-Stream has been found to contain malicious code intended for stealing cryptocurrency funds from the Copay Bitcoin wallet app for both mobile and desktop.
  • Malicious code was discovered in a recently added component ‘flatmap-stream’, inserted by a developer known as ‘right9ctrl’ on GitHub. An updated version of the library has since been released that does not contain the malicious code.

Source 1 Source 2


New phishing campaign targets French organisations

  • F-Secure researchers have observed an ongoing phishing campaign targeting the French industry. The campaign, which began in October 2018, has targeted organisations in chemical manufacturing, aviation, automotive and banking sectors, as well as industry software providers and IT service provider sectors.  
  • The campaign has mostly been using compromised Wanadoo email accounts to distribute malicious HTML and PDF file attachments. In their blog post, F-Secure provide an in-depth analysis of the evolution and infrastructure of the operation.

Source (Includes IOCs)


Eight apps in Google Play store involved in ad fraud scheme

  • Kochava researchers have found eight apps in the Google Play store that have been exploiting user permissions in an ad fraud scheme. Seven of the apps are owned by Chinese company Cheetah Mobile and one app is owned by Chinese Kika Tech.
  • According to a report by Buzzfeed, the apps were involved in a practice called ‘click flooding’ or ‘click injection’. This relies on tracking users when they download new apps for the purpose of claiming app-install bounties, regardless of any involvement in the app’s installation process.



Phishing scams abuse SSL certificates in Q3 2018

  • PhishLabs have found that 49% of all phishing sites in the third quarter of 2018 were hosted on ‘https://’ sites, which display a padlock icon in the users’ browser, potentially misleading users into thinking they are legitimate.



Large spam campaign conducted by ScamClub targets US iOS users

  • ScamClub cyber-criminal group hijacked over 300 million sessions over 48 hours in order to redirect users to adult gift card scams. The hacker group hijacks a user’s browsing session from a legitimate site, redirecting them through a long chain of temporary websites, that end on a website pushing an adult-themed site or a gift card scam.
  • Confiant told ZDNet that the campaign was notable due to its scale, which they first identified as a huge spike in their telemetry. During the malvertising spike, 57% of Confiant’s clients were affected which demonstrates the campaign’s wide reach.



EU law enforcement shuts down over 33,600 counterfeit sites

  • The domains shut down were observed distributing counterfeit or stolen items, including fake pharmaceuticals, pirated films, television shows, music, software, electronics and other fake products.
  • The Intellectual Property Crime Coordinated Coalition (IPC3) also arrested 12 suspects and blocked hardware devices, enabling authorities to freeze over one million Euros in multiple bank accounts. Authorities also seized online currency farms and payment platforms used by the criminals.



Leaks and Breaches

Drake’s Fortnite account hacked during charity livestream event

  • Tyler ‘Ninja’ Blevins was streaming for The Ellen Fund when he received an invite from rapper Drake’s Epic Games account ‘Duddus674’. After Blevins attempted to communicate with Drake’s account, he was initially met with silence, until the hijacker began saying racist and offensive terms, prompting Blevins to cut communication, contact Drake and report the incident to Epic Games.  
  • Twitter user EBKOwen has since claimed responsibility for the hack, releasing images proving he accessed the account. EBKOwen posted other photos that suggested he could also be responsible for hijacking the account of FaZe Clan members as well as rapper Travis Scott.




Microsoft reveals bugs that caused login problems in cloud services for 14 hours

  • The flaws resulted in Azure and Office 365 users unable to sign in for the majority of Monday, 19th November. All three flaws were present in the Azure Active Directory Multi-Factor Authentication (MFA), which Microsoft uses for the Azure, Office 365, and Dynamics services.
  • Due to the number of users attempting to log in on Monday morning, there was a peak in traffic which caused a latency issue in the MFA frontend’s communication with its cache servers. The first issue then caused a race condition in processing responses from the MFA backend server that triggered additional latency.
  • The combination of the two initial flaws uncovered a third flaw in the way that the backend servers handled the backlog of data requests.



Vulnerability discovered in Ethereum network

  • First discovered in late October 2018, the critical vulnerability allowed attackers to force cryptocurrency exchanges to spend high fees on transactions, draining the exchange’s reserves. Attackers could also create new GasToken for profit and impose additional fees of users who interact with an attacker’s account.
  • Only exchange desks and wallet addresses that initiate Ethereum transactions were affected, meaning that decentralized exchanges were likely not abused. To defend against the vulnerability, researchers have recommended implementing ‘reasonable gas limits on all transactions’.



General News

Kaspersky Lab publish threat predictions for 2019

  • Kaspersky Lab have released their threat predictions for 2019 on industrial security, cryptocurrency and cyber threats to financial institutions.
  • The reports cover the key events from 2018 and discuss the top cybersecurity challenges that these specific industries are likely to face in 2019.

Source 1 Source 2 Source 3


New report by Carbon Black warns of increase in cyberattacks during holiday season

  • In 2017, cyberattacks during the Christmas holiday season surged by almost 60%. Based on figures from last year, the largest spike is likely to occur between Christmas and New Year.



Checkmarx developed two mobile applications that exfiltrate data using smart bulbs

  • Security researchers from Checkmarx developed two mobile applications that exploit smart bulbs for data exfiltration. In particular, the researchers used Magic Blue bulbs, manufactured by Zengge, that use Bluetooth 4.0 for communication.
  • The researchers paired an Android mobile phone with the iLight app and used sniffing communications to start sniffing the traffic while changing the colours of the light bulbs. Through this method, they discovered the commands sent by the mobile app to the smart bulbs.
  • Once complete control of the bulbs is gained, the researchers explained that the key ambition was to use the light of the bulbs to transfer information from a compromised device to a hacker. The application that is installed on the device, ‘modulates the light intensity to transfer data’, running in either Normal or Stealth Mode.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

More News

  • Silobreaker Daily Cyber Digest – 25 April 2019

      Malware Researcher creates new backdoor inspired by leaked NSA malware Sean Dillon created a proof-of-concept backdoor, dubbed SMBdoor, designed as a Windows kernel...
  • Silobreaker Daily Cyber Digest – 24 April 2019

      Malware Malware discovered hosted on Google Sites sending data to MySQL server Researchers discovered malware, named LoadPCBanker, on the Google Sites platform for...
  • Silobreaker Daily Cyber Digest – 23 April 2019

      Malware PreAMo malware discovered on Google Play used in click fraud operation Checkpoint and BuzzFeed researchers discovered a series of applications on Google...
View all News

Request a demo

Get in touch