Silobreaker Daily Cyber Digest – 29 October 2018
New Bushido-powered DDoS-for-hire service built with leaked code discovered
- Fortinet researchers have uncovered a new DDoS-for-hire service powered by bushido botnet, that provides sufficient power to take on most targets.
- Ox-booter is promoted on social media networks where they advertise over 500Gbps of power and 20,000 bots. These numbers are reportedly likely to be an exaggeration, as Fortinet discovered lower speeds and less bots when they visited the ox-booter website.
- Ox-booter provides attacks that target layer 4 and layer 7 of the Open Systems Interconnection (OSI) model, the transport and the application layers. Since the beginning of its availability, ox-booter has carried out 300 attacks, reaching peaks of 50 attacks on some days.
Narwhal Spider group uses steganography in spam campaign targeting Japanese victims
- Cutwail botnet has been observed targeting Japanese users with the intention of affecting them with the URLZone banking trojan. Crowdstrike researchers noted that the operation includes the use of stenography, which consists of hiding secret data inside larger files or images in order to hide the payload.
- The group responsible for the campaign, dubbed Narwhal Spider, used spam emails that included macro-enabled Microsoft Excel attachments. The emails were written in Japanese and included subject lines such as ‘Order Form’, ‘Submit application form’, and ‘We will send billing data.’
- Upon opening the document and enabling macros, the embedded Visual Basic application code downloads a second-stage code consisting of Windows batch command and Powershell command. A PNG file is then downloaded, containing hidden code within its blue and green channels, which is decoded. If the infected party resides in Japan the URLZone payload is dropped.
FBI investigate a theft from Fifth Third Bank’s cardless ATM
- The FBI are investigating the May 2018 theft of over $106,000 from Fifth Third Bank ATMs in Greater Cincinnati. The funds were reportedly stolen from customers using the bank’s cardless ATM feature. 125 victims received text messages with a phishing link to a website mimicking the bank’s website, and asking them to enter their confidential account information.
- Four individuals were arrested in October 2018 on suspicion of taking part in the scheme and fraudulently withdrawing money from ATMs in Cincinnati and Cleveland.
New file types are used in malspam attachments
- Trend Micro reported that cyber criminals are using old file types in new ways to evade spam filters, including the file archiver .ARJ file archiver, .Z file extensions, and .IQY and .PUB files within .PDFs.
Source (Includes IOCs)
Scammers leverage browser locking techniques
- If using Firefox, the victim will be prompted multiple times to download the file. The scammers goal is to try to get the unsuspecting user to call the fake ‘Microsoft Technical Support’ number displayed on the page.
Microsoft Bing served malicious content in advertisement
- The advertisement was spotted by Gabriel Landau, who downloaded the content from a fake Google Chrome ad served by Bing. The advertisement itself was the top result when searching ‘download chrome’, and even displayed ‘google.com’ as the destination URL, whereas the actual URL was googleonline2018[.]com.
- Microsoft has since removed the malicious advertisement.
GreyEnergy espionage group linked to BlackEnergy group
- ESET researchers published an analysis on the GreyEnergy group that has been targeting Ukraine since 2015. The researchers linked the cyber espionage group to its predecessor the BlackEnergy group, and stated that GreyEnergy and TeleBots subgroups are likely cooperating.
Privilege escalation bug discovered in Linux and BSD operating systems
- The 23-month old vulnerability identified as CVE-2018-14665 exists in X.org server, an open-source X11 system implementation. The issue affects OpenBSD and some versions of Linux, including Ubuntu and Debian.
- It allows an attacker to elevate limited access to root privileges by overwriting files using the -logfile and -modulepath parameters when running X.org in privileged mode.
Facebook removed Iran-linked accounts targeting United States and United Kingdom
- Facebook reported removing 82 accounts registered in Iran by pretending to be those of US or UK citizens. The accounts were posting information on political issues such as race relations, immigration, and opposition to US President Trump.
Rutgers University hacker fined $8.6 million for cyber attack
- Former Rutgers University student Paras Jha was ordered by the court to pay $8.6 million in restitution and spend six months under house arrest for repeatedly launching DDOS attacks on the university’s computer network between November 2014 and September 2016.
- Jha pleaded guilty in December 2017 for being one of the co-creators of the Mirai botnet.
Cymulate discover how to deliver malware using weaponised Microsoft Office documents
- Cymulate security firm have discovered a new way to deliver malware by abusing the Online Video feature on Microsoft Word to execute malicious code.
- The attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml and replacing it with a crafted payload which opens Internet Explorer Download Manager with the embedded code execution file.
- A proof of concept attack has been created using a YouTube video link embedded in weaponised Microsoft Office documents.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.