Silobreaker Daily Cyber Digest – 31 January 2019



Malwarebytes discover new stealer written in Golang

  • Malwarebytes have identified a new infostealer, detected as Trojan.Infostealer.Go, written in Golang, a relatively young programming language that is rarely used for malware.
  • Analysis of the stealer shows that its authors are after payment information, such as credit card numbers and expiration dates, as well as personal data such as names and email addresses.
  • Malwarebytes’ write-up also details the stealer’s behaviour and tooling and gives an overview of its code.



Ongoing Campaigns

Google Play ‘Beauty Camera’ apps collect pictures and push malicious porn ads

  • The applications, detected by Trend Micro as AndroidOS_BadCamera[.]HRX, fetch their ad configuration from remote servers, which lets the operators switch the apps to malicious behaviour after installation. Some of the apps have been downloaded millions of times, particularly in Asia.
  • Trend Micro’s technical analysis of one of the apps shows that, once launched, it creates a shortcut and hides its icon from the application list, making it harder for users to find and uninstall. The apps are also packed to hinder analysis.
  • In some cases the apps push full-screen malicious porn ads when the user unlocks the device and redirect to phishing sites that ask for personal information. Trend Micro found several similar applications on Google Play, some of which let the operators collect the photos users upload to the app.

Source (Includes IOCs)


New ‘Love Letter’ malspam campaign targets Japan

  • The campaign was first detected on January 10th and re-emerged on January 29th, when it was observed targeting Japan with an even larger volume of malicious attachments than before. According to ESET’s Juraj Jánošík, the campaign was delivering ‘tens of thousands of malicious emails’ per hour, each carrying a zipped JavaScript file camouflaged as an image.
  • The new campaign uses emails tailored to Japanese victims: subject lines, for example, consist of the names of popular Japanese entertainers followed by a smiley face emoji.
  • The JavaScript file downloads the first-stage payload, which in turn fetches second-stage payloads including GandCrab 5.1 ransomware, a cryptominer (probably XMRig mining Monero) and the Phorpiex worm, which has spam and backdoor capabilities.
  • The first-stage payload also downloads a locale-specific downloader that grabs further payloads if the system language suggests the user is in China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK. The latest wave served its payloads from a server with a Ukrainian IP address.
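The lure in this campaign is an archive whose only member is a script with an image-looking name, such as photo.jpg.js, which Windows Explorer shows as “photo.jpg” when known extensions are hidden. The following mail-gateway style check, an added example that is not part of the Silobreaker digest or ESET’s analysis, inspects a zip attachment in memory without extracting it and flags script members, in particular those whose penultimate extension is an image type. The sample archive is constructed inline for illustration; the extension lists are the editor’s choice, not from the original report.

```python
import io
import zipfile
from typing import List, Optional

# Extensions the Windows shell or Windows Script Host will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr"}
# Extensions an attacker pairs with the above to make the file look like a picture.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def classify_member(name: str) -> Optional[str]:
    """Return a finding for an archive member that looks like a camouflaged script, else None."""
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    if len(parts) < 2:
        return None
    last_ext = "." + parts[-1]
    if last_ext not in SCRIPT_EXTENSIONS:
        return None
    # "photo.jpg.js": the real extension is .js, the visible one is .jpg.
    if len(parts) >= 3 and "." + parts[-2] in IMAGE_EXTENSIONS:
        return f"script masquerading as image: {name}"
    return f"executable script in archive: {name}"


def scan_zip_bytes(data: bytes) -> List[str]:
    """Scan a zip attachment held in memory; only the central directory is read, nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append(reason)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample for the demonstration, not a real campaign artifact:
    one genuine-looking image plus a JavaScript file named to look like an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cat.jpg", b"\xff\xd8\xff\xe0 placeholder jpeg bytes")
        zf.writestr("cute_photo.jpg.js", "// placeholder body, not a real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample_attachment()):
        print(finding)
```

The check deliberately keys on the member name rather than on content, because a downloader script is trivially re-obfuscated while the double-extension trick is what the lure depends on; a gateway would normally quarantine on any script member regardless of name.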



Imperva discovered a DDoS attack that sent 500 million packets per second

  • The attack is believed to be the largest packets-per-second (PPS) attack on record: the packet rate was more than four times that of the attack that hit GitHub last year. It was directed at an Imperva customer and was reportedly a ‘real challenge to overcome’.



Cisco Talos discover job posting malware campaign targeting Korea

  • The campaign used Microsoft Word documents disguised as job postings for Cisco Korea, built from legitimate content taken from job posting websites. The documents contained malicious macros that extract a malicious PE32 executable.
  • During analysis, Cisco found additional samples that they link to several previous campaigns by the same threat actor, whom they judge to be sophisticated because of the targeted nature of the campaign and the scarcity of IOC data.

Source (Includes IOCs)


Cyber-espionage campaign uses Remexi spyware to target Iran

  • Late last year, Kaspersky Lab observed a cyber-espionage campaign targeting Iranian IP addresses with the aim of infecting victims with an improved Remexi backdoor. Some of the targeted IP addresses belonged to foreign diplomatic entities within Iran.
  • Symantec has previously associated Remexi with the Iranian APT group Chafer, which suggests that Iranian authorities may have been spying on entities inside Iran.
  • According to Kaspersky Lab, Remexi can capture keystrokes, screenshots, credentials and browser data such as histories and cookies, and sends them back to its operators.



UAE used Karma spying tool to spy on iPhones of rivals

  • A team of former US government intelligence operatives now working for the United Arab Emirates (UAE) have reportedly hacked into the iPhones of activists, diplomats and foreign leaders using a spying tool dubbed Karma.
  • From 2016 onwards the tool gave the UAE the capability to monitor hundreds of targets, including the Emir of Qatar and Nobel Peace laureate and human rights activist Tawakkol Karman. It was used by an offensive cyber operations unit in Abu Dhabi named ‘Project Raven’.
  • According to the operatives, Karma gave remote access to an iPhone once its phone number or email address was uploaded to an automated targeting system. The tool did not work on Android devices and did not intercept phone calls.



YouTube ‘prize giveaway’ scam impersonates YouTubers to gain profit from online surveys

  • RiskIQ researchers report that the scam combines impersonation techniques such as exploiting the difference between display names and account names, and abuses YouTube’s internal messaging system, which lets users message anyone on the platform. The messages claim the recipient has been ‘randomly selected’ by the YouTuber to receive a surprise gift.
  • Once users click the link, they are redirected through a chain of shortlink services until they land on one of the websites set up by the perpetrators, where they are asked to fill out a short survey to ‘claim’ their free gift.
  • According to RiskIQ, the perpetrators profit from completed surveys because the organisations that collect the survey data pay the scammers a ‘flat-rate kick-back’. The campaign has been active since at least 2016.

Source (Includes IOCs)


Mongolock ransomware discovered in ongoing campaign

  • According to Quick Heal, the newly discovered Mongolock campaign deletes files and folders outright rather than encrypting them, and targets databases as well.
  • It is unclear who is behind this wave of Mongolock and whether it is related to previous instances.



Leaks and Breaches

Airbus announce data breach exposing employee credentials and more

  • The breach affected the information systems of the company’s ‘Commercial Aircraft business’ and gave third parties unauthorised access to data, predominantly professional contact and IT identification details of Airbus employees in Europe.
  • Airbus currently employs over 10,000 people. No further details have been released.



Facebook pays users for installing VPN app that collects their sensitive data

  • TechCrunch found that Facebook has been paying users to install a ‘Facebook Research’ VPN app that lets the company harvest the user’s phone and web activity. Facebook has admitted it uses the app to gather data on usage habits.
  • Since 2016 the social network has offered users aged 13 to 35 up to $20 a month plus referral fees for installing the iOS or Android ‘Facebook Research’ app. Because the app routes traffic through a VPN it installs, it can collect private messages in social media apps, chats from instant messaging apps (including photos and videos), emails, web searches, browsing activity and even ongoing location data from any location apps the user has installed.
  • Following TechCrunch’s initial report, Apple banned the app from iOS devices for violating Apple’s policy: it had been distributed through Apple’s Enterprise Developer Program, which is intended ‘solely for the internal distribution of apps within an organization’. The Facebook Research program will continue to run on Android.



Kwik Fit garages suffer malware attack

  • According to the BBC, the car service specialist has confirmed that its computer network was infected with malware, disrupting its ability to book in vehicle repairs and handle other customer requests. Kwik Fit said it believes no customer data was affected but declined to give further details of the incident.



Globe Telecom suffers data breach

  • The breach of Globe Telecom’s systems reportedly affected 8,851 customers. The company stated that it sent data registration confirmation receipts to the wrong individuals.
  • The National Privacy Commission confirmed that the incident was due to a system error and said it is still evaluating the incident and verifying the information provided. Affected customers have been advised to monitor their accounts for unusual activity and to change their passwords.



Rubrik suffers data leak

  • On January 29th, 2019, security researcher Oliver Hough discovered that customer data belonging to Rubrik had been accidentally exposed via a misconfigured AWS-hosted Elasticsearch server. The server required no authentication, so anybody who found its address could read its contents.
  • Rubrik has since been alerted and the exposed databases have been secured.




Chrome 72 update includes 58 security fixes

  • Google’s Chrome 72 release includes fixes for 58 security flaws, one rated critical and 17 rated high severity.
  • The critical flaw, tracked as CVE-2019-5754, is an ‘Inappropriate implementation in QUIC Networking’. The high-severity flaws include an inappropriate implementation in V8, a type confusion flaw in SVG, insufficient validation of untrusted input in V8, a stack buffer overflow in Skia and several use-after-free flaws, among others.



Several vulnerabilities discovered in ACD Systems’ Canvas Draw 5

  • The flaws are all out-of-bounds write vulnerabilities in the Canvas Draw 5 image parsers and lie in the handling of TIFF and PCX images. CVE-2018-3973 and CVE-2018-3981 can be exploited by delivering a specially crafted TIFF image to gain code execution.
  • CVE-2018-3976 can be exploited by delivering a specially crafted CAL image to gain code execution.
  • CVE-2018-3980 is triggered by a TIFF image that uses the deflate compression scheme, which causes the application to take values directly from the image without validation.



Severe privilege-escalation vulnerability in kids’ watches exposes their sensitive information

  • Researchers at Pen Test Partners discovered the flaw in GPS-tracking watches marketed for kids. It exposed sensitive data on 35,000 children across 20,000 individual accounts, and affected watches using a backend service provided by the Chinese vendor Caref Watch Co. The backend is used by the Gator range of watches sold by Caref’s UK distributor TechSixtyFour.
  • The flaw is that the backend did not validate the caller’s permissions server-side before granting admin-level access. An attacker logged in with ordinary watch credentials could change the user-level parameter in the request to the admin value and then read every account and watch on the system.
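The pattern behind this bug is a backend that reads the caller’s role from the request rather than from its own records. The following example is added here to illustrate it and is not Caref’s or TechSixtyFour’s code; the parameter name user_level, the account records and the watch locations are constructed for the demonstration. The vulnerable handler and the fixed handler are shown side by side, together with a per-object ownership check for the watch-location lookup.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

USER = 1
ADMIN = 2


@dataclass
class Account:
    username: str
    password: str          # plaintext only to keep the example short; store a password hash in practice
    level: int             # the authoritative role, kept server-side
    watch_ids: List[str] = field(default_factory=list)


# Constructed backend state for the example (hypothetical names, not real data).
ACCOUNTS: Dict[str, Account] = {
    "parent1": Account("parent1", "hunter2", USER, ["watch-001"]),
    "parent2": Account("parent2", "letmein", USER, ["watch-002"]),
    "support": Account("support", "s3cret", ADMIN),
}
WATCH_LOCATIONS: Dict[str, Tuple[float, float]] = {
    "watch-001": (51.50, -0.12),
    "watch-002": (53.48, -2.24),
}


def authenticate(username: str, password: str) -> Account:
    acct = ACCOUNTS.get(username)
    if acct is None or acct.password != password:
        raise PermissionError("bad credentials")
    return acct


def list_watches_vulnerable(request: dict) -> List[str]:
    """Mirrors the flawed design: the role comes from a client-controlled field, so any
    authenticated user who sets user_level to the admin value sees every watch."""
    acct = authenticate(request["username"], request["password"])
    if request.get("user_level") == ADMIN:
        return list(WATCH_LOCATIONS)
    return acct.watch_ids


def list_watches_fixed(request: dict) -> List[str]:
    """The role is taken from the authenticated account; request fields cannot raise privilege."""
    acct = authenticate(request["username"], request["password"])
    if acct.level == ADMIN:
        return list(WATCH_LOCATIONS)
    return acct.watch_ids


def get_location_fixed(request: dict, watch_id: str) -> Tuple[float, float]:
    """Object-level check: a non-admin may only read watches linked to their own account,
    even if they know or guess another watch's identifier."""
    acct = authenticate(request["username"], request["password"])
    if acct.level != ADMIN and watch_id not in acct.watch_ids:
        raise PermissionError("not your watch")
    return WATCH_LOCATIONS[watch_id]


if __name__ == "__main__":
    forged = {"username": "parent1", "password": "hunter2", "user_level": ADMIN}
    print("vulnerable:", list_watches_vulnerable(forged))   # every watch
    print("fixed:     ", list_watches_fixed(forged))        # only watch-001
```

The point the fix makes is that authorisation state must live on the server; a web framework’s session or token claims are the place to hold the role, and every object access should additionally check ownership, not just the role.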



General News

Fortune 100 companies download flawed Apache Struts

  • Sonatype have published research showing that between July and December 2018, 64 of the Fortune Global 100 companies downloaded the same vulnerable version of Apache Struts that was exploited in the Equifax breach.
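The Struts flaw behind the Equifax breach is CVE-2017-5638, which affects Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1). The check below is an added example, not part of the Silobreaker digest or Sonatype’s research: it scans Maven dependency:list style output for struts2-core and flags versions inside the affected ranges. The dependency listing is constructed inline for illustration.

```python
import re
from typing import List, Tuple

# Affected ranges for CVE-2017-5638 (inclusive), as published by the Struts project.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Constructed sample of `mvn dependency:list` output; not from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
"""

DEP_LINE = re.compile(r"org\.apache\.struts:struts2-core:jar:([0-9][\w.\-]*):")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); tuple ordering then compares versions correctly,
    so 2.5.10.1 sorts after 2.5.10 and outside the affected range."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_vulnerable_struts(dependency_list: str) -> List[str]:
    """Return the struts2-core versions in the listing that fall inside the affected ranges."""
    hits = []
    for line in dependency_list.splitlines():
        match = DEP_LINE.search(line)
        if match and is_affected(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for version in find_vulnerable_struts(SAMPLE_DEPENDENCY_LIST):
        print(f"struts2-core {version} is affected by CVE-2017-5638")
```

In a build pipeline the same check would run over the real dependency tree rather than a pasted listing; the version-range logic is the part worth keeping, since a naive string comparison would wrongly treat 2.5.10.1 as vulnerable or 2.5.9 as safe depending on how it was written.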



Private details from Mueller’s investigation manipulated and shared online

  • According to the US Department of Justice, private information gathered by Special Counsel Robert Mueller’s team during the investigation of the Russian company Concord Management and Consulting was manipulated and made accessible via a pro-Russian Twitter account in an attempt to discredit the investigation.
  • Concord Management and Consulting is one of three Russian organisations charged last February with using social media to influence the 2016 US presidential election. An investigation has found that some of the documents handed over in discovery were altered and disseminated as part of a disinformation campaign.
  • The Twitter account in question, @HackignRedstone, is associated with an IP address in Russia and published a link to a website where the material could be accessed.



DOJ announces efforts to take down Joanap botnet operated by North Korean state hackers

  • The US Department of Justice (DOJ) has announced ‘an extensive effort to map and further disrupt’ the Joanap botnet, a global network of computers infected with the Joanap trojan, controlled by North Korean hackers and used to facilitate other cyber activities.
  • Joanap targets Microsoft Windows devices and is typically delivered as a second-stage payload by the Brambul worm. Once installed, Joanap lets the operators remotely access the device, obtain ‘root level’ access and load additional malware.



Apple faces legal challenge over FaceTime vulnerability

  • Houston-based attorney Larry Williams is suing Apple over the recently discovered FaceTime bug that lets a caller hear the recipient’s audio before the call is answered. He claims that Apple’s negligence allowed the microphone to be used in this way and that the defect allowed ‘the recording of a private deposition’.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 
