Threat Reports

Silobreaker Daily Cyber Digest – 6 March 2019



New Jokeroo RaaS appears on underground hacker forums

  • A new ransomware-as-a-service (RaaS) dubbed Jokeroo is being advertised on underground hacker forums and via Twitter.
  • According to a malware researcher known as Damian, Jokeroo was first promoted as a GandCrab ransomware RaaS on the Exploit hacking forum. Soon after, security researcher David Montenegro found that the service has been renamed to Jokeroo and has dissociated itself from GandCrab.
  • Affiliates are asked to pay to join a membership package that ranges from $90 to $300 or $600 depending on the percentage of ransom payments the affiliate wishes to keep. The $600 package also offers extra features such as Salsa20 encryption, different ransomware variants, and different cryptocurrency payment options.



Ongoing Campaigns

Algar53 exploits flaw in Jmail in new spam and phishing campaign

  • Check Point researchers detected that threat actor Alarg53 is exploiting a new vulnerability in Joomla’s Jmail mail service in a new spam campaign. By implementing simple manipulation on the User-Agent header on HTTP requests, it was found that an attacker can manipulate the platform and override the existing Jmail service.
  • The attack, dubbed ‘Jmail Breaker’, involves setting up a backdoor and phishing infrastructure by exploiting these flaws. In this case, Alarg53 was observed using the infrastructure for phishing and mail spamming.
  • Alarg53 is a threat actor known for hacking and defacing over 15,000 websites, most notably the website of The Biology of Aging Center at Stanford University.  



Malicious spam campaigns continue to deliver IcedID with TrickBot

  • In a blog post, malware researcher Brad Duncan detailed most recent campaigns involving password-protected Word documents that infect victims with IcedID trojan followed by TrickBot.
  • In a campaign from March 5th, 2019, emails containing attachments disguised as job resumes were used to deliver the two malware samples.

Source (Includes IOCs)


Adware apps on Google Play fake uninstallation for persistence

  • Researcher Lukas Stefanko discovered three different adware apps on the Google Play store, disguised as camera-related utilities, whose only function is to display ads on the infected device. The apps are called ‘Excellent Camera’, ‘Ideal Camera: Full Featured Camera for Android’, and ‘Super Camera Lite 2019’.
  • After the apps are opened for the first time, they will hide their default icon and create a new shortcut for being launched. Moreover, users are then unable to uninstall the apps from their home screen as choosing ‘Remove’ will only remove the app launcher, not uninstall the app itself. To fully uninstall the app, users need to do it directly via the Play store or use the App menu in the Settings area of their Android device.



IRS warns of new tax-related phishing scams

  • The IRS have warned of new tax related phishing scams claiming to be from the IRS, using fake emails, text messages, websites and social media to steal personal information. One example in particular involved malicious actors depositing money into a victim’s legitimate bank account after stealing client data and filing fraudulent tax returns. The criminals then claimed a refund from the taxpayers via phone.
  • In addition, payroll departments and human resources are also being targeted with business email compromise scams to obtain information they can use to file fraudulent tax returns.
  • The IRS has advised tax preparers to watch out for malicious emails from their customers, personal or business contacts, that could contain malware that will exfiltrate tax information.



Kaspersky Lab observed campaign using torrent trackers to spread malware

  • Kaspersky Lab has reported on a campaign observed early this year, in which The Pirate Bay hacker filled up with harmful files that were used to distribute malware, disguised as cracked copies of paid programs.
  • Rather that the expected software, the files downloaded a Trojan to the user’s computer, implemented by SetUpFactory installers. The trojan has been detected by Kaspersky Lab as Trojan-Downloader.Win32.PirateMatryoshka.
  • A phishing webpage is installed, which opens in the installation window and requests the user’s TBP account credentials. The victim’s account is also eventually flooded with unwanted programs that waste system resources.

Source (Includes IOCs)


Leaks and Breaches

Saudi Android app Dalil leaves data of over 5 million users in unsecured MongoDB server

  • A MongoDB server containing the data was left accessible without password protection and appeared to contain the app’s entire data including users’ personal details and activity logs. Exposed details include user phone numbers, app registration data, device details, telecom operator details, GPS coordinates, and more.
  • The majority of exposed data belongs to Saudi users, as well as Egyptian, Emirati, European and Israeli and Palestinian users.



Rush System for Health discloses data breach affecting about 45,000 patients

  • The health system reported that a data breach, discovered on January 22nd, 2019 may have exposed patients’ data including names, addresses, birthdates, Social Security numbers and health insurance information.
  • The breach was caused by an employee of a third-party service vendor who improperly shared a file with an unauthorized party. The breach is believed to have occurred in May 2018.




Researchers discover new flaw affecting all Intel chips

  • The flaw, dubbed Spoiler, exists due to a ‘weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem, which directly leaks time behaviour due to physical address conflicts.’
  • The flaw can be exploited by attackers using a malicious JavaScript within a web browser tab, malware running on a system, or logged-in users, to extract passwords, keys and other data from memory. A foothold in the machine is required to exploit the flaw.
  • The flaw cannot be fixed without redesign work on the chips themselves.



Logitech Harmony Hub remote-root bug patched

  • Logitech Harmony Hub has been vulnerable to remote takeover attacks for several years due to four unpatched flaws.
  • Two of the vulnerabilities could have been exploited to gain full control of Logitech devices. These include a default credential flaw, tracked as CVE-2018-15720, and an authentication bypass flaw tracked as CVE-2018-15721.
  • The two other bugs include a command injection bug tracked as CVE-2018-15722, and a crafted HTTP request application injection flaw. These flaws can be chained together to allow a remote unauthenticated hacker to take over the smart hub and control all the devices that it manages.



Microsoft Office zero-day bypasses security software and sandboxes

  • The flaw exists in the OLE file format, due to the OLE32[.]dll library incorrectly handling integer overflows. It could allow an attacker to hide exploits in weaponised Word documents in a way that doesn’t trigger most anti-virus solutions.
  • The flaw has been observed being exploited in the wild in a recent campaign using attached Word documents containing a hidden exploit for an old flaw in Microsoft Equation Editor (CVE-2017-11882), that dropped a new variant of Java Jacksbot.



Patches released for critical DoS/RCE flaw in RSLinx software

  • Rockwell automation has released patches to address a critical flaw, tracked as CVE-2019-6553, in RSLinx classic software. The flaw exists due to an input validation issue that can be used to trigger a buffer overflow by passing data in a Forward Open service request to a fixed-size buffer.
  • The flaw can be exploited by sending a specially crafted package to the RSLinx Classic application on port 44818, and affects RXLink Classic versions 4.10.00 and earlier.



General News

NSA releases Ghidra reverse-engineering platform as open source

  • The US National Security Agency (NSA) has publicly released Ghidra, a software reverse engineering tool. The tool, described as ‘powerful’ and ‘particularly usable’ in addressing real-world priorities, is being made available for free.



Emotet, LokiBot and TrickBot remain active globally

  • A report released by Gigamon states that campaigns delivering Emotet, LokiBot and TrickBot remained highly active in the second half of 2018.
  • In November and December 2018, Emotet was involved in 45.9% of observed attacks. LokiBot and TrickBot were responsible for 11.6% and 10.4% of observed attacks in H2 2018, respectively.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 24 May 2019

      Malware Newly upgraded version of JasperLoader targets Italy Cisco Talos researchers discovered a new version of JasperLoader targeting Italy and other European countries...
  • Silobreaker Daily Cyber Digest – 23 May 2019

      Malware Decryptor released for newly discovered GetCrypt ransomware A threat analyst known as ‘nao_sec’ discovered a new ransomware called GetCrypt that is being...
  • Silobreaker Daily Cyber Digest – 22 May 2019

      Ongoing Campaigns Hundreds of US schools remain vulnerable to WannaCry attacks While investigating the ongoing Baltimore City ransomware attack, Ars Technica found that...
View all News

Request a demo

Get in touch