Palo Alto Networks reports on the OilRig group distributing new ALMA Communicator trojan
> OilRig has developed a new version of the Clayside delivery document to distribute the ALMA Communicator trojan, and the credential harvesting tool Mimikatz.
> The Clayside Delivery Document tricks a victim into enabling macros by displaying an “incompatible” worksheet stating that the Excel file was created with a newer version of Excel.
> ALMA Communicator is a backdoor trojan that uses DNS tunnelling exclusively as its C&C channel, both to receive commands and to exfiltrate data. It generates a unique identifier for the infected host and encodes it, together with the data being transmitted, into specially crafted subdomains of the C&C domain.
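An added example, not code from the Palo Alto Networks report or from the malware itself, of what a defender would look for in resolver logs when hunting for a DNS-tunnelling channel of this kind: one registered domain receiving many unique, high-entropy, hex-looking subdomains in a short window. The log format, the client and domain names and the thresholds below are constructed assumptions for illustration, not indicators from the report.

```python
"""Heuristic DNS-tunnelling detection over resolver logs (added example; the
log lines, domain names and thresholds are constructed, not real IOCs)."""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client-ip> <queried-name> <qtype>".
# The five cnc-domain.test queries mimic an id.sequence.payload subdomain layout.
SAMPLE_LOG = """\
2017-11-08T09:01:02Z 10.0.0.5 www.example.com A
2017-11-08T09:01:03Z 10.0.0.5 mail.example.com MX
2017-11-08T09:01:05Z 10.0.0.7 7a3f9c0e2b1d.1.4d6f.cnc-domain.test A
2017-11-08T09:01:06Z 10.0.0.7 7a3f9c0e2b1d.2.9e01aa37c5f2.cnc-domain.test A
2017-11-08T09:01:07Z 10.0.0.7 7a3f9c0e2b1d.3.00ff12ab34cd.cnc-domain.test A
2017-11-08T09:01:08Z 10.0.0.7 7a3f9c0e2b1d.4.5566778899aa.cnc-domain.test A
2017-11-08T09:01:09Z 10.0.0.7 7a3f9c0e2b1d.5.bbccddeeff00.cnc-domain.test A
2017-11-08T09:01:10Z 10.0.0.9 cdn.example.net A
"""

# A label of eight or more hex characters is a strong hint of encoded data.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def shannon_entropy(text):
    """Bits per character: random hex approaches 4.0, English words sit near 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain labels).

    Assumption for this example: the registered domain is the last two labels.
    A production detector would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyse(log_text):
    """Aggregate per registered domain: query count, distinct subdomains,
    share of hex-looking labels and mean subdomain entropy."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "labels": 0,
                               "hex_labels": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, _qtype = line.split()
        domain, sub = split_name(qname)
        st = acc[domain]
        st["queries"] += 1
        st["subs"].add(".".join(sub))
        st["labels"] += len(sub)
        st["hex_labels"] += sum(1 for label in sub if HEX_LABEL.match(label))
        st["entropy_sum"] += shannon_entropy("".join(sub))
    return {
        domain: {
            "queries": st["queries"],
            "unique_subdomains": len(st["subs"]),
            "hex_label_ratio": st["hex_labels"] / st["labels"] if st["labels"] else 0.0,
            "mean_entropy": st["entropy_sum"] / st["queries"],
        }
        for domain, st in acc.items()
    }


def find_tunnelling_candidates(log_text, min_unique=5, min_hex_ratio=0.5, min_entropy=3.0):
    """Domains whose subdomain churn, hex content and entropy all exceed the
    (assumed) thresholds; tune them against your own baseline traffic."""
    stats = analyse(log_text)
    return sorted(domain for domain, s in stats.items()
                  if s["unique_subdomains"] >= min_unique
                  and s["hex_label_ratio"] >= min_hex_ratio
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for domain, s in analyse(SAMPLE_LOG).items():
        print(f"{domain:20} {s}")
    print("candidates:", find_tunnelling_candidates(SAMPLE_LOG))
```

Legitimate CDNs and anti-virus cloud lookups also produce long encoded labels, so in practice the candidate list is a starting point for analyst review (or for correlation with query volume per client), not a blocking rule.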

New type of overlay RAT malware used to target Brazilian banks
> According to IBM X-Force, an interesting feature of this unnamed RAT is that it uses AutoIt, a scripting framework designed to automate the Windows UI, to bypass antivirus software.
> The malware developer compiled the malicious code as an AutoIt script and runs it under a legitimate AutoIt interpreter process, which loads the malicious payload into that process's memory. As a result, AV products that rely on hash signatures for the executable on disk do not recognise the malware.


Ongoing Campaigns

Hacker Abrisk is reportedly accessing travel databases as a service for as little as $50
> Abrisk is advertising the service on a Russian crime forum, claiming the ability to “provide information on the movement of people across the Russian Federation and, in many cases, beyond its borders.”
> Abrisk reportedly needs the victim’s name, date of birth, and the passport number to access the database. The Daily Beast alleges that the hacker is likely leveraging corrupt contacts inside law enforcement bodies to gain the information.

Kaspersky reports on a technique that uses legitimate tools to hide malware
> The technique was observed in several .NET samples that are executed through InstallUtil.exe, a trusted utility that ships with the Microsoft .NET Framework.
> Microsoft describes InstallUtil as a command-line tool that installs and uninstalls the server resources (installer components) contained in an assembly. Because it runs the assembly's installer classes rather than its Main entry point, a malicious .NET assembly can put its payload in an installer class and have InstallUtil.exe execute it, so the malicious activity runs in the context of a trusted, Microsoft-signed process.
> The analysed samples were distributed in a password-protected archive. The executable file icons masquerade as legitimate files, such as documents, photos, or key generators for common software.
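An added example (not Kaspersky's or Microsoft's code) of how a blue team might triage process-creation telemetry for this InstallUtil.exe pattern: an assembly executed via the /U (uninstall) switch with logging suppressed, which is the common way to run an installer class without leaving an install log, or an assembly loaded from a user-writable location. The events below are constructed and use generic field names rather than any vendor's schema.

```python
"""Triage InstallUtil.exe process-creation events for living-off-the-land use
(added example; events are constructed, not real telemetry)."""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events. Event 1 is a normal product installer,
# events 2 and 4 follow the abuse pattern, event 3 is unrelated noise.
SAMPLE_EVENTS = [
    {"id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'InstallUtil.exe "C:\Program Files\Contoso\Agent\ContosoAgent.exe"'},
    {"id": 2,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\photo.exe"},
    {"id": 3,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"id": 4,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"InstallUtil.exe /u C:\Windows\Temp\svc.dll"},
]

# Windows command-line tokens: a quoted run or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')
# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|downloads|public)\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line into arguments, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def analyse_event(event):
    """Return the reasons an InstallUtil.exe execution looks suspicious.

    An empty list means the event is not InstallUtil at all, or that the
    pattern is too weak to report on its own."""
    if PureWindowsPath(event["image"]).name.lower() != "installutil.exe":
        return []
    args = tokenize(event["cmdline"])[1:]            # drop the program name
    options = [a.lower() for a in args if a.startswith(("/", "-"))]
    assemblies = [a for a in args if not a.startswith(("/", "-"))]

    reasons = []
    # /U runs the installer classes' Uninstall() path: code executes, nothing is installed.
    if any(o in ("/u", "/uninstall", "-u", "-uninstall") for o in options):
        reasons.append("uninstall_switch")
    # Empty log file plus no console output: the canonical way to run quietly.
    if any(o in ("/logtoconsole=false", "/logfile=") for o in options):
        reasons.append("logging_suppressed")
    if any(USER_WRITABLE.search(a) for a in assemblies):
        reasons.append("assembly_in_user_writable_path")

    strong = ("assembly_in_user_writable_path" in reasons
              or {"uninstall_switch", "logging_suppressed"} <= set(reasons))
    return reasons if strong else []


def triage(events):
    """Map event id -> reasons for every event worth an analyst's attention."""
    flagged = {}
    for event in events:
        reasons = analyse_event(event)
        if reasons:
            flagged[event["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(reasons))
```

The parent process is carried in the events but deliberately not scored here: legitimate installers are launched from many parents, so it is better used as context for the analyst than as a rule input. The user-writable-path check is the one most likely to need local tuning.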

Inexperienced hackers creating their own IOTroop fooled by backdoored IP scanner
> IOTroop’s creators used an IP scanner to find vulnerable systems, allowing hackers to use exploits for those vulnerabilities and infect devices such as IP based security cameras, DVRs and NVRs.
> An unnamed hacker created a website advertising an obfuscated PHP script that reads IPs from a local text file, checks whether each IP is hosting a GoAhead web server, and lists the positive results in a file named GoAhead-Filtered.txt.
> Ankit Anubhav reports that after deobfuscating the code he found that the PHP script contained a backdoor, used by its creator to collect the GoAhead-Filtered.txt files containing the results of every user's scans.


Leaks and breaches

Pro Islamic State group Team System Dz defaces website of Prince Albert Police, Canada
> Team System Dz displayed the messages ‘hacked by Team System Dz’ and ‘I love Islamic State’ on the website, which were removed shortly afterwards. The police have confirmed that no sensitive information was accessed.

University of East Anglia accidentally leaks employee’s confidential data in mass email
> The email, sent to approximately 300 students in the social science faculty, included the personal health information of a member of staff.
> The UEA’s IT department has remotely recalled the email from the recipients’ accounts and has apologised for the error.


Vulnerabilities

Google releases patches to fix the KRACK vulnerability in Android OS
> The fixes were released in the November Android Security Bulletin, which also includes patches for five critical vulnerabilities in the Media framework.

New details provided on flaw in Intel Management Engine which can be leveraged to hack most CPUs
> CVE-2017-5689 is a privilege-escalation vulnerability in the remote management features (Intel AMT, ISM and SBT) of computers shipped with Intel chipsets over the past nine years; it lets an unauthenticated network attacker gain control of those management functions. Separately, Positive Technologies announced in September a technique that reaches the Intel Management Engine (IME) through a USB debugging interface and runs unsigned code on it.
> The firm now says it combined this with access to the Joint Test Action Group (JTAG) debugging interface exposed over that USB port to gain full control of the IME.


General News

The FBI hacked into computers located in Russia, Iran and China during Playpen investigation
> According to a recently filed court record, during its investigation into the child-pornography site Playpen, the FBI hacked into the computers of the site’s users and in doing so also accessed computers in Russia, Iran and China.
> Several commentators worry about the geopolitical fallout and the precedent set by these actions.

Pennsylvanian trader indicted for conducting securities fraud via hacked brokerage accounts
> Between 2014 and 2017 Joseph Willner ran what is described as a “cyber boiler room” scheme, which involved hacking into victims’ online securities brokerage accounts to place unauthorised trades.
> Willner and his associates allegedly made at least $700,000 in profits through their hack-and-trade scheme.


The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
