
CloudSEK Daily Threat Bulletin – 14th February 2020

Round Up of Major Cyber Security News

Puerto Rico government victim of $2.6m in phishing scam

A senior Puerto Rican government official has confirmed that $2.6 million allotted for remittance payments was transferred to a fraudulent account because of an email phishing campaign. An employee of a government-owned corporation transferred the amount based on an email that provided new bank details for remittance payments. The email stated that the existing bank account should no longer be used for remittance payments. There has been no confirmation of the identity of the threat actor, or of whether the government has been able to recover the amount.

MoleRATs APT group targets Palestinian territories

The Gaza Cybergang group MoleRATs, which has been active since 2012, has launched 2 campaigns using different hacking tools and C2 infrastructure. The first campaign, known as the Spark campaign, uses recent geopolitical events to lure victims from the Palestinian territories and infect their systems with the Spark backdoor, which allows the attackers to steal data from the infected system. The other campaign, called the Pierogi campaign, uses different decoy documents to trick victims into installing an undocumented backdoor called Pierogi.

Romance scams up from 8,500 in 2015 to 21,000 in 2018

According to a recent FTC report, in 2018 the losses reported due to romance scams were greater than the losses incurred due to any other type of consumer fraud. The number of romance scams has gone up from 8,500 in 2015 to 21,000 in 2018, with the losses increasing from $33 million to $143 million. Romance scammers generally use dating apps or sites, and social media, to target victims. It begins with creating a fake profile using pictures from the internet. They then build trust and confidence with the victim before fleecing them through money transfers and gift cards.

Three Italian universities hacked by LulzSec_ITA collective

LulzSec ITA, the popular hacktivist collective, claims to have launched an SQL injection attack on 3 Italian universities in an attempt to highlight the importance of cybersecurity. One of the universities, Uniparthenope, notified its students and faculty about the hack. Though it has downplayed the scope of the attack, LulzSec ITA claims to have accessed data in 27 databases. They also claim to have compromised a few of the universities' portals.

Uptick in Parallax RAT attributed to promotions on hacker forums

Since December 2019, the developers of Parallax RAT have been promoting the malware on hacker forums, and as a result hackers are widely spreading it through spam campaigns. Hackers exploit the Microsoft vulnerability CVE-2017-11882 to execute malicious macros and install the RAT. The malware sells at $65 for a one-month license and $175 for a three-month license. The license comes with after-sales support and the promise of 99% reliability. Once installed on a victim's system, hackers get complete control over it. This allows them to steal saved credentials and files, upload and download files, and execute remote commands. Hackers then use these details to gain access to the victim's online banking accounts.

Round Up of Major Malware and Ransomware Incidents

Unrelenting Android malware xHelper found to survive factory resets

The Android malware xHelper, which mainly targeted US-based phones, has stumped researchers with a clever trick that re-infects a device even after a factory reset. Recently, researchers found that an infected device has several folders containing com.mufc files, and when the files are executed they install xHelper again. Even a factory reset doesn't remove these folders. Researchers believe that the Google Play Store may be the source of the re-infection, so users should uninstall the Google Play Store app before deleting the folders that contain the com.mufc files.

Emotet makes sextortion more effective

Scammers are now using the Emotet botnet to orchestrate sextortion scams, and it has been found that these scams are able to extort 10 times more than the commonly used Necurs botnet. Since Emotet targets victims via their work emails, it pressures them into complying with the scammers' demands. A 5-day Emotet sextortion campaign in January 2020 was able to wheedle $60,000 worth of Bitcoin from victims, whereas a 7-week Necurs campaign was only able to raise $4,527 worth of Dashcoin.

U.S. chain Rutter's notifies customers of malware-infected payment systems

Rutter's notified customers that there may have been unauthorized access to their payment card details from October 2018 until May 2019. The company announced that malware had infected some of the payment processing systems at Rutter's fuel pumps and convenience stores. This gave the threat actor access to data from payment cards used on point-of-sale (POS) devices at some of its locations. Though the malware searched for track data, because of Rutter's chip-enabled (EMV) POS terminals it was able to collect only the card number and expiration date, and not the cardholder name or internal verification code. The company has removed the malware and has advised customers to review their card statements.

Round Up of Major Vulnerabilities and Patches

Google removes 500+ malicious Chrome extensions from the Web Store

Based on a 2-month investigation, more than 500 malicious extensions have been removed from Google's Web Store. These extensions, which were conspicuous, inject malicious ads into users' browsing sessions. While some of the redirects were to legitimate sites such as Dell or BestBuy, some extensions directed users to a malware download site or a phishing page. Researchers believe that this is a concerted effort by a single group that has been operating for at least 2 years.
